September 26, 2001

Call them irresponsible: Others much more to blame for terrorism than PGP

Author: JT Smith

- by Jack Bryar -
Open Source Business -
Open Source and the free distribution of software has been called a lot of things, but
did it play any role in the disaster of September 11? I read a recent
Washington Post article that claimed that privacy advocate Phil Zimmermann was "overcome with feelings of guilt" for the role his free encryption
software, PGP may have played in the disasters of September 11. The article implied that federal officials and the public at large thought
PGP was the reason that the terrorists were able to plot the destruction of the World Trade Center and avoid detection, and Zimmermann
worried that they might be right.

Since the article was distributed, Zimmermann
has complained
that his views were distorted. Certainly PGP didn't
help federal agents track down terrorists in the United States, but there's a long
line of others whose actions or inactions had a lot more to do with the
biggest U.S. intelligence failure since Pearl Harbor.

There's no question that powerful, free software has made it easier
for individuals to avoid government scrutiny. That was its purpose.
It's also true that the NSA
has been worried about PGP
for years. But Zimmermann and PGP have
nothing to apologize for. There are many others who have done more to
frustrate and derail legitimate law enforcement than Zimmermann.

The list is a long one, but worth recounting here. Let's start with
other brethren in the software industry and some of their creations. For
example -- is it irresponsible to let people set up anonymous email? One way
agencies used to track suspicious activities had little to do with what was
communicated in an email or phone call, and far more to do with who it was sent to.
Federal agencies used to make a specialty of tracking suspicious
communications patterns -- tracking the calls of a suspected terrorist and seeing if he
or she communicated regularly with other suspected terrorists and
whether they both contacted the same third parties. This tool of law
enforcement has been destroyed by products such as Hotmail
and Yahoo mail
, which let people set up remote mail accounts in a
few minutes and use them for just a few messages -- the equivalent of using
a pay phone to call a pay phone.

In my local mall, I've seen people walk
into a Circuit City store, go to a PC on the sales floor and download
and send email messages. As a means for evading detection by the feds,
Hotmail is pretty hard to beat.

There's absolutely no question that PGP could be used to frustrate a
CIA or FBI security clerk, but frankly, most terrorists could simply
communicate in a code nobody in these agencies can decipher: Arabic.
Nearly 30 years after the Israeli occupation of the West Bank, over
20 years after extremists from all over the Arab speaking world first
began to collect in Afghanistan, after repeated bombings, kidnappings, and
guerilla wars, the lack of Arabic language competency in U.S. security agencies is
a scandal. Apparently there was no room to make the needed hires -- there
were too many Russian and Czech speaking guys left over from the Cold
War, still filling up slots, marking time until retirement.

Email communication isn't as informative as some might expect. A
lot more valuable information has been hidden away in bank records. Hidden
is the proper word, too. Who helped hide that information? Not Phil
Zimmermann. Consider instead the super-patriotic U.S. senator from Texas, Phil Gramm.
Gramm personally pushed through legislation to make sure that banks couldn't
share "personal information"
with security officials about people
doing business with that bank, even if they were laundering money for your
local drug kingpin or Al Qaeda. Elsewhere, our "closest ally," Great Britain,
has long tolerated open money laundering by "banks" operating in
British territories like the Cayman Islands.

Even if all the information desired by the U.S. government was
accessible to U.S. security snoops and was written in English, it still wouldn't
solve the feds' problem. The government hasn't been suffering from a lack of
information, it's
being swamped by too much
. In one day this week, U.S. security
agencies received more pages of data than there are pages in the Library of
Congress. Lacking the processing power to handle the volume of content it has to
investigate today, new security legislation proposed by U.S. Attorney General John Ashcroft would only bury U.S. security agencies under even greater piles of data that it couldn't analyze.

Some time back, U.S. Comptroller General David Walker has
warned that the United States didn't have a comprehensive IT strategy
relative to security. It still doesn't.

Ashcroft's proposal isn't a security strategy. It isn't even
coherent. It certainly doesn't address any relevant security issues uncovered to
date. Instead it proposes that script kiddie pranks be considered the
criminal equivalent of second-degree murder, and suggests we override
a number of constitutional guarantees
. The United Kingdom already has
legislation on the books that treats hackers as terrorists. Such legislation treats
the Taleban and the kid who took down the
home page as moral equivalents. Surely, this is a stretch.

The problems with U.S. security have far more to do with the lax,
self-interested attitudes of corporations and governments who put profits and
bureaucratic comfort ahead of public safety.

Take the airline industry -- please. While thousands of flight
attendants and baggage handlers and reservation clerks have lost their jobs, it
was their bosses who thought that they could save a few dollars by not
having secure doors leading to airplane cockpits. Airline executives were the
guys who figured that the lives of their passengers were so precious
that they could get away with paying security personnel a dollar an hour
less than the average cook flipping burgers at your local McDonalds. That's
half what airlines pay in Europe. Those execs were the ones who
tolerated the
failure to detect weapons in FAA tests 75% of the time
. It was the
airlines who frequently spent more time guarding against FAA security agents than against terrorists. It was the
airline management who hired William Webster to successfully lobby Congress and Al Gore to roll back requirements for security checks of airline personnel.
Despite the recent tragedies and a complete loss of consumer confidence they
still fighting
security regulations, according to U.S. News.

Consider the government officials who let them get away with it.
Take the former head of the FAA during the '80s, who exempted knives up to four inches long from the ban on on-board weaponry. Consider government officials like former Massachusetts Governor William Weld who thought airport security was so important he gave the job of managing security at Boston's Logan Airport, to his former chauffeur. National security has been a joke. Its been a cover for patronage and pork barrel politics. That's why there are
three Air Force bases ready to protect the citizens of Tallahasee, Fla.,
and not a single installation in either New York or Connecticut. Check
out a map

And the United States has been a paragon of responsibility compared to some of
its friends and neighbors. Canada had been told for years that lax
immigration and security laws made the place a haven for terrorists and disaster. Much was promised. Nothing
was done
. The Saudis knew the potential danger posed by bin Laden
and did little about it. Instead they continued to use Afghanistan as
dumping ground
for all their political crazies.

So while Zimmermann and PGP may not have helped the feds track
down the madmen that attacked New York and Washington, it wasn't a factor in
what happened. There are a lot of others whose acts and omissions
continue to be bigger problems for national security. Zimmermann shouldn't feel
guilty. However, there are plenty of other people who should.


  • Open Source
Click Here!