---
created_at: '2015-11-17T16:11:01.000Z'
title: Why I Wrote PGP (1999)
url: https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
author: pdkl95
points: 149
story_text:
comment_text:
num_comments: 47
story_id:
story_title:
story_url:
parent_id:
created_at_i: 1447776661
_tags:
- story
- author_pdkl95
- story_10581971
objectID: '10581971'
year: 1999
---
![Picture of Phil](../../images/photos/prz.jpg)
## Why I Wrote PGP
*Part of the Original 1991 PGP User's Guide (updated in 1999)*

*"Whatever you do will be insignificant, but it is very important that
you do it." -Mahatma Gandhi*

It's personal. It's private. And it's no one's business but yours. You
may be planning a political campaign, discussing your taxes, or having a
secret romance. Or you may be communicating with a political dissident
in a repressive country. Whatever it is, you don't want your private
electronic mail (email) or confidential documents read by anyone else.
There's nothing wrong with asserting your privacy. Privacy is as
apple-pie as the Constitution.

The right to privacy is spread implicitly throughout the Bill of Rights.
But when the United States Constitution was framed, the Founding Fathers
saw no need to explicitly spell out the right to a private conversation.
That would have been silly. Two hundred years ago, all conversations
were private. If someone else was within earshot, you could just go out
behind the barn and have your conversation there. No one could listen in
without your knowledge. The right to a private conversation was a
natural right, not just in a philosophical sense, but in a
law-of-physics sense, given the technology of the time.

But with the coming of the information age, starting with the invention
of the telephone, all that has changed. Now most of our conversations
are conducted electronically. This allows our most intimate
conversations to be exposed without our knowledge. Cellular phone calls
may be monitored by anyone with a radio. Electronic mail, sent across
the Internet, is no more secure than cellular phone calls. Email is
rapidly replacing postal mail, becoming the norm for everyone, not the
novelty it was in the past.

Until recently, if the government wanted to violate the privacy of
ordinary citizens, they had to expend a certain amount of expense and
labor to intercept and steam open and read paper mail. Or they had to
listen to and possibly transcribe spoken telephone conversation, at
least before automatic voice recognition technology became available.
This kind of labor-intensive monitoring was not practical on a large
scale. It was only done in important cases when it seemed worthwhile.
This is like catching one fish at a time, with a hook and line. Today,
email can be routinely and automatically scanned for interesting
keywords, on a vast scale, without detection. This is like driftnet
fishing. And exponential growth in computer power is making the same
thing possible with voice traffic.

Perhaps you think your email is legitimate enough that encryption is
unwarranted. If you really are a law-abiding citizen with nothing to
hide, then why don't you always send your paper mail on postcards? Why
not submit to drug testing on demand? Why require a warrant for police
searches of your house? Are you trying to hide something? If you hide
your mail inside envelopes, does that mean you must be a subversive or a
drug dealer, or maybe a paranoid nut? Do law-abiding citizens have any
need to encrypt their email?

What if everyone believed that law-abiding citizens should use postcards
for their mail? If a nonconformist tried to assert his privacy by using
an envelope for his mail, it would draw suspicion. Perhaps the
authorities would open his mail to see what he's hiding. Fortunately, we
don't live in that kind of world, because everyone protects most of
their mail with envelopes. So no one draws suspicion by asserting their
privacy with an envelope. There's safety in numbers. Analogously, it
would be nice if everyone routinely used encryption for all their email,
innocent or not, so that no one drew suspicion by asserting their email
privacy with encryption. Think of it as a form of solidarity.

Senate Bill 266, a 1991 omnibus anticrime bill, had an unsettling
measure buried in it. If this non-binding resolution had become real
law, it would have forced manufacturers of secure communications
equipment to insert special "trap doors" in their products, so that the
government could read anyone's encrypted messages. It reads, "It is the
sense of Congress that providers of electronic communications services
and manufacturers of electronic communications service equipment shall
ensure that communications systems permit the government to obtain the
plain text contents of voice, data, and other communications when
appropriately authorized by law." It was this bill that led me to
publish PGP electronically for free that year, shortly before the
measure was defeated after vigorous protest by civil libertarians and
industry groups.

The 1994 Communications Assistance for Law Enforcement Act (CALEA)
mandated that phone companies install remote wiretapping ports into
their central office digital switches, creating a new technology
infrastructure for "point-and-click" wiretapping, so that federal agents
no longer have to go out and attach alligator clips to phone lines. Now
they will be able to sit in their headquarters in Washington and listen
in on your phone calls. Of course, the law still requires a court order
for a wiretap. But while technology infrastructures can persist for
generations, laws and policies can change overnight. Once a
communications infrastructure optimized for surveillance becomes
entrenched, a shift in political conditions may lead to abuse of this
new-found power. Political conditions may shift with the election of a
new government, or perhaps more abruptly from the bombing of a federal
building.

