A Statement from Philip R. Zimmermann

Senior Fellow, Network Associates
Founder, PGP Inc.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'd like to address the rumors concerning the cryptographic integrity of PGP, including recent versions made by Network Associates, as well as recent freeware versions built and released by Stale Schumacher on his website in Norway at http://www.pgpi.org. These rumors allege that these versions of PGP contain back doors for the US Government to access the plaintext messages or keys.

I do not know how such sensationalist conspiracy theories get started, but they seem to come from people who believe that The X-Files is a documentary.

Let me assure everyone that all versions of PGP that are released from Network Associates have the same cryptographic integrity as all previous versions of PGP that were released since the old days before I started my company, PGP Inc. In fact, no version of PGP in which I have been personally involved has ever had any back doors or any other mechanism to intentionally weaken PGP. That includes versions released by MIT, PGP Inc, Network Associates, or Stale Schumacher.

After all the hardship and legal persecution that I endured to bring PGP to the world, I find it surprising and offensive that anyone would think that I would quietly stand by and tolerate any compromise in the cryptographic integrity of PGP.

When Network Associates acquired my company in December 1997, they also acquired the same engineering team that we had put together at PGP Inc, a team dedicated to the same principles of personal privacy that led me to create PGP. This team is still working on PGP today, and will continue to help me protect the integrity of PGP. Network Associates has not shown the slightest interest in compromising the integrity of PGP. They recognize that it would not be in their business interests to do so.

We have always published the source code for every version of PGP for peer review purposes, and Network Associates has carried on that tradition. Anyone may download the source code for PGP from www.pgpi.org and examine it for any back doors.

Stale Schumacher, an independent PGP activist who is not an employee of Network Associates, has done all the builds since PGP 5.0i for the freeware versions of PGP in Europe. I have known Stale for several years and I know that he is committed to the same political principles of privacy as I am. I feel confident that Stale would never compromise the integrity of PGP in the versions that he builds for distribution on his site. Nonetheless, anyone who worries if the binary executables for PGP are trustworthy may compile the code themselves and rebuild the binaries for their own personal use, as long as they do not redistribute such rebuilt binaries for others to use.

Philip Zimmermann
http://www.pgp.com/phil
28 October 1999

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOBjV4GPLaR3669X8EQItwACfd/1OGzgiemOiWzB6Zw23W8XKpTAAoPLE
hAZjB37PKSmSwMe40hcEiEbk
=MYsO
-----END PGP SIGNATURE-----