Philip Zimmermann and 'Guilt' Over PGP
No Regrets About Developing PGP
The Friday September 21st Washington Post carried an article by Ariana Cha that I feel misrepresents my views on the role of PGP encryption software in the September 11th terrorist attacks. She interviewed me on Monday September 17th, and we talked about how I felt about the possibility that the terrorists might have used PGP in planning their attack. The article states that as the inventor of PGP, I was "overwhelmed with feelings of guilt". I never implied that in the interview, and specifically went out of my way to emphasize to her that that was not the case, and made her repeat back to me this point so that she would not get it wrong in the article. This misrepresentation is serious, because it implies that under the duress of terrorism I have changed my principles on the importance of cryptography for protecting privacy and civil liberties in the information age.
Because of the political sensitivity of how my views were to be expressed, Ms. Cha read to me most of the article by phone before she submitted it to her editors, and the article had no such statement or implication when she read it to me. The article that appeared in the Post was significantly shorter than the original, and had the abovementioned crucial change in wording. I can only speculate that her editors must have taken some inappropriate liberties in abbreviating my feelings to such an inaccurate soundbite.
In the interview six days after the attack, we talked about the fact that I had cried over the heartbreaking tragedy, as everyone else did. But the tears were not because of guilt over the fact that I developed PGP, they were over the human tragedy of it all. I also told her about some hate mail I received that blamed me for developing a technology that could be used by terrorists. I told her that I felt bad about the possibility of terrorists using PGP, but that I also felt that this was outweighed by the fact that PGP was a tool for human rights around the world, which was my original intent in developing it ten years ago. It appears that this nuance of reasoning was lost on someone at the Washington Post. I imagine this may be caused by this newspaper's staff being stretched to their limits last week.
In these emotional times, we in the crypto community find ourselves having to defend our technology from well-intentioned but misguided efforts by politicians to impose new regulations on the use of strong cryptography. I do not want to give ammunition to these efforts by appearing to cave in on my principles. I think the article correctly showed that I'm not an ideologue when faced with a tragedy of this magnitude. Did I re-examine my principles in the wake of this tragedy? Of course I did. But the outcome of this re-examination was the same as it was during the years of public debate, that strong cryptography does more good for a democratic society than harm, even if it can be used by terrorists. Read my lips: I have no regrets about developing PGP.
The question of whether strong cryptography should be restricted by the government was debated all through the 1990's. This debate had the participation of the White House, the NSA, the FBI, the courts, the Congress, the computer industry, civilian academia, and the press. This debate fully took into account the question of terrorists using strong crypto, and in fact, that was one of the core issues of the debate. Nonetheless, society's collective decision (over the FBI's objections) was that on the whole, we would be better off with strong crypto, unencumbered with government back doors. The export controls were lifted and no domestic controls were imposed. I feel this was a good decision, because we took the time and had such broad expert participation. Under the present emotional pressure, if we make a rash decision to reverse such a careful decision, it will only lead to terrible mistakes that will not only hurt our democracy, but will also increase the vulnerability of our national information infrastructure.
PGP users should rest assured that I would still not acquiesce to any back doors in PGP.
It is noteworthy that I had only received a single piece of hate mail on this subject. Because of all the press interviews I was dealing with, I did not have time to quietly compose a carefully worded reply to the hate mail, so I did not send a reply at all. After the article appeared, I received hundreds of supportive emails, flooding in at two or three per minute on the day of the article.
I have always enjoyed good relations with the press over the past decade, especially with the Washington Post. I'm sure they will get it right next time.
The article in question appears at http://www.washingtonpost.com/wp-dyn/articles/A1234-2001Sep20.html
-Philip Zimmermann
24 September 2001
(This letter may be widely circulated)
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.3

iQA/AwUBO69F2sdGNjmy13leEQIn+QCg2DjDeyibtRe61tUSplSAobdzAqEAoOMF
ir3lRc4c1D/0Mmmv/JtP/E73
=HmRO
-----END PGP SIGNATURE-----
I instantly disagreed with your analogy but had to think for a while before deciding why:
I think the difference is that an aircraft is designed to transport passengers and cargo through the air, and in this case was transformed into a destructive tool. (Same for the box cutters used in the hijackings.) Cryptography, on the other hand, is designed to conceal information. If PGP or other crypto was used in the WTC attacks (which I haven't seen anything conclusive saying it was) it was used in precisely the job for which it was intended.
A better analogy is to guns. They make individuals less vulnerable and more powerful, which can be used for all sorts of good and bad purposes.
I've had similar conversations with my father-in-law about working on scientific research that could potentially make for bad uses. I appreciate the importance of ethical oversight in all fields of science and engineering, but I feel a lot better about my biomedical research, even with the potential for abuse, than about his work on H-bombs that in his opinion (and mine) contributed to the preservation of democracy.
Engineers, wake up. You are responsible for your inventions, and you have to live with the moral consequences of those inventions. This is exactly what Bill Joy was trying to tell us. Robert Oppenheimer employed 5,000 people to build his bomb, and after it was employed against Japanese civilians he declared to Harry Truman, "Mr. President, I have blood on my hands." To the engineers building the bomb, it was a neat hack. They did not question the moral implications of the device until it was proven. If you build something that you expect to change the world, don't snivel about your "overwhelming feelings of guilt". Either accept the moral implications of your invention or don't build it.
This is kind of a flame, but...
The article mentions a rebel fighter in Kosovo who supposedly used PGP encryption. If this is the case, it is likely that the rebel fighter was a KLA terrorist. The KLA is a known terrorist group with direct ties to Osama Bin Laden's network. Their funding doesn't come from Albania (Albania doesn't like the "ethnic Albanian Kosovars" any more than Serbia does), it comes from the Middle East and oil rich former Soviet Republics -- around Afghanistan.
How do we feel about that? There is speculation that the terrorists who attacked us recently "may" have "had access to" PGP or some other form of encryption, but here is a case of a terrorist allegedly sending a thank you letter directly to Phil Zimmermann.
Is it a case of the lesser of two evils because our government didn't like Milosevic? Remember, though, that the Taliban was considered the lesser evil by our government at one time. Actually, as recently as this year, George Bush gave millions of dollars to the Taliban for verbally denouncing the opium trade, which he now says is their primary source of income. The KLA is a main European drug distributor, coincidentally.