LOST IN KAFKA TERRITORY

[Dave Farber <farber () central cis upenn edu>]

Copyright, 1995, U.S. News & World Report All rights reserved.


U.S.NEWS & WORLD REPORT, APRIL 3, 1995


LOST IN KAFKA TERRITORY


THE FEDS GO AFTER A MAN WHO HOPED TO PROTECT PRIVACY RIGHTS


If anyone on Earth can claim to be a cyberspace celebrity, it is Philip
Zimmermann, a soft-spoken data security consultant from Boulder, Colo. Every
day, he is discussed on the Internet and computer bulletin boards in nearly 200
countries and is deluged with E-mail that treats him as a hero, a villain or a
victim.




   This week, the Electronic Frontier Foundation, a cyberspace civil liberties
organization, will give Zimmermann a prestigious Pioneer Award, for helping
protect citizens' privacy by creating a powerful encryption program called
``Pretty Good Privacy'' (PGP) and making it available for free. It has been a
boon to those seeking to protect their E-mail and commercial transactions and,
in some notable cases abroad, shielding communications by human-rights groups
and dissidents in repressive countries.




   But law enforcement and intelligence officials have a different view of
Zimmermann's achievement. He is being investigated for possible violation of
federal arms-export laws because his ``cryptography for the masses'' has slipped
out of America. ``The ability of just about everybody to encrypt their messages
is rapidly outrunning our ability to decode them,'' worries a U.S. intelligence
official. ``It's a lot harder to eavesdrop on a worldwide web than it is to tap
a cable.'' Echoes James Kallstrom, assistant director in charge of the FBI's New
York office: ``We need balanced public policy because it has unbelievable
ramifications for business and law enforcement.''




   ``STRENGTHEN DEMOCRACY.'' There is no coherent policy, and Zimmermann could
end up paying for that. He says he feared for Americans' privacy rights and
decided to give away PGP in 1991 because Congress was considering banning it.
(No law ever passed.) He says he gave the program to friends, asking them to
distribute it only in the United States: ``I wanted to strengthen democracy, to
ensure that Americans could continue to protect their privacy.''




   But the encryption program ended up on the Internet and has been downloaded
by countless foreigners. So a grand jury in San Jose, Calif., has been gathering
evidence since 1993, pondering whether to indict Zimmermann for violating a
federal weapons-export law--a charge that carries a presumptive
three-to-five-year sentence and a maximum $1 million fine. The investigation is
being led by Silicon Valley Assistant U.S. Attorney William P. Keane; a grand
jury indictment must be authorized by the Justice Department in Washington.




   Zimmermann's woes raise big questions. Can machine-age law be applied fairly
to rapidly developing technology? Is putting software on a computer the same as
exporting it? Is he being strung out in a Kafkaesque nightmare as a warning to
others? Some intelligence officials concede that it's too late to keep
cryptography from spreading and say that intimidating distributors is the only
way they can hope to deter code makers.




   Beyond those issues, the case is saturated with irony. Powerful crypto is
already widely available on Internet-accessible computers. An MIT Internet site
distributes PGP, for example, as does a forum on the CompuServe commercial
service. The latter--easily reached via phone lines from Europe and
Asia--carries this impotent disclaimer: IF YOU ARE NOT A CITIZEN OF THE UNITED
STATES, DO NOT DOWNLOAD THIS FILE. Oddest of all, it is perfectly legal for a
foreign bad guy to buy books containing encryption codes and type them into a
computer.


OOPS!


If Zimmermann is indicted as an alleged arms merchant because his cryptography
ended up in foreign hands, then somebody in the U.S. government probably should
be prosecuted, too. In 1993, the National Institute of Standards and Technology
(NIST) inadvertently placed DES, a strong encryption program, on one of its
Internet-linked computers. Word spread quickly in cyberspace, and a U.S. NEWS
reporter easily found a file copy on a computer in Finland. A NIST spokesman
sheepishly admitted that the accidental crypto ``export'' was a mistaken attempt
to help U.S. computer users strengthen their security.




   Zimmermann says his motivation was also security-minded. It isn't comforting
to him, though, that he might be hanging his Pioneer Award in a prison cell.


BY VIC SUSSMAN