State Secrets

At a conference recently, I handed my business card to a young FOSS person, and as he accepted the card he pointed to the PGP ("Pretty Good Privacy") number on the bottom of my business card and asked, "What does this mean?" In the age of Wikileaks, PRISM, and XKeyscore, I find it disturbing that people do not know about PGP and its FOSS offshoot, GPG.

I have been dealing with the US government and issues with encryption for a long time. In the early days of commercial Unix, a lot of companies were shipping either a System V or a BSD version of Unix. Of course, both of these systems rely on encrypted passwords and both systems (at the time) also had a simple crypt(1) command for encrypting data.

Back then, I was working for Digital Equipment Corporation (DEC) and the company was just about to ship its first Unix system for the VAX architecture, when our export department asked the fatal question: "Is there any encryption software in this product?"

At that time, the United States did not allow encryption to be shipped outside the country to many countries, even to some countries we might have considered "friends." After all, the British (yes, they were on the list) did burn our White House in 1814, and there was that nasty skirmish in 1776…

DEC reacted to the encryption rules by removing the crypt(1) command and libraries and putting them in a separate "export restricted" software kit, but we needed the encryption functionality to be linked into the login(1) program and to allow people to change their passwords.

We appealed to the US State Department, but they were firm, so we went back to Bell Laboratories to find out whether they had an argument that would allow the encryption. Bell Labs pointed out that the encryption was basically "one-way" (i.e., it could not be decrypted) and that it was just for authentication. We took this information back to the State Department, and they relented.

After we looked at the issue further, however, we realized that the State Department was really too late. Sun Microsystems was already shipping SunOS all over the world with the encryption in place. System V from Bell Labs and BSD from the University of Berkeley were also being used in many countries with the encryption in place. It was only DEC's export department that raised the issue.

The law around cryptography was so draconian that if DEC had bought a package of encryption software from Canada, had not opened it, but then wanted to sell it back to Canada, we could not have done so. Around that time, I had a good friend working for DEC who was heavily into cryptography. He was Canadian, and because Canada did not have these issues with shipping cryptographic products, he returned to Canada and started a consulting firm around encryption. Some of our best cryptographers were leaving and going to other countries for better opportunities.

Then, in 1991, Phil Zimmerman developed PGP, and when that "escaped" to other countries, all sorts of "investigations" happened. At the time, encryption was considered a "munition," and Phil was investigated for violating the Arms Export Control Act. Somewhere, I still have my t-shirt with the PGP algorithm on the back that says, "I am exporting munitions, so sue me."

Fortunately, President Clinton relaxed this law, and good encryption was able to be shipped. Right after September 11, 2001, however, a senator (who will remain nameless) from my state of New Hampshire ("Live Free or Die") introduced a bill that would reverse President Clinton's decision because some of the planners of 9/11 had used encrypted email. I wrote that senator a four-page letter, discussing encryption and how it is the basis of authentication. I pointed out that most "evil" countries already had knowledge of encryption and that such a law would hurt our allies, not just our enemies. Shortly after I sent my letter, the senator cancelled his bill.

In light of what has recently occurred with the NSA, some major companies are now looking at privacy a little more rigorously than before. Jimmy Wales of Wikipedia, for example, pointed out that his company will be looking at methods and how much data they gather on articles that people read. Jimmy feels that the right of privacy extends to what we read and that no one should be able to see what we have or have not read.

Along these lines, readers might want to review how PGP and GPG work and think about how to use them. Encryption of filesystems might also take a higher priority. Can a determined entity still decrypt encrypted data? Probably, but the careful use of PGP can give you "pretty good" privacy.