RSA was the encryption method here. Named after its three originators—Ronald Rivest, Adi Shamir, and Len Adleman—RSA was a virtually uncrackable form of public key encryption. So what did public key mean? Well, you didn’t have to worry about the wrong set of eyes seeing the jumble of letters and other characters that made up keys for messages transmitted to you. You could freely spread your public key around. Then someone who wanted to send something confidential to you didn’t have to contact you for a secret key known only to you. He could use your public key by way of his RSA software.
Simply put, the public key approach did away with a major problem: how to send descrambling tools over networks if the information itself wasn’t secured. People who didn’t know each other could trade public keys, then share secrets from the start. They could even use the same software to verify their identities with the help of trusted third parties, who “signed” the keys with sequences of their own. Imagine the many possibilities for allowing safe business transactions on networks between strangers. A lucrative business just might await Zimmermann if he added his own wrinkles.
With RSA, however, came a series of legal nightmares for Zimmermann. Starting work on his own software using RSA, he hadn’t any idea at the start that Rivest, Shamir, and Adleman would be claiming a patent on it.
The trio farmed their rights out to RSA Data Security and, eventually, Public Key Partners. Jim Bidzos, negotiating for RSA, in many ways stood out as a political and philosophical opposite of Zimmermann. Bidzos carried a Greek passport for business reasons but at the same time felt patriotic enough to have volunteered for the U.S. Marines. The way Bidzos tells the story (to Simson Garfinkel, author of PGP: Pretty Good Privacy), Zimmermann asked for a “free license” for use of RSA. “When I told him ‘No,’” Bidzos said, “he was really upset. He told me that he was behind on his mortgage payments and that he had invested years in writing this piece of software.” Bidzos said he suggested that Zimmermann try licensing the patent from a larger company.[[6.14]]
Zimmermann’s own side of the story differed starkly—in 1991 he wrote Jim Bidzos a letter saying that Bidzos and Ron Rivest had told him that “you would grant me a free license to make and sell products with your algorithm.”[[6.15]] A few years later he would note to the Wall Street Journal that he hadn’t sold PGP before his contract with ViaCrypt, one of RSA’s licensees.[[6.16]] He steadfastly maintained he had not broken any laws. Many on the Internet would have agreed, if for no other reason than that they considered software patents to be abominations. Without patents to limit them, many programmers felt they could be more creative. Their ethos was quite in line with the traditional Net ethos. The predecessor of the Internet, after all, hadn’t just been started to allow the Pentagon to survive nukes. It also existed to share knowledge.
By 1991 the patent issue wasn’t the only one dogging Zimmermann. The U.S. Senate was considering a law that would in effect ban Fedproof encryption here in the United States and potentially prevent him from selling the software on which he had been toiling for years now. Washington already forbade export of encryption abroad. The Cold War was winding down, but export controls were still draconian. Hadn’t we won World War II because our technology was better, because we had had nukes, because we could even snoop on secret code transmissions from the enemy? The export laws and the Pentagon put strong encryption equipment in the same category as munitions.
But what about at home? Not surprisingly, the FBI didn’t want the wrong technology to fall into the hands of dope rings, Mafiosi, and others planning or coordinating crimes. In 1991, then, perhaps at the Bureau’s request, Senator Joseph Biden of Delaware inserted the following language into an omnibus crime bill: “It is the sense of Congress that providers of electronic communications services and manufacturers of electronic communications service equipment shall ensure that communications systems permit the government to obtain the plain text contents of voice, data, and other communications when appropriately authorized by law.”
A Senate staffer assured civil libertarians that the measure would not ban strong encryption. Many disagreed. Computer Professionals for Social Responsibility, library groups, academics, and industry managed to get Washington to drop the offending language.
By then PGP was all over the Net. Smart lobbying, not the software, killed the Biden plan. But Zimmermann’s work was still a good, sound precaution against a relapse. Via bulletin boards and the Internet, a free version was circulating from one end of Planet Earth to the other, having gone overseas within a day of its release. In Zimmermann’s words, it spread “like thousands of dandelion seeds blowing in the wind.” PGP reached Russia and scores of other countries. It wasn’t like nuclear weapons or mini-computers; you couldn’t stop a ship from loading or search the luggage of the suspicious. No, PGP just moved silently over the wires as hackers throughout the world shared Zimmermann’s craft. The way Zimmermann told it, however, he had not broken any of the export laws. And others supported him.
Jim Warren, founder of InfoWorld and a software man respected for his civic activism on the Net, would later recall that Zimmermann gave PGP to an acquaintance named Kelly Goen, who “studiously” limited the uploads to electronic bulletin boards and Internet sites within the United States. Warren was aware of the uploading process while it happened. “The whole idea was to provide it to Americans,” he would remember, “so Americans could have personal privacy and security” in case the U.S. Senate tried to bottle up decent encryption.[[6.17]]