Why we’re donating €1,000 to GnuPG

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” – Edward Snowden.

When a Redditor asked former NSA contractor Edward Snowden how he should keep his secrets safe from government spies, that was Snowden’s authoritative reply.

Snowden had previously released a video to help journalists use email encryption more effectively. It’s tangible, credible advice for people who care about privacy.

Without cryptographic protection, internet email is forgeable: anyone can send an email claiming to be from anyone else, because nothing in the protocol checks who the sender really is. It is also readable by whoever operates the servers and networks it passes through. Signing fixes the first problem, encryption the second, and GnuPG does both.

At Bytemark we’ve relied on email encryption and signing since we were founded in 2002. Our customers can rely on signed email to identify our staff, and we rely on it to identify our customers. As they’re trusting us completely with their electronic infrastructure, it’s crucial we both know we’re talking to the people we expect. We’ve also used encryption to protect credit card details and other sensitive internal company information.

To get that assurance, use GNU Privacy Guard (GnuPG). GnuPG is the best piece of software for protecting an email-based business like Bytemark.
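As an added example (not part of the original post, and not Bytemark’s or the GnuPG project’s own code), the POSIX shell script below shows the two properties the post relies on: a clear-signed message verifies against the sender’s key, and any alteration of the signed text makes verification fail. It assumes GnuPG 2.1 or later is installed as `gpg`; the user ID, the message text and the account number are made up, and everything happens in a throwaway keyring so it never touches your own keys.

```shell
#!/bin/sh
# Added example: sign a message with a throwaway GnuPG key, then show that
# tampering with the signed text is detected. Assumes gpg (GnuPG >= 2.1).
set -u

demo_dir=$(mktemp -d)
export GNUPGHOME="$demo_dir/gnupghome"     # isolated keyring for the demo
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
demo_uid='Demo Staff <demo@example.invalid>'   # made-up user ID

# Create an unprotected signing key in the throwaway keyring (batch mode, no
# pinentry prompt). Skipped if the key already exists, so this is idempotent.
make_demo_key() {
    gpg --batch --list-secret-keys "$demo_uid" >/dev/null 2>&1 && return 0
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$demo_uid" default default never >/dev/null 2>&1
}

# Clear-sign a file: the text stays readable and a signature block is appended.
sign_message() {   # $1 = plaintext file, $2 = output file
    gpg --batch --yes --quiet --local-user "$demo_uid" \
        --clearsign --output "$2" "$1" 2>/dev/null
}

# Print "good" if the signature verifies against our keyring, "bad" otherwise.
verify_message() { # $1 = clear-signed file
    if gpg --batch --quiet --verify "$1" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

# Run the scenario and print "<verdict on original> <verdict on tampered copy>".
# Prints "skipped" when gpg is not installed at all.
run_demo() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    make_demo_key || return 1
    # Constructed message: the kind of instruction a forger would love to alter.
    printf 'Please transfer EUR 1000 to account 12345678.\n' > "$demo_dir/msg.txt"
    sign_message "$demo_dir/msg.txt" "$demo_dir/msg.asc" || return 1
    # Simulated attacker edits the amount in transit, leaving the signature intact.
    sed 's/EUR 1000/EUR 9000/' "$demo_dir/msg.asc" > "$demo_dir/tampered.asc"
    echo "$(verify_message "$demo_dir/msg.asc") $(verify_message "$demo_dir/tampered.asc")"
}

# Stop the agent started for the throwaway keyring and remove the temp files.
cleanup_demo() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$demo_dir"
}

run_demo   # expected output: good bad
```

The verdict comes from gpg’s exit status, which is what a mail client checks behind its green or red signature badge: the original file verifies, the edited copy does not, even though both still look like a perfectly normal signed email to a human. Run `cleanup_demo` afterwards to stop the demo’s gpg-agent and delete the temporary keyring.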

Snowden’s reassurance wasn’t just that GnuPG was secure; it was that, if used carefully, even the most powerful spy agency in the world couldn’t read the encrypted messages. That’s why it was a crucial tool in disseminating the scandalous state of global spying to journalists around the world. If it’s good enough for that, it’s good enough for everyone.

GnuPG can already be used everywhere. It integrates with Mozilla Thunderbird and Apple Mail, and is a central feature of the webmail program Mailpile. It’s not yet very easy to use, but it is also not hard to use if you are keen, and maybe that is essential to an email crypto program. That is to say, if you’re not worrying a little bit about how it works, you’re at risk of being misled.

Writing encryption is hard

GnuPG has been developed since the late 90s largely by one person, Werner Koch, and development of this kind is difficult, specialised work.

Even if you understand the mathematical principles that make modern encryption work, implementing those principles in a piece of useful software is full of pitfalls. That is because, to the user, flawed encryption software looks and works exactly like good encryption software: the output is just as unreadable, and the flaw only shows up when someone exploits it. It demands engineering skills that most other kinds of software development never exercise.

If GnuPG had a reputation for security holes, it wouldn’t be the trusted tool it is (it has had fewer than one serious security flaw per year, even after the blazing publicity of the Snowden revelations).

If its author wasn’t an expert, and ended up taking advice from the very spies he was trying to protect his users against (as the US National Institute of Standards and Technology did), GnuPG could be considered less than trustworthy.

If GnuPG wasn’t a Free Software project, nobody could believe it didn’t have back-doors.

And if GnuPG wasn’t usable, complete, full of integrations into lots of different mail programs and operating systems, it wouldn’t help anybody.

Lonely, underpaid & crucial

So it seems like a lonely job. Big tech companies push closed solutions which are “good enough” for many corporates. Even banks and lawyers still don’t tend to care about encrypting or signing their email to customers. And it is Free Software, which means it’s very difficult to charge just for access – GnuPG needs to be everywhere to be trusted at all.

As a result it has never had a very steady source of funding.

Werner ran a small but successful crowdfunding campaign a year ago, but the modest €36,000 could only go so far in funding it as a full-time project. As Werner writes, he nearly went back to full-time employment:

Now, how viable is it to run a company for the development of free security software? Not very good, I had to realize … In the last years we had problems getting new GnuPG-related development contracts, which turned the company into a one-person show by fall 2012. I actually planned to shut it down in 2013 and to take a straight coder job somewhere. However, as a side effect of Edward Snowden‘s brave actions, there was more public demand for privacy tools and thus I concluded that it is worth keeping on working on GnuPG.

Werner is now looking for a more ambitious target of €120,000 to fund GnuPG through his two-man company for a much longer period. He’s asking for donations, and if you care about privacy on the internet, it’s the best money you can spend right now.

So pay what you can

Users of Kickstarter will fund whimsical gadgets, games, art projects and software to the tune of millions of dollars, often within weeks. The internet community is amazing at making big projects happen with their small change.

So now it’s time for them (us) to support a tool that is fundamental to private citizens, businesses, and democracy. Please join Bytemark in giving some money to GnuPG and help keep this important project alive.