From NETGUIDE magazine, May 1, 1995, Issue 205, page 65
Phil Zimmerman, a man who has dedicated his career to privacy, now finds himself very much in the public eye. It's not a lot of fun. ''I need to make some more money,'' he says, a little ruefully. Zimmerman has just returned to his Boulder, Colo., home after a trip to California. It was there that his lawyers met for the first time with a federal prosecutor who soon will decide whether to indict Zimmerman for violating laws that prohibit the export of munitions and other state secrets.
Zimmerman isn't a gunrunner. He's a computer expert who wrote a highly regarded encryption program called PGP (Pretty Good Privacy) and made it available for free to anyone who wants to make sure that the contents of electronic-mail messages are read only by the intended recipients. An unnamed friend of his posted the program on the Internet, and soon it was being downloaded by users from Latvia to Indonesia.
Under current U.S. laws, encryption programs such as PGP are grouped with certain munitions as highly classified materials that can't be exported without State Department approval. Zimmerman, unaware that PGP had been posted on the net, and certainly unable to keep it from being downloaded by others, became the target of a U.S. Customs Service investigation. (Customs officials refuse to comment on the ongoing investigation.) The government knows Zimmerman neither posted the software on the net nor actually exported it, yet it can charge him with export by act of creation--which means it can hold him liable simply because he's admitted to developing the program. If he's indicted and subsequently convicted, he could face up to 10 years in jail and fines of $1 million.
But the financial concerns he expresses have less to do with the possibility of enormous fines than they do with simply paying the bills. Zimmerman's consulting fees have actually gone up thanks to the publicity surrounding the 2-year-old investigation, but the time spent on legal matters has cut deeply into his work life.
''From the time the Customs people paid their first visit to Boulder, in February of '93, until now, I've had to spend a lot of time and energy dealing with this,'' he says.
Luckily, he adds, his case has generated enough attention to attract financial and moral support. A legal defense fund has been established on his behalf, and various parties, from the American Civil Liberties Union (ACLU) to Internet industry groups such as the Usenix Association, say they will assist in any way they can. Groups such as the Electronic Frontier Foundation are watching the case closely, concerned that the government's interest in security and law enforcement is outstripping its constitutional duty to protect free speech. Although Zimmerman's lead counsel, Philip DuBois, does not view the case as a matter of free speech--his argument centers on the impossibility of proving who precisely is responsible for the export of a program posted on the Internet--others see the investigation as part of a broader effort to control personal communications in cyberspace.
If all electronic communication is protected, observers say, the government would in fact be severely hampered in its ability to prove certain crimes (consider the role that wiretaps have played in sending various organized crime figures to jail). But if PGP and similar programs are restricted in favor of encryption programs the government can crack (for example, the much-debated Clipper chip--a government-designed device that allows for simple wiretaps), then no citizen could be absolutely sure of privacy.
''We are at a fork in the road,'' says Dan Geer, who oversaw the Kerberos computer-security research effort at the Massachusetts Institute of Technology (MIT) for five years and is now an executive at a computer security firm called, oddly enough, Open Vision. ''One road leads to no proof, the other to no privacy. One is anarchy, the other totalitarianism. Neither is a good choice, but if I were pressed, I'd say privacy is paramount.''
But why put Zimmerman at the center of this battle? After all, he wrote PGP on his own time and gave it away. Even though the product is a virtualhery what can be explained by simple incompetence.'' And he adds that Zimmerman did little more than put into code various algorithms that had long been available in academic journals.
All of this is little comfort to Zimmerman. Still, he carries on, continuing to urge all Internet neophytes to use PGP or some other encryption program to protect their messages. ''Privacy is a right like any other,'' he says. ''You have to exercise it or risk losing it. People ask why they should encrypt a message when they have nothing to hide. For the same reason you put letters in envelopes even though the content may be harmless. Privacy is very important; it's that simple.''
As if to underscore his point, Zimmerman adds that he is working on a new product, PGP Voice, that will let people use a modem-equipped PC as a secure telephone. ''I plan to make it available in some form for free to people in the U.S.,'' Zimmerman vows, ''but you can be sure my lawyers will review every step of the process. I'm not going through this again.''
Scott Leibs, a writer from Cambridge, Mass., recalls several instances when he should have encrypted his e-mail.
Copyright 1995 by CMP Publications. All rights reserved.
