PGP, the Universe, and Everything

WASHINGTON, DC -- While on my first vacation in two years, I sat down at a friend's house not far from the Pentagon to research this month's column. It's about a software program that has caused all sorts of trouble and could be -- if the powers that be are to be believed -- a terrible threat to the national security of... well, somebody.

Pretty Good Privacy (commonly known as PGP) was the creation of Philip Zimmermann, who first uploaded the source code into a USENET newsgroup in June 1991. His personal belief was that everyone in cyberspace should have the best encryption software money could (or couldn't) buy. Unfortunately for him, everything that has anything to do with encryption comes under the direct control of the spooks at the US National Security Administration (NSA). The feds later went after the guy for violating US export control laws, but eventually dropped the charges in January 1996.

For those who are not familiar with it, PGP is, as its name suggests, pretty good stuff. Computer files encrypted with PGP are said to be almost unbreakable. Don't count on it.

The whole issue of encrypting messages on the Internet comes about because an e-mail message is no more secret than a postcard; whoever handles it can read it. Encryption, then, is just a way of adding an envelope to the electronic version of a letter.

Paranoia -- on the part of both governments and the general public -- is also a growing factor. Governments are worried about drug dealers, child pornographers, and good old-fashioned terrorists using the Internet to plot their dirty deeds. And the general public is, with some justification, worried about Big Brother getting a little bit too nosy.

While in Washington doing my research into PGP and software encryption in general, I was able to speak to some one-time spooks who were quite familiar with the topic, including an expert on cryptography. I learned that PGP is good stuff but, in their opinion, a waste of time for more than just casual secrecy.

They suggested that, with so many Internet messages flying around, the only ones capable of targeting and intercepting a given e-mail message would be a government agency like the NSA. And that will only happen if they are specifically interested in you. If your e-mail is being intercepted by the government, then your phone is certainly tapped as well, and two guys are always sitting in a parked car in front of your house. (Feel a sudden urge to peek out the window?)

They also told me that no encryption scheme is foolproof. Codes and cryptography have been around and evolving as long as there have been secrets. Wars have been lost, and empires have crumbled, because users believed that their codes could not be broken. (Just ask the Japanese how well their "purple code" worked during World War II.)

Just because something like PGP cannot be broken by anyone today (and who can be certain it can't?) does not mean it won't be kid stuff in a few years. The fact that the source code is available to the public virtually ensures that the NSA and their counterparts have been working on cracking it for some time.

Still, credit card numbers, business secrets, and stuff less dramatic than nuclear weapon blueprints need to be kept from prying eyes. Is PGP a good tool to use? Yes. Is it legal to use? Yes, although there are restrictions depending on where you live.

As of November, the most recent implementation of PGP was version 2.6.3 in the United States. Overseas, there is a version called 2.6.3i (the "i" for international), which is based on PGP source code illegally exported from the US. (But not illegal to be in possession of, so relax.) Among the reasons why PGP has a lot of legal baggage is that it uses certain patented algorithms that are the property of others.

Possessing and using any version of PGP in Japan is not illegal -- at this time. One problem that might occur, though, would be if you fly to the US and then return to Japan. If you have PGP on your laptop when you leave the US, be advised that you are breaking the law.

This could open up a whole can of legal worms over the status of the contents of your laptop computer. Customs searches your baggage, after all. Is it reasonable for them to search the contents of your hard disk when you enter or leave a country? To my knowledge, there have been no cases to date of this happening, but give it time.

Encryption issues aside, PGP is a difficult program to set up and learn how to use. For best results, run it under DOS or Unix. (The Mac version, I am told, is not that reliable.) You'll need a Windows front-end to get it to work properly with other Windows programs.

To learn more about PGP, or to obtain a copy, the best place to go on the Net is a Norwegian-based site called "The International PGP Web Page" (http://www.ifi.uio.no/pgp/). The latest information on PGP's legal status is also posted there.

In closing, I would like to stress that none of the information here should be in any way taken as endorsing illegal activity. Even though many people (myself among them) think that many of the laws surrounding software encryption are silly and outdated, they are still laws. Breaking them, and facing the consequences, just to ensure that nobody knows what you are buying Aunt Sue for her birthday is stupid.


Thomas Caldwell is a radio correspondent and Japan marketing manager for the United Press International Tokyo Bureau. E-mail: caldwell@gol.com.