Why Use Encryption? Because Business Needs a Free Flow of Ideas.
David Kalat
How what was once considered “spy stuff” went on to facilitate online commerce, foster free expression and protect individual privacy around the world
On the morning of January 11, 1996, a computer programmer named Philip Zimmermann received welcome news that the US Attorney’s Office had dropped its case against him, and he no longer faced the risk of a million-dollar fine and five years in prison. Zimmermann’s alleged offense? He created the enormously popular PGP software, the first commercially available email encryption platform.
In 2019, this might not sound like much of a crime. But in the mid-1990s—in the internet’s relative infancy—government officials were grappling with how to deal with information that could cross the globe in a matter of minutes. They also discounted the potential benefits cryptographic tools could have for ordinary people and businesses.
Why use encryption if you’re aboveboard?
Historically, cryptography had been almost exclusively the domain of spies. But the advent of the Information Age moved more and more important functions onto networked computer systems, creating a need to protect those documents, communications and transactions. In the 1970s, several civilian mathematicians developed groundbreaking cryptographic algorithms, wrenching these previously arcane techniques out of the cloak-and-dagger world and into the hungry arms of consumers and businesses. The National Security Agency (NSA) and other three-letter government bodies charged with national security were aghast, fearful that their missions would be compromised once secure encryption became widespread.
Policing that new technology was absurdly difficult, however. The one meaningful leverage that the government could use to stem the flow of encryption technology was the issue of export controls.
The Department of State has the authority to regulate the export of so-called “munitions”—that is, anything that the State Department decrees has a fundamentally military purpose. Cryptography was considered a munition, meaning that the State Department could control whether any given encryption algorithm could be legally exported. Because software companies did not want to restrict their market to US buyers, this incentivized them to cooperate with the NSA in weakening encryption systems in ways that compromised their security and commercial value but appeased the spooks who wanted to keep their eavesdropping efforts unimpeded.
For decades, the situation remained at an impasse. The technology existed to provide greater security to consumers and users, and the businesses that made that technology wanted to provide it to their customers, who were in turn happy to pay for it—but governmental regulation stood in the way of cryptography reaching its full potential.
Then Philip Zimmermann came along.
Taking the use of encryption mainstream
Zimmermann’s playfully named “Pretty Good Privacy” software (or PGP), introduced in 1991, integrated strong encryption technologies into a user-friendly package and, crucially, was distributed over the internet as freeware, with the complete source code in every copy. Through a combination of naiveté, willful blindness and political chutzpah, he paid no heed to the prohibition on international distribution. Although he claimed that he had no role in distributing the program outside the US, it was not surprising when PGP began appearing around the world.
For the next three years, Zimmermann was a target of criminal investigations for exporting munitions without a license. The potential penalties were severe, and he did not have deep pockets to fund his defense.
In 1995, Zimmermann pulled a gonzo stunt that—depending on who tells the story—was either a bizarrely provocative gimmick or a clever ploy that ended the investigation. He arranged with MIT Press to publish the PGP source code in book form and then sought an export license for the book.
This put the government in a bind. Longstanding tradition, First Amendment principles and direct on-point precedent meant that the government would have to permit the export of the book—which would expose the prosecution of Zimmermann as a farce. How could it be a crime to distribute electronically something that could be lawfully distributed on paper? Alternatively, the government could oppose the export license—knowing that such a position would be overturned by the courts, creating a ruinous ruling for any continued regulation of cryptography.
Within months, the government dropped the case against Zimmermann. At around the same time, the Clinton administration began relaxing export controls on cryptography technologies generally. By 2000, there had been a complete about-face on crypto policy, all but removing meaningful regulations on the development and distribution of encryption systems.
What history tells us about when to use encryption
It is always difficult to put the genie back into the bottle—once the concepts behind secure encryption technologies started to circulate among computer scientists, those ideas were certain to propagate. Even if the NSA could go back in time and prevent the publication of various 1970s research papers that inaugurated this field, the ideas in question remain mathematical facts, waiting to be discovered.
The conflict arose because government agencies that attempted to regulate cryptography approached it from an antiquated viewpoint. While the government continued to think of cryptography as “spy stuff,” demand for these technologies grew because of their potential benefits to individual users and societies at large. While it is true that the advent of strong, commercially widespread cryptography has hampered law enforcement and complicated the ability of agencies like the NSA to protect national security, these same technologies have facilitated online commerce, fostered free expression and protected individual privacy for countless users around the world.