FITUG e.V.

Förderverein Informationstechnik und Gesellschaft

Keeping e-mail encryption alive

------- Forwarded message follows -------
Date sent: Sun, 21 Apr 2002 23:29:01 -0400
To: Digital Bearer Settlement List <dbs@philodox.com>, dcsb@ai.mit.edu, mac-crypto@vmeng.com, cryptography@wasabisystems.com
From: "R. A. Hettinga" <rah@shipwright.com>
Subject: Keeping e-mail encryption alive

http://www.cnn.com/2002/TECH/ptech/04/21/encryption.future.ap/index.html

Keeping e-mail encryption alive

NEW YORK (AP) -- Phil Zimmermann knows a thing or two about adversity.

His invention for encrypting e-mail, Pretty Good Privacy, was so good that the government considered it munitions subject to tough export controls. Prosecutors threatened him with criminal charges when others leaked it overseas.

The government ultimately backed off. But now, the company that makes the most popular version of PGP is the one pulling the plug.

It's yet another setback, but Zimmermann isn't rattled.

"PGP has been around for 10 years and has endured incredible obstacles and hardships," Zimmermann said. "Powerful forces have been arrayed to stop PGP and yet those obstacles were overcome."

PGP's future now lies with a handful of voluntary and entrepreneurial efforts that follow Zimmermann's designs. None carry the PGP name, though, as Network Associates Inc. retains trademark rights.

"People are very concerned about this development and would like to do something about it," Zimmermann said. "A way will be found."

Network Associates, which bought PGP from Zimmermann's PGP Inc. in 1997, sought a buyer last year for its e-mail and file encryption products. The company said it didn't get an attractive offer, so it dropped the products earlier this year.

Though some longtime PGP users insist Network Associates could have marketed the product better, others say the demand simply wasn't there.

"People aren't spending for encrypted e-mail," said Austin Hill, chief strategy officer at Zero-Knowledge Systems Inc.

He ought to know. His company dropped plans for PGP as well.

Encryption is difficult for average users to grasp, products aren't all that easy to use and the threats of not protecting e-mail from prying eyes aren't all that easy to explain, Hill said.

Private as a postcard

Internet users won't worry about using regular e-mail for credit card numbers, medical discussions and other sensitive information until they are directly harmed or see a well-publicized breach, security experts say.

Only then would they understand or care that using unencrypted e-mail is as private as sending a postcard. Without encryption, network administrators at Internet service providers, employers, intelligence agencies and hackers can snoop on e-mail in transit.

Network Associates will fix programming bugs for a year and honor existing service contracts, but it will no longer sell PGP or renew contracts. Though a free version remains available elsewhere, the company won't update it or make it compatible with newer operating systems, like Windows XP.

Having Network Associates step aside will encourage others -- particularly volunteers -- to increase development efforts, said Yair Frankel, a cryptography consultant in Westfield, New Jersey.

"Many people believe that PGP from (Network Associates) was the only thing that existed," said Fabian Rodriguez, associate director of business development at Toxik Technologies Inc., a PGP vendor. "Now that it's not there, it sets the ground level equal for everybody."

PGP alternatives include the Gnu Privacy Guard, developed by volunteers under a license that permits anyone to freely use, modify and further distribute the product.

Lok Technology Inc. offers Web-based e-mail accounts that use PGP, while Authora Inc. makes PGP work with Outlook e-mail software and any Web-based e-mail system. Toxik handles data sent through online forms.

Other encryption methods exist, but none has PGP's popularity.

Alternative answers?

The alternatives still need work.

Authora, for instance, lacks compatibility with non-Microsoft e-mail software such as Eudora and Lotus Notes.

Gnu is only a command-line program and needs a graphical interface to be attractive to the vast majority of users. A few interfaces, including Windows Privacy Tray, have been developed but none are as versatile or simple as Network Associates' program.

The Gnu project "is the thing that comes close to what PGP from (Network Associates) was, and it's really not there yet," said David Del Torto, executive director of the CryptoRights Foundation, which promotes encryption for human rights workers.

Zimmermann, who chairs the OpenPGP Alliance and works with some commercial distributors, thinks any viable alternative will also need extensive marketing. And if the PGP user base is to expand, he said, tools must be easier to use.

John Miller, Lok's chief operating officer, described the Network Associates move as "a double-edge sword" for alternatives.

"They are leaving a hole in the marketplace, but when you're out there trying to get venture capital, backers and clients, they say, 'If a big company like (Network Associates) couldn't pull it off, what makes you think a smaller company could?'" Miller said.

Even if a viable PGP alternative comes along, whether e-mail encryption will ever grow in usage is another matter.

PGP developers believe there is growing interest in privacy, given new federal regulations governing financial and medical data.

But so far, PGP is limited primarily to niche markets, like human rights and organized crime -- authorities say mob suspect Nicodemo S. Scarfo Jr. used it to encode gambling records.

"I don't think it's going to die," said Bruce Schneier, chief technology officer for Counterpane Internet Security Inc. "It will just be what it is, a niche security product. (Network Associates) apparently felt the niche wasn't large enough."
