PGP FAQ
Non-Technical PGP (Pretty Good Privacy) FAQ
by André Bacard, Author of Computer Privacy Handbook ("The Scariest Computer Book of the Year")
[FAQ Updated April 28, 1998]
This article offers a nontechnical overview of PGP to help
you decide whether or not to use this globally popular computer software
to safeguard your computer files and e-mail. I have written this especially
for persons with a sense of humor. You may distribute this (unaltered) FAQ
for non-commercial purposes.
What is PGP?
PGP (also called "Pretty Good Privacy") is a computer program that encrypts
(scrambles) and decrypts (unscrambles) data. For example, PGP can encrypt
"Andre" so that it reads "457mRT%$354." Your computer can decrypt this
garble back into "Andre" if you have PGP.
Who created PGP?
Philip Zimmermann wrote the initial program. Phil, a hero to many pro-privacy
activists, worked as a computer security consultant in Boulder, Colorado
during the original days of PGP. Other programmers around the globe have
created subsequent PGP versions and/or shells. The newest versions of PGP
are created by a California-based corporation called Network Associates,
which bought a previous company, co-founded by Zimmermann, called PGP, Inc.
Who uses PGP encryption?
People who value privacy use PGP. Politicians running election campaigns,
taxpayers storing IRS records, therapists protecting clients' files, entrepreneurs
guarding trade secrets, journalists protecting their sources, and people
seeking romance are a few of the law-abiding citizens who use PGP to keep
their computer files and their e-mail confidential.
Businesses also use PGP. Suppose you're a corporate manager and you
need to e-mail an employee about his job performance. You may be required
by law to keep this e-mail confidential. Suppose you're a saleswoman, and
you must communicate over public computer networks with a branch office
about your customer list. You may be compelled by your company and the
law to keep this list confidential. These are a few reasons why businesses
use encryption to protect their customers, their employees, and themselves.
PGP also helps secure financial transactions. For example, the Electronic
Frontier Foundation uses PGP to encrypt members' charge account numbers,
so that members can pay dues via e-mail.
Thomas G. Donlan, an editor at Barron's [a financial publication
related to The Wall Street Journal], wrote a full-page editorial
in the April 25, 1994 Barron's entitled "Privacy and Security: Computer
Technology Opens Secrets, And Closes Them." Mr. Donlan wrote, in part:
"Without security, the Internet is little more than the world's biggest
bulletin board. With security, it could become the information supermarket
of the world. [Encryption] lets people and banks feel secure putting their
credit-card numbers on the public network. Although it still seems that
computers created an age of snoopery, the age of privacy is at hand."
Aren't computers and e-mail already safe?
Your computer files (unless encrypted) can be read by anyone with access
to your machine. E-mail is notoriously unsafe. Typical e-mail travels through
many computers. The persons who run these computers can read, copy, and
store your mail. Many competitors and voyeurs are highly motivated to intercept
e-mail. Sending your business, legal, and personal mail through computers
is even less confidential than sending the same material on a postcard.
PGP is one secure "envelope" that keeps busybodies, competitors, and criminals
from victimizing you.
I have nothing to hide. Why do I need privacy?
Show me a human being who has no secrets from her family, her neighbors,
or her colleagues, and I'll show you someone who is either an extraordinary
exhibitionist or an incredible dullard. Show me a business that has no
trade secrets or confidential records, and I'll show you a business that
is not very successful.
On a lighter note, a college student wrote me the following:
"I had a part-time job at a dry cleaner. One day I returned a diamond
ring that I'd found in a man's coat pocket to his wife. Unfortunately,
it was NOT her ring! It belonged to her husband's girlfriend. His wife
was furious and divorced her husband over this incident. My boss told me:
'Return jewelry ONLY to the person whose clothes you found it in, and NEVER
return underwear that you find in pockets!' Until that moment, I thought
my boss was a finicky woman. But she taught me the need for PGP."
Privacy, discretion, confidentiality, and prudence are hallmarks of
civilization.
I've heard police say that encryption should be outlawed because criminals
use it to avoid detection. Is this true?
The next time you hear someone say this, ask him if he wants to outlaw
the likes of Thomas Jefferson, the "Father of American Cryptography," who
wrote the American Declaration of Independence.
Many governments, corporations, and law enforcement agencies use encryption
to hide their operations. Yes, a few criminals also use encryption. Criminals
are more likely to use cars, gloves, and ski-masks to evade capture.
PGP is "encryption for the masses." It gives average law-abiding citizens
a few of the privacy rights which governments and corporations insist that
they need for themselves.
How does PGP work?
PGP is a type of "public key cryptography." When you start using PGP, the
program generates two "keys" that belong uniquely to you. Think of these
keys as computer counterparts of the keys in your pocket. One PGP key is
SECRET and stays in your computer. The other key is PUBLIC. You give this
second key to your correspondents. Here is a sample PUBLIC KEY:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.7
mQCNAi44C30AAAEEAL1r6ByIvuSAvOKIk9ze9yCK+ZPPbRZrpXIRFBbe+U8dGPMb
9XdJS4L/cy1fXr9R9j4EfFsK/rgHV6i2rE83LjOrmsDPRPSaizz+EQTIZi4AN99j
iBomfLLZyUzmHMoUoE4shrYgOnkc0u101ikhieAFje77j/F3596pT6nCx/9/AAUR
tCRBbmRyZSBCYWNhcmQgPGFiYWNhcmRAd2VsbC5zZi5jYS51cz6JAFUCBRAuOA6O
7zYZz1mqos8BAXr9AgCxCu8CwGZRdpfSs65r6mb4MccXvvfxO4TmPi1DKQj2FYHY
jwYONk8vzA7XnE5aJmk5J/dChdvfIU7NvVifV6AF
=GQv9
-----END PGP PUBLIC KEY BLOCK-----
Suppose the PUBLIC KEY listed above belongs to you and that you e-mail
it to me. I can store your PUBLIC KEY in my PGP program and use your PUBLIC
KEY to encrypt a message that only you can read. One beauty of PGP is that
you can advertise your PUBLIC KEY the same way that you can give out your
telephone number. If I have your telephone number, I can call your telephone;
however, I cannot answer your telephone. Similarly, if I have your PUBLIC
KEY, I can send you mail; however, I cannot read your mail. This PUBLIC
KEY concept might sound a bit mysterious at first. However, it becomes
very clear when you play with PGP for a while.
How safe is PGP?
Will it really protect my privacy? Perhaps your government or your mother-in-law
can "break" PGP messages by using supercomputers and/or pure brilliance.
I have no way of knowing. Three facts are certain. First, top-rate civilian
cryptographers and computer experts have tried unsuccessfully to break
PGP. Second, whoever proves that he or she can unravel PGP will earn quick
fame in crypto circles. He or she will be applauded at banquets and attract
grant money. Third, PGP's most knowledgeable users around the world will
broadcast this news at once.
Almost daily, someone posts a notice such as "PGP Broken by Omaha Teenager."
Take these claims with a grain of salt. The crypto world attracts its share
of paranoids, provocateurs, and UFO aliens. To date, nobody has publicly
demonstrated the skill to outsmart or outmuscle PGP.
Is PGP legal in the United States?
Yes. However, it is ILLEGAL to export PGP out of the United States without
the proper government approval. Do not even think of doing so! To communicate
with friends in, say, England, have your friends get PGP from sources outside
the United States.
Is PGP legal outside the United States?
PGP's legality varies from country to country. Plus, laws constantly change
around the globe. You'll have to check the laws where you live.
What is a PGP digital signature?
Suppose I signed this FAQ with my PGP "digital signature". This would allow
persons who have PGP and my PUBLIC KEY to verify that 1) I, Andre Bacard,
(not a Sports Illustrated superstar pretending to be me!) wrote
this document, and 2) Nobody has altered this text since I signed it. PGP
signatures might be helpful for signing contracts, transferring money,
and verifying a person's identity.
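The two ideas described under "How does PGP work?" and "What is a PGP digital signature?" (a PUBLIC key that lets anyone send you mail but not read it, and a signature that shows who wrote a text and that nothing changed since) in working code. This is an added example, not part of the original FAQ or of PGP itself: it uses Go's standard RSA library in place of PGP's own key format, and the key and message names are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeypair plays the role of PGP's key generation: the returned private key
// is the SECRET key that stays on your machine, and its PublicKey field is the
// PUBLIC key you hand out like a telephone number. (2048-bit RSA stands in here.)
func NewKeypair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt: anyone holding the recipient's PUBLIC key can seal a message to them.
func Encrypt(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Decrypt: only the matching SECRET key opens the envelope; any other key errors.
func Decrypt(secret *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, secret, ct, nil)
}

// Sign: the author's SECRET key signs a hash of the document.
func Sign(secret *rsa.PrivateKey, doc []byte) ([]byte, error) {
	h := sha256.Sum256(doc)
	return rsa.SignPSS(rand.Reader, secret, crypto.SHA256, h[:], nil)
}

// Verify checks both claims the FAQ lists: the signer holds the secret half
// of this PUBLIC key, and not one byte of the text changed since signing.
func Verify(author *rsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return rsa.VerifyPSS(author, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	you, _ := NewKeypair() // your SECRET key; &you.PublicKey is what you publish
	me, _ := NewKeypair()  // someone else's keys (constructed for the demo)
	ct, _ := Encrypt(&you.PublicKey, []byte("Andre"))
	_, err := Decrypt(me, ct) // I hold your PUBLIC key but cannot read your mail
	pt, _ := Decrypt(you, ct)
	fmt.Printf("other key fails: %v, you read: %s\n", err != nil, pt)
	sig, _ := Sign(you, []byte("This FAQ"))
	fmt.Println("genuine:", Verify(&you.PublicKey, []byte("This FAQ"), sig),
		"altered:", Verify(&you.PublicKey, []byte("This FAQ."), sig))
}
```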
How difficult is it to learn PGP?
PGP is easier to use than, say, a word processing program. The latest Windows
versions allow you to encrypt and decrypt files and e-mail messages with
a simple mouse click.
Is PGP available for my machine?
Versions are available for DOS and Windows, as well as various Unixes,
Macintosh, Amiga, Atari ST, and OS/2 systems. Many persons are working
to expand PGP's usability. Read the Usenet <alt.security.pgp> news group
for the latest developments.
Are these versions of PGP mutually compatible?
In general, yes. For example, a document encrypted with PGP on a PC can
be decrypted with someone using PGP on a Unix machine. You will also find
that the "international" versions of PGP are compatible with the "domestic"
(United States) versions.
Where do I get PGP?
PGP is easy to download on the Internet, but the sources keep changing.
Therefore, I recommend you go to Bacard's Privacy Page and check the PGP
links for both "domestic" and "international"
sources. If you want super-detailed sources for PGP, such as Bulletin Board
System providers, go to the Usenet group <alt.security.pgp> and read
Michael Johnson's FAQ about where to find PGP.
How expensive is PGP?
Many PGP versions are "freeware." This means that they are free. People
from New Zealand to Mexico use these versions every day. The corporate-produced
versions of PGP are normally priced software. Again, follow the PGP links
at Bacard's Privacy Page.
This page maintained by abacard@well.com