A year after the CALEA passed, the FBI disclosed plans to require the
phone companies to build into their infrastructure the capacity to
simultaneously wiretap 1 percent of all phone calls in all major U.S.
cities. This would represent more than a thousandfold increase over
previous levels in the number of phones that could be wiretapped. In
previous years, there were only about a thousand court-ordered wiretaps
in the United States per year, at the federal, state, and local levels
combined. It's hard to see how the government could even employ enough
judges to sign enough wiretap orders to wiretap 1 percent of all our
phone calls, much less hire enough federal agents to sit and listen to
all that traffic in real time. The only plausible way of processing that
amount of traffic is a massive Orwellian application of automated voice
recognition technology to sift through it all, searching for interesting
keywords or searching for a particular speaker's voice. If the
government doesn't find the target in the first 1 percent sample, the
wiretaps can be shifted over to a different 1 percent until the target
is found, or until everyone's phone line has been checked for subversive
traffic. The FBI said they need this capacity to plan for the future.
This plan sparked such outrage that it was defeated in Congress. But the
mere fact that the FBI even asked for these broad powers is revealing of
their agenda.

Advances in technology will not permit the maintenance of the status
quo, as far as privacy is concerned. The status quo is unstable. If we
do nothing, new technologies will give the government new automatic
surveillance capabilities that Stalin could never have dreamed of. The
only way to hold the line on privacy in the information age is strong
cryptography.

You don't have to distrust the government to want to use cryptography.
Your business can be wiretapped by business rivals, organized crime, or
foreign governments. Several foreign governments, for example, admit to
using their signals intelligence against companies from other countries
to give their own corporations a competitive edge. Ironically, the
United States government's restrictions on cryptography in the 1990's
have weakened U.S. corporate defenses against foreign intelligence and
organized crime.

The government knows what a pivotal role cryptography is destined to
play in the power relationship with its people. In April 1993, the
Clinton administration unveiled a bold new encryption policy initiative,
which had been under development at the National Security Agency (NSA)
since the start of the Bush administration. The centerpiece of this
initiative was a government-built encryption device, called the Clipper
chip, containing a new classified NSA encryption algorithm. The
government tried to encourage private industry to design it into all
their secure communication products, such as secure phones, secure
faxes, and so on. AT\&T put Clipper into its secure voice products. The
catch: At the time of manufacture, each Clipper chip is loaded with its
own unique key, and the government gets to keep a copy, placed in
escrow. Not to worry, though: the government promises that they will use
these keys to read your traffic only "when duly authorized by law." Of
course, to make Clipper completely effective, the next logical step
would be to outlaw other forms of cryptography.

The government initially claimed that using Clipper would be voluntary,
that no one would be forced to use it instead of other types of
cryptography. But the public reaction against the Clipper chip was
strong, stronger than the government anticipated. The computer industry
monolithically proclaimed its opposition to using Clipper. FBI director
Louis Freeh responded to a question in a press conference in 1994 by
saying that if Clipper failed to gain public support, and FBI wiretaps
were shut out by non-government-controlled cryptography, his office
would have no choice but to seek legislative relief. Later, in the
aftermath of the Oklahoma City tragedy, Mr. Freeh testified before the
Senate Judiciary Committee that public availability of strong
cryptography must be curtailed by the government (although no one had
suggested that cryptography was used by the bombers).

The government has a track record that does not inspire confidence that
they will never abuse our civil liberties. The FBI's COINTELPRO program
targeted groups that opposed government policies. They spied on the
antiwar movement and the civil rights movement. They wiretapped the
phone of Martin Luther King. Nixon had his enemies list. Then there was
the Watergate mess. More recently, Congress has either attempted to or
succeeded in passing laws curtailing our civil liberties on the
Internet. Some elements of the Clinton White House collected
confidential FBI files on Republican civil servants, conceivably for
political exploitation. And some overzealous prosecutors have shown a
willingness to go to the ends of the Earth in pursuit of exposing sexual
indiscretions of political enemies. At no time in the past century has
public distrust of the government been so broadly distributed across the
political spectrum, as it is today.

Throughout the 1990s, I figured that if we want to resist this
unsettling trend in the government to outlaw cryptography, one measure
we can apply is to use cryptography as much as we can now while it's
still legal. When use of strong cryptography becomes popular, it's
harder for the government to criminalize it. Therefore, using PGP is
good for preserving democracy. If privacy is outlawed, only outlaws will
have privacy.

It appears that the deployment of PGP must have worked, along with years
of steady public outcry and industry pressure to relax the export
controls. In the closing months of 1999, the Clinton administration
announced a radical shift in export policy for crypto technology. They
essentially threw out the whole export control regime. Now, we are
finally able to export strong cryptography, with no upper limits on
strength. It has been a long struggle, but we have finally won, at least
on the export control front in the US. Now we must continue our efforts
to deploy strong crypto, to blunt the effects of increasing surveillance
efforts on the Internet by various governments. And we still need to
entrench our right to use it domestically over the objections of the
FBI.

PGP empowers people to take their privacy into their own hands. There
has been a growing social need for it. That's why I wrote it.

**Philip R. Zimmermann**
Boulder, Colorado
June 1991 (updated 1999)