Slashdot Mirror
Philip Zimmermann and 'Guilt' Over PGP
No Regrets About Developing PGP
The Friday September 21st Washington Post carried an article by Ariana Cha that I feel misrepresents my views on the role of PGP encryption software in the September 11th terrorist attacks. She interviewed me on Monday September 17th, and we talked about how I felt about the possibility that the terrorists might have used PGP in planning their attack. The article states that as the inventor of PGP, I was "overwhelmed with feelings of guilt". I never implied that in the interview, and specifically went out of my way to emphasize to her that that was not the case, and made her repeat back to me this point so that she would not get it wrong in the article. This misrepresentation is serious, because it implies that under the duress of terrorism I have changed my principles on the importance of cryptography for protecting privacy and civil liberties in the information age.
Because of the political sensitivity of how my views were to be expressed, Ms. Cha read to me most of the article by phone before she submitted it to her editors, and the article had no such statement or implication when she read it to me. The article that appeared in the Post was significantly shorter than the original, and had the abovementioned crucial change in wording. I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite.
In the interview six days after the attack, we talked about the fact that I had cried over the heartbreaking tragedy, as everyone else did. But the tears were not because of guilt over the fact that I developed PGP, they were over the human tragedy of it all. I also told her about some hate mail I received that blamed me for developing a technology that could be used by terrorists. I told her that I felt bad about the possibility of terrorists using PGP, but that I also felt that this was outweighed by the fact that PGP was a tool for human rights around the world, which was my original intent in developing it ten years ago. It appears that this nuance of reasoning was lost on someone at the Washington Post. I imagine this may be caused by this newspaper's staff being stretched to their limits last week.
In these emotional times, we in the crypto community find ourselves having to defend our technology from well-intentioned but misguided efforts by politicians to impose new regulations on the use of strong cryptography. I do not want to give ammunition to these efforts by appearing to cave in on my principles. I think the article correctly showed that I'm not an ideologue when faced with a tragedy of this magnitude. Did I re-examine my principles in the wake of this tragedy? Of course I did. But the outcome of this re-examination was the same as it was during the years of public debate, that strong cryptography does more good for a democratic society than harm, even if it can be used by terrorists. Read my lips: I have no regrets about developing PGP.
The question of whether strong cryptography should be restricted by the government was debated all through the 1990's. This debate had the participation of the White House, the NSA, the FBI, the courts, the Congress, the computer industry, civilian academia, and the press. This debate fully took into account the question of terrorists using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, society's collective decision (over the FBI's objections) was that on the whole, we would be better off with strong crypto, unencumbered with government back doors. The export controls were lifted and no domestic controls were imposed. I feel this was a good decision, because we took the time and had such broad expert participation. Under the present emotional pressure, if we make a rash decision to reverse such a careful decision, it will only lead to terrible mistakes that will not only hurt our democracy, but will also increase the vulnerability of our national information infrastructure.
PGP users should rest assured that I would still not acquiesce to any back doors in PGP.
It is noteworthy that I had only received a single piece of hate mail on this subject. Because of all the press interviews I was dealing with, I did not have time to quietly compose a carefully worded reply to the hate mail, so I did not send a reply at all. After the article appeared, I received hundreds of supportive emails, flooding in at two or three per minute on the day of the article.
I have always enjoyed good relations with the press over the past decade, especially with the Washington Post. I'm sure they will get it right next time.
The article in question appears at http://www.washingtonpost.com/wp-dyn/articles/A1234-2001Sep20.html
-Philip Zimmermann
24 September 2001
(This letter may be widely circulated)
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3iQA/AwUBO69F2sdGNjmy13leEQIn+QCg2DjDeyibtRe61tUSplSAobdzAqEAoOMF ir3lRc4c1D/0Mmmv/JtP/E73 =HmRO
-----END PGP SIGNATURE-----
Only their users. And remember, good and evil are relative. Not everybody thinks like you do.
