March 12, 2001, 2:34 PM — I WAS THINKING ABOUT cryptography the other day while reading about the rift between Phil Zimmermann and Network Associates over just how much of the PGP (Pretty Good Privacy) source code will be published. For crypto fans, this is the equivalent of Martin Luther nailing his Theses to the cathedral door. For the rest of us, it's just another corporate fight. But bigger questions in my head won't go away. Why haven't we taken more interest in encryption and digital signing of e-mail? More importantly, why aren't we using the tools we already have? Even I, your Security Watch guru, can't be bothered to use the crypto and signing features of my e-mail.
Although the stories contained in crypto books are ancient history in Internet time, people's squeamishness about crypto remains. When the Feds -- be they CIA, FBI, NSA, or Treasury Department -- discuss crypto, they make it sound as if anyone using it must be a child pornographer, drug smuggler, or terrorist. This attitude pervades mainstream media, despite the observation that journalists might be more interested than others in acquiring secure communication tools. I wonder if the various governmental smear campaigns against crypto are achieving their goals.
Not that these tools are hard to come by. On Windows, crypto and signing are included in the bundled Outlook Express, and more advanced features can be had for little or no cost or effort from a number of vendors. Of course, in countries other than the Land of the Free and the Home of the Braves, there are restrictions on what you can use. Even if you don't use PGP, having Netscape Navigator or Windows 2000 can be enough to get a traveler into hot water with another country's customs service. I'm planning to leave my laptop at home when I visit the West Indies next month, in part to avoid the possibility of a hassle with U.S. Customs.
It seems that few people are taught how to enable crypto, perhaps because many IT shops just don't want to deal with the backlash from users inconvenienced by the extra resources that a PC uses during encryption and decryption routines or by the problems of lost keys and unreadable messages.
In today's flood of e-mail messages, encrypted traffic sticks out like a sore thumb. If I were investigating a criminal enterprise, I'd be tempted to assume that when folks are using crypto, they must be hiding something. But this contradicts casual observations that underground organizations often prefer low-tech but proven methods of communication. The slogan "When crypto is outlawed, only outlaws will have crypto" may ring true, but I expect that outlaws prefer to use more open channels and hide in the crowd.