Back to D Post Home Page

Encryption -- It's Not just for Spies Anymore

© 1996 David G. Post. Permission granted to redistribute freely, in whole or in part,with this notice attached.

David G. Post
American Lawyer, November 1994 ("Plugging In")

Computer programmer Phil Zimmerman has probably done more to open up the Internet than all of Al Gore's minions combined -- and the government has rewarded him by initiating a criminal investigation.

 Zimmerman is the developer of a computer program known as PGP -- for "Pretty Good Privacy." PGP is an encryption program -- software that lets you scramble any digital file (that these days can be a legal memorandum, a computer program, the Jurassic Park video, or Dylan's latest CD) in such a way that it can be reconstituted only by those possessing the digital equivalent of the decoder ring [see sidebar].

* * * * * * * * * * * * * * 


The code you may have used to 
encode messages to your friends
in elementary school -- A=1, B=2, 
C=3, D=4, etc. -- is an example
of a single-key encryption system: 
the same "algorithm" is used by
the sender to encrypt the message 
and by the recipient to decrypt
it. Many of enormously powerful 
encryption programs are single-key
systems (with far, far more 
complicated coding algorithms, needless
to say). 

Single-key systems, however, 
have one large drawback: because
the sender and the recipient have 
to first agree on what code they
are using -- i.e., they have to 
have an uncoded conversation during
which the code is exchanged -- 
the system is only as secure as the
medium in which that prior 
communication takes place. That is, if
you and your friend want to 
exchange coded notes in class, you'll
have to meet in a corner of the 
playground to get the system
rolling. You certainly can't send 
your friend a note in class
explaining the code you want to 
use, because then all your
classmates will be able to 
decrypt your messages; if that channel
of communication were secure enough 
for you to use for transmitting
the code, why do you need a code 
at all (other than to have a
little fun)? 

PGP, on the other hand, is a 
public key system. The program
generates two codes, code A and 
code B, for each user. A file
encrypted in code A can only be 
decrypted with code B (and vice
versa), and it is impossible to 
derive code A from code B or vice
versa -- trust me on this (though 
readers wanting more information
can send me an e-mail). Code B 
becomes your public key; think of it
like your telephone number -- 
you give it away, publicize it
widely, allow people to put it 
in publicly-available directories,
etc. Then, if I want to send you a 
file that only you can decrypt,
all I need do is look up your 
telephone number (i.e., public key)
and use that to encrypt the file; 
that file can then be de-crypted
only by the person possessing code 
A (which you have kept secret
from the world and which I, 
therefore, need not ever have seen).
Unlike single-key systems, you and 
I need never have previously
communicated for the system 
to provide complete security, and
therefore there is no need for any 
secure channel over which codes
can be exchanged.
* * * * * * * * * * * * * * 

You would be forgiven for thinking that encryption technology is of interest only to spies and counter-spies. Forgiven, but incorrect; in fact, encryption technology is about to make its way to your desktop.

 The Internet has, as I noted in an earlier column, enormous potential as an electronic marketplace, a place where buyers and sellers of information in digital form can interact and consummate transactions. But that potential remains largely unrealized; the Internet has not yet become a major factor in the commercial world, a major venue for trade of any kind.

 There are many reasons for that; transmission rates, for example, are still slow enough so that I can run down to my local video store to pick up Jurassic Park in less time than it would take to download it from the Net.

 But even when the transmission rate problem is solved, commerce faces a perhaps more fundamental obstacle. The Internet today looks a lot like the Wild West: dazzling, thrilling to ride through, unlimited in potential -- but fundamentally lawless, a small pocket of anarchy in an otherwise regimented world. For many people -- myself included -- that is one of the Internet's peculiar charms. But lawlessness does have its drawbacks. Travelers on the Internet are a bit like travelers on a stagecoach through the Dakota territory; their property may be subject to appropriation at any time without their consent.

 The technology required to intercept anything transmitted over the Net, or to gain access to any file residing on any computer with a direct hook-up to the Internet, is widely available. And to make matters worse, while interception may in some circumstances be illegal -- subject, for example, to the Electronic Communication Protection Act's prohibition against opening electronic mail directed to others -- legal remedies against wrongdoers are uncertain at best. It can be prodigiously difficult to associate a stream of 1's and 0's -- and remember, the only thing actually travelling on the Internet is a stream of 1's and 0's -- with any particular individual. With impersonation and anonymity this easy to achieve, you may often be unable to determine who was responsible for any particular wrongful action or to bring any remedy to bear against them.

