path: root/transcripts/proof-of-work-summit/2023/zimmermann.mdwn

Philip Zimmermann

Proof of Work Summit

2023-09-26

I have been struggling to figure out what topic to discuss today. I wanted to talk with the conference attendees before deciding. I wanted to talk about the history of how we got here and the crypto wars of the 1990s.

It used to be illegal to export strong cryptography from the United States and the Western allies like Britain and France. US had only export controls but no domestic controls although they tried to impose domestic controls with the Clipper chip. Have you guys heard about the Clipper chip? It was a chip that the FBI was promoting to put in every phone to make secure phone calls and each chip had a unique key for encrypting the phone calls that the FBI had a copy of that key in a vast government database for wiretap purposes. Oddly enough much to the surprise of the FBI the free market did not choose to purchase products with the Clipper chip in it. Can't imagine why. Then the FBI said if people don't buy products with the Clipper chip in it then they would have no choice but to seek legislative relief, which means passing laws that would compel people to use the Clipper chip.

In the 1990s, it was a hostile environment for strong cryptography. The reason why the government had this attitude was because going back to World War II the outcome of the war was strongly influenced by the ability of the Allies to break the encryption algorithms of their enemies. Bleachly Park had the thousands of people working there and they broke the Enigma cypher. That was Alan Turing and his team was able to break that. They were also to break the Japanese codes. The Battle of Midway was decided by the fact that the Americans were able to read the Japenese traffic. This shortened the war by a few years. Also breaking Enigma and other German ciphers shortened the war by a couple of years and saving millions of lives.

You can see why they developed this attitude that it was important after WW2 it was important for the US and Britain and I guess I don't know what the French position was because they didn't have export controls on crypto but they did have export controls. It was important to the US and the UK that they continue to be able to break the encryption of their enemies in case there was another war. So they implemented export controls.

Fast forwarding several decades to the Internet age, and now in order to build the information society we have come to rely upon, the rest of society needed to have access to strong cryptography. It wasn't easy for the government to let go of their old attitudes about cryptography. We had to fight them for this in the 1990s. Part of that battle was PGP. When I published PGP in 1991, the government took the position that this was a violation of the Arms Export Control Act and they thought that publishing something on the Internet is the same as exporting. It goes everywhere like a dandelion in the wind. So they launched a criminal investigation and I was the target of this investigation for 3 years. From my point of view, the crypto wars of the 1990 was largely about me keeping out of prison. After the 3 years was passed and the government finally dropped the case against me without indicting me, we had several more years to go.

We had to fight for changing the laws until the end of the 1990s. It was in 2000 when the US government dropped the export controls on strong cryptography. The French had dropped their domestic controls a few years earlier. When the US dropped their export controls, the British did too, and they dropped their domestic controls as well.

We had to fight for the whole decade of the 1990s.

During that decade, we had broad participation from the whole of society. In this debate, we had the FBI which never changed their mind and they continued to doggedly insist that we hang on to the export controls. The NSA had dropped out of the debate because they decided that they were going to solve the problem in a different way. Rather than having export controls, they would concentrate their abilities on inserting malware in the endpoints and this became much more apparent when Snowden revealed how the NSA was doing that. We had broad participation from academia, journalists, Congress, from the court system, from human rights activists, from tech companies, just about everyone got involved. We kept pushing pressure on the Clinton Whitehouse to drop the export controls. 2000 was an election year and the Democrats felt that they had to win California and they felt it would be harder if they did not have the support of Silicon Valley. Almost all the entire roster of companies in Silicon Valley wanted the export controls to be gone.

There was also litigation going on to force the hand from getting the judiciary to have a say in the matter. Congress was also considering legislation to drop the export controls. The Executive decided to drop it because the other two branches were exerting pressure and they would force it if they didn't drop it. So, the executive branch dropped the export controls.

Since that time, we have seen the proliferation of strong cryptography in all kinds of products. Every web browser had SSL which we know today as TLS. They started upping the key length and making it stronger. Mail clients used also TLS to connect to mail servers. PGP was exported all over the world. VPNs emerged later. SSH. All kinds of protocols emerged that use strong cryptography. It was perfectly legal and it proliferated all over the world.

But now we find that 20 years later after we thought we won the struggle, some of the important Western democracies are coming back with kind of push back against end-to-end encryption. In particular, the Five Eyes plus India and Japan have been pushing to regulate end-to-end encryption. They don't care about client to server encryption because the law enforcement agencies can go to the bank, the server, or ecommerce site and demand that they turn over whatever records of your conversations with them. But end-to-end encryption they insist that we re-impose controls on end-to-end encryption which has been going on for the last few years.

