CINDY A. COHN, ESQ.; SBN 145997
McGLASHAN & SARRAIL
Professional Corporation
177 Bovet Road, Sixth Floor
San Mateo, CA 94402
Tel: (415) 341-2585
Fax: (415) 341-1395

LEE TIEN, ESQ.; SBN 148216
1452 Curtis Street
Berkeley, CA 94702
Tel: (510) 525-0817

Attorneys for Plaintiff
Daniel J. Bernstein

IN THE UNITED STATES DISTRICT COURT

FOR THE NORTHERN DISTRICT OF CALIFORNIA

DANIEL J. BERNSTEIN )
) C 95-00582 MHP
Plaintiff, )
) DECLARATION OF
v. ) PHILIP R. ZIMMERMANN
) )
UNITED STATES DEPARTMENT OF )
STATE et al., ) )
Defendants. )
)
)

I, Philip R. Zimmermann, hereby declare:
1. I'm Chairman and Chief Technology Officer for PGP Inc, a newly-formed company that provides cryptographic products.
2. I have devoted much of my professional career to the development and understanding of computer programs for the encryption of data and electronic mail that will allow individuals a high degree of privacy in their communications.
3. To that end, in 1991 I created PGP (Pretty Good Privacy), a public-key encryption software package for the protection of electronic mail. Since PGP was published domestically as freeware in June of 1991, it has spread organically all over the world, and has since become the de facto worldwide standard for encryption of E-mail, winning numerous industry awards along the way.
4. For three years I was the target of a criminal investigation by the US Customs Service, who suspected that I violated the International Traffic in Arms Regulations ("ITAR") when PGP spread outside the US.
5. As part of that investigation, on or about in November 1994, I was temporarily detained and interrogated about my case by Customs authorities at Dulles airport near Washington, D.C., as I attempted to reenter the U.S. after a speaking tour abroad. Despite the fact that Customs knew that I was represented by counsel, and despite my repeated requests to have an attorney present, I was denied access to legal counsel during the interrogation.
6. That investigation was closed without indictment in January 1996.

