March 08, 2001, 2:20 PM — Philip Zimmermann, the inventor of the widely used Pretty Good Privacy (PGP) encryption protocol, last week said he had left the company that owns the protocol because he and the company no longer agree about how much source code should be released to the public.
The world-renowned cryptographer in 1996 founded Pretty Good Privacy Inc. based on the PGP freeware encryption algorithm he invented. Santa Clara, Calif.-based Network Associates Inc. acquired the company in 1997.
The company, now called PGP Security, has continued to release open versions of PGP source code but has also built enterprise applications based on the code. Zimmermann contended that the firm intends to release less source code than it has in the past.
"New senior management [at Network Associates] assumed control of PGP Security in the final months of 2000 and decided to reduce how much PGP source code they would publish," Zimmermann wrote in a letter to PGP users. He told Computerworld that he thinks Network Associates will still publish some source code, but he doesn't know how much.
Zimmermann will take the post of chief cryptographer at Dublin-based Hush Communications Inc. and will spearhead other security efforts.
Business as Usual?
Sandra England, president of PGP Security, said that nothing has changed. The company is committed to publishing the encryption algorithms and all portions of the source code related to encryption, she said.
"What we are not publishing is source code that has no value in the encryption world," she said, such as the graphical user interface, management features, personal firewall code and intrusion-detection system code related to Network Associates products. To do that would be the equivalent of "turning over the crown jewels of our product line," said England.
Network Associates CEO George Samenuk dismissed the departure. "Phil Zimmermann left Network Associates as an employee two years ago and has been on contract with us ever since. We simply decided not to renew that contract," he said.
This June marks the 10-year anniversary of the release of PGP to the public. PGP was originally designed to protect privacy and civil liberties, and the process hasn't always been smooth. Corporate control and the issue of "back doors" -- code inserted surreptitiously to let third parties read encrypted e-mail -- have been the subject of many heated battles among users, software engineers and vendors.
Zimmermann last week assured PGP users that all versions of the protocol that he has worked on, including the current release, PGP 7.0.3, are free of back doors.
England said, "You have my word that there will never be a back door in PGP."
John Pescatore, a security analyst at Gartner Group Inc. in Stamford, Conn., downplayed the role that PGP has played in information security since Network Associates bought the company.