Philip Zimmermann and 'Guilt' Over PGP

Philip R. Zimmermann, creator of PGP, was quoted in a recent Washington Post article as saying he has been "overwhelmed with feelings of guilt" about the use of PGP by suspected terrorists. Zimmermann says the story was not entirely accurate, and has written a response to it (below) that he hopes will clear things up. He has also consented to a Slashdot interview, so please post any questions you have for him. As usual, we'll send 10 of the highest-moderated ones to Zimmermann by email, and post his replies verbatim as soon as we get them back.

No Regrets About Developing PGP

The Friday September 21st Washington Post carried an article by Ariana Cha that I feel misrepresents my views on the role of PGP encryption software in the September 11th terrorist attacks. She interviewed me on Monday September 17th, and we talked about how I felt about the possibility that the terrorists might have used PGP in planning their attack. The article states that as the inventor of PGP, I was "overwhelmed with feelings of guilt". I never implied that in the interview, and specifically went out of my way to emphasize to her that that was not the case, and made her repeat back to me this point so that she would not get it wrong in the article. This misrepresentation is serious, because it implies that under the duress of terrorism I have changed my principles on the importance of cryptography for protecting privacy and civil liberties in the information age.

Because of the political sensitivity of how my views were to be expressed, Ms. Cha read to me most of the article by phone before she submitted it to her editors, and the article had no such statement or implication when she read it to me. The article that appeared in the Post was significantly shorter than the original, and had the abovementioned crucial change in wording. I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite.

In the interview six days after the attack, we talked about the fact that I had cried over the heartbreaking tragedy, as everyone else did. But the tears were not because of guilt over the fact that I developed PGP, they were over the human tragedy of it all. I also told her about some hate mail I received that blamed me for developing a technology that could be used by terrorists. I told her that I felt bad about the possibility of terrorists using PGP, but that I also felt that this was outweighed by the fact that PGP was a tool for human rights around the world, which was my original intent in developing it ten years ago. It appears that this nuance of reasoning was lost on someone at the Washington Post. I imagine this may be caused by this newspaper's staff being stretched to their limits last week.

In these emotional times, we in the crypto community find ourselves having to defend our technology from well-intentioned but misguided efforts by politicians to impose new regulations on the use of strong cryptography. I do not want to give ammunition to these efforts by appearing to cave in on my principles. I think the article correctly showed that I'm not an ideologue when faced with a tragedy of this magnitude. Did I re-examine my principles in the wake of this tragedy? Of course I did. But the outcome of this re-examination was the same as it was during the years of public debate, that strong cryptography does more good for a democratic society than harm, even if it can be used by terrorists. Read my lips: I have no regrets about developing PGP.

The question of whether strong cryptography should be restricted by the government was debated all through the 1990's. This debate had the participation of the White House, the NSA, the FBI, the courts, the Congress, the computer industry, civilian academia, and the press. This debate fully took into account the question of terrorists using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, society's collective decision (over the FBI's objections) was that on the whole, we would be better off with strong crypto, unencumbered with government back doors. The export controls were lifted and no domestic controls were imposed. I feel this was a good decision, because we took the time and had such broad expert participation. Under the present emotional pressure, if we make a rash decision to reverse such a careful decision, it will only lead to terrible mistakes that will not only hurt our democracy, but will also increase the vulnerability of our national information infrastructure.

PGP users should rest assured that I would still not acquiesce to any back doors in PGP.

It is noteworthy that I had only received a single piece of hate mail on this subject. Because of all the press interviews I was dealing with, I did not have time to quietly compose a carefully worded reply to the hate mail, so I did not send a reply at all. After the article appeared, I received hundreds of supportive emails, flooding in at two or three per minute on the day of the article.

I have always enjoyed good relations with the press over the past decade, especially with the Washington Post. I'm sure they will get it right next time.

The article in question appears at http://www.washingtonpost.com/wp-dyn/articles/A1234-2001Sep20.html

-Philip Zimmermann
24 September 2001

(This letter may be widely circulated)

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBO69F2sdGNjmy13leEQIn+QCg2DjDeyibtRe61tUSplSAobdzAqEAoOMF ir3lRc4c1D/0Mmmv/JtP/E73 =HmRO
-----END PGP SIGNATURE-----

Tools are never evil

[SuiteSisterMary]

Only their users. And remember, good and evil are relative. Not everybody thinks like you do.

