The Crypto Wars: How Philip Zimmermann fought for our right to privacy

BY STEVEN JOHNSON

Three decades ago, Philip Zimmermann almost went to jail so that you could send an email without worrying that your personal data would be stolen.

Illustration: Katarzyna Bogucka
Philip Zimmermann

On June 5th, 1991, a puzzling announcement appeared on an online network of political activists known as Peacenet. The announcement was a kind of paradox: a public message that contained instructions for keeping other messages secret. A few hours later, the same note appeared in one of the newsgroups of the global bulletin board USENET. The message volunteered a new standard for encrypting data, based on a scheme known as “public key encryption” that had up to that point mostly been deployed by giant corporations or government agencies. This new standard was designed for the rest of us, and its creator—an anti-nuclear activist and programmer named Phil Zimmermann—was offering it up to the world for free. Zimmermann had given it a memorable if somewhat unassuming name, a play on a grocery store called Ralph’s Pretty Good Groceries featured in one of his favorite public radio shows, A Prairie Home Companion. He called it Pretty Good Privacy, or PGP for short.

Courtesy Philip Zimmermann

But then matters took a surprising turn. Zimmermann’s actions would spark one of the most contentious political fights of early Internet culture, leading to groundbreaking legal decisions that still shape the way we communicate more than 30 years later. Zimmermann would soon find himself the subject of a federal investigation, facing potential jail time. And the most unlikely twist of all was this: the FBI was accusing this longtime peace activist of being an illicit arms dealer.

Zimmermann’s actions would spark one of the most contentious political fights of early Internet culture, leading to groundbreaking legal decisions that still shape the way we communicate.

The dawn of cryptography

The practice of encoding information so that it can be shared privately is almost as old as writing itself. Around 4,000 years ago, Egyptian monks developed a system of non-standard hieroglyphics to conceal their messages from prying eyes. At the height of the Roman Empire, Julius Caesar deployed what is now called a “substitution cipher” to send commands to military officers on the front line, swapping letters in each message according to an agreed-upon pattern. Codes and codebreaking played a central role in the invention of modern computers, most famously in the cracking of the German “Enigma” code overseen by Alan Turing during World War II.

Enigma Machine A16672. Arnold Reinhold, CC BY-SA 4.0, via Wikimedia Commons
Substitution cipher. Illustration: Katarzyna Bogucka

Until the rise of the Internet era, complex encryption schemes were mostly the province of spy agencies, military institutions, and corporations that had trade secrets they needed to protect—not to mention the occasional crime syndicate or terrorist organization. Most ordinary people had no need for intricate ciphers in their lives because privacy was already an abundant resource. As Zimmermann explained in one of his initial notes introducing PGP: “When the United States Constitution was framed, the Founding Fathers saw no need to explicitly spell out the right to a private conversation. That would have been silly. 200 years ago, all conversations were private. If someone else was within earshot, you could just go out behind the barn and have your conversation there… The right to a private conversation was a natural right, not just in a philosophical sense, but in a law-of-physics sense, given the technology of the time.”

“Two hundred years ago, all conversations were private. If someone else was within earshot, you could just go out behind the barn and have your conversation there.”

All that began to change in the 1980s, with the rise of the first mainstream computer networks connecting offices, academic institutions, and government agencies. Although Zimmermann had graduated from college around that time with a degree in computer science, he found himself exploring these new online spaces thanks to his political engagements.

He had settled in Boulder, Colorado, working a day job as a software engineer, but moonlighting as a policy analyst for an organization known as the Nuclear Weapons Freeze Campaign. “The world was a different place then,” he recalled many years later. “Reagan was in the White House, Brezhnev was in the Kremlin, FEMA was telling cities to prepare evacuation plans, and millions of people feared the world was drifting inexorably toward nuclear war.” Before long, he became an active participant in the anti-nukes protest movement that reached its heyday in the mid-80s. (He was arrested at a famous Nevada protest during that period, alongside the astronomer Carl Sagan and the actors Martin Sheen, Kris Kristofferson, and Robert Blake.) Through his political work—which was by definition global in scope—he came to recognize that activists were going to need new kinds of support. “I wanted to do something with privacy tools back in the 80s—and I felt like peace activists needed protection from the White House and other government agencies.” But his day-job commitments and his anti-nuke activism kept him from pursuing the idea. “I just didn’t have the time,” he says now.

“I wanted to do something with privacy tools back in the 80s—and I felt like peace activists needed protection from the White House and other government agencies.”
The Nuclear Freeze movement

Initiated by Randall Forsberg, a young defense and disarmament researcher, the Nuclear Freeze movement was a call to halt the nuclear arms race between the US and the Soviet Union. The idea arose in the early stages of the Cold War. Both countries together already possessed more than 50,000 nuclear weapons at the time and planned to build another 20,000. The freeze campaign escalated into a mass movement that swept across the United States, attracting most American peace organizations and endorsed by numerous public leaders, intellectuals, and activists. More than 2,300,000 Americans signed anti-nuclear petitions and referenda, covering about one-third of the US electorate. The campaign was “the most significant citizens’ movement of the last century,” as reported by Patrick Caddell, one of the nation's leading pollsters.

Anti-nuke movements across the USA

The 80s witnessed a wave of anti-nuke protests triggered by the heightened Cold War politics of the Reagan/Thatcher era, including a march in Central Park in June of 1982 that attracted around a million participants. At the time, it was one of the largest political protests in American history. While activists marched through the streets of major cities around the world, a series of rolling protests also took place at the Nevada Test Site, the area 65 miles northwest of Las Vegas where the military had detonated more than 1,000 nuclear weapons since the early days of the Atomic Age. While the Nevada protests were generally associated with high-profile scientists and actors like Carl Sagan and Martin Sheen, the first protests on the Test Site property had been a series of vigils organized by a pacifist Christian group.

If most of our communications were going to travel over digital channels, that would open up whole new possibilities for governments to eavesdrop on conversations.

During the 1980s, tools like email or the wider Internet were not yet on the radar screen of the average person, even in high-tech societies like the United States. But to the individuals who had dabbled in the technology, it was increasingly clear that society was on the verge of a momentous transition from the world of top-down mass media to online networks. And those networks were going to change the balance of power where privacy was concerned in fundamental ways. If most of our communications—and much of our commerce—were going to travel over digital channels, that would open up whole new possibilities for governments to eavesdrop on conversations, or cyber-criminals to steal personal information like social security numbers or bank routing information.

“Until recently,” Zimmermann explained back in the early 90s, “if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail…. This kind of labor-intensive monitoring was not practical on a large scale. This is like catching one fish at a time, with a hook and line. Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing.”

“Today, email can be routinely and automatically scanned for interesting keywords, on a vast scale, without detection. This is like driftnet fishing.”

The days of securing your privacy by heading out behind the barn to have a chat were over, Zimmermann realized. Ordinary people were going to need access to encryption. And the timing was fortuitous. The processing power of ordinary PCs had improved enough to make powerful encryption available to people who didn’t have access to mainframes. But even more importantly, a handful of brilliant mathematicians had recently solved a problem that had bedeviled codemakers for centuries: not the problem of designing clever ciphers, but rather the problem of sharing the keys that allow recipients to decipher them.

Closing the back door

You can think of the relationship between ciphers and keys as being the equivalent of a film first played forwards and then in reverse. A cipher transforms an intelligible message into an unintelligible one, and a key returns the message to its original state. However much mathematical ingenuity you put into inventing your cipher—making it impossible for any potential eavesdroppers to crack—if your intended recipient doesn’t have the key, the message will be noise to them, a jumble of letters or zeroes and ones, utterly meaningless. This is why the problem of figuring out how to share the key—technically known as the “key distribution” problem—is a significant part of the art and science of cryptography. If you can just meet your recipient behind the barn and whisper the key to them, you’re fine. But these kinds of in-person approaches don’t work if you’re dealing with ciphers—like all modern digital encryption formats—that involve complex mathematical functions that can’t be conveyed in a private conversation. They also don’t work well if you want to change the key at regular intervals, to confound would-be codebreakers. During World War II, the Germans struggled mightily to distribute the daily changes to the Enigma key to all of their communications operators, including the ones submerged on U-boats. All of which meant that, for most of the history of cryptography, your code was only as secure as your key distribution plan.

All of that changed in the 70s with the invention of “public key” cryptography. The core breakthrough behind the “public key” approach lay in the idea of splitting the key into two parts: a public key, and a private key. A public key allows the sender to encrypt the message in such a way that it can only be deciphered by the recipient’s private key. That means that public keys can be openly available for anyone to see and use without worrying about compromising the privacy of the communication.

Multiple discoveries of the public key cryptography

For years the invention of the public key approach was attributed to several teams of cryptographers at Stanford and MIT, though it was later revealed that an earlier version of the approach had been devised by a team of codemakers in the UK’s Government Communications Headquarters (GCHQ)—the British equivalent of the National Security Agency in the US. Their work was uncredited for 27 years, until the British government unclassified it in 1997. These parallel inventions are an example of a pattern that recurs throughout the history of innovation, a phenomenon called simultaneous discovery, or multiple discovery, where separate creators working entirely independently of one another stumble across similar solutions at almost the exact same moment in history.

The best way to imagine how public key cryptography works—without getting into the complex mathematics of it, which involves one-way functions and factoring large prime numbers—is to use a metaphor from Simon Singh’s first-rate history of encryption, The Code Book. Imagine you want to send a package to your friend Emily and guarantee that only she can open it. In this system, Emily has a special padlock designed with a “private key” that only she has access to. She distributes copies of the padlock to post offices all over the world. When you want to ship your secret box to your friend, you simply go to the post office and request an “Emily” padlock and use it to secure the box. Once you click the padlock shut, anyone who intercepts the package will be unable to open it—even you, the sender, can’t get access to the contents. But when the package arrives on Emily’s doorstep, she can open it instantly with her private key.
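To make the padlock metaphor concrete, here is an added, deliberately toy-sized example in Python. It is written for this article and is not code from PGP or from Zimmermann: it implements textbook RSA on the small primes 61 and 53 (a constructed choice, so the arithmetic can be followed by hand) and walks through the three steps of the metaphor: Emily makes her padlock, a stranger snaps it shut on a message using only the public half, and only Emily's private key opens it.

```python
# Textbook RSA on tiny numbers, to make the padlock metaphor concrete.
# Constructed teaching example: real keys are thousands of bits long and
# use randomized padding; these parameters would fall in seconds and are
# only here to show the mechanics of a public key versus a private key.
from math import gcd


def make_padlock(p, q, e=17):
    """Emily's key generation. Returns (public_key, private_key).

    The public key (n, e) is the padlock she hands out freely; the private
    key (n, d) is the one key that opens it.
    """
    n = p * q                      # modulus, shared by both halves
    phi = (p - 1) * (q - 1)        # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)            # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def lock(public_key, message):
    """Anyone can snap the padlock shut: c = m^e mod n, one character at a time.

    Each character code must be smaller than n for the math to be reversible.
    """
    n, e = public_key
    codes = [ord(ch) for ch in message]
    if any(m >= n for m in codes):
        raise ValueError("character code too large for this modulus")
    return [pow(m, e, n) for m in codes]


def unlock(key, ciphertext):
    """Opening the padlock: m = c^d mod n. Only the holder of d gets the message back."""
    n, exponent = key
    return "".join(chr(pow(c, exponent, n)) for c in ciphertext)


def demo():
    # Emily makes her padlock once and publishes the public half.
    emily_public, emily_private = make_padlock(61, 53)   # n = 3233, d = 2753

    # A sender who has never met Emily locks a box with the public padlock.
    box = lock(emily_public, "behind the barn")

    # The sender holds only the public key; feeding it back into unlock()
    # (using e where d is needed) does not recover the message.
    senders_attempt = unlock(emily_public, box)

    # Emily opens the box with her private key.
    opened = unlock(emily_private, box)
    return {
        "public_key": emily_public,
        "opened": opened,
        "sender_can_read": senders_attempt == "behind the barn",
    }


if __name__ == "__main__":
    print(demo())
```

Note that this toy encrypts each character separately and deterministically, so identical letters produce identical ciphertext values; that is one reason real systems add random padding and why PGP uses the public key only to wrap a one-time session key rather than the message itself.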

How the Pretty Good Privacy protocol works. More about PGP on Zimmermann’s website.

By the time Phil Zimmermann started tinkering with encryption software in the early 90s, a number of public key standards had been developed by security firms, including a patented system—called RSA—developed by the MIT scientists who had initially helped invent the public key approach back in the 70s. If you were a large corporation or a government agency who could afford to license these privacy tools, robust encryption was readily available to you. But an ordinary user just trying to send an email without worrying about someone snooping on them was mostly out of luck.

RSA patent

Named after the initials of its three inventors, the RSA encryption technique led to the founding of the private company RSA Data Security, which would eventually be acquired by EMC in 2006 for $2.1 billion. One of Phil Zimmermann’s other legal troubles in the 90s involved a longstanding accusation by RSA Data Security that Zimmermann had illegally infringed on their patent for RSA by incorporating it into the PGP software he distributed for free around the world. The dispute was ultimately resolved in the late 90s.

For a stretch of time, Zimmermann’s work on what would become PGP was more of a hobby than a central pursuit. But then, in January of 1991, then-Senator Joe Biden co-sponsored a bill known as the “Comprehensive Counter-Terrorism Act” that included a clause that triggered alarm bells in Zimmermann’s mind—and in the minds of other privacy advocates around the country. “It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.” The proposed bill made it clear that Congress was getting ready to mandate that all encryption schemes include a “back door” where government agencies could get access to the data if a judge signed off on the surveillance request.

The proposed bill made it clear that Congress was getting ready to mandate that all encryption schemes include a “back door” where government agencies could get access to the data if a judge signed off on the surveillance request.
Counter-terrorism legislation and human rights

Counter-terrorism legislation has been on the international agenda since the 1930s, but only in the late 20th century did the push to use more national instruments to neutralize terrorists gain momentum. Counter-terrorism legislation usually includes amendments allowing the state to bypass its own laws, which raises concerns about abuse of state power under alleged suspicion of terrorism. Measures designed to tighten security, like the 1991 bill that would have forced communication equipment manufacturers to provide “back doors” for the government in their products, have been seen as abuses of power or even violations of human rights.

Back door. Illustration: Katarzyna Bogucka
“I missed five mortgage payments developing the software in the first half of 1991.”

Zimmermann realized that he was now racing against the clock. “It was a hard road to get to the release of PGP,” he later recalled. “I missed five mortgage payments developing the software in the first half of 1991.” But by June, he had the code in working order, including some clever tweaks to the approach to make it usable on ordinary home computers. Given his long history in the anti-nukes movement, Peacenet was a fitting platform to debut his software. Zimmermann made a modest, but ultimately ineffective, attempt to limit the spread of the encryption to the United States, a decision that would later prove critical to his legal battles. The version uploaded to USENET by a friend contained the tag “US only.” Zimmermann later confessed that he was confused about the way USENET handled geographic limitations. “In 1991,” he later explained, “I did not yet know enough about USENET newsgroups to realize that a ‘US only’ tag was merely an advisory tag that had little real effect on how USENET propagated newsgroup postings. I thought it actually controlled how USENET routed the posting.”

They were just two, seemingly insignificant, posts tossed out into a vast sea of digital information, one on Peacenet and one on USENET. But the gesture was a decisive one nonetheless. PGP now belonged to the world.

Racing against the clock. Illustration: Katarzyna Bogucka

From a peace activist to an illicit arms dealer

For the first year or so after the release, Zimmermann’s gambit seemed to have paid off. PGP began quietly circulating around the globe in the still-fringe community of cyber activists. In late 1991, someone in Latvia sent Zimmermann an email—typical of many he received during this period—that said: “Phil, I wish you to know: let it never be, but if dictatorship takes over Russia, your PGP is widespread from Baltic to Far East now and will help democratic people if necessary. Thanks.” The anti-terrorism bill that had prodded Zimmermann to release the software so quickly never actually became law, in part because of protests from civil liberties groups who argued that the surveillance it would enable was Orwellian in its scope.

But Zimmermann’s public release of PGP was ultimately threatened by the long history of encryption being used in military affairs. On a legal level, strong encryption was considered to be the equivalent of munitions, given the prominent role it had played in conflicts like World War II. And the United States had laws on the books that prevented arms dealers from exporting weapons to foreign countries without a special license from the State Department. Traditionally, those restrictions targeted machine gun or fighter jet manufacturers who were selling their physical goods to Saudi Arabia or Brazil. But if the legal definition of munitions included encryption software as well, then technically speaking, there was a case that it should also apply to a coder uploading data to the Internet for anyone in the world to use.

A successful prosecution could have put Zimmermann in jail for up to five years, accompanied by fines of up to a million dollars.

In February of 1993, Zimmermann got a call from two federal agents. “They said they wanted to talk about PGP,” he recalls now. “I just assumed they needed some advice—maybe they’d encountered it somewhere and just wanted to ask some questions. But then they said they wanted to visit me in Boulder, even though they were located in San Jose in California. And I thought: wait a minute—this doesn’t sound like they’re just looking for advice.”

Zimmermann hired a criminal lawyer named Phil DuBois, who arranged to have the agents conduct their interview in his office. Within a matter of months, a grand jury in California had been assembled, gathering evidence on whether Zimmermann had violated weapons-export law. A successful prosecution could have put Zimmermann in jail for up to five years, accompanied by fines of up to a million dollars. Asked now if the federal scrutiny was stressful, Zimmermann lets out a rueful laugh. “Oh yes,” he says. “I had a family and small children—I needed to protect them. Who was going to pay the mortgage if I was in prison? It was a pretty miserable experience.”

“I had a family and small children—I needed to protect them. Who was going to pay the mortgage if I was in prison? It was a pretty miserable experience.”

Many years later, after the statute of limitations on the alleged crime had expired, Zimmermann confessed: “My defense lawyers wouldn’t let me tell people that it was a human rights project, because that would be tantamount to admitting that I wanted it to be exported, since most of the human rights problems were overseas.” But his lawyers’ advice—and the looming pressure of the federal investigation—did not deter Zimmermann from spreading the gospel of PGP. He was detained by customs agents at Dulles Airport after returning from a trip to Hungary and Romania. “I don't have to explain to Eastern Europeans why it is important for the government not to get too powerful,” he told Wired Magazine at the time. Zimmermann’s bags were searched twice, and he was warned to expect similar treatment each time he attempted to return to the United States.

Crypto wars. Illustration: Katarzyna Bogucka

Zimmermann’s clash with the feds became one of the defining skirmishes in the “crypto wars” of the early 1990s, drawing attention to the importance of strong encryption and the dangers of giving governments back door access to enormous private communications channels. In part, these battles had been prompted by courageous acts of digital resistance undertaken by software activists like Phil Zimmermann. But they were also set in motion by a series of increasingly ambitious surveillance plans enacted by the US government. After the passage of a 1994 bill that forced phone companies to install automated wiretapping architecture in their digital networks, the FBI announced plans to ramp up its wiretapping capacity to enable it to monitor up to 1 percent of all phone calls, a massive increase compared to what it had previously been able to monitor using manual alligator clips on phone lines.

The fight for privacy

The “crypto wars” were a series of clashes between the US Government and a group of newly politicized technology experts that took place during the first half of the 90s, triggered by the growing use of network-connected computers during that period. While Phil Zimmermann’s run-in with the FBI over PGP encryption was arguably the most prominent skirmish in the crypto wars, it was rivaled by the government’s failed attempt to coerce manufacturers to include the so-called “Clipper Chip” on their telecommunications devices. Developed by the NSA, the chip included a cryptographically protected “backdoor” that would enable government agencies to intercept communications, along the lines of the wiretaps that had characterized government surveillance in the days of analog phones. Promoted heavily by the Clinton Administration, the Clipper Chip was ultimately defeated by watchdog groups like the Electronic Frontier Foundation, and an alliance between libertarian Republicans and civil-liberties-minded Democrats.

All these developments slowly turned popular opinion towards the side of the crypto advocates. MIT came to Zimmermann’s defense by publishing a 600-page book that included the PGP code, which meant that if Phil Zimmermann was an illegal arms dealer, then so was one of America’s most prestigious universities. The newly formed Electronic Frontier Foundation took on the case of another embattled cryptographer, leading to a landmark 1995 decision that declared that software code was a form of speech, and thus protected under the first amendment. In 1996, the feds announced that they were no longer pursuing a criminal indictment for the international release of PGP. After a strange, unwanted interlude as a rogue arms dealer, Phil Zimmermann went back to being what he had been all along: a programmer and civil liberties activist.

The foundation that protects our Internet civil rights

Now more than 40 years old, the Electronic Frontier Foundation (EFF) describes its mission as supporting “user privacy, free expression, and innovation through impact litigation, policy analysis, grassroots activism, and technology development.” The organization’s roots date back to an ill-conceived 1990 Federal raid on a game book publisher known as Steve Jackson Games, who were wrongly suspected of trafficking in information goods that might be exploited by terrorists. Outrage over the unwarranted search and seizure operation prompted three members of the online community the WELL—Lotus Software founder Mitch Kapor, Grateful Dead lyricist John Perry Barlow, and Sun Microsystems’ John Gilmore—to create a new organization devoted to protecting civil liberties on the emerging frontier of “cyberspace.”

[It led] to a landmark 1995 decision that declared that software code was a form of speech, and thus protected under the first amendment.

Code as speech

Zimmermann’s heroic stand—and the legal arguments put forth by the EFF—inspired a whole new generation of thinkers and software designers who recognized from the beginning that there were invariably political consequences to the software we use. “The crypto wars made a big impression on me,” science-fiction author and long-time EFF board member Cory Doctorow says now. “I was a larvum when Zimmermann released his code, but it did do something to radicalize me, and EFF's ‘code is speech’ legal victory is one of my pole stars.”

Philip Zimmermann. Courtesy Philip Zimmermann

PGP was later codified into a new standard known as OpenPGP, overseen by a working task force like many of the other shared protocols that provide the foundation for all of our online communications today. It remains the most popular method of encrypting email. Thanks to the widespread adoption of other forms of encryption, secure commerce has flourished on the Internet—and despite the FBI’s worries about sinister networks deploying Zimmermann’s tools to evade law enforcement, global terrorism has declined.

Freedom of code. Illustration: Katarzyna Bogucka

When journalists began sifting through the trove of data released publicly by Edward Snowden in 2012, documenting the vast extent of the NSA’s surveillance of private communication, they discovered one telling limitation in the leaked documents: countless intercepted messages that were left undeciphered, with only the note: “No decrypt available for this PGP encrypted message." More than two decades after Phil Zimmermann uploaded his initial message to Peacenet, the most powerful spy agency in the world still couldn’t crack his code.

PGP remains the most popular method of encrypting email.

Steven Johnson is the bestselling author of 13 books, including Where Ideas Come From. He’s the host of the PBS/BBC series Extra Life and How We Got to Now. He regularly contributes to The New York Times Magazine and has written for Wired, The Guardian, and The Wall Street Journal. His TED Talks on the history of innovation have been viewed more than ten million times.