Vintage computer games and RPG books available. Email me if you're interested.
We who live in the D.C. area are very familiar with the Post's penchant for "manufacturing" stories where none exist. Mr. Zimmerman unfortunately was the party on the receiving end of the editorial foul play in this particular case.
/.ers are.
As a community, we should recognize that the Post as well as other news media outlets are NOT in their line of work to provide complete and unbiased coverage of events. They are in business to make MONEY, and that is a goal that creates in and of itself conflict of interest with reporting the truth in most (if not all) cases.
I wish the readership of the Post was going to be privy to Mr. Zimmerman's clarifications in the same way we
I was very skeptical of that article. My question: Has the Washington Post apologized or printed a correction? Better yet, have they offered to run your comment as an op-ed? They really should.
sulli
RTFJ.
Couple honest questions I would like to ask within this thread for clarification on this issue?
1. What are the uses of cryptography as a "Human Rights Tool"?
2. If in fact tools such as PGP are used by terrorists, how do governments protect against this?
Any information provided would be greatly appreciated.
Awesome!
There is justification in someone's mind, else it wouldn't have happened. Not saying it's a good justification, it isn't, but they felt it justified. Which proves the bankruptcy of their ideas.
Best Slashdot Co
My own position is confused and contradictory. I see personal communication mechanisms and security a force for good. I think that US interests would actually be served if everyone in Central Asia had the ability to communicate privately and securely with anyone they wish to. I also believe that it is a proper part of the job of governments to spy. I have problems reconciling these views.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
>PGP users should rest assured that I would still not acquiesce to any back doors in PGP.
It's really good to have a veteran with the possibility of being a champion for privacy issues. Afterall, we all know for a fact that Phil's willing to run the gauntlet in defense of what he thinks is right... I would think that's been proven.
I just hope it won't be necessary to go to the lengths that happened last time.
'Life is like a spoonful of Drain-O, it feels good on the way down but leaves you feeling hollow inside'
Maybe "Envelope" would be a better product name.
In fact, for this public debate, I think that even "encryption" is a bad term to use. It sounds cryptical in the most literal sense, and the average user (or politician) doesn't understand it, so it must be something scary.
While I see a lot of people who discuss abolishing "secure email transmission" (i.e. encrypted mail), I have seen very few people who would demand backdors in "Secure Socket Layer" (i.e. encrypted HTTP) or "secure online banking" (i.e. encrypted financial transactions). The main difference between the three is that in the case of email transmission, people usually use the term "encrypted", while in the latter cases, the buzzword is "security."
If you want to talk with average people, talk about secure communication, not about encrypted communication. Politicians will have a much harder time abolishing security than abolishing encryption.
Sig (appended to the end of comments I post, 54 chars)
Frankly, I am somewhat puzzled that the company which manufactures the beard clipper used by one of the terrorists on the plane has not brought a message of apology to the world...
Seriously: Are we going to relate every little thing in this world to the terrorism act of lately? I am just getting tired of reading so much BS about everyone trying to get some sort of visibility after the tragic events: the CNN talking heads, Bush the Donkey, the Pope, Billie Brown the SF mayor, Larry "Devil" Ellison, Richard "stadder" Stallman and now Ziziman.
What's next? People around me, are almost starting to feel sorry that they DIDN'T know anyone who died in the attacks. I want to throw up when I hear that.
This is human vanity at its best. Welcome to the real world!
Much of the encryption restriction/key-escrow debate has focused on how it will affect society if we restrict or alter the use of strong encryption. I haven't heard much debate on whether it would even be possible to enforce the use of key escrow systems or to prevent people such as terrorsts from using strong encryption.
What are your views on this, and do you think such proposed systems could ever be enforced?
I agree to a limited degree with the comments
about the human part of the human-tool pairing
being the part from which most evil originates.
But this does not mean all tools are devoid of
any meaning or purpose.
A sword, for example, is clearly a military
tool. Its evolution, and its purpose, is
inherent in its form. It is designed to injure
and kill.