Re:Tools are never evil

[WNight]

So our society has determined that slavery is wrong for everybody.

So, it's a relative absolute.

You really shouldn't be arguing in this, you're in over your head. You can't simply change the definition of absolute to suit yourself. Absolute morals can NOT exist without religion. If you're saying morals are absolute, you're saying that there's a universal law which mandates it, the only way that's possible is if there's a god doing the mandating.

Now, I know you're not saying there's a universal law, but this means you're not talking about absolute morals, even if you think you are. If a society has decided something, then it wasn't absolute.

What you're talking about is strictly enforced relative morals. Society X has decided that slavery is bad, and there are no exceptions. Only the last part is absolute, the first part is relative.

Furthermore, these morals of our society aren't even enforced absolutely. Murder is wrong, except when a cop shoots a lawbreaker, or you execute a criminal, etc. Slavery is wrong, except when you put prisoners to work. And it's not different just because they're criminals. Absolute in this sense means 100%, no exceptions. If there are exceptions, it's not absolute.

You were closer with your "laws of physics" idea, than with the point you're trying to make.

Thanks Phil

[sulli]

I was very skeptical of that article. My question: Has the Washington Post apologized or printed a correction? Better yet, have they offered to run your comment as an op-ed? They really should.

Clarification Por Favor?

[doomicon]

Couple honest questions I would like to ask within this thread for clarification on this issue?

1. What are the uses of cryptography as a "Human Rights Tool"?

2. If in fact tools such as PGP are used by terrorists, how do governments protect against this?

Any information provided would be greatly appreciated.

Re:Clarification Por Favor?

[Bonker]

This is probably a troll, so mod me down for biting.

1. What are the uses of cryptography as a "Human Rights Tool"?

Okay, say you live in China, where the government is known to imprison members of certain religous groups using rather spurious claims that these groups are 'terrorist groups'. You've heard of the Faulan Gaun (sp?).

How else do you meet and exchange information and be free in your religion (which the U.S. considers a 'human right') without the aid of data encryption. There are a few ways to do it, but data encryption is the safest and fastest way to do so.

By the same token, look at Amnesty International's website. You won't be able to in China, or other certain countries, unless you use a proxy that bypasses the national filtering. Then, you won't be able to do it safely unless unless your connection to that proxy is encrypted so that you can't be spied upon. Safeweb rocks for surfing pr0n at work. It is essential tool for individuals in China who want to learn about the world around them without seeing it filtered through the prejudices of the Communist Party.

One last example. Say you are an Amnesty International worker in a country where your work is only barely tolerated, like Afghanistan. If you're smart, you'll hide evidences of human rights abuse behind strong encryption so that the collection of that evidence can't be used against you by a hostile court. Bescrypt is the first tool that comes to mind, but I know that there are equally good open source tools that will do the same job.

I could go on and on. Remember that these 'belligerant' governments aren't the only governments that try to violate human rights. The U.S. government will do it if they can get away with it. You've heard of Echelon? Carnivore? These privacy invading tools are completely useless in the face of 2048-bit strength DSS encryption, which is the default key-length in PGP.

Kevin Mitnick's laptop, which is still in posession of the Fed, has *yet* to yeild up any of his secrets that could be used against him because the data inside was encrypted. I think many /.ers feel like Kevin's rights were repeatedly violated. The data in his laptop cannot be used against him to further violate his rights after he's finally out and about to be able to work again.

Encryption is a wondrous power. Let's *not* give it up just because it rubs LEO's the wrong way. The police already have enough power to solve even the most heinous of crimes, just as they are *currently* doing in the WTC attack. Let's not give them more than they need.

Nice to have a veteran champion...

[weslocke]

>PGP users should rest assured that I would still not acquiesce to any back doors in PGP.

It's really good to have a veteran with the possibility of being a champion for privacy issues. Afterall, we all know for a fact that Phil's willing to run the gauntlet in defense of what he thinks is right... I would think that's been proven.

I just hope it won't be necessary to go to the lengths that happened last time.

Re:But there is

[HenryFlower]

"Some Christians are morally bankrupt" does not imply "All Christians are morally bankrupt". It is just that sort of misguided reasoning that leads Islamic terrorists to justify killing innocent Americans and Americans to justify killing innocent Arabs, Pakistanis...

