
Phil Zimmerman & the "crypto wars" of the 1990s


Phil Zimmerman & the "crypto wars" of the 1990s

Post by Pattern_Juggled » Tue Mar 26, 2013 9:18 am

For the youngsters out there, this stuff may seem like "old news" - but it's still relevant today. I'm going to plop down some basic information on what happened, and we can add to it as we go along.
The Ethical Spectacle, July 1995, http://www.spectacle.org

The Zimmerman Case

Phil Zimmerman is the author of a popular encryption program called Pretty Good Privacy (PGP). He has been under investigation for two years by a federal grand jury because, after he released PGP as shareware, someone else put it on the Internet and foreign citizens downloaded it. Cryptography programs are classified as munitions under federal law and may not be exported.

The Zimmerman case involves a head-on conflict between the First Amendment right of free expression and the legal doctrine that an idea can be an export. The result of the latter doctrine is that an idea that may be freely expressed within our borders may land one in jail if carried out of the country. Combine this with the impossibility of keeping ideas that are on the Internet from going abroad, and the impossibility of keeping ideas off the Internet, and you have a volatile mix.

Export laws make most sense applied to tangible objects, the kind you can search people's luggage for. Applied to ideas, whether in your head or embodied in speech, export laws rapidly get into trouble. How do you prevent a foreign visitor from leaving the country with ideas about cryptography he gained in a conversation, perhaps at a conference, here?

Years ago, I was startled to learn that a foreign subscriber to Compuserve who downloads a utility program from the IBM PC forum, has just engaged in an export. Depending on the country he comes from and the nature of the software, it may be an illegal export. The federal government has taken a special interest in cryptography software, of the sort written by Phil Zimmerman, and has legally classified it as a "munition", not to be exported anywhere, including friendly countries, without permission.

In the course of a single session surfing the Web, you may find yourself on servers in France, the Netherlands, Britain, South Africa, Israel and Japan, and you may take an idea from, or leave an idea on, any one of them.

It is the nature of the Internet that anything you place on it here will be downloaded abroad, sooner rather than later. On the Internet, there is no difference between local and international any more. It is the same as if all phone calls went over party lines where any listener might be in a foreign country.

According to Phil Zimmerman's attorneys, if he is indicted the government will not claim that he placed Pretty Good Privacy on the Internet; he merely released it as shareware, and someone else put it online. The government will effectively be forced to argue that Phil Zimmerman should not have released PGP because it was foreseeable that someone would place it on the Net and it would go out of the country. The chilling effect of such an argument cannot be overstated.

Of course, the feds need never indict him to deter others from emulating him; the legal fees and the two year ordeal of being investigated are chilling enough.

In copyright law, when idea and expression merge--when there is only one way to implement a particular concept in code, for example--then the copyright monopoly is not available. It was never intended to allow anyone to monopolize an idea for all purposes, because of the ownership of a particular expression of the idea. Similarly, when there is only one channel of communication, simultaneously local and international, an idea cannot be barred from any expression because it might end up being transmitted across the border.

All ideas that do not originate on the Internet are soon echoed there. (In recent weeks, I have used WebCrawler to search for the Holocaust, guns, Jake Baker, evolution, and the Prisoner's Dilemma, and have found ample material on every topic.) We have reached the point at which the only sure way to avoid the export of an idea is not to utter it. We all lose if this happens. Therefore, our interest in the free expression of ideas must outweigh the government's interest in keeping them within our borders.

I am not arguing that the government has no legitimate interest here. But, if you evaluate its interest in cryptographical software, it becomes clear that this is not a case of the government trying to "bogart" technology that can kill people. Instead, the government's desire is to be able to decode and read other people's communications more effectively. This is the same desire that led this administration to ask all telecommunications manufacturers to install a back door, the Clipper chip, to allow the unscrambling of all communications. What the government really seems afraid of in the Zimmerman case is not Pretty Good Privacy, but privacy itself.

For more information, see a letter from Phil Zimmerman.
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f


WHY DO YOU NEED PGP? by Phil Zimmermann

Post by Pattern_Juggled » Tue Mar 26, 2013 9:19 am

The Ethical Spectacle, July 1995, http://www.spectacle.org

WHY DO YOU NEED PGP? by Phil Zimmermann

It's personal. It's private. And it's no one's business but yours. You may be planning a political campaign, discussing your taxes, or having an illicit affair. Or you may be doing something that you feel shouldn't be illegal, but is. Whatever it is, you don't want your private electronic mail (E-mail) or confidential documents read by anyone else. There's nothing wrong with asserting your privacy. Privacy is as apple-pie as the Constitution.

Perhaps you think your E-mail is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? You must be a subversive or a drug dealer if you hide your mail inside envelopes. Or maybe a paranoid nut. Do law-abiding citizens have any need to encrypt their E-mail?

What if everyone believed that law-abiding citizens should use postcards for their mail? If some brave soul tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. There's safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their E-mail, innocent or not, so that no one drew suspicion by asserting their E-mail privacy with encryption. Think of it as a form of solidarity.

Today, if the Government wants to violate the privacy of ordinary citizens, it has to expend a certain amount of expense and labor to intercept and steam open and read paper mail, and listen to and possibly transcribe spoken telephone conversation. This kind of labor-intensive monitoring is not practical on a large scale. This is only done in important cases when it seems worthwhile.

More and more of our private communications are being routed through electronic channels. Electronic mail is gradually replacing conventional paper mail. E-mail messages are just too easy to intercept and scan for interesting keywords. This can be done easily, routinely, automatically, and undetectably on a grand scale. International cablegrams are already scanned this way on a large scale by the NSA.

We are moving toward a future when the nation will be crisscrossed with high capacity fiber optic data networks linking together all our increasingly ubiquitous personal computers. E-mail will be the norm for everyone, not the novelty it is today. The Government will protect our E-mail with Government-designed encryption protocols. Probably most people will acquiesce to that. But perhaps some people will prefer their own protective measures.

Senate Bill 266, a 1991 omnibus anti-crime bill, had an unsettling measure buried in it. If this non-binding resolution had become real law, it would have forced manufacturers of secure communications equipment to insert special trap doors in their products, so that the Government can read anyone's encrypted messages. It reads:

"It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall insure that communications systems permit the Government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law."
This measure was defeated after rigorous protest from civil libertarians and industry groups.

In 1992, the FBI Digital Telephony wiretap proposal was introduced to Congress. It would require all manufacturers of communications equipment to build in special remote wiretap ports that would enable the FBI to remotely wiretap all forms of electronic communication from FBI offices. Although it never attracted any sponsors in Congress in 1992 because of citizen opposition, it was reintroduced in 1994.

Most alarming of all is the White House's bold new encryption policy initiative, under development at NSA since the start of the Bush administration, and unveiled April 16th, 1993. The centerpiece of this initiative is a Government-built encryption device, called the Clipper chip, containing a new classified NSA encryption algorithm. The Government is encouraging private industry to design it into all their secure communication products, like secure phones, secure FAX, etc. AT&T is now putting the Clipper into their secure voice products. The catch: At the time of manufacture, each Clipper chip will be loaded with its own unique key, and the Government gets to keep a copy, placed in escrow. Not to worry, though -- the Government promises that they will use these keys to read your traffic only when duly authorized by law. Of course, to make Clipper completely effective, the next logical step would be to outlaw other forms of cryptography.

If privacy is outlawed, only outlaws will have privacy. Intelligence agencies have access to good cryptographic technology. So do the big arms and drug traffickers. So do defense contractors, oil companies, and other corporate giants. But ordinary people and grassroots political organizations mostly have not had access to affordable military grade public-key cryptographic technology. Until now.

PGP empowers people to take their privacy into their own hands. There's a growing social need for it. That's why I wrote it.

Phil Zimmermann

  • This informational message has been provided as a public service to the Internet community by the ZLDF -- the Phil Zimmermann Legal Defense Fund (info: zldf@clark.net), and is maintained by friendly supporters. (To reach a human being: zldf-people@clark.net.)

    Support Phil Zimmermann -- make a contribution today at http://www.fv.com/pzldf.html -- and please pass this message along to a friend right now. Thanks!

    Worldwide redistribution is encouraged in any form, as long as this entire message is redistributed and this attribution notice is included.

Re: Phil Zimmerman & the "crypto wars" of the 1990s

Post by Pattern_Juggled » Tue Mar 26, 2013 9:27 am

...some information about his indictment, the dropping of charges, the applicability of munitions export laws to cryptographic code, and the background smears against Phil that - despite all credible, verifiable evidence - he "sold out" and both cooperated with the Fed cops who had harassed him for years, and magically "backdoored" the PGP codebase itself:
The History of PGP

PGP was born in controversy. Zimmermann wrote version 1.0 as a response to United States Senate Bill 266. If it had been passed, this legislation would have required all communications vendors to embed "back doors" to permit government agencies to tap their products. He rushed a release of 1.0 into the hands of his computing friends, at least one of whom began to distribute it on bulletin boards throughout North America. Its circulation meant that any criminality resulting from passage of the bill would have been difficult to enforce.

Code-sharing didn't stop at national borders, though, and there was nothing hypothetical about it: export of PGP outside the U.S. (with possible exceptions involving Canada) was definitely illegal. Everyone involved agreed that the Office of Defense Trade Control's enforcement of the International Traffic in Arms Regulations (ITAR) extended to cryptographic software.

Whom to Prosecute?

Whom could the US Department of Justice indict, though? Zimmermann just programmed and talked; he was careful not to engage in any "munitions exports" himself.

Despite these precautions, criminal charges were brought against him. The programming and civil rights communities joined to create a legal defense fund. After three years of what Zimmermann calmly categorizes as "persecution," prosecutors dropped the case in early 1996 with as little comment as they had earlier justified it.

Controversy didn't end there. Even before the criminal indictment, RSA notified Zimmermann that it considered PGP an infringement of its patents. Zimmermann had been careful to engage only in "educational use" of applicable documents and inventions. He consistently emphasized in his presentations that users were responsible for securing applicable licenses.

The RSA battle ended as undramatically as the ITAR one had. Zimmermann and Public Key Partners (PKP), an RSA affiliate, signed an agreement that Zimmermann would continue not to distribute RSA inventions and PKP would not sue Zimmermann. RSA threatened Zimmermann and the Massachusetts Institute of Technology (MIT) for various alleged infringements. Zimmermann programmed around legal problems, and MIT shielded him from others in pursuit of its own intellectual rights.

While the publicity around these disputes served as valuable marketing for PGP, it also made it hard to move on. Hecklers continue to believe, for example, that Zimmermann had secretly acquiesced to government demands and somehow weakened PGP. Although it's hard to prove covert arrangements do not exist, it's equally difficult to imagine how Zimmermann might contaminate source code available for public review, which PGP was.

Re: Phil Zimmerman & the "crypto wars" of the 1990s

Post by Pattern_Juggled » Tue Mar 26, 2013 9:35 am

...and here's a nice little summary of the export restrictions, the ways people used to get around them, and their relevance to crypto nowadays:
Wasn't PGP Considered A Non-Exportable Weapon? How Did The International Versions Stay Legal?

During this time, PGP and the RSA libraries, or any other so-called "strong" encryption were considered "munitions" in the same category as bioweapons and whatnot. They were therefore illegal to export out of North America under ITAR (International Traffic in Arms Regulations). Yeah, I know, once it's been released on the internet, how are you going to keep it in North America? Can't be done, but they gave it a shot. It gets stranger. Hang on.

Now, the Norwegians may not have cared a wet slap for US Patent law, but importing material declared by a friendly country to be an illegally exported weapon was another matter. To avoid getting wrapped around the whole munitions export/import tar-baby, they had to find another way to get the source code which was reliable (preferably directly from PGP) and legal.

They couldn't believe their good fortune when a review of the ITAR regulations revealed an odd thing: The export control only applied to cryptographic software in electronic form...disks, emails, ftp downloads, etc.

So, every time PGP would release a new version of their software, all the Internationals had to do was order up a written copy of the source code, which wasn't covered under ITAR since it wasn't in electronic form.

For example, the picture below is the twelve volumes of PGP Ver 5 source code...which they then simply(!) scanned into a computer using OCR software, checking it line at a time for errors. This took approximately 1000 hours for seventy people to complete. You wouldn't believe what a pain it is to go over scanned source code to make sure not a character was misplaced.

[Image: the twelve printed volumes of the PGP 5 source code]

At any rate, once done, all they had to do was run it through a compiler and Voila: PGP (International Version) popped out. They've done the same thing with every version since then.

No, I'm not kidding.

Since US law didn't apply to the written version, and Norwegian law didn't apply to the electronic version, they had a perfectly legal, 100% accurate version of PGP available for free download to the world (even the US, since IMPORTING crypto was legal...ITAR only applied to EXPORTING the stuff.)

By 1999, it was clear that putting the "strong crypto" genie back into the bottle wasn't going to happen. On top of that, ITAR was hammering the crap out of US security companies, including Microsoft. They couldn't export their strong PKI encryption either, which meant that anyone else in the world who wrote security software automatically had a leg up on US companies in the multi-bazillion dollar Internet security and authentication game (banks, credit cards, etc.) because Uncle Bill, et al, had to build weaker crypto into their products for overseas markets.

As a result, the US government finally saw the light, and granted worldwide export authority for a variety of strong encryption, including PGP. This, for all practical purposes, invalidated the ITAR export restrictions on crypto in general, and, not incidentally, also allows the PGPi people to just get the stuff electronically instead of tying up a giant wad of man-hours checking millions of lines of printed source code.

They rather prefer the electronic method.
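The "checking it line at a time" step in the post above is the part that a checksum can turn from eyeballing into a mechanical test. The block below is an added example, not code from the post or from the PGPi project; it assumes (hypothetically, the page does not describe the books' actual format) that each printed page carries a CRC-32 of its text, and uses a table of glyphs that OCR engines commonly confuse to repair single-character misreads and to flag pages that still need a human.

```python
import zlib

# Constructed sample "printed" pages of source code. Assumption (hypothetical, not
# the format of the real PGP books): every printed page carries a CRC-32 of its
# text, so a transcription can be checked page by page instead of by eye.
PRINTED_PAGES = [
    "int add(int a, int b)\n{\n    return a + b;\n}\n",
    "unsigned long rotl(unsigned long x, int n)\n{\n"
    "    return (x << n) | (x >> (32 - n));\n}\n",
    "static const int KEY_BITS = 1024;\nstatic const int BLOCK_LEN = 16;\n",
]

# Glyph pairs an OCR engine most often swaps when reading monospaced listings.
OCR_CONFUSIONS = {
    "0": "O", "O": "0",
    "1": "lI|", "l": "1I|", "I": "1l|", "|": "1lI",
    "5": "S", "S": "5",
    "8": "B", "B": "8",
    "2": "Z", "Z": "2",
    "`": "'", "'": "`",
}


def page_checksum(text: str) -> str:
    """CRC-32 of one page, as the 8 hex digits a printer could stamp on it."""
    return "%08x" % (zlib.crc32(text.encode("utf-8")) & 0xFFFFFFFF)


def verify_pages(ocr_pages, printed_sums):
    """One bool per page: does the transcribed text reproduce the printed checksum?"""
    return [page_checksum(p) == s for p, s in zip(ocr_pages, printed_sums)]


def repair_page(text: str, printed_sum: str):
    """Try every single-glyph substitution from the confusion table; return the
    corrected page if exactly one such swap fixes the checksum, else None
    (two or more misreads on a page still need a human)."""
    if page_checksum(text) == printed_sum:
        return text
    for i, ch in enumerate(text):
        for alt in OCR_CONFUSIONS.get(ch, ""):
            candidate = text[:i] + alt + text[i + 1:]
            if page_checksum(candidate) == printed_sum:
                return candidate
    return None


def check_volume(ocr_pages, printed_sums):
    """Return (page_number, status, text) per page: 'ok', 'repaired' or 'manual'."""
    report = []
    for n, (page, s) in enumerate(zip(ocr_pages, printed_sums), start=1):
        if page_checksum(page) == s:
            report.append((n, "ok", page))
            continue
        fixed = repair_page(page, s)
        report.append((n, "repaired" if fixed is not None else "manual", fixed or page))
    return report


if __name__ == "__main__":
    sums = [page_checksum(p) for p in PRINTED_PAGES]
    # Simulated OCR output: page 2 has "32" read as "3Z"; page 3 has two misreads.
    ocr = [
        PRINTED_PAGES[0],
        PRINTED_PAGES[1].replace("32", "3Z"),
        PRINTED_PAGES[2].replace("1024", "lO24"),
    ]
    for n, status, _ in check_volume(ocr, sums):
        print(f"page {n}: {status}")
```

A CRC-32 only detects corruption; the repair step works because the search space (one swap drawn from a small confusion set) is tiny, so a false match is vanishingly unlikely, and anything it cannot fix is handed back for the manual pass the post describes.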


Re: Phil Zimmerman & the "crypto wars" of the 1990s

Post by Pattern_Juggled » Fri Jul 12, 2013 8:17 am

Lost in Kafka Territory
The feds go after a man who hoped to protect privacy rights
By Vic Sussman | Posted 3/26/95 | US News & World Report


If anyone on Earth can claim to be a cyberspace celebrity, it is Philip Zimmermann, a soft-spoken data security consultant from Boulder, Colo. Every day, he is discussed on the Internet and computer bulletin boards in nearly 200 countries and is deluged with E-mail that treats him as a hero, a villain or a victim.

This week, the Electronic Frontier Foundation, a cyberspace civil liberties organization, will give Zimmermann a prestigious Pioneer Award, for helping protect citizens' privacy by creating a powerful encryption program called "Pretty Good Privacy" (PGP) and making it available for free. It has been a boon to those seeking to protect their E-mail and commercial transactions and, in some notable cases abroad, shielding communications by human-rights groups and dissidents in repressive countries.

But law enforcement and intelligence officials have a different view of Zimmermann's achievement. He is being investigated for possible violation of federal arms-export laws because his "cryptography for the masses" has slipped out of America. "The ability of just about everybody to encrypt their messages is rapidly outrunning our ability to decode them," worries a U.S. intelligence official. "It's a lot harder to eavesdrop on a worldwide web than it is to tap a cable." Echoes James Kallstrom, assistant director in charge of the FBI's New York office: "We need balanced public policy because it has unbelievable ramifications for business and law enforcement."

"Strengthen democracy." There is no coherent policy, and Zimmermann could end up paying for that. He says he feared for Americans' privacy rights and decided to give away PGP in 1991 because Congress was considering banning it. (No law ever passed.) He says he gave the program to friends, asking them to distribute it only in the United States: "I wanted to strengthen democracy, to ensure that Americans could continue to protect their privacy."

But the encryption program ended up on the Internet and has been downloaded by countless foreigners. So a grand jury in San Jose, Calif., has been gathering evidence since 1993, pondering whether to indict Zimmermann for violating a federal weapons-export law--a charge that carries a presumptive three-to-five-year sentence and a maximum $1 million fine. The investigation is being led by Silicon Valley Assistant U.S. Attorney William P. Keane; a grand jury indictment must be authorized by the Justice Department in Washington.

Zimmermann's woes raise big questions. Can machine-age law be applied fairly to rapidly developing technology? Is putting software on a computer the same as exporting it? Is he being strung out in a Kafkaesque nightmare as a warning to others? Some intelligence officials concede that it's too late to keep cryptography from spreading and say that intimidating distributors is the only way they can hope to deter code makers.

Beyond those issues, the case is saturated with irony. Powerful crypto is already widely available on Internet-accessible computers. An MIT Internet site distributes PGP, for example, as does a forum on the CompuServe commercial service. The latter--easily reached via phone lines from Europe and Asia--carries this impotent disclaimer: IF YOU ARE NOT A CITIZEN OF THE UNITED STATES, DO NOT DOWNLOAD THIS FILE. Oddest of all, it is perfectly legal for a foreign bad guy to buy books containing encryption codes and type them into a computer.

Oops! If Zimmermann is indicted as an alleged arms merchant because his cryptography ended up in foreign hands, then somebody in the U.S. government probably should be prosecuted, too. In 1993, the National Institute of Standards and Technology (NIST) inadvertently placed DES, a strong encryption program, on one of its Internet-linked computers. Word spread quickly in cyberspace, and a U.S. News reporter easily found a file copy on a computer in Finland. A NIST spokesman sheepishly admitted that the accidental crypto "export" was a mistaken attempt to help U.S. computer users strengthen their security.

Zimmermann says his motivation was also security-minded. It isn't comforting to him, though, that he might be hanging his Pioneer Award in a prison cell.

This story appears in the April 3, 1995 print edition of U.S. News & World Report.