Keeping e-mail encryption alive
R. A. Hettinga
rah at shipwright.com
Sun Apr 21 23:29:01 EDT 2002
NEW YORK (AP) -- Phil Zimmermann knows a thing or two about adversity.
His invention for encrypting e-mail, Pretty Good Privacy, was so good that
the government considered it munitions subject to tough export controls.
Prosecutors threatened him with criminal charges when others leaked it
The government ultimately backed off. But now, the company that makes the
most popular version of PGP is the one pulling the plug.
It's yet another setback, but Zimmermann isn't rattled.
"PGP has been around for 10 years and has endured incredible obstacles and
hardships," Zimmermann said. "Powerful forces have been arrayed to stop PGP
and yet those obstacles were overcome."
PGP's future now lies with a handful of voluntary and entrepreneurial
efforts that follow Zimmermann's designs. None carry the PGP name, though,
as Network Associates Inc. retains trademark rights.
"People are very concerned about this development and would like to do
something about it," Zimmermann said. "A way will be found."
Network Associates, which bought PGP from Zimmermann's PGP Inc. in 1997,
sought a buyer last year for its e-mail and file encryption products. The
company said it didn't get an attractive offer, so it dropped the products
earlier this year.
Though some longtime PGP users insist Network Associates could have
marketed the product better, others say the demand simply wasn't there.
"People aren't spending for encrypted e-mail," said Austin Hill, chief
strategy officer at Zero-Knowledge Systems Inc.
He ought to know. His company dropped plans for PGP as well.
Encryption is difficult for average users to grasp, products aren't all
that easy to use and the threats of not protecting e-mail from prying eyes
aren't all that easy to explain, Hill said.
Private as a postcard
Internet users won't worry about using regular e-mail for credit card
numbers, medical discussions and other sensitive information until they are
directly harmed or see a well-publicized breach, security experts say.
Only then would they understand or care that using unencrypted e-mail is as
private as sending a postcard. Without encryption, network administrators
at Internet service providers, employers, intelligence agencies and hackers
can snoop on e-mail in transit.
Network Associates will fix programming bugs for a year and honor existing
service contracts, but it will no longer sell PGP or renew contracts.
Though a free version remains available elsewhere, the company won't update
it or make it compatible with newer operating systems, like Windows XP.
Having Network Associates aside will encourage others -- particularly
volunteers -- to increase development efforts, said Yair Frankel, a
cryptography consultant in Westfield, New Jersey.
"Many people believe that PGP from (Network Associates) was the only thing
that existed," said Fabian Rodriguez, associate director of business
development at Toxik Technologies Inc., a PGP vendor. "Now that it's not
there, it sets the ground level equal for everybody."
PGP alternatives include the Gnu Privacy Guard, developed by volunteers
under a license that permits anyone to freely use, modify and further
distribute the product.
Lok Technology Inc. offers Web-based e-mail accounts that use PGP, while
Authora Inc. makes PGP work with Outlook e-mail software and any Web-based
e-mail system. Toxik handles data sent through online forms.
Other encryption methods exist, but none has PGP's popularity.
The alternatives still need work.
Authora, for instance, lacks compatibility with non-Microsoft e-mail
software such as Eudora and Lotus Notes.
Gnu is only a command-line program and needs a graphical interface to be
attractive to the vast majority of users. A few interfaces, including
Windows Privacy Tray, have been developed but none are as versatile or
simple as Network Associates' program.
The Gnu project "is the thing that comes close to what PGP from (Network
Associates) was, and it's really not there yet," said David Del Torto,
executive director of the CryptoRights Foundation, which promotes
encryption for human rights workers.
Zimmermann, who chairs the OpenPGP Alliance and works with some commercial
distributors, thinks any viable alternative will also need extensive
marketing. And if the PGP user base is to expand, he said, tools must be
easier to use.
John Miller, Lok's chief operating officer, described the Network
Associates move as "a double-edge sword" for alternatives.
"They are leaving a hole in the marketplace, but when you're out there
trying to get venture capital, backers and clients, they say, 'If a big
company like (Network Associates) couldn't pull it off, what makes you
think a smaller company could?'" Miller said.
Even if a viable PGP alternative comes along, whether e-mail encryption
will ever grow in usage is another matter.
PGP developers believe there is growing interest in privacy, given new
federal regulations governing financial and medical data.
But so far, PGP is limited primarily to niche markets, like human rights
and organized crime -- authorities say mob suspect Nicodemo S. Scarfo Jr.
used it to encode gambling records.
"I don't think it's going to die," said Bruce Schneier, chief technology
officer for Counterpane Internet Security Inc. "It will just be what it is,
a niche security product. (Network Associates) apparently felt the niche
wasn't large enough."
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List