[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

San Jose Mercury News Article



                             SAN JOSE MERCURY NEWS
                     Copyright 1994, San Jose Mercury News

 DATE: Sunday, April  3, 1994
 PAGE: 1F                         EDITION: Morning Final
 SECTION: Computing               LENGTH:  41 in. Long
 ILLUSTRATION: Drawing
 SOURCE: SIMSON L. GARFINKEL, Special to the Mercury News

                             KEEPING SECRETS SECRET
                 ENCRYPTION SOFTWARE SPARKS DEBATE OVER PRIVACY
                  LAW ENFORCEMENT AGENCIES CONTEND UNFETTERED
                   ENCRYPTION POSES A THREAT TO INTELLIGENCE
                   GATHERING, COURT-ORDERED WIRETAPS AND THE
                         EXECUTION OF SEARCH WARRANTS.

    IN THE last year, a piece of public domain software has become the bane
of the FBI, the rallying cry for a new generation of anti-government radicals
and the focal point of an international debate about privacy on the
information superhighway.
    Pretty Good Privacy allows two people anywhere in the world to exchange
electronic mail messages by telephone or over the Internet in absolute and
total privacy.
    PGP accomplishes this feat of technological magic with a technique called
public key encryption, the newest twist on the time-honored technique used by
spies for protecting their messages from interception by the enemy. What's
significant about PGP, say both its admirers and critics, is that the
encryption it uses is so powerful that PGP-protected messages cannot be
forcibly decrypted, or broken, by even the world's most sophisticated code
breakers.
    ''The problem is that guaranteeing privacy to everybody will guarantee
privacy to people who are going to misuse that technological sanctuary,''
said Stewart Baker, general counsel of the National Security Agency,
addressing the fourth annual conference on Computers, Freedom and Privacy
last week in Chicago.
    The nation's intelligence and law enforcement establishments have mounted
a crusade against unfettered encryption in general and PGP in particular,
saying they pose a serious threat to intelligence gathering, court-ordered
wiretaps and the execution of search warrants.
    ''With respect to PGP, the only use that has come to the attention of law
enforcement agencies is a guy who used it so police couldn't tell which
little boys he had seduced over the Internet,'' Baker said.
    PGP users at the conference said such characterizations are grossly
unfair. The overwhelming majority of people using PGP, they said, are
law-abiding individuals who simply wish to protect their communications from
the prying eyes of computer hackers and unscrupulous system administrators.
    ''If privacy is outlawed, only outlaws will have privacy,'' said Phil
Zimmerman, the Colorado-based*cryptography*consultant who wrote the first
version of PGP in March 1991.
    That year, the U.S. Senate considered an amendment to the Anti-Crime Bill
of 1991 that would have made it illegal to use encryption within the United
States unless law enforcement agencies were provided with a copy of the keys.
Although the proposal was ultimately withdrawn, it put the electronic
underground on notice that widespread encryption might be outlawed by
government before most people even realized what encryption was all about -
or its value for protecting individual privacy. Zimmerman's solution was to
write PGP and flood the country with high-quality cryptographic software.
    Leveling the playing field
    ''Intelligence agencies have access to good cryptographic technology,''
Zimmerman wrote in the PGP manual. ''So do the big arms and drug traffickers.
So do defense contractors, oil companies and other corporate giants. But
ordinary people and grass-roots political organizations mostly have not had
access to affordable 'military grade' public-key cryptographic technology . .
. until now.''
    While personal computer-based encryption programs have been available for
years, Zimmerman's PGP was the first to bring public-key encryption - which
is ideal for encrypting communications to a variety of people - to the
masses.
    Most*cryptography*programs available for personal computers use
private-key*cryptography.*With private-key schemes, the same encrypting
''key'' is used to encrypt and to decrypt any given file.
    This means you can't exchange encrypted e-mail with somebody unless you
first exchange a cryptographic key.
    Public-key cryptographic systems, first developed in the 1970s, use two
keys. The first key is called the public key; it encrypts the message. But it
takes a second key, called the private key, to decrypt the message and
recover the original text.
    The big advantage of public-key systems is that the public keys of many
people can be gathered and published in electronic address books. Then, if
