Editing Pretty Good Privacy (section)

==History==

===Early history===
[[Phil Zimmermann]] created the first version of PGP encryption in 1991. The name, "Pretty Good Privacy" was inspired by the name of a [[grocery]] store, "Ralph's Pretty Good Grocery", featured in radio host [[Garrison Keillor]]'s fictional town, [[Lake Wobegon]].<ref>{{cite book |title=IT manager's handbook: getting your new job done |last1=Holtsnider |first1=Bill |last2=Jaffe |first2=Brian D. |year=2006 |publisher=[[Morgan Kaufmann Publishers|Morgan Kaufmann]] |edition=2nd |page=373 |url=https://books.google.com/books?id=OeQD_QPOYY4C&pg=PA373|isbn=978-0-08-046574-6}}</ref> This first version included a [[symmetric-key algorithm]] that Zimmermann had designed himself, named [[BassOmatic]] after a ''[[Saturday Night Live]]'' sketch. Zimmermann had been a long-time [[Anti-nuclear movement|anti-nuclear activist]], and created PGP encryption so that similarly inclined people might securely use [[bulletin board system|BBS]]s and securely store messages and files. No license fee was required for its non-commercial use, and the complete [[source code]] was included with all copies.

In a posting of June 5, 2001, entitled "PGP Marks 10th Anniversary",<ref>{{cite web |url=https://www.philzimmermann.com/EN/news/PGP_10thAnniversary.html |title=PGP Marks 10th Anniversary |publisher=Phil Zimmermann |access-date=2010-08-23 |archive-date=March 9, 2022 |archive-url=https://web.archive.org/web/20220309030942/https://www.philzimmermann.com/EN/news/PGP_10thAnniversary.html |url-status=live }}</ref> Zimmermann describes the circumstances surrounding his release of PGP:

{{quotation|It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the Internet. First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.

It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was.}}

PGP found its way onto the [[Internet]] and rapidly acquired a considerable following around the world. Users and supporters included dissidents in totalitarian countries (some affecting letters to Zimmermann have been published, some of which have been included in testimony before the US Congress), [[civil libertarians]] in other parts of the world (see Zimmermann's published testimony in various hearings), and the 'free communications' activists who called themselves [[cypherpunk]]s (who provided both publicity and distribution); decades later, [[CryptoParty]] activists did much the same via [[Twitter]].

===Criminal investigation===
Shortly after its release, PGP encryption found its way outside the [[United States]], and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "[[United States Munitions List|munitions]] export without a license". At the time, cryptosystems using keys larger than [[40-bit encryption|40 bits]] were considered munitions within the definition of the [[Export of cryptography in the United States#PC era|US export regulations]]; PGP has never used keys smaller than 128 bits, so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.

Zimmermann challenged these regulations in an imaginative way. In 1995, he published the entire [[source code]] of PGP in a hardback book,<ref name="zimmermann2">{{cite book |last= Zimmermann |first= Philip |author-link= Phil Zimmermann |title= PGP Source Code and Internals |year= 1995 |publisher= [[MIT Press]] |isbn= 0-262-24039-4}}</ref> via [[MIT Press]], which was distributed and sold widely. Anybody wishing to build their own copy of PGP could cut off the covers, separate the pages, and scan them using an [[Optical character recognition|OCR]] program (or conceivably enter it as a [[type-in program]] if OCR software was not available), creating a set of source code text files. One could then build the application using the freely available [[GNU Compiler Collection]]. PGP would thus be available anywhere in the world. The claimed principle was simple: export of ''munitions''—guns, bombs, planes, and software—was (and remains) restricted; but the export of ''books'' is protected by the [[First Amendment to the United States Constitution|First Amendment]]. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the [[United States Court of Appeals for the Ninth Circuit|Ninth Circuit Court of Appeals]] in the [[Bernstein v. United States|Bernstein case]] and the [[United States Court of Appeals for the Sixth Circuit|Sixth Circuit Court of Appeals]] in the [[Junger v. Daley|Junger case]]).