The atomic bomb is designed to vaporize things.
Yes, you can (with some effort) envision a
situation where either of these items can be
not-used but perhaps threatened to obtain a
"good" outcome. But by their nature, if they
are ever employed, the results are not what
one would call good.
Some tools exist for no purpose other than
the infliction of damage upon another human.
Some tools cannot damage another human
practically (ie a pencil eraser). These
tools are differentiable, one from the other,
by this distinction of purpose and form and
if one wants to use the problematic concepts,
by their different potentials for doing evil.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
When we turn a human into an object, we lay
the foundations for inhumane treatment of the
person in question.
The ability to think of another human in an
objectified manner, as in when we treat the
local fast-food server as if he or she was
merely an interchangeable part with no important
human characteristics, we then begin to think
of them in a way which (taken to the extreme)
allows one to devalue their lives completely.
If we make an effort to treat each human as having
intrinsic value, every life as having some worth,
then we begin to eliminate the thinking that
breeds suicide bombers. For if every man's life
has worth, then to take another life is reducing
the worth of the world.
Objectification is very common in our world today.
The terrorist trainers use it (and its cousin,
demonization) to train suicide bombers. We use
it in our industrialized society. When we
recognize the underlying commonality here -
treating another person only in terms of
inhuman characteristics such as whether they
can serve you something, or whether they can
deliver a service for a buck, etc. - then
we begin to see where part of the fix lies.
I'm not utopian enough to think good thoughts
alone are enough. But if the democratic and
ostensibly civilized free world does not set
a precedent based on the value of _any_ human
life, then they haven't attacked the mindset
that allows manipulators to turn the downtrodden
or aggreived into human weapons.
And if we don't address the root cause, we can
expect more of the same ad infinitum.
-- Mal: "Well they tell you: never hit a man with a closed fist. But it is, on occasion, hilarious."
You also stated that you could only guarantee that version 7.slightly_lower_version_than_above was free of backdoors - in fact, you sign your open letter with version 7.0.3.
1. How do you reconcile these two, somewhat differing, views?
2. Which version(s) do you regard as "safe".
3. Why don't you run the latest version?
All the relevant versions and statements can be found in stories on
This sig left unintentionally blank.
Why isn't the informed crowd playing up the fact that encrytion is key to computer security? That is, putting it into words that Congressional-types can understand and fear. "Such and such incident where that hacker (technically cracker, but they fear the word hacker.) stole a zillion credit card numbers from SomewhereImportant.com could have been prevented if they ONLY used encryption." "That break in where those hacker defaced SuchAndSuch.gov wouldn't have happened if they ONLY used encryption." ...maybe even something is absurd as "That email virus could have been prevented if they ONLY used encryption."
-Steve
-- Making computers see, hear, and think... http://www.componica.com/
How do you feel about NAI not releasing anything but the crypto code, as opposed to the whole shebang like when you were in charge? Do you have anything comforting to say to us who look back through a nostalgic fog at the days when you personally signed every binary copy and assured your users that every relase was backdoor-free, or is it time to revive the age-old myth about the gaping hole that allows the NSA or whoever it is to read everything you try to keep them from gleaning at?
"If you think education is expensive, try ignorance" - Derek Bok
my dad is a brick mason. last week i went to work with him since i am having a problem finding a job. on the way home, we were listening to npr and talking about the news. when encryption came up, my dad didn't have any idea what this encryption thing was and the lady from the eff that was interviewed didn't help to explain it since she was spouting off jargon left and right.
i used the analagy of a house, since that is what he deals with every day. everyone has locks on their doors. i told him to imagine a house where the only way you could break in was by trying different keys on the lock until one worked. the rest of the building was solid and unbreakable. i told him to suppose that if you were just trying random keys one after another on this house, it would take 10,000 years. (worse than some weak crypto, but 10k was big enough).
i told him to suppose that the government was asking for a copy of your key and a copy of everyone else's key. the government promised they would guard the keys and only use them lawfully. we all know that at a convenient time, the lines of "lawful" would be blurred. and we also know that the place where these keys are kept would be a prime target for terrorist groups and organized crime.
he said, "well, who would fall for that? i wouldn't give them my key?"
