Zimmerman is the developer of a computer program known as PGP -- for "Pretty Good Privacy." PGP is an encryption program -- software that lets you scramble any digital file (which these days can be a legal memorandum, a computer program, the Jurassic Park video, or Dylan's latest CD) in such a way that it can be reconstituted only by those possessing the digital equivalent of the decoder ring [see sidebar].
* * * * * * * * * * * * * *
The code you may have used to
The Internet has, as I noted in an earlier column, enormous potential as an electronic marketplace, a place where buyers and sellers of information in digital form can interact and consummate transactions. But that potential remains largely unrealized; the Internet has not yet become a major factor in the commercial world, a major venue for trade of any kind.
There are many reasons for that; transmission rates, for example, are still slow enough that I can run down to my local video store to pick up Jurassic Park in less time than it would take to download it from the Net.
But even when the transmission rate problem is solved, commerce faces a perhaps more fundamental obstacle. The Internet today looks a lot like the Wild West: dazzling, thrilling to ride through, unlimited in potential -- but fundamentally lawless, a small pocket of anarchy in an otherwise regimented world. For many people -- myself included -- that is one of the Internet's peculiar charms. But lawlessness does have its drawbacks. Travelers on the Internet are a bit like travelers on a stagecoach through the Dakota territory; their property may be subject to appropriation at any time without their consent.
The technology required to intercept anything transmitted over the Net, or to gain access to any file residing on any computer with a direct hook-up to the Internet, is widely available. And to make matters worse, while interception may in some circumstances be illegal -- subject, for example, to the Electronic Communication Protection Act's prohibition against opening electronic mail directed to others -- legal remedies against wrongdoers are uncertain at best. It can be prodigiously difficult to associate a stream of 1's and 0's -- and remember, the only thing actually travelling on the Internet is a stream of 1's and 0's -- with any particular individual. With impersonation and anonymity this easy to achieve, you may often be unable to determine who was responsible for any particular wrongful action or to bring any remedy to bear against them.
As a place to carry on commerce, this resembles a flea market in the early days of Dodge City: there are few laws to appeal to if someone walks over and grabs something off your table, and even if there were, everybody here -- not just the bad guys -- wears a mask. If you want people to buy your products, this is hardly the environment you would choose to display your wares. If the Net is going to become a place where commerce can flourish -- where money and other (intellectual) property can actually change hands, where confidential information and documents can be exchanged -- users need to have more assurance that some degree of security for their property, and authentication of individual identity, has been achieved.
In previous epochs of human history, people looked to the law to solve this problem -- Wyatt Earp cleaning up Dodge City or, more generally, some institutional structure emerging to define and enforce property, contract, and personal rights in the new jurisdiction. But the Net may be a good deal harder for Marshal Earp to get control over than Dodge City was. Whose law, for example, is the Marshal going to apply when an unauthorized copy of a file stored on a computer in California is posted on a bulletin board in Finland, as a result of instructions received from a computer in Japan, from which the file is downloaded to a Brazilian computer for distribution by e-mail to a variety of Net addresses worldwide? And, assuming that the Marshal is persuaded that this is indeed "unlawful" activity, how will the perpetrators be identified? And even if this chain of events can be traced to individual machines -- a task that even unsophisticated "hackers" can make exceedingly difficult -- how will the Marshal identify the people standing behind those machines (let alone assert personal jurisdiction over them)?
Enter Phil Zimmerman and his Pretty Good Privacy. We, as lawyers, may at times forget that legal protection is not the only form of protection on which people can rely. Think of encryption as the ultimate form of self-help, a way both to keep your property secure and to verify the identity of the person at the other end of your transaction without the need for the intervention of the lawman.
Using a program like PGP, I can send you a file with complete security that you, and only you, will be able to make any use of it whatsoever; even if it is intercepted, it is of absolutely no value to the interceptor. Even better, I can simply make the file available somewhere on the Internet (for a price, if I choose) in encrypted form, secure in the knowledge that anyone who comes along and downloads it cannot use it without my authorization. And keeping in mind that these files can be video or audio performances, books, videogames -- anything that can exist in digital form and therefore can be transmitted over the Net -- the commercial significance of encryption -- perhaps even the commercial necessity of encryption -- starts to come into focus.
This security function might be enough to make encryption an important commercial force over the next few years. But there's more. Encryption also allows me to verify the identity of individuals with whom I am communicating over the Net.
How? Here's the true beauty of public-key encryption systems (see sidebar): there is only one person who can encrypt a file that is decryptable with Al Gore's "public key," and that is the possessor of Al Gore's private key. So, if I receive an encrypted email message that I can decrypt with Gore's public key, I can relatively safely presume that it came from Gore himself; because Gore need never reveal his private key to anyone at any time, the risk that someone has appropriated his private key is manageably small -- about the same risk I would run if I were to hear the Vice President's voice over the telephone and presume that he is speaking of his own free will, notwithstanding the fact that someone may be holding a gun to his head to make him say the words that I'm hearing.
Taken together, these two features -- security and authentication -- may well make encryption technology a critical tool for commercial interactions over the Internet. All aspects of the interaction -- the confidential messages regarding negotiation positions, the relevant purchase and sale documents, and the goods themselves -- can avail themselves of this new medium without compromising basic security.
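The two key roles described above can be seen in a few lines of arithmetic. The sketch below is an added illustration, not PGP's code and not part of the original column: it uses textbook RSA with small constructed keys (no padding, so it is not secure), applies the private-key operation to a hash of the message as signature schemes do in practice, and all names and sample values in it are hypothetical.

```python
# Added illustration: textbook RSA with tiny fixed keys. Not PGP's code and
# not secure (no padding, keys far too small); it only shows the key roles.
import hashlib

E = 65537  # common public exponent

def make_keypair(p, q):
    """Return (public, private) from two primes: public=(n, e), private=(n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message, n):
    """Hash the message and reduce it into the key's range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private, message):
    """Authentication: only the private-key holder can compute this value."""
    n, d = private
    return pow(digest(message, n), d, n)

def verify(public, message, signature):
    """Anyone holding the public key can check who produced the signature."""
    n, e = public
    return pow(signature, e, n) == digest(message, n)

def seal(public, secret):
    """Confidentiality: anyone can lock a number to the key's owner."""
    n, e = public
    return pow(secret, e, n)

def unseal(private, sealed):
    """Only the private-key holder can unlock it."""
    n, d = private
    return pow(sealed, d, n)

# Constructed keys built from known Mersenne primes (hypothetical parties).
GORE_PUB, GORE_PRIV = make_keypair(2**127 - 1, 2**89 - 1)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(2**107 - 1, 2**61 - 1)
MESSAGE = b"Meet me at noon."  # constructed sample message

if __name__ == "__main__":
    genuine = sign(GORE_PRIV, MESSAGE)
    forged = sign(IMPOSTOR_PRIV, MESSAGE)  # impostor lacks Gore's private key
    print(verify(GORE_PUB, MESSAGE, genuine))             # genuine message
    print(verify(GORE_PUB, b"Meet me at one.", genuine))  # altered in transit
    print(verify(GORE_PUB, MESSAGE, forged))              # impersonation
    print(unseal(GORE_PRIV, seal(GORE_PUB, 424242)))      # sealed to Gore
```

The check passes only for the unaltered message signed with the matching private key; a changed message or a signature made with any other key fails against the same public key.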
So if encryption is this wonderful, why is the government, as I noted at the beginning of this column, investigating whether PGP's developer should be thrown in jail? Could it be because the regulators cannot abide the idea that people can get along just fine without them? Perhaps -- but to give this question its due will require a more careful look at the threat that encryption may pose for traditional government functions -- a topic I will address in next month's column.
Contact David Post by e-mail at Counsel Connect: email@example.com.