US ENCRYPTION POLICY (PART II) - 'PRETTY GOOD PRIVACY (PGP)'
In my last column [1994 10 CLSR 138] I discussed the Clipper Chip/SKIPJACK encryption controversy in the United States and some of its worldwide implications. In this column I will discuss the 'other' encryption controversy that is going on: that of Philip Zimmerman's free encryption program, Pretty Good Privacy (PGP). PGP is a 'freeware' program that can be found on the Internet and is being used all over the world. It has become the Internet's de facto standard for encryption. Today PGP is widely used. For example, professors use PGP to secure prepublication material as it is sent from college to college for review. Human-rights activists use PGP to send information back and forth among other human-rights activists and others. William Buckley, in The Wall Street Journal, reported that last October Zimmerman got an E-mail message from Latvia during the siege between Boris Yeltsin and the Russian Parliament. The message thanked Zimmerman for developing PGP and noted that PGP was in use from the Baltic to the Far East. How PGP got on the Internet and the resulting legal implications are quite interesting. In the US, the export of cryptographic systems is illegal unless the shipment is authorized by the government. Cryptographic systems, like missiles, bombs, and F-16 jets, are considered 'munitions' and are governed by the government's Defense Trade Regulations, formally the International Traffic in Arms Regulations. Right now, a federal grand jury is looking into whether or not Zimmerman was responsible for the exporting of PGP via the Internet. In 1991, Zimmerman, concerned that individual privacy within society was becoming more dependent on the security of electronic communications, set out to write a 'high grade' encryption program for the masses. In the PGP documentation, Zimmerman, discussing privacy, says, "You may be planning a political campaign, discussing your taxes, or having an illicit affair. Or you may be doing something so that you don't want your private electronic mail (e-mail) or confidential documents read by anyone else. There's nothing wrong with asserting your privacy. Privacy is as apple-pie as the constitution."

In asserting one's right to privacy, Zimmerman makes an analogy to the use of postcards for letters, saying, "If you are really a law-abiding citizen with nothing to hide, then why don't you always send your paper mail by postcards? Are you trying to hide something? You must be a subversive if you hide your mail inside envelopes. Or maybe a paranoid nut." "What if everyone believed law-abiding citizens should use postcards for their mail? If some brave soul tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what he's hiding," Zimmerman argues. "Fortunately, we don't live in that kind of world, because everyone protects their privacy with envelopes. So no one draws suspicion by asserting their privacy with an envelope." Zimmerman wishes everyone used encryption for their day-to-day traffic. That way, he reasons, if everyone used encryption, then if you used encryption you wouldn't draw attention to yourself. He notes that covertly reading mail and tapping phones is a very labour-intensive process for the government, stating, "Today, if the government wants to violate the privacy of ordinary citizens, it has to expend a certain amount of expense and labour to intercept and steam open and read paper mail, and listen to and possibly transcribe spoken telephone conversations. This kind of labour-intensive monitoring is not practical on a large scale."

Zimmerman, in the documentation, goes on to note, "More and more of our private communications are being routed through electronic channels. Electronic mail is gradually replacing conventional paper mail. E-mail messages are just too easy to intercept and scan for interesting key-words. This can be done easily, routinely, automatically, and undetectably on a grand scale." He notes that international cablegrams are scanned today that way. It took Zimmerman roughly six months of full-time effort to develop PGP. In June of that same year, Zimmerman finished PGP and gave it to some of his friends. In turn, someone placed it on the Internet. From there, in seconds, it went all over the world. This 'export' is what concerns the US government. Zimmerman said in an article in the May 1994 edition of Reason magazine why he wrote PGP and gave it away. He said, "I didn't do it to make money...I did it to inoculate the body politic." PGP is very well written and uses the International Data Encryption Algorithm (IDEA) for the main encryption engine and a patented algorithm from RSA Data Security Inc. for its key exchange. Zimmerman used the RSA algorithm without permission, which causes problems with PGP's use in the United States. The RSA algorithm is protected by copyright, and in the documentation Zimmerman notes, "PGP uses a public key algorithm claimed by US patent #4,405,829. The exclusive rights to this patent are held by a California company called Public Key Partners, and you may be infringing this patent if you use PGP in the USA." Zimmerman notes that the RSA patent does not apply outside the United States. No one has yet been sued by RSA; however, they have asserted their rights when they found PGP in use. That is the reason why most companies and universities keep the 'freeware' version of PGP off their systems. The commercial version, marketed by a Phoenix, Arizona, firm, ViaCrypt, has a license to use the protected algorithm from RSA. While highly secure encryption is good for E-mail, there are problems with 'nonbreakable' encryption in the office place. The general feeling in business is that employees work for a company and the company has a right to all work products that the employee develops in the course of their duties for the company. This includes memos, reports, spreadsheets, programs, and so on.
However, some unscrupulous employees have tried to hold their employers hostage by withholding passwords. Most business software with password protection capabilities can be broken. WordPerfect, Word, PKZIP, Excel, Quattro Pro, Q&A, Quicken, Lotus 1-2-3, all have third-party decryption software available for them. This is not an inclusive list; there are many other software packages with password protection that can be broken. One employee with a manufacturing firm recently told company officials that if he didn't get a raise he would not release the password to a critical spreadsheet. The company, not to be intimidated, fired the employee on the spot. The employee didn't realize the company knew where to obtain the password cracking software before making this "career limiting decision". The current version of PGP (PGP 2.3a) is available from a number of sites around the world; some European anonymous FTP sites include: UK - src.doc.ic.ac.uk, directory: /computing/security/software/PGP; Italy - ghost.dsi.unimi.it, directory: /pub/security/; and Finland - nic.funet.fi, directory: /pub/unix/security/crypt/. For a more complete list of Internet sites, send an E-mail message to Hugh Miller at [email protected]. The commercial version by ViaCrypt is available at most software stores. A defence fund for Zimmerman has been set up to help cover Zimmerman's legal fees. Information about this fund can be obtained from Zimmerman's attorney, Philip Dubois, at [email protected]. To quote Zimmerman, "If privacy is outlawed, only outlaws will have privacy...PGP empowers people to take privacy into their own hands. There's a growing social need for it. That's why I wrote it."
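The hybrid layout the column attributes to PGP, a symmetric engine for the message body and RSA to carry the session key, as an added illustration that is not the page's or PGP's own code: textbook RSA on constructed tiny primes stands in for the real key exchange, and a SHA-256 keystream stands in for IDEA, so only the structure, not the security, is faithful.

```python
import hashlib
import secrets

# Textbook RSA on constructed tiny primes: the key-exchange half of the scheme.
# Demo key only; a real PGP key is hundreds of digits, this one is four.
P, Q, E = 61, 53, 17
N = P * Q                   # modulus 3233
PHI = (P - 1) * (Q - 1)     # 3120
D = pow(E, -1, PHI)         # private exponent, 2753
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)


def keystream(session_key: bytes, length: int) -> bytes:
    """Stand-in for IDEA: a SHA-256 counter-mode keystream (assumption, not PGP's cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_crypt(session_key: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))


def rsa_encrypt_session_key(session_key: bytes, public_key) -> list:
    """Wrap the session key under the recipient's public key (byte-wise, because N is tiny)."""
    e, n = public_key
    return [pow(b, e, n) for b in session_key]


def rsa_decrypt_session_key(wrapped: list, private_key) -> bytes:
    d, n = private_key
    return bytes(pow(c, d, n) for c in wrapped)


def pgp_style_encrypt(message: bytes, recipient_public_key):
    """Fresh random session key per message: bulk data under the symmetric engine,
    the key itself under RSA. Returns (wrapped_key, ciphertext)."""
    session_key = secrets.token_bytes(16)
    return (rsa_encrypt_session_key(session_key, recipient_public_key),
            symmetric_crypt(session_key, message))


def pgp_style_decrypt(wrapped_key: list, ciphertext: bytes, private_key) -> bytes:
    """Recover the session key with the private key, then unwrap the message."""
    session_key = rsa_decrypt_session_key(wrapped_key, private_key)
    return symmetric_crypt(session_key, ciphertext)
```

The split is why the column's patent discussion matters: the symmetric engine (IDEA) and the public-key step (RSA) are separate components, and only the latter is covered by the RSA patent it cites.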
LANDMARK $22 MILLION JURY AWARD FOR SOFTWARE INVESTOR

The Chicago intellectual property firm of Willian, Brinks, Hofer, Gilson, and Lione has won a $22 million software case for individual investor Delos M. Palmer in a jury trial in Toledo, Ohio. Palmer, who retired from Palmer & Associates, a Toledo consulting engineering firm, in 1987, sued his former lawyers and a software developer for malpractice and damages from diverted software royalties and merger proceeds. The principal defendants were Richard LaValley, Palmer's former Toledo attorney, and David Fulton, now a vice-president at Microsoft. Fulton was the president of Palmer's company and the author of FoxBASE. Additional defendants were Fox Software Inc. and Fox Holdings Inc., the two companies that merged in 1992 with Microsoft for 2 million shares of Microsoft stock, worth $140 million at the time of the merger and now worth approximately $185 million. Palmer brought suit claiming that after the FoxBASE program became popular in 1984 and 1985, LaValley and Fulton took the next program opportunities, FoxBASE+, FoxBASE+/Mac, and FoxPRO, to their own separate company, Fox Holdings Inc. One of the issues was whether or not Fox Software reused source code in its later programs after Palmer's investment of $40 000 in 1983 and 1984. Dr Eugene Spafford, a computer software forensics expert at Purdue University, established that the FoxBASE code was reused and that the structure of the earlier program had been used as an outline for subsequent Fox Software products.
Under cross-examination, Fulton admitted that approximately 20% of the FoxBASE source code had been reused. The case was initially presented as a copyright case; however, Mr Palmer's attorneys, William J. Cook and John R. Crossan, were able to introduce the investment opportunities issue and legal malpractice, which then dominated the proceedings. The Toledo jury found that the lawyers and software developer took the opportunity to develop a more lucrative version of the initial program from Palmer. Cook said that he and Crossan have petitioned the Court for an additional $88 million punitive damages, saying, "The goal of punitive damages in this case is to deprive the defendants of the benefit of their fraud scheme against Palmer." Commenting on the verdict, Crossan said this was, "An important decision for the computer industry. This finding also sends a loud, clear message that conflicts of interest involving corporate officers and lawyers will not be tolerated." Crossan went on to say, "This case demonstrates again the high ethical obligations of lawyers, why lawyers shouldn't do business with their clients, why full disclosure of conflicts of interest is essential, and why corporate officers may not conceal important facts." Bernard P. Zajac, Jr
Copyright (C) 1994, Bernard P. Zajac, Jr. Opinions expressed herein are those of ... District of Greater Chicago.
BOOK REVIEW

INFORMATION POLICIES

Information Transfer Policy: Issues of Control and Access by Tamara S Eisenschitz, 1993, hard-cover. Library Association Publishing, London, 175 pp., £28.00, ISBN 0853658293.
This book deals with the policies required to implement information transfer, whether enshrined in law or, less formally, in working practices. The first part of the book considers the nature of information in its social context and the channels by which it is communicated. Change and combining the use of information with its dissemination are explored, together with the effect of trends on existing policies. Among the issues which the author believes arise from the analysis are: what is information?; the impact of the gap between the information rich and the information poor in a society; the internationalization problem, whereby the use of information and its generation and transmission cannot be tied down to national boundaries; and the tension between information professionals and general managers, where the latter want to control budgets at the time when the former find their tools becoming increasingly complex. The text is recommended for those studying courses leading to an information science and technology qualification. Available from Book Point Ltd, 39 Milton Park, Abingdon, Oxon, OX14 4TD, UK, tel: +44 (0)235 835001.