I think this is a terrible mistake to regulate end-to-end encryption. It's thoroughly entrenched in so many products already. PGP was end-to-end encryption. Signal protocol is end-to-end encryption. Whatsapp uses the Signal protocol so that's another 2 billion users. There's no way to roll the clock back here, and there shouldn't be a way to do stop end-to-end encryption.

They have been complaining so much about being shut out of end-to-end encryption. Earlier today we heard another speaker Amir Taaki talking about "going dark" which was a quote from a 2013 FBI director. We're in the golden age of surveillance, you know. The FBI and other law enforcement peers are enjoying a period of pervasive surveillance. In the UK there are tens of millions of cameras all over the UK with facial recognition algorithms behind those cameras. The level of surveillance that the government has today is enormous. Imagine we have a huge 4k flat panel display with a few missing pixels and saying "oh my god we're going dark". No, it's just a few pixels they have not been able to penetrate. I would suggest that we should fight for the right to keep those few remaining pixels that still belong to us.

PGP started out as a human rights project. It was not a commercial product in the beginning. It was a human rights project. I wanted to make a tool to protect human rights workers in countries with autocratic governments and that they were operating in a very dangerous life-threatening environment and they needed to have some ways to secure their communications. That's what PGP was for. There was other encryption software at the time but it was weak encryption. That may have been good enough for commercial use because companies at that time were mainly concerned about their competitors. They didn't worry too much about their competitors being able to decrypt their communications because their competitors did not have significant cryptography capabilities anyway. So who cares if it was only 56 bit DES? That was good enough for companies.

But PGP was designed for a different threat model: the assumed intelligence agencies of the superpowers of the world. ... PGP had to have strong encryption. It had to do things in a way that made it accessible to the average person to use. It can't be a top-down architecture with trust dictated from on high. The prevailing wisdom in the 90s was that public keys should be signed by a certificate authority and there was really only one certificate authority which was RSA. It later spun out another company called Verisign and you would be forced to trust Verisign to sign keys and they would collect fees because they had a patent on public key cryptography.

PGP made it possible to do this in a more decentralized way where anyone could sign anyone else's keys. Keys would collect signatures from a lot of different people. As long as one of those signatures was from someone you trust, then you could assume that the name on the key goes with the key. Whoever signed it, was someone that you previously verified yourself. You assume that the name goes with the key because someone vouched for it, someone that you know and trust. Someone else might look at the same key with the same 20 signatures and they might trust it for a different reason because they know someone else in the 20 set of signers or something.

This was a decentralized grassroots trust model. I thought this was important for avoiding the centralized top-down trust model which was the prevailing wisdom at the time. You know the tears for fear song where everyone wants to rule the world? Everyone wanted to be at the top of the pyramid. PGP allowed a more grassroots approach. They would have groups of people and they would call it "PGP keysigning parties"- if you ever want to see a bunch of nerds in one place, that's a lot of nerds. Yes, they still happen.

That decentralized trust model I felt was more democratic and more immune to single points of failure of someone at the top being corrupt and signing a key that they shouldn't sign. For example, many years ago there was a certificate authority in the Netherlands called DigiNotar and they were in the business of signing TLS keys for money as a fee. A hacker broke into their servers and got their hands on the top-level signing key and then used that to forge certificates for lots and lots of websites like gmail, facebook, US government agencies, various social networks and mail server providers. And then he used those forged credentials, he gave them to the Iranian government who then used it to attack man-in-the-middle attacks on all the Iranian dissidents who were communicating their ideas about freedom in Iran. They then arrested the Iranian dissidents and put them in prison. If you need examples of what goes wrong in centralized trust models, look no further than the DigiNotar case where people were put in prison, tortured and maybe even killed because of a single point of failure where someone compromised a top-level signing key for certificate authority.

PGP has a decentralized trust model where you can decide which keys you want to trust. In a world of PGP, when DigiNotar happens then people could invalidate the DigiNotar key. The trust model made PGP unique.

That wasn't the only thing that we did to end the export controls. We also did something to make it easy to export strong cryptographic software source code by publishing the source code of PGP in a book. First it was MIT Press in 1994 or maybe it was 1995 when they published the source code to PGP. That was because I was planning to use it at trial if I was indicted and had to use it in trial I could point to the source code published by MIT Press and say see you don't have export controls on books it was published how can you send me to prison for publishing something that is in a book?

This is the last session? I have a few stories to tell.

