A New Era for PGP
In his keynote speech on the first day of the Black Hat Briefings here Wednesday, Zimmermann ripped NAI for all but shelving PGP after the security conglomerate bought Zimmermann's company in the late 1990s.
"I used to get a lot of e-mails from people worried that PGP would fall into the wrong hands. It did fall into the wrong hands at Network Associates," Zimmermann said, drawing a big laugh from the assembled group of hackers, security specialists, crypto enthusiasts and law enforcement officers in the audience. "Why do you laugh when I mention NAI? I see this is a knowledgeable crowd. That was a dark chapter in PGP's history. But the dark times are over."
PGP Corp., a new company formed last year, now sells the commercial version of PGP. Zimmermann began work on the encryption software in the mid-1980s as a human rights project. He was looking for a way to help activists in countries under oppressive regimes to protect their electronic communications. Over the years, he has been contacted by numerous people who have described how the use of PGP helped save their lives or the lives of others.
But at the same time, the government decided that Zimmermann's software was too dangerous to be exported and opened an investigation into whether he had violated the Arms Control Export Act when he uploaded it to the Internet. Prosecutors maintained that criminals and terrorists would use PGP to defeat government eavesdropping efforts, which outweighed the potential good the software might do.
Zimmermann, and many thousands of his supporters, disagreed. However, he readily admits that PGP has in fact been used by criminals.
"That was the central question of the debate during the 1990s. We came to a decision that society is better off with crypto," Zimmermann said. "I wish criminals and terrorists didn't use crypto, and specifically I wish they didn't use PGP, but they do. You have to look at the big picture. It's saved lives around the world. It's a decision we made with our eyes open."
Responding to a question about whether the government's policy on allowing the use and export of strong encryption might change now that it has become ubiquitous, Zimmermann said no, but warned that there could be other scenarios on the horizon that are just as troubling.
"We might see some effort by the government to force you to give up your private key if you are the target of a criminal investigation," he said. "But I would submit that under stress you might forget your passphrase."
Zimmermann also had a direct message for the government representatives in the audience. "A lot of you in the audience work for the federal government, or so I'm told. Let's not throw the baby out with the bathwater when it comes to the erosion of our civil rights. We have seen the worst erosion of our civil rights in the last two years," he said, drawing a loud round of applause.