Last week Philip Zimmermann got one of the highest honors in high technology: a Pioneer award from the Electronic Frontier Foundation.
Within weeks, however, Zimmermann could receive another, less welcome, form of recognition. He may be indicted -- for the same act that won him the award.
What did Zimmermann, a 41-year-old Colorado computer consultant, do to attract this attention? He created a powerful software program for scrambling information and communications on personal computers, and he distributed it free so that all computer users could have privacy protection. That brought adulation from the computer community, which sees the program as a boon to personal privacy in the information age.
But after a friend put the program on the Internet, the global computer network, anyone around the world with a PC and modem could get a copy. That may constitute a violation of U.S. export laws, which classify encryption technology as a powerful weapon whose export is strictly controlled. If the case ever comes to trial, a court will decide whether putting something on the Internet constitutes exporting it.
Zimmermann said he wrote the software to help individuals guard their own privacy in an increasingly snoopy era. As more and more personal information sharing, electronic mail and commercial transactions take place on-line, Zimmermann reasoned, individuals need to protect themselves from prying eyes.
In the manual for the program, he wrote: "Privacy is as apple-pie as the Constitution.
"Perhaps you think your E-mail is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards?"
If Zimmermann is indicted and convicted, he could be imprisoned up to five years and fined as much as $1 million. William P. Keane, the U.S. attorney in San Jose, Calif., has been investigating the case, and an indictment could follow.
Keane would not comment directly on the Zimmermann case, but said, "Everybody who has looked at these issues would agree that, A, no court has decided these issues, and B, that these are very tough issues. Sooner or later some tough decisions are going to have to be made." An On-line Cause Since being informed of the investigation two years ago, Zimmermann has become something of an on-line cause with a virtual constituency, which has rallied to his support with letter-writing campaigns and a legal defense fund -- though Zimmermann said he also has a waiting list of lawyers offering pro bono representation.
Lance J. Hoffman, a professor of computer science and author of a new book on cryptography controversies, said a Zimmermann prosecution "would be the Dreyfus trial of this century" -- a landmark case for the culture of cyberspace. "It will put on trial a culture and a set of mores and rules . . . that is in conflict with the established, written-down rules and laws," said Hoffman, who says that the widespread free dissemination of Zimmermann's program has made it one of the de facto cryptography standards. Encryption technology long has been considered an important strategic asset, and breaking Japanese and German codes was instrumental in winning World War II. But since then, computer technology has brought encryption within the reach of anyone who can afford a computer. And criminals, like the rest of society, are becoming computer-literate. Government faces the prospect of criminals and terrorists conducting their business under the cloak of unbreakable codes. One way the government has tried to address the widespread use of encryption is through stringent export regulations to control dissemination of such technologies. Those rules even apply to such garden-variety software as Norton Utilities, which offers encryption as part of its popular package of tools to help computer users manage their machines. The company sells two versions of the software: one for domestic use and an encryption-free version for international markets.
The government also has promoted the "Clipper Chip," a voluntary technology that would allow users to scramble their files and communications but still would be breakable by the government. Widespread opposition to the Clinton administration's initial proposal last year sent the government back to the drawing board to find a more workable solution. A Zimmermann indictment would be a disaster for the administration, said Jerry Berman, who heads the Center for Democracy and Technology, a high-tech policy group.
"It will rightly make Phil Zimmermann a martyr. . . . The Clipper Chip polarized the discussion" of the balance between privacy and security, Berman said, and "Zimmermann will square that -- without accomplishing anything for the government." A Natural With Codes Zimmermann grew up in Miami and, like many children, was fascinated by codes. But while his playmates were shelling out a few dollars to buy a secret decoder wheel to read messages on a local children's television show, Zimmermann cracked the code on his own. "That was pretty satisfying," Zimmermann recalled. "I thought I was smarter than the other kids."