Do we need to come up with new analogies to explain the civil and privacy rights justification for encryption to politicians and the lay public?
In the past we've used envelopes and locks, but I think these fall short because the reason for encryption is to create a time delay to access sufficient to dissuade the smart and lazy opponent AND allow detection of the stupid but industrious ones.
Not only did Catholics support the Crusades, they enthusiastically supported them. That outbreak of mental illness lasted from 1095 A.D. to 1291; it was not an isolated circumstance. During that time Europeans traveled to Arab lands to kill them. At that time almost all Christians were Catholic.
Many people don't understand the significance of the Crusades, which happened a long time ago. The significance is that the moral teaching of the Christians did not prevent them from designing and participating in a killing rampage.
The Crusades were not the only Christian killing rampage. The Spanish Inquisition was another outbreak of craziness.
The moral teachings of the Christians have not changed significantly since the Crusades. Arabs ask themselves, "What would prevent Christians from being part of another killing rampage?" That's why the crusades have significance in modern thinking. It is easy to understand that when President Bush talked about a crusade in a speech to the entire nation of the U.S., while at the same time declaring "war", Arabs became anxious.
It is remarkable how quickly the discussion of terrorism became off-topic. People are blaming PGP!!! Do you have a right to speak to your wife in private, with no interference or listening from the government? If you do have this right, then you have a right to use PGP. Your wife may be in another country, and PGP is a way of being sure you speak only to her. If you don't have this right, then the government can legally force its way into anything you say to your wife.
The primary reason for the violence seems to be corruption in secret agencies of the U.S. government like the CIA. For example, the CIA trained Osama bin Laden. If there is more trouble, the CIA receives more funding. So the CIA, at least unconsciously, wants more trouble.
Israel receives an astounding $905 per year from the U.S. government for every man, woman and child who lives there. A large part of that money is spent on weapons bought from the United States. Senators in the U.S. who represent the states with weapons manufacturers have lobbied to continue giving money to Israel. The U.S. weapons manufacturers also sell weapons to the Arabs.
I've tried to pull together information about these issues: What should be the Response to Violence? .
The U.S. has bombed 14 countries in the last 30 years, killing about 3,000,000 people. Yet Phil Zimmermann gets hassled for causing problems!!! Duh!
Bush's education improvements were
The research that created the nuclear bomb will one day produce a safe, cheap, earth-friendly source of abundant energy. Once this occurs, not only will we have vast amounts of energy without destroying our environment, but oil will become useless and we (U.S.) will have less reason to meddle in the Middle East.
True, many lives have been lost in truly sad ways, but the bomb didn't get up on its own and jump out of a plane over Nagasaki. It took an American president to make the decision that it was okay to kill thousands of civilians to achieve our political goals. That, by the way, was the *same* conclusion the terrorists came to.
Encryption technology has enabled many benefits. Besides, it's really just a more advanced form of whispering. If you're going to blame cryptologists for the actions of terrorists, then you need to blame airplane manufactures, oil companies, flight attendants, travel agencies, car rental agencies, airport security personnel, et al.
If you *really* feel a strong need to blame someone for what happened last week, you can pretty safely point your finger at the U.S. State Department. It's been discussed here ad nauseum, but to sum up the majority of the population in the Middle East hates America *not* because we have more freedom but because our government takes action that directly impacts their access to freedom.
If you ban encryption thinking it will keep you safe, they'll turn to other methods. If you outlaw box cutters, they'll smuggle on letter openers. The only real solution is to find the root cause of the problem and solve that. Until then you're merely patching holes in the hopes that the dam won't burst.
Freedom to fear. Freedom from thought. Freedom to kill.
I guess the War on Terror really is about freedom!