The Phil Zimmermann Case

by Charles A. Gimon

for INFO NATION

(This was originally published in June 1995. I have an update from February 1996, too.)

For over two thousand years, the science of cryptography remained the same. All secret codes were based on the idea that the sender and the recipient would share a secret "key" that could decode the message.

In 1976, a completely new way to encrypt messages was published by Whitfield Diffie and Martin Hellman. This new method was called public key encryption. In this system, each person has two keys, a public key and a private key. The public key is broadcast around so anyone can use it; the private key is known only to the owner. You can encode a message with the recipient's public key so that only they can decode it with their private key. This public key encryption not only provides privacy, it also makes it possible to be certain that only the sender wrote the secret message you received. It ensures both privacy and identity.

Public key encryption is fantastically difficult for even computers to break. The longer you make the keys, the more difficult it is to break. You can make the keys long enough so that, using today's technology, anyone's best guess is that it would take so-and-so many billions of years to break the code. One cute phrase you hear to describe this situation is "acres of Crays". There's even wild talk of making keys so long that using the codebreaking methods we have right now, you'd need a computer with more circuits than there are atomic particles in the known universe working for a longer period of time than has passed since the Big Bang to break it. In other words, a metaphysically unbreakable code--talk about tough math homework.

Many companies, including AT&T, SCO and Sun Microsystems, have used public key encryption in their products. In order to give the power of public key encryption to folks like you and me, a programmer in Boulder, Colorado named Phil Zimmermann put together a shareware program called PGP--"Pretty Good Privacy"--which lets anyone with a PC use public key cryptography.

Governments like ours have a healthy respect for cryptography; it's sometimes said that the U.S. and Britain won the Second World War by breaking German and Japanese codes. In the United States, strong, "unbreakable" encryption is considered a weapon for export purposes, just like hand grenades or fighter planes are. In theory, it's illegal to export public key cryptography, on paper or as a computer program.

In 1991, right after the Gulf War, there was a bill before the U.S. Senate (S.266) that would have had the effect of banning public key encryption altogether. Faced with this situation, some activists in the Bay Area decided that if they could spread public key encryption around widely enough, the genie would be out of the bottle and there'd be no way for Uncle Sam to get it back in again. They took a copy of Zimmermann's program and uploaded it to as many bulletin boards and Internet sites as they could.

It took the Feds two years to react. In February 1993, Mr. Zimmermann received a visit from Customs. Even though he didn't do the uploading himself, the Feds say that Zimmermann allowed his program to be uploaded to Internet sites that can be reached from anywhere in the world, and therefore he has supposedly exported a munition without a license. It sounds like something an oily guy in Miami or Beirut would be involved in--but a computer geek in Boulder, Colorado?

As of this writing, any indictments from the grand jury are still pending--hanging over Phil Zimmermann's head. Businesses that have been using strong encryption (but haven't been visited by customs agents) are peeved and worried, and some of them have been pressuring the Government to lay off the heat, at least. Thousands of regular Net users have come to Zimmermann's defense, some of them sending e-mail to the appropriate politicians, some of them donating to Zimmermann's legal defense fund.

David-and-Goliath aspects aside, the case is important for two reasons. The obvious one is the First Amendment one--computer software ought to be considered speech, something that Congress isn't supposed to pass any law abridging the freedom of. Anyway, encryption is just math, and restricting or banning it isn't that much different than banning the knowledge that two plus two equals four.

The other thing about the case is its impact on America's software industry. Restricting the export of strong encryption is a joke--you can buy it shrink-wrapped in Moscow. The restrictions are an outdated, artificial leg-iron on American companies, and if they were enforced on everybody, it would make American encryption software a second-rate choice in every other part of the world. Public key encryption lets you do secure transactions on the Internet. That means buying and selling and free enterprise--all the things that we won the Cold War for--with little risk of theft or fraud. It's a shame that exporting what could be a great crime-fighting device could end up being a crime itself.


For more info, check out these Web pages:

http://draco.centerline.com/~franl/pgp/pgp.html (Lots of good PGP info and links)
http://www.netresponse.com/zldf (Zimmermann Legal Defense Fund)

To get your own copy of PGP, look for the "Where to get PGP" FAQ-list in the newsgroups sci.crypt, talk.politics.crypto, or alt.security.pgp. It's on a lot of sites--you should be able to get it by anonymous ftp from ftp.csua.berkeley.edu; start from the /pub/cypherpunks/pgp directory. Version 2.62 is the one you want, and it's there for the Mac as well as DOS, Windows and Unix versions.

