Encryption for the Internet and for telephony

Zimmermann & ITAR Redux

Professor Ric Steinberger, CISSP, is one of the most frequent and highly respected instructors in the Norwich University Master of Science program in Information Assurance (MSIA). He is also one of my favorite colleagues, with wide interests and a keen eye for interesting articles. He often shares his comments and insights and recently sent such an interesting spontaneous essay about current developments in encryption policy that I asked him to expand it for this column. Everything that follows is entirely his own work with minor edits.

* * *

"It's personal. It's private. And it's no one's business but yours. You may be planning a political campaign, discussing your taxes, or having a secret romance…. Whatever it is, you don't want your private electronic mail… [e-mail] or confidential documents read by anyone else." These words were first written by Phil Zimmermann almost 20 years ago (1991, revised in 1999).

In 1991, Zimmermann released Pretty Good Privacy (PGP) and made it available, including source code, by FTP, thus allowing virtually anyone with an Internet connection to download it. At that time, PGP (based on the RSA algorithm) was the first freely available public-key-based encryption program. The net result was that the Internet- and e-mail-using public had a relatively easy means to use strong encryption to exchange messages that the U.S. government could not read. Strong encryption was (and is) encryption that is essentially unbreakable by large governments employing professional cryptographers who have the world's most powerful supercomputers at their disposal.

The U.S. government was not amused by PGP, to put it mildly. Zimmermann was accused of violating the Arms Export Control Act and its resultant U.S. International Traffic in Arms Regulations (ITAR) because advanced cryptographic software was considered a munition. Open source cryptography supporters sometimes wore T-shirts that sported a Perl-based implementation of the RSA algorithm followed by the words, "This shirt is a munition". [Mich Kabay wrote an inflammatory article in Network World in 1993 lambasting the ITAR.] A three-year investigation of Zimmermann followed and the government finally dropped its case in 1996.

Flash forward to our own time, and the same kinds of battles are being refought by the U.S. and a number of foreign governments (for example, India and the Gulf States). Now, it's not just e-mail that's being targeted. It's commercial mobile telephone networks (especially BlackBerry, where the current design does not allow even RIM, the company that developed BlackBerry, to decrypt its users' voice communications). Also under government investigation is virtually every form of Internet-based communication, be it for business or personal use. Examples of applications and protocols now being examined by governments include VoIP (such as Skype and Google Voice) and peer-to-peer chat environments (for example, AIM, Yahoo! Messenger, IRC, Windows Live Messenger, and Facebook).

In the next column in this two-part commentary, Steinberger discusses the current controversies brewing around the world over encryption of Internet and mobile telephony communications.

* * *

Ric Steinberger, CISSP, is a network security consultant and an adjunct faculty member in Norwich University's MSIA program. He is also helping manage a company focused on iPhone applications.

Copyright © 2010 IDG Communications, Inc.