A friend taunted him with a long message in code, daring Zimmermann to break it. "I brought it back in with the plain text the next day," Zimmermann said. "He was amazed -- but kids were pretty easily amazed."
While attending college in Boca Raton, Fla., Zimmermann happened on an article in Scientific American that described an exciting new development: "public key" encryption. It addressed one of the biggest problems with sending coded messages: The person you send the message to needs a "key" to unscramble the message, which can weaken the sender's own security. But in public key encryption, every user has two keys: a "private key" and a "public key." Anyone can use a recipient's public key to send a protected message to that person. But no one -- not even the original sender -- can unscramble the message. That's what the private key is for.
When Zimmermann read the article describing the elegant encryption schemes, he realized that it could be reduced to a software program that would run on personal computers. Several companies were working on commercial products to put cryptography into the hands of business and well-heeled individuals, but that didn't appeal to Zimmermann: "Who cares about that? It's not going to be a force for social change."
To Zimmermann, who was an anti-nuclear war activist in the 1980s, writing a crypto-for-the-masses project was just another form of social activism. He began writing the program in 1986, fiddling with it from time to time.
By 1990, he had become an independent computer consultant, but the cryptography project continued to tantalize him. So he embarked on a six-month crunch to finish the program, neglecting his consulting practice and straining his young family's savings.
By mid-1991, he had a workable program. Zimmermann named it Pretty Good Privacy (PGP), after Ralph's Pretty Good Grocery in Garrison Keillor's mythical Lake Wobegon. He gave it to friends. "I didn't think of this as disobeying anything," Zimmermann recalled. "Publishing this domestically, I thought, was perfectly legal. "I wanted to make cryptography available to the average person before the government tried to make it impossible to do so." Software as Munitions But then a friend put the program on a computer in the United States that was connected to the Internet, distributing it throughout cyberspace. In 1993, Zimmermann got a letter from the U.S. attorney's office in San Jose telling him that he was being investigated over the possible breach of munitions export laws.
To the former anti-war activist, the news came as a shock. "To think of me as an arms exporter is an insulting irony."
Zimmermann knows that his brainchild can be used by criminals, and law enforcement officials bemoan the fact that they could not read an arrested pedophile's PGP-encrypted computer records.
"It's terrible to hear about cases like that," said Zimmermann, who has two young daughters. But he contends that his product, which is now available in a commercial version from Phoenix-based ViaCrypt, is just "a tool" that can be used for good or evil.
One source familiar with the case from the government's point of view called Zimmermann "muddleheaded and naive" for thinking that he could escape prosecution for software that appeared on the Internet: "He's playing at this stuff, and when it has real consequences, he wants to deny it.
"How far do you think you'd get arguing you didn't cause the export of nuclear technology if you sold it in an international airport departure lounge?"
U.S. Attorney Keane said the case raises several questions: "What -- if any -- policing is to be done on the 'Net? Are we going to throw up our hands and say There's no accountability. It's too big to enforce?' "
"It's not our responsibility to determine whether a particular law is good or not," Keane said. "It's only our responsibility to determine whether a particular law applies, or should apply, in a given case."
But the encryption genie is already out of the bottle, industry executives argue, and the government's restrictions needlessly hamstring American companies. "If the export controls are supposed to stem the spread of this technology, it's not working," said Doug Miller, government affairs manager for the Software Publishers Association (SPA). An SPA study found 400 encryption products readily available overseas -- including 164 that use encryption methods that the U.S. government has declared illegal to export.
"They can buy foreign, or they can buy weaker American products. That's not a good situation," Miller said.
The SPA has not taken an official position on the Zimmermann investigation, Miller said, but "it would be a shame if the government was making an example of him, because that misses the point that the export controls . . . need to be liberalized. Under a system that reflects reality, this wouldn't be an issue." CAPTION: Philip Zimmermann's award-winning encryption technology has been sent abroad over computer networks, possibly violating U.S. export law.