From arms violations to gathering dust: The strange history of PGP

Computerworld - It all started in 1991, when Phil Zimmermann released Pretty Good Privacy, providing powerful encryption, signing and authentication capabilities as freeware. The software eliminated the need for third-party key authorities to issue and manage the keys that lock and unlock the data. Suddenly, very good encryption was open to almost anyone.
And that was the trouble. There were all sorts of people the federal government didn't want protected by almost unbreakable encryption. Zimmermann fought a three-year legal battle to keep from going to jail on charges that he violated the International Traffic in Arms Regulations for exporting munitions.
"I learned a lot about criminal law," says Zimmermann of that struggle, which he eventually won.
And then things really started to go wrong. In 1996, Zimmermann founded PGP Inc. in Redwood Shores, Calif., on the same spit of land that Oracle Corp. stands upon.
But after blowing through $17 million in its first year, PGP's funding dried up. The company needed a savior -- fast. Zimmermann found that savior in security software vendor Network Associates Inc. (NAI), which bought PGP for $36 million in 1997, just three weeks before PGP was to declare bankruptcy.
But Santa Clara, Calif.-based NAI had its own market-transition problems, having purchased six other software companies for a total of nearly $2 billion in cash and stock in order to rebrand itself as a "four-pillar" security company. PGP was upgraded from basic encryption and signing to include preconfigured disk encryption and a key server. Then NAI integrated PGP into an all-in-one desktop firewall, virtual private network and intrusion-detection appliance, says Ryan McGee, group product marketing manager at McAfee Security, a division of NAI.
But NAI couldn't carve out a market for the desktop PGP product, says McGee. Customers simply didn't want to pay for something they were used to getting for free, he adds. Nor could NAI sell the code base to any other vendor.
So in February, NAI pulled its commercial support for Zimmermann's PGP code, effectively freezing it at Version 6.5.8. And as Zimmermann's time-tested, flexibly interoperable code sits on NAI's shelves, commercial support for PGP products -- and the code base with which NAI was entrusted -- could dry up.
Zimmermann is trying to strike a deal with NAI to retrieve his code so he can rerelease it in a more useable format for the masses, he says. Zimmermann has been busy consulting with companies such as Hush Communications in Dublin, which in December announced PGP-encrypted message capability for its private e-mail users. AndZimmermann is also seeing to it that PGP support becomes part of other encryption development tool kits, such as those from Veridis, an encryption tool kit vendor in Brussels.
"PGP's going to live on," Zimmermann says. "The question is just, In what form?"
Links to more information:

• www.pgpi.org: Builds of PGP based on older NAI code.


• www.gnupg.org: New PGP freeware from Germany that's compliant with the Open PGP standard.


• http://Web.mit.edu/network/pgp.html: MIT distribution site for PGP keys and information.