Philip Zimmermann

Letters to Phil from human rights groups

Date: Tue, 03 Aug 1999 18:02:47 -0400
From: <> Patrick Ball
Subject: PGP & Guatemala


Dear Phil --

When you came to Guatemala with me in January, 1999, you met some of the human rights activists who had been using PGP to keep their sensitive data safe. But I've learned since then that all four of the big human rights monitoring projects used PGP for one or another purpose.

You met staff from the International Center for Human Rights Research (CIIDH in the Spanish acronym). They used PGP to encrypt their databases every night so that if a death squad attacked the office, the data would not be accessible. Since the databases contained the names of witnesses who could have been threatened or injured if perpetrators of atrocities had known about the testimonies, our security was very important. As far as we know, no information leaked from the project.

You also met a few staff from the Commission for Historical Clarification (CEH), where PGP was used to encrypt email that was sent to and from researchers working on the Commission's behalf in other countries. The investigations were secret, and even though the results of the investigations were eventually published, the process had to be conducted in absolute confidentiality. Other strong cryptographic applications were used to secure information (lists of witnesses, report drafts, etc) on researchers' hard disks. There were no allegations of leaks that resulted from electronic surveillance on the Commission.

Recently, a technical worker formerly at the UN Verification Mission (MINUGUA) has written about how people there used PGP to encrypt email that they sent across public telephone lines. The encrypted email contained reports from the field offices, much of which included information on ongoing investigations and other highly sensitive data. PGP made possible much faster reactions and better analysis in the central office, which in some cases probably saved the lives of people on behalf of whom MINUGUA intervened.

Another technical worker, this one from the Catholic Church's Project for the Recuperation of Historical Memory (REMHI), recently sent me a letter in which he described REMHI's use of PGP. Like the CEH, REMHI needed to communicate with researchers in the US and Europe about sensitive investigations using documents available in those countries. The content of the information was not itself sensitive, but the if the existence of the investigation had been known, reprisals could have been directed at REMHI staff.

Remember that three days after the publication of REMHI's report in April, 1998, the director of the project (Monseñor Juan Jose Gerardi) was murdered. The perpetrators have still not been identified, but it is very likely that they were linked to the Guatemalan military. If the perpetrators of this murder had known about REMHI's investigations -- perhaps by tapping REMHI's email, if it had not been encrypted -- the reprisals may have come earlier (potentially preventiing the release of the report) and the violence could have been directed against more people.

All of these projects used freeware, DOS versions they obtained from Europe. As you once remarked to me, using the drag-and-drop versions we forget how difficult the old DOS versions were to use. But human rights workers in Guatemala, many of whom were not terribly technically sophisticated five years ago, needed security badly enough to learn how to do it.

As early as 1994, people in Guatemala were talking about the importance of using strong cryptography, and how they could legally obtain the tools they needed. As a AAAS consultant and later as a staff person, I trained activists in all four of these groups to use PGP, and I can testify that they were very eager students. Human rights groups are committed to the rule of law, and so using the software legally was and is important to them. It wasn't easy, but it was possible to arrange for people to bring floppy disks from Europe. Now, with the Internet, it is much easier for human rights groups to get PGP from the PGP International site.

On behalf of human rights workers in Guatemala, I want to repeat the thanks that many of them told you personally when you visited in January. Freeware PGP has been and continues to be a tremendous service to human rights, and we appreciate your efforts on our behalf.

Patrick Ball, Ph.D.
Deputy Director
Science and Human Rights Program
American Association for the Advancement of Science


PGP saved lives in Kosova!

The following email I received in 2000 from Sweden tells quite a compelling story. I've deleted the sender's name, and corrected some minor typos. - Philip Zimmermann

From: [name and email address deleted]
Subject: PGP saved lives in Kosova!
Date: Tue, 14 Mar 2000 16:42:56 +0100
Organization: Kosova Information Office, Stockholm

Mr. Zimmermann,

I'm a new user of the PGP, who has found out about the usefulness of it from my younger brother.  My kid brother F. is 24 and served as a rebel freedom-fighter with KLA in Kosova during winter 1998 and spring 1999. He was stationed at a crucial KLA Command & Control center in a secret location in south Kosova, near border with neighboring Albania, one which survived the Serb outrage and remained fully operational even at the last stages of NATO air assault.

