Navigation Bar
Navigation Bar

Related Items
Print Edition
Weekend Section
Monday's Washington Business
Front Page Articles

On Our Site
Fast Forward

Deciphering Your Privacy

By Rob Pegoraro

Friday, November 26, 1999; Page E01

Some four years ago, I downloaded a program called Pretty Good Privacy. This seemed like a good idea; it could scramble my outgoing e-mail so only the recipient could read it, while my correspondents could use it to do the same with messages sent to me--plus, any computing guru worth his or her solenoids had a PGP key, and I wasn't about to be caught without one.

So I struggled with the software's brutish user interface, generated my public and private keys (the former to be used by anybody sending me mail, the latter to be used to unlock encrypted messages), added a note about my PGP key to my e-mail signature and my Web page, and waited for the encrypted mail to come in.

It never did. I traded a few messages with friends and then used the software so little that I dweebishly forgot the password to my own private key. My second attempt, with a newer version of the software, fared little better; these days, I use PGP mostly to lock up a text file in which I've stored all of my other passwords.

I'm not happy about this. There are lots of conversations I'd rather not have in plain text, where any technically savvy eavesdropper can read my correspondence. PGP is the best solution to that problem: It uses fiendishly complex math to turn a message or file into unrecognizable alphanumeric gibberish; once you encrypt a message with somebody's "public key," it's gone--only the person holding the matching private key can decipher and read it. You can also use this program to append a "digital signature" to your e-mail, proving that you sent it and that it wasn't tampered with in transit. And it's widely trusted and widely used.

This might sound complex and weird, but it's not terribly different from the technology used to guard your credit-card data when you shop online--without which most Internet users will refuse to make a purchase. The contrast in attitudes puzzles privacy advocates.

"A lot of people are going to be doing online shopping, and they're going to be using pretty good encryption when they type in their credit-card numbers," said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. "But when they send private messages to their friends, those messages are going to be in the clear."

That includes his own circle of friends: "Almost nobody" encrypts e-mail to him.

The usual argument for using encryption is that you wouldn't send personal letters on a postcard, so why send personal e-mail without hiding its contents? "You need envelopes regardless of what kind of paper you're printing your letters on--electrons or pulp," said Phil Zimmermann, the creator of PGP.

On the other hand, I've gotten postcards with some fairly revealing info on them. Millions of people have no problem talking on eavesdropping-friendly, analog cell and cordless phones. There are bigger things to worry about; Rotenberg noted, "The larger risk for most people is that their e-mail will accidentally be sent to the wrong person, or that they will accidentally send it to the wrong person."

Unlike digital spread-spectrum cordless phones, PCS wireless phones or even envelopes, PGP costs nothing extra. It's a free download, it's relatively easy to use, it plugs into many e-mail applications, and it's available for numerous operating systems.

But PGP lacks PR. Network Associates Inc., which bought Zimmermann's company, sells a commercial version of the program, but the free version must be downloaded from a Web page hosted at MIT {lt}http://web.mit.edu/network/pgp. html{gt}. There's no ad budget behind this free program, just word of mouth.

And it's actually gotten harder to obtain. Qualcomm used to bundle PGP with its popular Eudora Pro e-mail program, but it recently stopped. Jeremy James, director of communications for Qualcomm's Eudora division, blamed both U.S. export restrictions and lack of demand for PGP itself. "It was affecting the speed with which we could export Eudora to Europe," he said--the company had to exorcise PGP before shipping this e-mail tool kit overseas.

Blame the government? Yes. Exporting PGP is illegal--the strength of its encryption makes it the legal equivalent of a munition. That MIT Web page will ask you to swear that you are a citizen or permanent resident of the United States and will not ship it abroad. (Meanwhile, the program has circulated internationally for years; see http://www.pgpi.org to download a copy outside the United States.)

After years of lobbying, that law is changing; companies will be able to submit a program such as PGP for a one-time review, then export it to all but a small group of countries. This would remove one big barrier to wider distribution of this program; Qualcomm's James said his company was reconsidering bundling PGP once this "export challenge" is removed. So we may yet see encryption become an everyday envelope for our e-mail.

In the meantime, though, I'm still waiting to get another encoded message. Help me out here: To get my public key, visit http://pgpkeys.mit.edu:11371/ and search for "rob@twp.com" and then send me a message. Without any personal secrets; those are your business, not mine.

Living with technology, or trying to? E-mail Rob Pegoraro at rob@twp.com.

© Copyright 1999 The Washington Post Company

Navigation Bar
Navigation Bar
Yellow Pages