PGP Marks 30th Anniversary
6 June 2021
Today marks the 30th anniversary of the release of PGP 1.0.
It was on this day in 1991 that Pretty Good Privacy was uploaded to the Internet. I had sent it to a couple of my friends for distribution the day before. This set in motion a decade of struggle to end the US export controls on strong cryptographic software. After PGP version 1.0 was released, a number of volunteer engineers came forward and we made many improvements. In September 1992 we released PGP 2.0 in ten foreign languages, running on several different platforms, upgraded with much better cryptography and new functionality, including the distinctive trust model that helped PGP become the most widely used method of email encryption.
I became the target of a criminal investigation for violating the Arms Export Control Act by allowing PGP to spread around the world. This further propelled PGP's popularity. The government dropped the investigation in early 1996, but the policy debate raged on, until the US export restrictions finally collapsed in 2000. PGP ignited the decade of the Crypto Wars, resulting in all the western democracies dropping their restrictions on the use of strong cryptography. It was a storied and thrilling decade, and a triumph of activism for the right to have a private conversation.
I wanted PGP to be used for human rights applications. I wanted it to spread all over the world, especially to places where people needed protection from their own governments. But I couldn't say that out loud during the criminal investigation, because it would help the prosecutor prove intent.
The most dramatic PGP stories came from outside the US. PGP helped enable the safe evacuation of 8000 civilians from mortal danger during the Kosovo conflict. While attending the 2014 National Cybersecurity Hall of Fame ceremony, a guy from the HUMINT community approached me to thank me because he said he had some colleagues who were alive today because of PGP. Human rights groups documenting war crimes in Guatemala, protecting witnesses from reprisals from the military. Human rights workers in the Balkans. Political resistance in Burma in the 1990s. There were so many stories like that over the years.
In 2004, Robert Morris Sr., who had retired from NSA, told me that when PGP first appeared on the scene along with its source code, the NSA was particularly worried that the source code would show a lot of people how to develop strong public key crypto software, and the skills would proliferate.
Here we are, three decades later, and strong crypto is everywhere. What was glamorous in the 1990s is now mundane. So much has changed in those decades. That's a long time in dog years and technology years. My own work shifted to end-to-end secure telephony and text messaging. We now have ubiquitous strong crypto in our browsers, in VPNs, in e-commerce and banking apps, in IoT products, in disk encryption, in the TOR network, in cryptocurrencies. And in a resurgence of implementations of the OpenPGP protocol. It would seem impossible to put this toothpaste back in the tube.
Yet, we now see a number of governments trying to do exactly that. Pushing back against end-to-end encryption. We see it in Australia, the UK, the US, and other liberal democracies. Twenty years after we all thought we won the Crypto Wars. Do we have to mobilize again? Veterans of the Crypto Wars may have trouble fitting into their old uniforms. Remember that scene in The Incredibles when Mr. Incredible tries to squeeze into his old costume? We are going to need fresh troops.
The need for protecting our right to a private conversation has never been stronger. Many democracies are sliding into populist autocracies. Ordinary citizens and grassroots political opposition groups need to protect themselves against these emerging autocracies as best as they can. If an autocracy inherits or builds a pervasive surveillance infrastructure, it becomes nearly impossible for political opposition to organize, as we can see in China. Secure communication is necessary for grassroots political opposition in those societies.
It's not only personal freedom at stake. It's national security. The reckless deployment of Huawei 5G infrastructure across Europe has created easy opportunities for Chinese SIGINT. End-to-end encryption products are essential for European national security, to counter a hostile SIGINT environment controlled by China. We must push back hard in policy space to preserve the right to end-to-end encryption.