[[Export of cryptography in the United States#PC era|US export regulations]] regarding cryptography remain in force, but were liberalized substantially throughout the late 1990s. Since 2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to seven specific countries and a list of named groups and individuals<ref>{{cite web |title=Lists to Check |url=https://www.bis.doc.gov/complianceandenforcement/liststocheck.htm |work=US Department of Commerce, Bureau of Industry and Security |access-date=December 4, 2011 |archive-url=https://web.archive.org/web/20100112230807/https://www.bis.doc.gov//complianceandenforcement/liststocheck.htm |archive-date=January 12, 2010 |url-status=dead }}</ref> (with whom substantially all US trade is prohibited under various US export controls).

The criminal investigation was dropped in 1996.<ref>{{cite web |last1=Zimmermann |first1=Phil |title=Significant Moments in PGP's History: Zimmermann Case Dropped |url=https://philzimmermann.com/EN/news/PRZ_case_dropped.html |website=philzimmermann.com |quote=The U.S. Attorney's Office for the Northern District of California has decided that your client, Philip Zimmermann, will not be prosecuted in connection with the posting to USENET in June 1991 of the encryption program Pretty Good Privacy. The investigation is closed. |access-date=February 16, 2024 |archive-date=October 5, 2024 |archive-url=https://web.archive.org/web/20241005182852/https://philzimmermann.com/EN/news/PRZ_case_dropped.html |url-status=live }} &ndash; page also contains NPR morning radio recording on this matter</ref>

===PGP 3 and founding of PGP Inc.===
During this turmoil, Zimmermann's team worked on a new version of PGP encryption called PGP 3. This new version was to have considerable security improvements, including a new certificate structure that fixed small security flaws in the PGP 2.x certificates as well as permitting a certificate to include separate keys for signing and encryption. Furthermore, the experience with patent and export problems led them to eschew patents entirely. PGP 3 introduced the use of the [[CAST-128]] (a.k.a. CAST5) symmetric key algorithm, and the [[Digital Signature Algorithm|DSA]] and [[ElGamal]] asymmetric key algorithms, all of which were unencumbered by patents.

{{anchor|PGP_Inc}}After the Federal criminal investigation ended in 1996, Zimmermann and his team started a company to produce new versions of PGP encryption. They merged with Viacrypt (to whom Zimmermann had sold commercial rights and who had [[licensed]] RSA directly from [[RSADSI]]), which then changed its name to PGP Incorporated. The newly combined Viacrypt/PGP team started work on new versions of PGP encryption based on the PGP 3 system. Unlike PGP 2, which was an exclusively [[command line]] program, PGP 3 was designed from the start as a [[software library]] allowing users to work from a command line or inside a [[GUI]] environment. The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997.

===Network Associates acquisition===
In December 1997, PGP Inc. was acquired by [[Network Associates, Inc.]] ("NAI"). Zimmermann and the PGP team became NAI employees. NAI was the first company to have a legal export strategy by publishing source code. Under NAI, the PGP team added disk encryption, desktop firewalls, intrusion detection, and [[IPsec]] [[VPN]]s to the PGP family. After the export regulation liberalizations of 2000 which no longer required publishing of source, NAI stopped releasing source code.<ref>{{cite web |url=https://www.proliberty.com/references/pgp/ |title=Important Information About PGP & Encryption |publisher=proliberty.com |access-date=2015-03-24 |archive-date=January 28, 2022 |archive-url=https://web.archive.org/web/20220128002134/https://proliberty.com/references/pgp/ |url-status=live }}</ref>

