TBTF for 1996-01-14: PGP flies free

Sun, 14 Jan 1996 16:25:48 -0500

TBTF is back. After keeping to the rough twice-a-week publishing schedule through a busy holiday season, TBTF succumbed in early January to the demands of my day job. That New Year's resolution sure lasted quick...

Government drops prosecution of Philip Zimmermann, author of PGP

On January 11 the U.S. Attorney in San Jose announced the closing of the grand jury investigation of Philip Zimmermann. Since 1993 the Justice Department had been looking into whether Zimmermann exported PGP (Pretty Good Privacy), a program he wrote and gave to friends in 1991. PGP was the first freely available program that allowed ordinary people to encrypt messages sent over the Internet. PGP uses "strong cryptography" and so is officially classified as a munition under US law: the Munitions Control Act of 1954, commonly called "ITAR." Strong crypto is defined as any that uses a key length greater than 40 bits (the PGP key with which I sign these issues is 1024 bits long). It is illegal to export strong crypto from the US in digital form without a license from the State Department; the penalties are severe.

In 1991 someone posted PGP to the Internet. Zimmermann has maintained from the first that it was not he. The program quickly appeared on FTP sites around the world. PGP causes problems for governments other than that of the US; a few nations, including France, Iraq, Russia, and Iran, outlaw any use of encryption by their citizens.

The Federal case had been opened in 1993, but Zimmermann's legal troubles started earlier, when the president of RSA Data Securities phoned the Commerce Department and requested that they prosecute Zimmermann for theft. RSA held patents on some of the basic algorithms used in public-key cryptography and Zimmermann arguably had used these algorithms without obtaining a license. Now, patent infringement is not a federal crime but rather a matter for the civil courts; and Zimmermann didn't appear to have enough resources to make a civil suit worthwhile. Cypherpunk opinion holds that RSA literally "made a Federal case out of it" in order to frighten any other would-be infringers into compliance. (PGP also makes use of the IDEA algorithm, for which a worldwide patent has been granted in Switzerland.)

Privacy advocates, cypherpunks, and opponents of software patents have been watching this case closely, and not only for its mythic resonance (can you say "Prometheus"?). The US courts have consistently chosen not to interfere with the ITAR regulations, but the Zimmermann case presented a veritable forest of legal hairs ripe for splitting. Does the act of posting a program to the Internet constitute "exporting" it? Assuming you can prove who posted it, can you prove unequivocally that this person at the time of posting sufficiently understood the workings of the Net to know that this act made the program available to non-citizens? What might a clever lawyer not make of the ITAR provisions that outlaw exporting a program in binary form but allow it if the algorithm is printed on paper? How about if it is printed on a tee shirt (see TBTF for 1995-06-07) or tattooed onto a body?

Thus PGP and its author, users, and distributors have existed under several clouds since its inception. In June 1994 MIT dispelled some of the clouds when it took over distribution of PGP. MIT negotiated with the patent holders of both RSA and IDEA and arranged for distribution to US nationals only. The PGP 2.6 distribution removed all legal controversy from the use of PGP in the US.

The US Attorney for Northern California, as a matter of policy, did not say why the case was dropped. There has been much speculation on the Net as to the reasons, but no-one who actually knows has weighed in. A theory that the government no longer cared about the case because the NSA had cracked PGP was debunked by crypto experts. The best estimate of the amount of effort needed to break a 1024-bit key remains at 2.8 x 10^15 MIPS-years, or 200,000 10-MIPS computers running flat out for the estimated age of the universe to date.

My own guess is that the Justice Department foresaw difficulty in proving that Zimmermann had done anything to violate ITAR. The passage of time had rendered some of the complaints moot (for example, RSA no longer has rights to the public-key patents, which have reverted to Cylink -- see TBTF for 1995-09-24). And the ITAR regulations themselves are coming under fire from the commercial sector.

On the same day that the prosecutor dismissed the PGP case the Commerce Department released a study showing that American firms are being hurt by restrictions on the export of encryption software; a news report claimed that Commerce plans to recommend easing the export controls. The study was carried out with the help of the National Security Agency. One week before this the Computer Systems Policy Project had released a study claiming that as a result of export restrictions American companies stood to lose billions in computer system sales by the year 2000. (The CSPP is an association made up of the CEOs of 13 US computer and software manufacturers. See their page at <http://www.podesta.com/cspp/>.)

Followup: Compuserve, Usenet, and the German prosecutors

The German law that attempts to assure the protection of minors from influences pornographic is called Jugendschutzgesetz.

Here are some developments since the last issue:

The German magazine Stern reported a rumor that Compuserve's restrictions were enacted in response to legislation pending in the US Congress against "indecent" digital content, rather than in reaction to complaints from German authorities. As a motive Stern guesses at a desire to boost Compuserve's reputation as a morally responsible online service provider.

The most light shed in public on the history of this murky affair has come from Michael Kunze, who is on the editorial staff of Spiegel Online (run by the German magazine der Spiegel). His posting to alt.censorship has been reposted widely; I received no reply to my request to archive the article on TBTF, so instead will point you elsewhere.

Followup: More on Digital's Alta Vista spider

Flash Crowd: In three weeks the Alta Vista search engine went from 300,000 hits per day to 2M hits/day, making it one of the most visited sites in Cyberspace. I noticed no degradation in performance during Alta Vista's nosebleed acceleration in popularity. (To make searches even speedier I use the text-only interface at <http://altavista.digital.com/cgi-bin/query?text=yes>.) After its launch on 1995-12-15 (TBTF covered it on 12/18), Alta Vista won the "Too Cool" site award on 12/19 and the "Cool Site of the Day" award on 12/20. On 1996-01-10 Digital announced plans to commercialize Alta Vista, licensing the technology and possibly offering advertising. The search engine that many of us have come to depend upon will remain free, Digital said.

The following profile of the five servers that constitute Alta Vista is summarized from the Alta Vista About page.

Layer of ash separates morning and evening milk.


Copyright © 1994-2017 by Keith Dawson.