A Weapon Called Privacy

Phil Zimmermann, PGP, and the criminalisation of encryption

This is the fourth in a series exploring the hidden history of crypto: where it came from, who shaped it, and the systems of power it sought to subvert.

---

In 1991, a 36-year-old software developer named Phil Zimmermann uploaded a small programme to a US-based FTP server. It was called Pretty Good Privacy—PGP for short. The code allowed anyone with a personal computer to encrypt and decrypt messages with military-grade security.

Phil Zimmerman, creator of PGP.

Zimmermann didn’t make any money from it. But he would soon be under criminal investigation for "munitions export" violations. His crime? Sharing strong encryption.

It was a continuation of a battle first glimpsed in 1976. As discussed in The Door Unlocked, when Diffie and Hellman published their paper on public key cryptography, they challenged the US state’s monopoly on secrecy. At the time, cryptography was not treated as science but as weaponry. It was grouped into the US Munitions List alongside missile systems and nuclear devices. The export of cryptographic tools without government approval was, therefore, an act of smuggling.

Zimmermann’s story picked up where that left off.

The Cold War may have ended, but the state’s war on secrecy was just beginning.

From Public Keys to Private Battles

Whitfield Diffie and Martin Hellman had upended the assumptions of the crypto world with their paper on public key cryptography. No longer would keys need to be shared over insecure channels. The idea was revolutionary—but it remained largely theoretical.

Then, in the 1980s, David Chaum extended the idea to anonymity, mix networks, and digital cash. His work inspired both hope and fear: a digital world where identity could be shielded and transactions untraceable. But Chaum’s implementations, like DigiCash, were still reliant on trusted intermediaries.

Zimmermann took the next step. PGP was distributed, peer-to-peer, and available to anyone.

He wasn’t alone. Throughout the 1980s, a growing cypherpunk movement (a loose group of privacy activists, libertarians, and hackers) had begun to explore how cryptography could serve civil liberties. They saw encryption not as a weapon, but as a form of speech.

As Eric Hughes would later write in A Cypherpunk’s Manifesto:

Privacy is necessary for an open society in the electronic age... We cannot expect governments, corporations, or other large, faceless organisations to grant us privacy. We must defend our own privacy if we expect to have any.

Notable figures in the movement included Tim May, who coined the term "crypto anarchy," and John Gilmore, a founder of the Electronic Frontier Foundation. Their rallying cry: strong encryption as a tool for individual freedom.

At the same time that Zimmermann was building tools to protect privacy, another quiet battle elsewhere was being fought over the shape of the web itself. As discussed in The Garden and the Gate, Tim Berners-Lee had tried to preserve the openness of the internet. But already, the fences were rising. If Berners-Lee fought to keep the web open, Zimmermann fought to keep it safe.

A Political Act in Code

Zimmermann developed PGP on his own, writing most of the code on a Mac SE in his spare time. He used RSA for public key encryption, IDEA for symmetric encryption, and a web-of-trust model that allowed users to verify one another without relying on a central authority.

He released it free of charge. He later said:

If privacy is outlawed, only outlaws will have privacy.

PGP spread quickly. Activists, journalists, and dissidents around the world began using it.

Daniel Ellsberg, the Pentagon Papers whistleblower, publicly supported Zimmermann. Human rights organisations like Amnesty International used PGP to protect sensitive communications. Investigative journalists working under authoritarian regimes depended on it to shield their sources.

But the US government treated encryption as a weapon. Under ITAR (International Traffic in Arms Regulations), exporting strong crypto software was akin to smuggling missiles.

The US Customs Service launched a multi-year criminal investigation. Zimmermann recalled:

I was under a cloud for three years. I had to get a criminal lawyer. It cost me hundreds of thousands of dollars just to defend myself for writing software.

No formal charges were ever filed, but the message was clear: strong encryption was not for the people.

The Code That Couldn’t Be Contained

To circumvent the export restrictions, supporters printed the PGP source code in book form, because books, unlike software, were protected under the First Amendment. The absurdity of the situation only strengthened the cypherpunk cause.

PGP became a rallying cry. It wasn’t just software. It was a declaration: privacy is a right, not a privilege.

Zimmermann was joined by a growing number of figures in the cypherpunk scene, including:

Eric Hughes, author of the Cypherpunk Manifesto.

Tim May, ex-Intel physicist and crypto-anarchist.

John Gilmore, EFF co-founder and internet pioneer.

They didn’t just support Zimmermann during the investigation. They began laying a broader ideological and technical foundation: publishing manifestos, creating mailing lists, advocating open cryptographic standards, and seeding a global conversation about digital self-sovereignty. Theirs was a philosophy of adversarial design: to build systems that could not be co-opted.

The Quiet Revolution

PGP’s open model anticipated what would later become common in decentralised technologies: trustless networks, user sovereignty, and adversarial thinking.

In the years that followed, Zimmermann would found PGP Inc., testify before Congress, and watch as his creation was adopted, forked, and built upon. OpenPGP became an international standard. Signal and WhatsApp now use similar principles for end-to-end encryption.

But the fight over who gets to use strong crypto has never ended. In 2016, Apple refused FBI demands to weaken iPhone encryption. Debates rage over backdoors and lawful access.

Yet Zimmermann’s act in 1991 still resonates. One man, one programme, and the belief that some secrets are worth protecting.

As Zimmermann later reflected:

You can’t make the availability of strong cryptography depend on who you are. It’s either available to everyone or it’s not worth having.

Bibliography

• Zimmermann, P. (1995). The Official PGP User’s Guide

• Levy, S. (2001). Crypto: How the Code Rebels Beat the Government

• Greenberg, A. (2012). This Machine Kills Secrets

• May, T. (1988). The Crypto Anarchist Manifesto

• Hughes, E. (1993). A Cypherpunk’s Manifesto

• Interviews with Phil Zimmermann and early cypherpunks

• EFF archives and ITAR legal documents

• Ellsberg, D. (1995). Public statements in support of encryption rights