Crypto doesn't kill--people do


By Charles Cooper
September 28, 2001


In June 1991, Phil Zimmermann sent the first release of Pretty Good Privacy, an e-mail encryption program he developed, to a couple of buddies who uploaded the code to the Internet.

Within a very short time, PGP had been ported to nearly every computer platform out there and translated into many different foreign languages, as people latched onto something that would help them maintain their electronic privacy in an ever-more-connected world.

Some folks in powerful positions were not of a similar mind, and a controversy was born as Zimmermann quickly became the subject of a criminal investigation by the U.S. Customs Service. The probe came about because of suspicions that Zimmermann had violated a federal regulation proscribing the illegal export of munitions--even though the code was up there on the Internet for anyone to download.

Simply put, the feeling inside the federal bureaucracy was that PGP was potent enough to be lumped together with rocket-propelled grenades and advanced jet aircraft, and this was just not acceptable.

Calmer voices ultimately prevailed, and the investigation was finally closed without indictment in 1996.

But in the aftermath of the Sept. 11 suicide bombings in New York and Washington, some people want to require U.S. software companies to build so-called backdoors into their products. New Hampshire Sen. Judd Gregg has been at the forefront of the debate, allowing that even if a perfect solution isn't attainable, Congress shouldn't sit idly by since perfection isn't attainable, in any case.

To be sure, terrorists can use encryption to hide their activities from the likes of Interpol, the CIA or any other snoopy intelligence gatherer. Ramzi Yousef, who was convicted of planning the 1993 World Trade Center bombing, was found to have used encryption to shield his plot to blow up U.S. airplanes while they were en route to this country over the Pacific. Thus the temptation to reopen the 1990s' key escrow debate.

But would we then all be better off if law enforcement agencies had keys to unlock encrypted messages? It's a philosophical issue that was never firmly answered because market realities intervened. At the time, consumers and companies steadfastly balked at the prospect of using software that included built-in backdoor access for the feds. The Clinton administration realized it was on a fruitless mission and dropped the issue.

So I'd like to take a stab at explaining why requiring backdoor access to encryption software is a non-starter:

  First off, it's a quick-fix, feel-good measure that won't make a whit of difference when it comes to stopping the bad guys. Terrorists don't need U.S. encryption technology. Code makers long ago broke ahead of the code breakers, and the fact is that the knowledge of cryptography has since spread far and wide. Remember that Zimmermann wrote PGP from information that was readily available in the open literature at the time.

I doubt whether the Osama bin Ladens of the world are so dumb that they would use software that has already been compromised. No doubt there are any number of capable computer scientists in the Middle East and Central Asia whom these groups can turn to in a pinch for technical assistance.

  Then there are the obvious civil-liberty objections. Presumably, backdoor access would be limited to instances in which the authorities need to track e-mail communications between terrorists. The problem here is that you never know which way the wind is going to blow. Once surveillance tools receive legitimization, who can guarantee that they'll always be used in enlightened ways by an administration in, oh, how about the year 2084?

  The competitive angle: If U.S. companies are forced to play by these rules, rest assured there are foreign companies aplenty that will get around the Americans' export ban. Network defense is something governments are keen on. Consulting company Frost & Sullivan estimates that sales of encryption technologies to government and military agencies around the world will soar to $457.6 million in 2007 from the current $176 million.

Assessing the blame
The fear now is that encryption technology will be unfairly singled out in the debate over how to guard against future terror attacks.

A recent story in The Washington Post, for example, misrepresented Zimmermann's views on the role PGP encryption may have played in the terrorist attacks. Still, I suppose that a lot of people may be ready to believe that encryption played a role in the deaths of the victims on Sept. 11. It's a flight of logic that makes as much sense as pointing a finger of blame at Boeing, the company whose giant aircraft destroyed thousands of lives in a matter of minutes.

In this ever-smaller world of ours, there are few tools that people can't misuse to fulfill their own evil purposes. Nuclear power can be used to provide cheap electricity to towns and cities; it also can be used to build atomic bombs.

In the end, we're left with the unsatisfying conclusion that partisans on both sides of the debate were right about encryption. PGP has become the way for people--and that includes the bad guys--to encrypt their e-mail.

But there's no way--or at least none that I've heard about--to stop the use of encryption. The hard truth is that the encryption genie has escaped from the bottle. Somebody indeed deserves to shoulder the rap for the suicide bombings of Sept. 11, but it's not Phil Zimmermann. If he hadn't invented PGP, rest assured that somebody else would have.
Bullpen penner
Charles Cooper is the executive editor of commentary at CNET News.com.