Testimony of Philip Zimmermann to
     Subcommittee for Economic Policy, Trade, and the Environment
                     US House of Representatives
                             12 Oct 1993
     Mr.  Chairman and members of the committee, my name is Philip
Zimmermann, and I am a software engineer who specializes in cryptography
and data security.  I'm here to talk to you today about the need to
change US export control policy for cryptographic software.  I want to
thank you for the opportunity to be here and commend you for your
attention to this important issue.
     I am the author of PGP (Pretty Good Privacy), a public-key
encryption software package for the protection of electronic mail.
Since PGP was published domestically as freeware in June of 1991, it has
spread organically all over the world and has since become the de facto
worldwide standard for encryption of E-mail.  The US Customs Service is
investigating how PGP spread outside the US.  Because I am a target of
this ongoing criminal investigation, my lawyer has advised me not to
answer any questions related to the investigation.
     I.  The information age is here.
     Computers were developed in secret back in World War II mainly to
break codes.  Ordinary people did not have access to computers, because
they were few in number and too expensive.  Some people postulated that
there would never be a need for more than half a dozen computers in the
country.  Governments formed their attitudes toward cryptographic
technology during this period.  And these attitudes persist today.  Why
would ordinary people need to have access to good cryptography?
     Another problem with cryptography in those days was that
cryptographic keys had to be distributed over secure channels so that
both parties could send encrypted traffic over insecure channels.
Governments solved that problem by dispatching key couriers with
satchels handcuffed to their wrists.  Governments could afford to send
guys like these to their embassies overseas.  But the great masses of
ordinary people would never have access to practical cryptography if
keys had to be distributed this way.  No matter how cheap and powerful
personal computers might someday become, you just can't send the keys
electronically without the risk of interception.  This widened the
feasibility gap between Government and personal access to cryptography.
     Today, we live in a new world that has had two major breakthroughs
that have an impact on this state of affairs.  The first is the coming
of the personal computer and the information age.  The second
breakthrough is public-key cryptography.
     With the first breakthrough comes cheap ubiquitous personal
computers, modems, FAX machines, the Internet, E-mail, digital cellular
phones, personal digital assistants (PDAs), wireless digital networks,
ISDN, cable TV, and the data superhighway.  This information revolution
is catalyzing the emergence of a global economy.
     But this renaissance in electronic digital communication brings
with it a disturbing erosion of our privacy.  In the past, if the
Government wanted to violate the privacy of ordinary citizens, it had to
expend a certain amount of effort to intercept and steam open and read
paper mail, and listen to and possibly transcribe spoken telephone
conversation.  This is analogous to catching fish with a hook and a
line, one fish at a time.  Fortunately for freedom and democracy, this
kind of labor-intensive monitoring is not practical on a large scale.
     Today, electronic mail is gradually replacing conventional paper
mail, and is soon to be the norm for everyone, not the novelty it is
today.  Unlike paper mail, E-mail messages are just too easy to
intercept and scan for interesting keywords.  This can be done easily,
routinely, automatically, and undetectably on a grand scale.  This is
analogous to driftnet fishing-- making a quantitative and qualitative
Orwellian difference to the health of democracy.
     The second breakthrough came in the late 1970s, with the
mathematics of public key cryptography.  This allows people to
communicate securely and conveniently with people they've never met,
with no prior exchange of keys over secure channels.  No more special
key couriers with black bags.  This, coupled with the trappings of the
information age, means the great masses of people can at last use
cryptography.  This new technology also provides digital signatures to
authenticate transactions and messages, and allows for digital money,
with all the implications that has for an electronic digital economy.
(See appendix)
     This convergence of technology-- cheap ubiquitous PCs, modems, FAX,
digital phones, information superhighways, et cetera-- is all part of
the information revolution.  Encryption is just simple arithmetic to all
this digital hardware.  All these devices will be using encryption.  The
rest of the world uses it, and they laugh at the US because we are
railing against nature, trying to stop it.  Trying to stop this is like
trying to legislate the tides and the weather.  It's like the buggy whip
manufacturers trying to stop the cars-- even with the NSA on their side,
it's still impossible.  The information revolution is good for
democracy-- good for a free market and trade.  It contributed to the
fall of the Soviet empire.  They couldn't stop it either.
     Soon, every off-the-shelf multimedia PC will become a secure voice
telephone, through the use of freely available software.  What does this
mean for the Government's Clipper chip and key escrow systems?
     Like every new technology, this comes at some cost.  Cars pollute
the air.  Cryptography can help criminals hide their activities.  People
in the law enforcement and intelligence communities are going to look at
this only in their own terms.  But even with these costs, we still can't
stop this from happening in a free market global economy.  Most people I
talk to outside of Government feel that the net result of providing
privacy will be positive.
     President Clinton is fond of saying that we should "make change our
friend".  These sweeping technological changes have big implications,
but are unstoppable.  Are we going to make change our friend?  Or are we
going to criminalize cryptography?  Are we going to incarcerate our
honest, well-intentioned software engineers?
     Law enforcement and intelligence interests in the Government have
attempted many times to suppress the availability of strong domestic
encryption technology.  The most recent examples are Senate Bill 266
which mandated back doors in crypto systems, the FBI Digital Telephony
bill, and the Clipper chip key escrow initiative.  All of these have met
with strong opposition from industry and civil liberties groups.  It is
impossible to obtain real privacy in the information age without good
     The Clinton Administration has made it a major policy priority to
help build the National Information Infrastructure (NII).  Yet, some
elements of the Government seem intent on deploying and entrenching a
communications infrastructure that would deny the citizenry the ability
to protect its privacy.  This is unsettling because in a democracy, it
is possible for bad people to occasionally get elected-- sometimes very
bad people.  Normally, a well-functioning democracy has ways to remove
these people from power.  But the wrong technology infrastructure could
allow such a future government to watch every move anyone makes to
oppose it.  It could very well be the last government we ever elect.
     When making public policy decisions about new technologies for the
Government, I think one should ask oneself which technologies would best
strengthen the hand of a police state.  Then, do not allow the
Government to deploy those technologies.  This is simply a matter of
good civic hygiene.
     II.  Export controls are outdated and are a threat to privacy and
economic competitiveness.
     The current export control regime makes no sense anymore, given
advances in technology.
     There has been considerable debate about allowing the export of
implementations of the full 56-bit Data Encryption Standard (DES).  At a
recent academic cryptography conference, Michael Wiener of Bell Northern
Research in Ottawa presented a paper on how to crack the DES with a
special machine.  He has fully designed and tested a chip that guesses
DES keys at high speed until it finds the right one.  Although he has
refrained from building the real chips so far, he can get these chips
manufactured for $10.50 each, and can build 57000 of them into a special
machine for $1 million that can try every DES key in 7 hours, averaging
a solution in 3.5 hours.  $1 million can be hidden in the budget of many
companies.  For $10 million, it takes 21 minutes to crack, and for $100
million, just two minutes.  That's full 56-bit DES, cracked in just two
minutes.  I'm sure the NSA can do it in seconds, with their budget.
This means that DES is now effectively dead for purposes of serious data
security applications.  If Congress acts now to enable the export of
full DES products, it will be a day late and a dollar short.
     If a Boeing executive who carries his notebook computer to the
Paris airshow wants to use PGP to send email to his home office in
Seattle, are we helping American competitiveness by arguing that he has
even potentially committed a federal crime?
     Knowledge of cryptography is becoming so widespread, that export
controls are no longer effective at controlling the spread of this
technology.  People everywhere can and do write good cryptographic
software, and we import it here but cannot export it, to the detriment
of our indigenous software industry.
     I wrote PGP from information in the open literature, putting it
into a convenient package that everyone can use in a desktop or palmtop
computer.  Then I gave it away for free, for the good of our democracy.
This could have popped up anywhere, and spread.  Other people could have
and would have done it.  And are doing it.  Again and again.  All over
the planet.  This technology belongs to everybody.
     III.  People want their privacy very badly.
     PGP has spread like a prairie fire, fanned by countless people who
fervently want their privacy restored in the information age.
     Today, human rights organizations are using PGP to protect their
people overseas.  Amnesty International uses it.  The human rights group
in the American Association for the Advancement of Science uses it.
     Some Americans don't understand why I should be this concerned
about the power of Government.  But talking to people in Eastern Europe,
you don't have to explain it to them.  They already get it-- and they
don't understand why we don't.
     I want to read you a quote from some E-mail I got last week from
someone in Latvia, on the day that Boris Yeltsin was going to war with
his Parliament:
     "Phil I wish you to know: let it never be, but if dictatorship
takes over Russia your PGP is widespread from Baltic to Far East now and
will help democratic people if necessary.  Thanks."
     Appendix -- How Public-Key Cryptography Works
     In conventional cryptosystems, such as the US Federal Data
Encryption Standard (DES), a single key is used for both encryption and
decryption.  This means that a key must be initially transmitted via
secure channels so that both parties have it before encrypted messages
can be sent over insecure channels.  This may be inconvenient.  If you
have a secure channel for exchanging keys, then why do you need
cryptography in the first place?
     In public key cryptosystems, everyone has two related complementary
keys, a publicly revealed key and a secret key.  Each key unlocks the
code that the other key makes.  Knowing the public key does not help you
deduce the corresponding secret key.  The public key can be published
and widely disseminated across a communications network.  This protocol
provides privacy without the need for the same kind of secure channels
that a conventional cryptosystem requires.
     Anyone can use a recipient's public key to encrypt a message to
that person, and that recipient uses her own corresponding secret key to
decrypt that message.  No one but the recipient can decrypt it, because
no one else has access to that secret key.  Not even the person who
encrypted the message can decrypt it.
     Message authentication is also provided.  The sender's own secret
key can be used to encrypt a message, thereby "signing" it.  This
creates a digital signature of a message, which the recipient (or anyone
else) can check by using the sender's public key to decrypt it.  This
proves that the sender was the true originator of the message, and that
the message has not been subsequently altered by anyone else, because
the sender alone possesses the secret key that made that signature.
Forgery of a signed message is infeasible, and the sender cannot later
disavow his signature.
     These two processes can be combined to provide both privacy and
authentication by first signing a message with your own secret key, then
encrypting the signed message with the recipient's public key.  The
recipient reverses these steps by first decrypting the message with her
own secret key, then checking the enclosed signature with your public
key.  These steps are done automatically by the recipient's software.
     Philip Zimmermann 3021 11th Street Boulder, Colorado 80304 303
541-0140 E-mail: prz@acm.org
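
The appendix's three operations (encrypt to a public key, sign with a secret key, sign then encrypt), as an added example that is not part of the testimony and is not PGP's code. It uses textbook RSA without padding on constructed keys built from small Mersenne primes; the ALICE/BOB names and all function names are assumptions.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def make_keypair(p, q):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))   # public (n, e), secret (n, d)

def to_int(data):
    return int.from_bytes(data, "big")
def to_bytes(x):
    return x.to_bytes((x.bit_length() + 7) // 8, "big")

def digest(msg, n):
    # Hash reduced mod n so it fits the toy modulus (no padding scheme).
    return to_int(hashlib.sha256(msg).digest()) % n

def encrypt(pub, msg):
    n, e = pub
    m = to_int(msg)
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(sec, c):
    n, d = sec
    return to_bytes(pow(c, d, n))

def sign(sec, msg):
    n, d = sec
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):
    n, e = pub
    return pow(sig, e, n) == digest(msg, n)

def sign_then_encrypt(sender_sec, recipient_pub, msg):
    n, e = recipient_pub
    sig = sign(sender_sec, msg)   # sig < sender's n, which must be < recipient's n
    return encrypt(recipient_pub, msg), pow(sig, e, n)

def decrypt_then_verify(recipient_sec, sender_pub, blob):
    n, d = recipient_sec
    msg = decrypt(recipient_sec, blob[0])
    return msg, verify(sender_pub, msg, pow(blob[1], d, n))

# Constructed keys from known Mersenne primes; far too short for real use.
ALICE_PUB, ALICE_SEC = make_keypair(2**61 - 1, 2**89 - 1)    # sender
BOB_PUB, BOB_SEC = make_keypair(2**107 - 1, 2**127 - 1)      # recipient
```

Production systems add padding and encrypt a random session key rather than the message itself; this block only mirrors the key relationships the appendix describes.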