According to him, both sides took shots on surveilling each other's comlines during the war, as it usually happens, the central government definitely though having the upper hand in both resources and manpower. The peasant guerillas of KLA took heavy casualties during fall 1998, partially due to the fact that they had to rely on couriers to pre-coordinate any action, which in effect made them simply too slow. Phones, faxes, emails were, according to him, all taped by the government, who had bought an English system (2001 something? sorry, but I'm not in with the details), which, he says, surveilled a great many calls/min and got activated with code-words. I'm not quite sure, as I said, about the details of all this, but this is just so that you get the big picture.

And then, some within KLA came up with the PGP! Soon, all their C&C centers had cheap laptops and Internet connections through cellular phones. My brother is totally convinced that it saved the lives of hundreds of good men, who otherwise would have had no chance. According to him, PGP made KLA sharper and able to save thousands of refugees from being slaughtered. In one particular episode, in a hillside area in SE of Kosova called the Berisha mountains, he says KLA units were able to make an orderly retreat, together with some 8000 civilians and, during all this time, to communicate their plight to the outside world, with the help of PGP.

I guess what I'm trying to say is that I'm grateful to have my brother back alive, and that I very strongly feel that the US government, France and others should let PGP be. Sometimes, even the best of the governments make mistakes; and then, it would be nice for the little people to have a life of their own to fall back to.

Thanks for the PGP, Mr. Zimmermann! You did the right thing.


[name deleted]
[phone number deleted]

In 1996 I received the following letters by email from Central Europe. With the sender's permission, I released the letters to the public, with the sender's name deleted, and some minor typos corrected. - Philip Zimmermann

Thanks from Central Europe

Date: Sat, 09 Mar 1996 19:33:00 +0000 (GMT)
From: [name and email address deleted]
Subject: Thanks from Central Europe
To: Philip Zimmermann

Dear Phil,

This is a short note to say a very big thank you for all your work with PGP.

We are part of a network of not-for-profit agencies, working among other things for human rights in the Balkans. Our various offices have been raided by various police forces looking for evidence of spying or subversive activities. Our mail has been regularly tampered with and our office in Romania has a constant wiretap.

Last year in Zagreb, the security police raided our office and confiscated our computers in the hope of retrieving information about the identity of people who had complained about their activites.

In every instance PGP has allowed us to communicate and protect our files from any attempt to gain access to our material as we PKZIP all our files and then use PGP's conventional encryption facility to protect all sensitive files.

Without PGP we would not be able to function and protect our client group. Thanks to PGP I can sleep at night knowing that no amount of prying will compromise our clients.

I have even had 13 days in prison for not revealing our PGP pass phrases, but it was a very small price to pay for protecting our clients.

I have always meant to write and thank you, and now I am finally doing it. PGP has a value beyond all words and my personal gratitude to you is immense. Your work protects the innocent and the weak, and as such promotes peace and justice, quite frankly you deserve the biggest medal that can be found.

Please be encouraged that PGP is a considerable benefit people in need, and your work is appreciated.

Could you please tell us where in Europe we can find someone who can tell us more about using PGP and upgrades etc. If you can't tell us these details because of the export restriction thing, can you point us at someone who could tell us something without compromising you.

Many thanks.

[ I sent him a response and asked him if I could disclose his inspiring letter to the press, and also possibly use it in our ongoing legislative debates regarding cryptography if the opportunity arises to make arguments in front of a Congressional committee. I also asked him to supply some real examples of how PGP is used to protect human rights. He wrote back that I can use his letters if I delete his organization's name "to protect the innocent". Then he sent me the following letter. --PRZ ]

More News from [Central Europe]

Date: Mon, 18 Mar 1996 15:32:00 +0000 (GMT)
From: [name and email address deleted]
Subject: More News from [Central Europe]
To: Philip Zimmermann

Dear Phil,

I have been thinking of specific events that might be of use to your Congressional presentation. I am concerned that our brushes with Governments might be double-edged in that Congress might not like the idea of Human Rights groups avoiding Police investigation, even if such investigations violated Human Rights.