 As a place to carry on commerce, this resembles a flea market in the early days of Dodge City: there are few laws to appeal to if someone walks over and grabs something off your table, and even if there were, everybody here -- not just the bad guys -- wears a mask. If you want people to buy your products, this is hardly the environment you would choose to display your wares. If the Net is going to become a place where commerce can flourish -- where money and other (intellectual) property can actually change hands, where confidential information and documents can be exchanged -- users need to have more assurance that some degree of security for their property, and authentication of individual identity, has been achieved.

 In previous epochs of human history, people looked to the law to solve this problem -- Wyatt Earp cleaning up Dodge City or, more generally, some institutional structure emerging to define and enforce property, contract, and personal rights in the new jurisdiction. But the Net may be a good deal harder for Marshal Earp to get control over than Dodge City was. Whose law, for example, is the Marshall going to apply when an unauthorized copy of a file stored on a computer in California is posted on a bulletin board in Finland, as a result of instructions received from a computer in Japan, from which the file is downloaded to a Brazilian computer for distribution by e-mail to a variety of Net addresses worldwide? And, assuming that the Marshall is persuaded that this is indeed "unlawful" activity, how will the perpetrators be identified? And even if this chain of events can be traced to individual machines -- a task that even unsophisticated "hackers" can make exceedingly difficult -- how will the Marshall identify the people standing behind those machines (let alone assert personal jurisdiction over them)?

 Enter Phil Zimmerman and his Pretty Good Privacy. We, as lawyers, may at times forget that legal protection is not the only form of protection on which people can rely. Think of encryption as the ultimate form of self-help, a way both to keep your property secure and to verify the identity of the person at the other end of your transaction without the need for the intervention of the lawman.

 Using a program like PGP, I can send you a file with complete security that you, and only you, will be able to make any use of it whatsoever; even if it is intercepted, it is of absolutely no value to the interceptor. Even better, I can simply make the file available somewhere on the Internet (for a price, if I choose) in encrypted form, secure in the knowledge that anyone who comes along and downloads it cannot use it without my authorization. And keeping in mind that these files can be video or audio performances, books, videogames -- anything that can exist in digital form and therefore can be transmitted over the Net -- the commercial significance of encryption -- perhaps even the commercial necessity of encryption -- starts to come into focus.

 This security function might be enough to make encryption an important commercial force over the next few years. But there's more. Encryption also allows me to verify the identity of individuals with whom I am communicating over the Net.

 How? Here's the true beauty of public-key encryption systems (see sidebar): there is only one person who can encrypt a file that is decrypt-able with Al Gore's "public key," and that is the possessor of Al Gore's private key. So, if I receive an encrypted email message that I can decrypt with Gore's public key, I can relatively safely presume that it came from Gore himself; because Gore need never reveal his private key to anyone at any time, the risk that someone has appropriated his private key is manageably small -- about the same risk I run if I were to hear the Vice President's voice over the telephone and presume that he is speaking of his own free will, notwithstanding the fact that someone may be holding a gun to his head to make him say the words that I'm hearing.

 Taken together, these two features -- security and authentication -- may well make encryption technology a critical tool for commercial interactions over the Internet. All aspects of the interaction -- the confidential messages regarding negotiation positions, the relevant purchase and sale documents, and the goods themselves -- can avail themselves of this new medium without compromising basic security.

 So if encryption is this wonderful, why is the government, as I noted at the beginning of this column, investigating whether PGP's developer should be thrown in jail? Could it be because the regulators cannot abide the idea that people can get along just fine without them? Perhaps -- but to give this question its due will require a more careful look at the threat that encryption may pose for traditional government functions -- a topic I will address in next month's column.

© 1996 David G. Post. Permission granted to redistribute freely, in whole or in part,with this notice attached.

Contact David Post by e-mail at Counsel Connect:

Back to D Post Home Page

Web page design and HTML encoding © 1996 Alan Lewine, OwlLex Consulting.
Contact info: OwlLex web site, OwlLex e-mail.