So I was at a computer freedom and privacy conference in 1994. I was approached by Bob Prior who was the editor in chief of the MIT Press. It was a prestigious academic press that publishes computer science texts among others. He wanted to have them publish the PGP user manual. I said sure, why not. At that moment, I was still under criminal investigation by US customs for exporting PGP. So I asked to publish two books: first, the one he just asked for, the PGP user guide, and then I want a source code book published I want that published by MIT press. He asked why would I want something so strange? Well, at the same time that was going on, an engineer who worked for Qualcomm in california a guy named Phil Karn was suing the government because earlier he went down to the bookstore and bought a copy of Bruce Schneier's book Applied Cryptography and in that book there is some source code for the Federal encryption standard in an appendix of the book. He sent this book to the State department and applied for permission to export the book. It was called the commodities jurisdiction. He said he would like to export this book and the state department looked at this and said why are you bothering us with this question we don't have any rules against exporting books we're not in the business of preventing people from exporting books and of course you can have permission don't even ask us for permission. So they granted him permission to publish Applied Cryptography, Bruce's book. At the time I don't think he even knew Bruce Schneier. It wasn't Amazon at the time, it was probably bought from Borders book store. What the State department didn't know is that Phil had laid a trap for them. As soon as he got permission to export that book, he sent them a floppy disk and sent them a request to export a floppy disk and he said this floppy disk has source code for the federal standard. The State department said, well obviously not, we will not allow you to permission to export encryption software we don't give you permission for this. Phil then said wait a second, wait a second, you just gave me permission to publish and export this book, and the source code is identical. He took what was in the appendix of the book, he put it on a floppy disk, and now they were prohibiting them from exporting the floppy disk. He said you have to give me permission to export this because you already gave permission on this. They asked the NSA for advice and they said no, do not give them permission. So he had to appeal it through a few layers of administrative appeals and they kept saying no. And then he sued them in federal court.

At the time, when Bob Prior asked me about publishing a book and I said no let's do two books-- MIT Press did two books like I asked. They applied for the same form that Phil Carn filled out, asking for permission to export the book from MIT Press. It wasn't some subroutine or whatever. It was the full source code of PGP. It was 900 pages of source code. Even the makefiles were in there. Suddenly the State department realized they were in a real shitstorm of trouble because they were defendants in civil litigation in federal court. Phil Carn had trapped them with this and I was taking advantage of this trap along with MIT Press. By the way, they did not wait for permission: they started exporting the book immediately to their overseas resellers.

The State department never responded and never gave them permission nor ever denied them permission. They asked the NSA what to do and they said well whatever you do, don't say yes. They didn't say to say no. If they would have said no, then it would have been a big first amendment case in court. They just remained silent and never got back to MIT Press which is too bad because I was planning on using it at trial if I was indicted.

I didn't really care if they were going to say no, because I was going to use it. If they said yes, then I would use that at trial because it means that what I did wouldn't be so bad because- if they said yes to MIT Press, they know they would get a floppy disk in the mail the very next day. ((Didn't books used to get sold with floppy disks? or CDs?))

That was part of my strategy to win at trial in the event that I was indicted. In 1996, the government dropped the case against me. I started a company to sell PGP. The first thing we did was make a more advanced PGP with GUIs and windows and such. It was 5,000 pages of source code. We published it into a book. This time we made some effort into making it scanable with OCR. We had some friends in Europe that put a lot of effort into scanning it and it turns out it's not easy to scan C source code with OCR. You can do OCR with English because you can use dictionaries to resolve spelling ambiguities when you scan.

We found that it took about 1,000 man hours for them to hand-correct 5000 pages of C source code. We realized we had a terrible mistake by underestimating the difficulty of doing OCR scans of thousands of pages of C source code. We had 3 engineers myself included on making some special tools. Europe sent news about what kind of errors they had when they tried to scan it and we made tables out of those and tried to figure out what the most frequent errors were from OCR scanning. We wrote some software that had some heuristics for correcting those errors. We published that also in a book called "Tools for publishing source code via OCR". You could bootstrap the book because the first page in the book was a perl script that was smart enough to scan and fix the errors on the 2nd page and the 2nd page was another perl script but more dense than the first page and more complexity. Then that one was smart enough to fix the problems of the next 100 pages. There were 100 pages of C source code that had this really highly sophisticated heuristic to scan millions of lines of C source code and to automatically fix the errors based on the knowledge we gained from the inadequate effort we put into publishing the first attempt. When we tried it, it took 30 man hours.

After that, we were able to export arbitrary quantities of C source code without errors. I heard later from people in intelligence agencies that they realized they had lost and they were no longer able to stop the export of strong cryptography because now we had "Tools for exporting arbitrary amounts of C source code" or any source code. This was part of our strategy for bringing an end to the export controls.

In 2000, they relaxed the export controls and the crypto wars were over. I'd like to open it up for questions.

Q: Do you have any advice for advice for folks of a dissident orientation operating today? How to avoid going to jail? You have successfully done that. You fought your fight and didn't end up behind bars. What is a winning strategy?

