Zimmermann: Public too slow to adopt encryption
- By William Jackson
- Jul 30, 2003
LAS VEGAS: The reported use of encryption by terrorists has not shaken Philip Zimmermann's faith in having strong encryption in the hands of the public.
Zimmermann, the creator of Pretty Good Privacy software for protecting e-mail, spoke today at the Black Hat Briefings about the struggle to commercialize the software and his three-year battle with the government over export restrictions.
'That was the central argument in the debate,' he said. 'At no time did I deny that criminals would use PGP. But we came to the decision that society is better off with strong encryption than without it, even though criminals would use it.'
PGP is a public-key encryption scheme that does not depend on a hierarchy of certificate authorities. It is a standalone product in which users certify each other's keys by signing them and each user decides which of those signers to trust as introducers, the so-called web of trust.
Zimmermann said he originally began PGP 'as a human rights project. I got the idea in the 1980s when I was a peace activist.' The idea was to provide a tool to protect the privacy of organizations and individuals around the world who were being investigated by their governments.
But the U.S. government banned the export of most encryption without permission, and investigated Zimmermann for violating export controls when PGP was distributed worldwide.
'We beat them in the 1990s,' he said. 'They tried to stop us domestically and with export controls, and we won.'
But he said civil liberties have begun to erode in this country since Sept. 11 and offered a warning to government officials in his audience: 'Don't throw out the baby with the bath water in our zeal to stop terrorists.'
Despite concerns about civil liberties, Zimmermann doubts that government will make efforts to limit the use of encryption in the name of security.
'I don't think that is going to reach critical mass in Congress,' he said. 'Things have changed too much' since the 1990s.
Zimmermann said he is disappointed at the slow speed with which the public has adopted cryptography. Most people are not using standalone products such as PGP and other commercial software based on the OpenPGP standard to encrypt e-mail, he said. And efforts to establish large public-key infrastructures have failed. PKI makes sense in hierarchical organizations such as the Defense Department, which is deploying it with its Common Access Card, but it is proving too inflexible to be widely adopted elsewhere, Zimmermann said.
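To make the contrast between the two trust models concrete (PGP's web of trust, described earlier, versus the hierarchical PKI Zimmermann says suits the Defense Department), here is an added example. It is illustrative code written for this page, not code from the article, from PGP or from any OpenPGP implementation, and it models only the core validity rules; real OpenPGP adds expiry, revocation and trust-depth handling that are omitted here. All key names, signatures and trust assignments are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    """A public key and the set of key owners who have signed (certified) it."""
    owner: str
    signers: set = field(default_factory=set)


# --- Hierarchical PKI: trust flows down from one pre-configured root ---

def pki_valid(keys, name, root, max_depth=5):
    """Valid iff a chain of signatures no longer than max_depth leads from
    `name` up to the trusted root. The depth bound also stops cycles such as
    a self-signed key that never reaches the root."""
    frontier = {name}
    for _ in range(max_depth):
        if root in frontier:
            return True
        frontier = {s for n in frontier if n in keys for s in keys[n].signers}
        if not frontier:
            return False
    return root in frontier


# --- PGP-style web of trust: trust is assigned by each user to introducers ---

def wot_valid(keys, me, trust, full_needed=1, marginal_needed=2):
    """Return the set of keys that `me` considers valid.

    A key is valid if it is my own, or if it is signed by at least
    `full_needed` fully trusted introducers or `marginal_needed` marginally
    trusted ones. Only signatures from keys that are themselves already
    valid count, so validity is computed to a fixed point."""
    valid = {me}
    changed = True
    while changed:
        changed = False
        for name, key in keys.items():
            if name in valid:
                continue
            full = sum(1 for s in key.signers
                       if s in valid and trust.get(s) == "full")
            marginal = sum(1 for s in key.signers
                           if s in valid and trust.get(s) == "marginal")
            if full >= full_needed or marginal >= marginal_needed:
                valid.add(name)
                changed = True
    return valid


# Constructed sample data for the hierarchical model (names are hypothetical).
PKI_KEYS = {
    "root-ca":    Key("root-ca"),                     # trust anchor, installed out of band
    "dept-ca":    Key("dept-ca", {"root-ca"}),
    "alice":      Key("alice", {"dept-ca"}),
    "mallory-ca": Key("mallory-ca", {"mallory-ca"}),  # self-signed, no path to the root
    "mallory":    Key("mallory", {"mallory-ca"}),
}

# Constructed sample data for the web of trust, seen from the user "me".
WOT_KEYS = {
    "me":    Key("me"),
    "alice": Key("alice", {"me"}),
    "bob":   Key("bob", {"me"}),
    "carol": Key("carol", {"alice"}),
    "dave":  Key("dave", {"bob", "carol"}),
    "eve":   Key("eve", {"bob"}),
    "frank": Key("frank", {"carol", "zed"}),  # "zed" is a key I do not know
}
MY_TRUST = {"me": "full", "alice": "full", "bob": "marginal", "carol": "marginal"}


if __name__ == "__main__":
    print("PKI: alice valid?", pki_valid(PKI_KEYS, "alice", "root-ca"))
    print("PKI: mallory valid?", pki_valid(PKI_KEYS, "mallory", "root-ca"))
    print("Web of trust, valid keys:", sorted(wot_valid(WOT_KEYS, "me", MY_TRUST)))
```

In the hierarchical model `alice` is valid only because an unbroken chain reaches the one root, and `mallory` is not, however many other users vouch for her. In the web of trust `dave` becomes valid on the strength of two marginally trusted friends, while `eve` (one marginal signature) and `frank` (one marginal signature plus one from a key I have never seen) do not, with no administrator or authority involved in any of those decisions.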
The exception, he said, is in schemes such as Secure Sockets Layer, which transparently encrypts communications between browsers and servers. Its transparency rests on a PKI the user never sees: browsers ship with a list of certificate authorities, so server certificates are checked without any setup by the user. Zimmermann said such user-friendly schemes are the future of cryptography.
William Jackson is a Maryland-based freelance writer.