History of Computers and Cryptography
7. When computers were first developed ordinary people did not have access to them because they were few in number and expensive. Some people postulated that there would never be a need for more than half a dozen computers in the country, and assumed that ordinary people would never have a need for computers. I believe that some of the government's attitude toward cryptography today were formed in that period, and mirrors the old attitudes toward computers. They think that ordinary people would have no need for good cryptography.
8. In addition to the limited availability of computers, another problem with cryptography in those days was that cryptographic keys had to be distributed over secure channels so that both parties could send encrypted traffic over insecure channels. Governments solved that problem by dispatching key couriers with satchels hand-cuffed to their wrists. Governments could afford to send guys like these to their embassies overseas. But the great masses of ordinary people would never have access to practical cryptography if keys had to be distributed this way. No matter how cheap and powerful personal computers might someday become, you just can't send the keys electronically without the risk of interception. This widened the feasibility gap between government and personal access to cryptography.
9. Today, we live in a new world that has had two major breakthroughs that have an impact on this state of affairs. The first is the coming of the personal computer and the information age. The second breakthrough is public-key cryptography.
10. With the first breakthrough comes cheap ubiquitous personal computers, modems, FAX machines, the Internet, E-mail, the World Wide Web, digital cellular phones, personal digital assistants (PDAs), wireless digital networks, and ISDN. This information revolution is catalyzing the emergence of a global economy.
11. But this renaissance in electronic digital communication brings with it a disturbing erosion of our privacy. In the past, if the government wanted to violate the privacy of ordinary citizens, it had to expend a certain amount of effort to intercept and steam open and read paper mail, and listen to and possibly transcribe spoken telephone conversation. This is analogous to catching fish with a hook and a line, one fish at a time. Fortunately for freedom and democracy, this kind of labor-intensive monitoring is not practical on a large scale.
12. Today, electronic mail is gradually replacing conventional paper mail, and is soon to be the norm for everyone, not the novelty it is today. Unlike paper mail, E-mail messages are just too easy to intercept and scan for interesting keywords. This can be done easily, routinely, automatically, and undetectably on a grand scale. Advances in automatic voice recognition technology can also lead to massive filtering of millions of phone calls, searching for the voices of political dissention. This is analogous to driftnet fishing-- making a quantitative and qualitative Orwellian difference to the health of democracy. A future incumbant government or rival political party could use these unprecedented surveillance capabilities to monitor every move of their political opposition, giving them an omnicience that could give rise to a police state that would be nearly immune to democratic challenge.
13. The second breakthrough came in the late 1970s, with the mathematics of public key cryptography. This allows people to communicate securely and conveniently with people they've never met, with no prior exchange of keys over secure channels. No more special key couriers with black bags are needed. This, coupled with the trappings of the information age, means the great masses of people can at last use cryptography. This new technology also provides digital signatures to authenticate transactions and messages, and allows for digital money, with all the implications that has for an electronic digital economy.
14. This convergence of technology-- cheap ubiquitous PCs, modems, FAX, digital phones, information superhighways, et cetera-- is all part of the information revolution. Encryption is just simple arithmetic to all this digital hardware. All these devices will be using encryption. Encryption is used throughout the world. The need for encryption is part and parcel of the world's growing reliance on computers and electronic communications as long as we value privacy and the freedom of speech and association which make democracy possible. The development of cryptography is as much a part of scientific progress as the invention of computers.
Why I Wrote PGP
16. In 1991, Senate Bill 266 included a non-binding resolution, which if it had become real law, would have forced manufacturers of secure communications equipment to insert special "trap doors" in their products, so that the government could read anyone's encrypted messages. Before that measure was defeated, I wrote and released Pretty Good Privacy. I did it because I wanted cryptography to be made available to the American public before it became illegal to use it. I gave it away for free so that it would achieve wide dispersal, to inoculate the body politic.
Attempts to Receive Approval for Export of PGP Book
17. I am also the author of PGP: Source Code and Internals, a book published by the Massachusetts Institute of Technology Press. The book was published in March of 1995. It is priced at $55. It has ISBN 0-262-24039-4.
18. On January 24, 1995, the MIT Press submitted a Commodity Jurisdiction Request to the Office of Defense Trade Controls in the U.S. Department of State regarding the book. The purpose of the Request was to confirm MIT's conclusion that the book was not subject to export controls under the ITAR.
19. This Request indicated that the book set out the source code for PGP (Version 2.6.2), and it contains the latest version of PGP. It went on to note that the source code in the book is all the code that is required for a full implementation of the PGP applications. The Request also stated that the source code is printed in the book in a standard font so that it can be
read by humans. The font used is also capable of being scanned by computer scanners. If the source code were scanned in and then run through a compiler program, it would be translated into an executable application or object code, which could then be read and executed by a computer to encrypt text and binary files.
20. The Request stated that the book is within the definition of the term "public domain" in the ITAR and that it is not subject to the export control jurisdiction of the Department of State.
21. After waiting, MIT Press sent a second letter to State asking them to confirm or deny within 10 days that the book was outside ITAR jurisdiction, and stating that they would go ahead and publish it if no response was received.
22. To date, there had been no response from the State Department to the Request.
23. I am informally advised that the three major agencies (State, NSA and Commerce) involved in the CJ process for PGP: Source Code and Internals have been unable to agree on whether the book is outside ITAR jurisdiction. -- In other situations concerning export controls on cryptography, the government has deemed cryptographic source code published in a book to be in the "public domain." However, when Mr. Karn sought to export on a floppy disk containing essentially the same cryptographic source code as contained in that book, the government stated that the disk was a defense article and not technical data, and thus could not be "public domain."
24. When Mr. Karn brought a legal challenge to this decision, the government stated in its litigation papers that it is reconsidering its policy of allowing the publication of print books containing source code. I believe that the government was referring to the pending CJ Request for PGP: Source Code and Internals.
Human Rights and Democracy Uses for Cryptography
25. Today, human rights organizations are using PGP to protect their people overseas. Amnesty International uses it. The human rights group in the American Association for the Advancement of Science uses it. It is used to protect witnesses who report human rights abuses in the Balkans, in Burma, in Guatemala, in Tibet.
26. Some Americans don't understand why I should be this concerned about the power of government. But I do not have to explain it to people in Eastern Europe. They already get it-- and they don't understand why we don't.
27. Attached hereto as Exhibit A are true and correct copies of e-mail messages which I have received thanking me for creating PGP software and attesting to its use by human rights organizations to protect the privacy of their speech. At the request of the authors of these messages, who have told me that their human rights work would be jeopardized if their
identities are revealed, I have deleted their names and addresses.
28. Below is a quote from some E-mail I received in October 1993 from a Mr. Harry Bush in Latvia, on the day that Boris Yeltsin was shelling his Parliament building:
Phil I wish you to know: let it never be, but if dictatorship takes over Russia your PGP is widespread from Baltic to Far East now and will help democratic people if necessary. Thanks.

I declare under penalty of perjury that the foregoing is true and correct
and that this Declaration was executed at Redwood Shores, California.

Date: __________________________________
Philip R. Zimmermann