Sun, July 15, 2001 — CIO — In the early ’90s the technical culture, usually of one mind on issues of importance developed a crack. Popular technical culture, based in campuses and the online hacker communities, fell head over heels in love with encryption, especially as embodied in the method called public key. This, they proclaimed, was a revolutionary technology that would dissolve the privacy, authentication and security problems that constrained online communities, secure vital human freedoms like free speech and association, and even (some thought) usher out central governments in favor of the libertarian utopia. The talisman of this movement was Phil Zimmerman’s program Pretty Good Privacy; its bible, Bruce Schneier’s Applied Cryptography (Wiley, John & Sons, October 1995), sold more than 100,000 copies in two editions.

Meantime, the corporate technical community was relatively indifferent to the technology. To some this seemed paradoxical. The risk the average Unix programmer ran by leaving his Quake cheats unencrypted was probably pretty low. Companies, however, routinely sent and stored information of real value on their networks and file servers.

The reason for the difference was that both the corporate and popular communities were focusing on the same feature but with different perspectives: In the early ’90s encryption was primarily an end-to-end technology, run by users from the edge of the network. This appealed to the popular community, since users liked the idea of being responsible for enforcing their rights with their own hands. For CIOs, end-to-end was a bug, not a feature, because such services carry significant training and installation costs. There were other problems: Encryption made it harder for network diagnostic tools to peer into the traffic flow.

The argument between encryption developers and vendors, and the national intelligence and law enforcement agencies looked like a good one to avoid. There were no open standards.

Thus on the corporate side, even though encryption was available in theory (Lotus had built a decent module into Notes) the security products that drew the most enthusiasm were firewalls. Firewalls did not demand as many resources, and they protected against some of the same threats as encryption. Our own coverage mirrored that attitude. When we wrote about security (as we did in our Feb. 15, 1994, issue), we concentrated on firewalls, good practices and smarter management. Encryption seldom merited more than a line or two. "Crypto companies were begging for someone to pay attention to them," remembers Vin McLellan, managing director of the Privacy Guild, a security consultancy in Chelsea, Mass.