However we have one case where you could highlight the value of PGP to "Good" citizens, we were working with a young woman who was being pursued by Islamic extremists. She was an ethnic Muslim from Albania who had converted to Christianity and as a result had been attacked, raped and threatened persistently with further attack.

We were helping to protect her from further attack by hiding her in Hungary, and eventually we helped her travel to Holland, while in Holland she sought asylum, which was granted after the Dutch Government acknowledged that she was directly threatened with rape, harrassment and even death should her whereabouts be known to her persecutors.

Two weeks before she was granted asylum, two armed men raided our office in Hungary looking for her, they tried to bring up files on our computers but were prevented from accessing her files by PGP. They took copies of the files that they believed related to her, so any simple password or ordinary encryption would eventually have been overcome. They were prepared to take the whole computer if necessary so the only real line of defence was PGP.

Thanks to PGP her whereabouts and her life were protected. This incident and the young woman's circumstances are well documented.

We have also had other incidents where PGP protected files and so protected innocent people. If the US confirms the dubious precedent of denying privacy in a cavalier fashion by trying to deny people PGP , it will be used as a standard by which others will then engineer the outlawing of any privacy. Partial privacy is no privacy. Our privacy should not be by the grace and favour of any Government. Mediums that ensured privacy in the past have been compromised by advances in technology, so it is only fair that they should be replaced by other secure methods of protecting our thoughts and ideas, as well as information.

I wish you well with your hearing.

Yours most sincerely

[name deleted]

New Message from Europe

Date: Tue, 19 Mar 1996 10:35:00 +0000 (GMT)
From: [name and email address deleted]
Subject: New Message from Europe
To: Phil Zimmermann

I hope our story helps. Here is a little tale of pre-PGP days.

In the bad old days before we had PGP and before the revolution in Romania, we used to send couriers to Romania to meet with dissidents and help collate information about their troubles.

Organizing such trips was a nightmare because briefing couriers to be able to find people, and then bring out accurate reports was quite difficult. Any document was liable to be confiscated, and any notebook with names and addresses would be taken if found by the Police and every Romanian in the book would be visited by the security Police. Yet sometimes we would be given large files of documents to take to the Human Rights Agencies in the West, and couriers would have to visit several dissidents.

As Foreigner's you were required to stay in designated hotels, it was illegal to stay in a private home. You were followed, and meetings with dissidents were a stressful experience for everyone.

We eventually started to use handheld psion computers to carry information about travel directions, name and addresses, and to input files etc. No sensitive information was carried in the memory of the psion but in a separate memory cartridge. The cartridge resembled a battery, and the psion looked like a sophisticated calculator, so we relied on the Romanians ignorance of that technology, and on keeping the two items separate when travelling.

This worked very well until the late eighties when a courier was arrested at the Romanian\Hungarian border, during the initial search the memory cartridge was overlooked, and as such the courier was able to keep the memory cartridge. Later in the day, he was being walked between two buildings when he had opportunity to throw the memory cartridge into a fast moving river ! All very heady stuff, but everyone back in the office was off the wall for several days until the courier was eventually released and able to confirm the destruction of the memory cartridge.

Since PGP, we have been able sleep better at nights.

The following story is not for publication as we could easily be identified... [story deleted] ...

So as you can see the issue of Privacy here is not about tax evasion or child pornography, but the on-going determination by various groups including parts of the media, and Government Agencies, to know everything and to then to profit by such knowledge financially or by the destruction of those opposed to them.

In this part of the world PGP is a common sense idea that protects ordinary people from those who have power that they are prepared to abuse. There is no Constitution, enforced by capable courts in this part of the world able to protect us from such abuses, so we must have the right to protect ourselves from abuse.

If the NSC considers PGP a restricted weapon system that can't be legally exported, why can't at least Americans who have the right to bear arms have an ongoing guaranteed right to keep uncompromised encryption\PGP under their pillow at night along with their magnum. If you are allowed fatal force to protect your physical person, why can't you have equally powerful protection for your personal thoughts.

Now I am no fan of the Gun Lobby, but if Americans can ensure their right to uncompromised encryption, the rest of us can argue for the same more effectively.

Anyway I must get back to work...

Do keep in touch sometimes...

Best regards
[name deleted]