A: It depends on what you are allegedly doing. I tried to conduct my legal defense team in such a way that we would previal. Each struggle has its own limits that it is testing. I would have to know something about each struggle to give advice on that. What I did was I tried to avoid appearance of being a fist-shaking libertarian saying let's stick it to the man. No, I was non-confrontional. I had a good legal defense team. I followed their advice. I did not insist on speaking in public about it. Most legal criminal defense lawyers would ever let their client speak in public. I was convinced that I had a better chance of winning if I would speak in public. I had multiple press interviews every week for years. I wore a suit in all interviews. I wanted to portray myself as a respectable professional. I was never a "sovereign citizen". I wasn't trying to take an anarchist or libertarian approach. I was trying to take a very sort of conservative respectable image that I was cultivating carefully and that seemed to work pretty well. 100% of the press interviews were sympathetic to me and critical to the government. I have done 1,500 press interviews and every single one of them turned out sympathetic. Even then, it still took years to get the export controls lifted. Even now, there is push back against end-to-end encryption. We have to push back against that. When I push back against it now, I don't take a controversial position by calling them stupid or misguided. I say this is a matter of national security. It used to be that they said national security. But no, I'm switching the tables now: I'm saying end-to-end encryption is important for national security. Today, we find ourselves in an environment where China has deployed lots of 5G infrastructure all over Europe. European countries are starting to realize that buying all this 5G gear from Huawei is a bad idea. I think they are trying to pull back. I don't know how long it will take them to clean this up. This means the entirety of society is dependent on this network infrastructure that is under the control of a potential adversary that we could be fighting a war against at some point. And so, this gives the Chinese an ability to do signals intelligence in Europe that is comparable to what the NSA can do. You might say well it's morally equivalent and there's no moral difference between China and the NSA but the NSA is not a sovereign state, it's under the direction of whoever we elect into the Whitehouse which was the problem with George W. Bush directing the NSA to spy on Americans and spy on everyone and violate enough laws that Edward Snowden to blow the whistle. But now I argue in favor of national security by saying all the European countries that have deployed Huawei gear are banking their national security apparatus and their tech companies and the whole of civil society is using a network under the control of a potential adversary and that's a bad place to be, and you need end-to-end encryption. I did some software development in Ukraine, and when I first visited there about 15 years ago I talked with some Ukrainian military guys and I asked about what would happen if Russia invaded. They said it would destroy us because all our battlefield radios are made in Russia. That's the same situation we find ourselves in when we use Chinese infrastructure for 5G. The one countermeasure we have against them-- well the best way against it is to dismantle their equipment and buy someone else's equipment. Besides that, if you are forced to use a communication network controlled by your adversary then you better be using end-to-end encryption. If law enforcement doesn't want end-to-end encryption because it makes their job slightly harder, then I would point out that if the cops have to work a little bit harder to avoid our nations getting owned by China then we need to end-to-end encryption to do that.

Q: How do we fight back-- how do we keep those black pixels on that 4k television you talked about earlier?

A: You can try to use the national security argument. I don't know if the European countries have a divergence between the law enforcement agencies and the national intelligence agencies. The information security directorate was the one that came out and recommended everyone get ready for post-quantum or quantum computers. The other part was signals intelligence. These two parts are not always on the same page. But the part of the NSA that is responsible for safe-guarding American communications... they participated in the NIST.. that was before the NSA changed their behavior, in the late 90s. I don't know what the European intelligence agencies feel about this. But I think there should be a split in the approach taken by law enforcement vs the intel agencies. I think intel agencies should recognize the need for end-to-end encryption to protect the whole of society against foreign intelligence agencies. Right now we are fighting a war in Ukraine. As much as the NSA was creating a lot of problems for me back in the 90s, but when I see what's going on in Ukraine today I'm glad the NSA is out there doing their job in the battlefield and intercepting Russian communications. That's what we pay them to do. It's not just NSA but also other Western nato intel agencies are participating in that. There's a legitimate need for intel agencies especially if there is a war like right now. But they were doing the wrong thing when George W Bush directed them to spy on Americans and people inside the NSA found moral objection to like Edward Snowden. He wasn't the only one. Half a dozen people before him were blowing the whistle.

During WW2, there were thousands of people working at Blechly Park breaking Enigma or breaking Japanese codes. None of them were blowing the whistle. Why? Because the UK was getting bombed every night. They had the moral certitude that what they were working on was morally important to do. Of course there were no whistleblowers. If you don't want whistleblowers, then you should have your intel agency do things that people agree is moral. And that's not what the NSA was doing. Instead they were doing morally questionable things, and that's why Snowden and the other whistleblowers came forward.