Re:Name `PGP`

[j7953]

Maybe "Envelope" would be a better product name.

In fact, for this public debate, I think that even "encryption" is a bad term to use. It sounds cryptical in the most literal sense, and the average user (or politician) doesn't understand it, so it must be something scary.

While I see a lot of people who discuss abolishing "secure email transmission" (i.e. encrypted mail), I have seen very few people who would demand backdors in "Secure Socket Layer" (i.e. encrypted HTTP) or "secure online banking" (i.e. encrypted financial transactions). The main difference between the three is that in the case of email transmission, people usually use the term "encrypted", while in the latter cases, the buzzword is "security."

If you want to talk with average people, talk about secure communication, not about encrypted communication. Politicians will have a much harder time abolishing security than abolishing encryption.

Backdoors?

[YuppieScum]

PGP users should rest assured that I would still not acquiesce to any back doors in PGP.

I seems to remember that, not too long ago, you quite publically left NAI (the owners of the PGP franchise) after they refused to open the source of PGP 7.blah to public scrutiny.

You also stated that you could only guarantee that version 7.slightly_lower_version_than_above was free of backdoors - in fact, you sign your open letter with version 7.0.3.

1. How do you reconcile these two, somewhat differing, views?
2. Which version(s) do you regard as "safe".
3. Why don't you run the latest version?


All the relevant versions and statements can be found in stories on /.

Re:But there is

[Christianfreak]

As a disclaimer: The people who led the Crusades were not right in what they did.

That said I wonder why everyone seems to forget that it was the Arabs that invaded Palistine first and killed innocent Christians and Jews in the name of Islam, thus one of the main reasons for the Crusades...

I also wonder why no one can seem to forget an event that happened hundreds of years ago and that no one alive today (Muslim, Christian, or Jew) is responsible for it. Just because someone did something in the name of someone's god doesn't mean that the religion or the god advocate it. It was true in the time of the Crusdes (at least the God part, or Allah on the Islam side if you will) and its true now with this terrorist attack.

Question for Phil Zimmerman on realworld analogies

[jhritz]

Do we need to come up with new analogies to explain the civil and privacy rights justification for encryption to politicians and the lay public?

In the past we've used envelopes and locks, but I think these fall short because the reason for encryption is to create a time delay to access sufficient to dissuade the smart and lazy opponent AND allow detection of the stupid but industrious ones.

Do you have a right to speak privately?

[Futurepower(tm)]

Not only did Catholics support the Crusades, they enthusiastically supported them. That outbreak of mental illness lasted from 1095 A.D. to 1291; it was not an isolated circumstance. During that time Europeans traveled to Arab lands to kill them. At that time almost all Christians were Catholic.

Many people don't understand the significance of the Crusades, which happened a long time ago. The significance is that the moral teaching of the Christians did not prevent them from designing and participating in a killing rampage.

The Crusades were not the only Christian killing rampage. The Spanish Inquisition was another outbreak of craziness.

The moral teachings of the Christians have not changed significantly since the Crusades. Arabs ask themselves, "What would prevent Christians from being part of another killing rampage?" That's why the crusades have significance in modern thinking. It is easy to understand that when President Bush talked about a crusade in a speech to the entire nation of the U.S., while at the same time declaring "war", Arabs became anxious.

It is remarkable how quickly the discussion of terrorism became off-topic. People are blaming PGP!!! Do you have a right to speak to your wife in private, with no interference or listening from the government? If you do have this right, then you have a right to use PGP. Your wife may be in another country, and PGP is a way of being sure you speak only to her. If you don't have this right, then the government can legally force its way into anything you say to your wife.

The primary reason for the violence seems to be corruption in secret agencies of the U.S. government like the CIA. For example, the CIA trained Osama bin Laden. If there is more trouble, the CIA receives more funding. So the CIA, at least unconsciously, wants more trouble.

Israel receives an astounding $905 per year from the U.S. government for every man, woman and child who lives there. A large part of that money is spent on weapons bought from the United States. Senators in the U.S. who represent the states with weapons manufacturers have lobbied to continue giving money to Israel. The U.S. weapons manufacturers also sell weapons to the Arabs.

I've tried to pull together information about these issues: What should be the Response to Violence? .

The U.S. has bombed 14 countries in the last 30 years, killing about 3,000,000 people. Yet Phil Zimmermann gets hassled for causing problems!!! Duh!