Electronic Engineering Times, Jan. 16, 1995
copyright 1995 by CMP Publications, Inc. All rights reserved.

LAWYERS TO U.S: HALT PGP PROBE
PARTIES MEET IN ZIMMERMANN CRYPTO CASE

BY ALEXANDER WOLFE

San Jose, Calif. -- A two-year-long federal criminal probe that could reshape the future of encryption technology on the Internet took a major step forward last week, as attorneys in the case met face-to-face for the first time.

The investigation pits the U.S. government against Phil Zimmermann, an independent software developer who wrote the Pretty Good Privacy (PGP) encryption package and offered it on the Internet. Zimmermann's troubles stem from the fact that numerous copies of PGP have found their way outside the United States -- in violation of laws restricting the export of encryption algorithms and categorizing them as military secrets.

Last week, Philip Dubois, Zimmermann's lead counsel, met with U.S. assistant attorney William Keane, the government lawyer handling the case. Dubois sought to persuade Keane not to proceed toward an indictment that could result in sanctions of up to 10 years in prison and $1 million in fines.

``We told the prosecutor our concerns,'' Dubois said. ``He agreed to consider them. We might hear back in a month or two. He didn't make any promises.''

The inquiry has raised hackles in the cryptography community, where it has been called by some an effort to quash independent software in favor of government-supported algorithms (see sidebar). In some circles, the affair has been cited as a software incarnation of last year's Clipper-chip debacle.

Zimmermann is not in danger of being indicted for willfully exporting PGP. Rather, the U.S. attorney's office, here, is considering charging him for making PGP available in such a manner that it could be exported by a third party.

``The basis of that concern is a bit opaque,'' said Ken Bass, a former intelligence-policy official in the Carter administration and a legal adviser to Zimmermann.
``The government has never specified why they think that Zimmermann is responsible, when in fact he's taken numerous steps to prevent export of PGP.''

According to Dubois, ``If you go on the 'Net, you see that PGP is the de facto standard for encrypting your e-mail. So, if the government intended to make a statement about private cryptography or export, Zimmermann would be the obvious target.

``It's the government's theory that, since [Zimmermann] wrote PGP, he must have something to do with its leaving the United States. It's unclear how they make that leap.''

Since version 1.0 of PGP was released in 1991, end users have snapped up thousands of copies. Industry experts noted that PGP is now widely used for the secure transmission of credit-card and signature-verification information via e-mail. That capability positions it as a powerful engine to drive commercial transactions on the Internet.

PGP is available for downloading off the Internet, from an ftp site at the Massachusetts Institute of Technology (MIT). Bass said that the site has domain-control software that prevents access from outside the United States. According to Bass, export of PGP could occur only via ``trans-shipment'' -- where a domestic Internet user downloads PGP from the MIT site and sends it overseas. (PGP is also sold commercially by the Viacrypt division of Lemcom Systems Inc., in Phoenix.)

After last week's meeting, the government attorneys involved in the case were expected to confer. It may take several months for them to reach a decision on whether to drop the case, or proceed toward an indictment, Dubois said.

``It's hard for me to imagine that they would [indict], but I have, unfortunately, seen the federal government make crimes out of things that aren't crimes,'' he said. ``I would hope [U.S. attorney Keane] would consider that the overwhelming impression of people in the know is that Zimmermann ought not to be prosecuted.
Not just for his sake, but for the sake of society.''

Zimmermann's supporters see the case as having broad implications for the use of all types of encryption software.

``If he's indicted, it will be most unfortunate,'' said Dan Geer, chief scientist at Open Vision Inc. (Cambridge, Mass.). ``He wrote software and made it available to anyone. The idea that codified knowledge is in some way criminal leads in the direction of `thought crime.' If we have any belief in free speech, we can't have this.''

Said Dubois: ``If he's indicted, the law will be that anybody who has anything to do with making available something the government defines as contraband is a felon.''

Zimmermann's case has attracted some heavy-hitting legal representation. In addition to Dubois and Bass, his team includes Eben Moglen, a Harvard law professor and former clerk to the late Supreme Court Justice Thurgood Marshall. Some of the representation is being done on a pro bono basis. Contributions have also been pouring in to Dubois via e-mail, with donors encrypting their credit-card numbers with the PGP algorithm.

The technological and social issues raised by the Zimmermann affair are not cut-and-dried, according to industry observers. Leading the laundry list of points typically raised when discussing encryption is whether government agencies responsible for national security should have the right to read a citizen's mail.

``PGP makes it possible for anyone to have absolute privacy,'' said Open Vision's Geer. ``This raises the argument of whether absolute privacy is a right. It's problematic.''

On the technological front, a typical stumbling block has been encountered when trying to deploy encryption software. For example, algorithms robust enough to survive all attempts to be ``hacked'' are usually too cumbersome to use. Conversely, easy-to-use crypto software is often easy to break into.
Indeed, the two opposing concerns of usability and vulnerability have been at the heart of the government's export-control attempts. Technology watchers note that the government generally allows the export of encryption software to which it can retain ``back-door'' access. Moreover, many basic patents on public-key encryption will run out before the end of the century, making the technology even less controllable.

PGP, which is based on the Diffie-Hellman public-key encryption technology developed in the 1970s, is considered robust enough for the average user, though it's by no means invulnerable.

Zimmermann is said to be at work developing a follow-on to PGP, known as PGP Phone. That would enable a PC equipped with a sound card and a modem to function as a secure telephone. Zimmermann is also preparing a formal PGP standards document, for submission to the Internet Engineering Task Force.