===Asset split===
In early 2001, Zimmermann left NAI. He served as Chief Cryptographer for [[Hush Communications]], who provide an OpenPGP-based e-mail service, [[Hushmail]]. He has also worked with Veridis and other companies. In October 2001, NAI announced that its PGP assets were for sale and that it was suspending further development of PGP encryption. The only remaining asset kept was the PGP E-Business Server (the original PGP Commandline version).  In February 2002, NAI canceled all support for PGP products, with the exception of the renamed commandline product.<ref name="sdsusa.com">[https://www.sdsusa.com/newsdocs/130811.sds.ebs.pdf "Long Live E-Business Server for Enterprise-Scale Encryption."] {{Webarchive|url=https://web.archive.org/web/20220303022955/https://www.sdsusa.com/newsdocs/130811.sds.ebs.pdf |date=March 3, 2022 }} Software Diversified Services. 2013-08-11. Retrieved 2015-06-30.</ref><ref name="techcrunch.com">[https://techcrunch.com/2017/04/03/intel-security-is-mcafee-again/ "Intel Security is McAfee again."] {{Webarchive|url=https://web.archive.org/web/20241005182853/https://techcrunch.com/2017/04/03/intel-security-is-mcafee-again/ |date=October 5, 2024 }} 2017-04-03. Retrieved 2018-01-08.</ref>

====McAfee====
NAI, now known as [[McAfee]], continued to sell and support the commandline product under the name McAfee E-Business Server until 2013.<ref name="kc.mcafee.com">[https://kc.mcafee.com/corporate/index?page=content&id=KB79203 "McAfee partners with Software Diversified Services to deliver E-Business Server sales and support."] {{Webarchive|url=https://web.archive.org/web/20150701050638/https://kc.mcafee.com/corporate/index?page=content&id=KB79203 |date=July 1, 2015 }} 2014-01-17. Retrieved 2015-06-30.</ref> In 2010, [[Intel Corporation]] acquired [[McAfee]]. In 2013, the McAfee E-Business Server was transferred to Software Diversified Services (SDS), which now sells, supports, and develops it under the name SDS E-Business Server.<ref name="kc.mcafee.com"/><ref name="sdsusa.com"/>

For the enterprise, Townsend Security currently{{when|date=February 2024}} offers a commercial version of PGP for the [[IBM i]] and [[z/OS|IBM z]] mainframe platforms. Townsend Security partnered with Network Associates in 2000 to create a compatible version of PGP for the IBM i platform. Townsend Security again ported PGP in 2008, this time to the IBM z mainframe. This version of PGP relies on a free z/OS encryption facility, which utilizes hardware acceleration. SDS also offers a commercial version of PGP (SDS E-Business Server) for the [[z/OS|IBM z]] mainframe.

====PGP Corporation====
In August 2002, several ex-PGP team members formed a new company, [[PGP Corporation]], and bought the PGP assets (except for the command line version) from NAI. The new company was funded by Rob Theis of Doll Capital Management (DCM) and Terry Garnett of Venrock Associates. PGP Corporation supported existing PGP users and honored NAI's support contracts. Zimmermann served as a special advisor and consultant to PGP Corporation while continuing to run his own consulting company. In 2003, PGP Corporation created a new server-based product called PGP Universal. In mid-2004, PGP Corporation shipped its own command line version called PGP Command Line, which integrated with the other PGP Encryption Platform applications. In 2005, PGP Corporation made its first acquisition: the [[Germany|German]] software company Glück & Kanja Technology AG,<ref>{{cite web |url=https://glueckkanja.com/ |title=glueckkanja.com |publisher=glueckkanja.com |access-date=2013-08-06 |archive-date=April 11, 2021 |archive-url=https://web.archive.org/web/20210411005144/https://glueckkanja.com/ |url-status=live }}</ref> which became PGP Deutschland AG.<ref>{{cite web |url=https://pgp.de/ |title=pgp.de |publisher=pgp.de |access-date=2013-08-06 |archive-date=April 25, 2019 |archive-url=https://web.archive.org/web/20190425163743/http://pgp.de/ |url-status=dead }}</ref> In 2010, PGP Corporation acquired Hamburg-based certificate authority TC TrustCenter and its parent company, [[ChosenSecurity]], to form its PGP TrustCenter<ref>{{cite web |url=https://www.pgptrustcenter.com |title=pgptrustcenter.com |publisher=pgptrustcenter.com |date=January 26, 2010 |access-date=2013-08-06 |archive-url=https://web.archive.org/web/20140109130044/https://www.pgptrustcenter.com/ |archive-date=January 9, 2014 |url-status=dead }}</ref> division.<ref>{{cite web |url=https://www.pgp.com/insight/newsroom/press_releases/pgp_corporation_acquires_chosensecurity.html |title=News Room – Symantec Corp |publisher=Pgp.com |access-date=2012-03-23 |archive-date=May 10, 2010 |archive-url=https://web.archive.org/web/20100510153018/http://www.pgp.com/insight/newsroom/press_releases/pgp_corporation_acquires_chosensecurity.html |url-status=live }}</ref>