you want to send somebody an encrypted message, all you have to do is look up
her key and use it: No prior arrangement is necessary.
    Launching the Clipper
    One year ago, the National Institute of Standards and Technology, working
in conjunction with the NSA, proposed a system for encrypting communications
within the United States called the Clipper chip. Like PGP, Clipper uses
public-key encryption so that any two Clipper chips can communicate with each
other without fear of wiretappers. But Clipper also uses a system called key
escrow to make it possible for law enforcement agencies - with authorization
by a court of law - to wiretap an encrypted conversation.
    Key escrow means the private key used by each Clipper chip is held in a
central repository. The Clipper system actually splits the key into two
parts, each stored with a different agency, to minimize the chance of an
illegal wiretap. The agencies are supposed to give up their copies of the
private key only when they are presented with a warrant for a wiretap.
    This March, NIST published a notice in the Federal Register setting forth
Clipper as a voluntary encryption standard for the federal government. By
endorsing an encryption standard, the Clinton administration hopes that
telephones, faxes and modems implementing a compatible encryption system will
soon be widely available.
    ''The rationale behind the Clipper and key escrow is to lower the cost,
to make encryption tools available to a large number of people while
maintaining the ability of the government to do the 1,000 or so authorized
wiretaps every year,'' said David Lytel, a policy analyst with the
president's Office of Science and Technology Policy.
    ''If you don't think Clipper keeps your communications secure, don't use
it,'' said Lytel. ''And if you want to use your own encryption on top of it,
go ahead.''
    Many people at the Computers, Freedom and Privacy conference said they
would avoid Clipper and added that it was likely that drug dealers, organized
crime and terrorists would do the same.
    ''The administration can't come up with examples of criminals bright
enough to use encryption in the first place but dumb enough to do it with the
government's chip,'' said Charles C. Marson, a San Francisco-based lawyer.
    Nevertheless, many organizations might be interested in
telecommunications systems based on Clipper, said the NSA's general counsel.
For example, said Baker, a company might prefer that its employees use a
system like Clipper, which provides security but can be wiretapped in
extraordinary circumstances, so it can monitor its employees should the need
arise.
    The next generation
    To use Clipper, however, these organizations will have to wait for
manufacturers to build the expensive Clipper chips into the next generation
of telephones.
    In the meantime, PGP is a solid system that provides privacy today. PGP
is free software, so if you have a friend who has it, you can simply make a
copy. If you have access to the Internet, you can also get a copy from the
computer SODA.BERKELEY.EDU using the Internet's File Transfer Protocol
system.
    Companies and individuals who feel more comfortable buying their programs
can now get a version of PGP that works on DOS and several Unix systems from
Viacrypt of Phoenix.
    Most oppose Clipper plan
    Buying the program entitles you to customer support - important for
people new to*cryptography.*
    Will the Clipper plan fly? No one knows. But a recent New York Times/CNN
poll found 80 percent of the U.S. public opposed to the Clipper and key
escrow when the proposal was explained to them, said Marc Rotenberg, director
of the Computer Professionals for Social Responsibility's Washington office.
    On the other hand, Zimmerman and others like him say
unrestricted*cryptography*is already making a difference around the world.
    As proof, he cites an electronic mail message that he received from
Russia in October on the day that President Boris Yeltsin was shelling the
Russian Parliament building. The e-mail said, in part: ''Phil, I wish you to
know: Let it never be, but if dictatorship takes over Russia, your PGP is
widespread from Baltic to Far East now and will help democratic people if
necessary. Thanks.''

  IF YOU'RE INTERESTED The public-domain version of Pretty Good Privacy is
available on many bulletin board systems or can be obtained from the FTP site
SODA.BERKELEY.EDU via the Internet. A commercial version is available from
Viacrypt, 2104 W. Peoria Ave., Phoenix, Ariz. Phone: (602) 944-0773. Fax:
(602) 943-2601.

 CAPTION:   DRAWING: CHRISTINE BENJAMIN - SPECIAL TO THE MERCURY NEWS [An
eagle, representing the US government, scans a flow of data from one computer
to another to interpret encrypted data.] [940403 CO 1F; color]

 KEYWORDS: COMPUTER SOFTWARE PRODUCT ETHICS CRIME
END OF DOCUMENT.