Earlier this week I wrote about the importance of deploying open source encryption as widely as possible. We are fortunate in that we already have several key tools available as free software. One of them is GNU Privacy Guard:
GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows to encrypt and sign your data and communication, features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).
GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License .
In the wake of Edward Snowden's revelations, I would say that GnuPG is now one of the most important pieces of software on the planet. Against that background, this is appalling:
The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.
Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
"I'm too idealistic," he told me in an interview at a hacker convention in Germany in December. "In early 2013 I was really about to give it all up and take a straight job." But then the Snowden news broke, and "I realized this was not the time to cancel."
Werner Koch is a hero, and we owe him so much for selflessly carrying on his work despite that lack of money, because he recognised that it was more important than ever. Fortunately, I am not the only one to think so, and to be ashamed that I/we have allowed this situation to arise. Yesterday, when the article by Julia Angwin appeared on the Pro Publica site, people across the world started donating on a massive scale. As an update by Angwin explains:
since our story was posted, donations flooded Werner's website donation page and he reached his funding goal of $137,000.
In addition, Facebook and the online payment processor Stripe each pledged to donate $50,000 a year to Koch’s project, and the Linux Foundation is making a one-time grant of $60,000 as part of its Core Infrastructure Initiative .
These are all hugely welcome, and our thanks go to the people, companies and organisations for stepping in like this. However, we have come perilously close to losing the unique skills of a coder who has not only spent the best part of two decades working on GnuPG, but often done so at great personal cost to himself and his family. We cannot let this happen again - either to GnuPG, or to other critical free software security programs.
We must set up a formal structure that allows funding to be gathered in advance - not weeks before shutdown - and to be distributed to projects in a timely and guaranteed fashion. We need the big Internet companies to follow the example of Facebook and Stripe and to make regular donations to the the central pot of money - and to name and shame those who do not. We also need to make ordinary Internet users aware of how much we all owe these projects and the (few) coders that keep them going.
Yesterday's GnuPG story had a happy ending - for the moment - but must serve as another wake-up call, since the Heartbleed incident doesn't seem to have been enough. The small collection of core security programs like GnuPG and OpenSSL is the only real shield we have for fundamental liberties; if we let those projects totter through neglect or indifference, so does our freedom.