After the 2002 purchase of NAI's PGP assets, PGP Corporation offered worldwide PGP technical support from its offices in [[Draper, Utah]]; [[Offenbach am Main|Offenbach]], [[Germany]]; and [[Tokyo]], [[Japan]].

===== Symantec =====
On April 29, 2010, [[NortonLifeLock|Symantec Corp.]] announced that it would acquire PGP Corporation for $300 million with the intent of integrating it into its Enterprise Security Group.<ref>{{cite web |url=https://www.computerworld.com/s/article/9176121/Symantec_buys_encryption_specialist_PGP_for_300M |title=Symantec buys encryption specialist PGP for $300M |publisher=Computerworld |date=April 29, 2010 |access-date=2010-04-29 |archive-date=July 4, 2014 |archive-url=https://web.archive.org/web/20140704095759/http://www.computerworld.com/s/article/9176121/Symantec_buys_encryption_specialist_PGP_for_300M |url-status=live }}</ref> This acquisition was finalized and announced to the public on June 7, 2010. The source code of PGP Desktop 10 is available for peer review.<ref>{{cite web|url=https://www.symantec.com/connect/downloads/symantec-pgp-desktop-peer-review-source-code |archive-url=https://web.archive.org/web/20111116233448/http://www.symantec.com/connect/downloads/symantec-pgp-desktop-peer-review-source-code |url-status=dead |archive-date=November 16, 2011 |title=Symantec PGP Desktop Peer Review Source Code |publisher=Symantec.com |date=September 23, 2012 |access-date=2013-08-06}}</ref>

In May 2018, a bug named [[EFAIL]] was discovered in certain implementations of PGP which from 2003 could reveal the plaintext contents of emails encrypted with it.<ref>{{cite web |url=https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/ |website=arstechnica.com |date=May 14, 2018 |title=Critical PGP and S/MIME bugs can reveal encrypted emails—uninstall now [Updated] |access-date=May 14, 2018 |archive-date=October 5, 2024 |archive-url=https://web.archive.org/web/20241005182854/https://arstechnica.com/information-technology/2018/05/critical-pgp-and-smime-bugs-can-reveal-encrypted-e-mails-uninstall-now/ |url-status=live }}</ref><ref>{{Cite web|url=https://efail.de/|title=EFAIL|website=efail.de|language=en-US|access-date=2018-05-18|archive-date=May 14, 2018|archive-url=https://web.archive.org/web/20180514100313/https://efail.de/|url-status=live}}</ref> The chosen mitigation for this vulnerability in PGP Desktop is to mandate the use [[SEIP]] protected packets in the ciphertext, which can lead to old emails or other encrypted objects to be no longer decryptable after upgrading to the software version that has the mitigation.<ref>{{Cite web|url=https://knowledge.broadcom.com/external/article/173613/cannot-decrypt-pgp-zip-files-created-wit.html|language=en-US|access-date=2021-10-18|title=Cannot decrypt PGP Zip files created with earlier releases of Encryption Desktop|archive-date=October 18, 2021|archive-url=https://web.archive.org/web/20211018095014/https://knowledge.broadcom.com/external/article/173613/cannot-decrypt-pgp-zip-files-created-wit.html|url-status=live}}</ref>

=====Broadcom=====
On August 9, 2019, [[Broadcom Inc.]] announced they would be acquiring the Enterprise Security software division of Symantec, which includes PGP Corporation.