When Network Associates halted development of its widely respected PGP (Pretty Good Privacy) desktop encryption software in late February, Julian Koh worried about his “postcards.”
Koh considers everything that passes across the Internet — e-mail, mailing list postings, Web pages — as no more private than postcards that can be read by anyone along their path. That realization long ago inspired an epiphany for the Northwestern University network engineer: “I was really amazed at the ease with which my network traffic could be intercepted and examined, even with no malicious intent whatsoever.”
It wasn’t a question of Koh having secrets. There are just some things that are no one else’s business. So for the past five years, both at work and at home, he has used PGP to routinely encrypt potentially sensitive communication, turning ordinary data into bits and bytes of meaningless gibberish readable only by those with the proper digital key.
“Typically, I [digitally] sign most of my outgoing messages, and several people and organizations with whom I correspond regularly also require encryption of messages,” he says.
But online security, just like everything else, is subject to the ebb and flow of capitalism — and the relentless releases of new software products with which one must be compatible. Updated operating systems from Microsoft and Apple require updated versions of PGP, but Network Associates is currently not making the necessary improvements. Koh and tens of thousands of other PGP users have been forced to seek alternatives.
Increasingly, they’re finding haven in a small corner of the open-source software world, bringing both opportunity and new users to an oddly named and heretofore little-known programming effort fueled by volunteers: GnuPG.
The synergies of the relationship are obvious: open-source software and cryptography are two sublimely geeky obsessions that go well together. But the story of how GnuPG is coming to the cryptogeek rescue also illuminates some of the limitations of open-source, or free software. Even a relatively slick consumer product like PGP has been deemed too technically challenging by many normal computer users — despite widespread anxieties about privacy on the part of the general Internet-using population. And making a software program easy to use is exactly the challenge that open-source software has historically been weakest at meeting.
When programmer Phil Zimmermann dubbed his pet encryption software “Pretty Good Privacy” it was a master stroke of subtle understatement. PGP’s mathematical heart is so complex that it defies any meaningful lay description. The result of using it, however, is easily grasped: data so jumbled that, according to its developers and some cryptography experts, our sun would burn out before all computers now in existence, working together, would have time to find the correct key for a single message. New advances in computing could ultimately change that, but for the moment, PGP is more than just pretty good.
PGP is an implementation of public key cryptography in which the “keys” that lock and unlock the meaning of a message are produced in pairs, public and private. The public key is just that, and is distributed to anyone who might wish to send the user an encrypted message. The private key is kept by the user for decrypting messages, turning them back into readable form. Cryptographer and security specialist Bruce Schneier, in his book “Applied Cryptography,” called the public key system “the most striking development in the history of cryptography.”
Software engineer and privacy activist Zimmermann put the system to practical use in 1991, creating the first crude version of PGP and releasing it as freeware. “PGP empowers people to take their privacy into their own hands,” Zimmermann wrote in the original program’s user guide. “There has been a growing social need for it. That’s why I wrote it.”
PGP spread worldwide on the Internet, and Zimmermann faced a three-year federal investigation for violating then strict regulations regarding the export of cryptographic software. When the government case was dropped in 1996, Zimmermann formed PGP Inc., and the modern age of consumer desktop encryption was born. PGP Inc. became a part of Network Associates in 1997.
Like the system itself, PGP is both public and private. While Network Associates’ source code is proprietary and no longer released to the general public, PGP, as a concept, lives in the open through the OpenPGP movement, a set of design specifications intended to make all forms of PGP-like public key systems interoperable.
Enter GNU (pronounced “guh-NEW”) Privacy Guard, also called GnuPG.
GNU (a “recursive acronym” meaning “GNU’s Not Unix”) was launched in 1984 to develop and maintain a free and open-source “Unix-like” operating system. The GnuPG project is an OpenPGP offshoot managed by the German Unix Users Group and begun in response to U.S. export restrictions.
In a move seen as a rebuff of American pressure to tighten its restrictions on cryptographic technologies, the German government awarded the fledgling software effort a $177,000 grant in 1999. “In Germany, we are really free to do anything now,” Werner Koch, head of the GnuPG movement, said of the German funding.
Now, just two years later, Koch and his GnuPG team have a robust application available for multiple platforms — and a new pool of potential users with which to grow.
“I expected something like this,” Koch said of PGP’s demise. “They (Network Associates) have moved away from an encryption tool to a ‘do everything security solution with the name PGP.’ [But] it might have turned out that the name PGP didn’t help that much in marketing.”
GnuPG’s marketing amounts to little more than word-of-mouth and Web sites. But those appear adequate. Discussion of GnuPG slipped onto the scene in PGP-related newsgroups and e-mail lists with surprising stealth. No announcements, no fanfare. It was just there one day, being recommended to an increasing number of inquisitive Windows and Macintosh users as a possible replacement for PGP.
Koch, who oversees GnuPG development from Germany, said the number of visitors to the GnuPG site each week has almost doubled since Jan. 6, rising from 11,249 to 20,689. While download numbers are difficult to measure since approximately 30 sites mirror the GnuPG files, Koch said GnuPG’s main server is registering approximately 2,000 downloads per week for the application’s Windows version and about the same for the Unix version. That’s up from approximately 1,700 each earlier this year, he said.
Downloads of the relatively new GnuPG version designed for Apple’s new operating system, Mac OS X, have also jumped sharply, and new user interface tools for OS X have been introduced within the past month — and updated since then.
“I don’t really have time for a full quantitative analysis, but I think that interest is about three times what it was,” said Gordon Worley, a 19-year-old Orlando, Fla., computer science student who oversees the Mac OS X version of GnuPG. “A lot of work is getting done in the MacGPG project because users of PGP are realizing that they have to find a solution when migrating to OS X.”
Zimmermann, now a consultant who remains active in the OpenPGP movement, indicated the Network Associates experience should be an example to privacy advocates.
“… It is dangerous to put all your eggs in one basket, and we can clearly see now how bad it can be to allow PGP to be buried by a company that owns it exclusively,” he said. “We are all fortunate that GPG was developed.”
After Network Associates purchased PGP, commercial releases began to include services not required by the average user — virtual private networking, software firewall protection, key sharing and even a third-party corporate key recovery system. GnuPG, on the other hand, concentrates on the basics of digital signatures, e-mail and file encryption, and key management.
And that’s all that is required to protect Koh’s postcards: “My prediction is that I will eventually end up with GnuPG installed on my machine.”
But what about the rest of the world?
The open-source software movement, long the domain of highly talented and motivated programmers working toward a socio-technical ideal and for love of the craft, now is confronting the different expectations of a PGP consumer base unwilling to surrender ease of use.
Network Associates, building on Zimmermann’s work after purchasing his company, made significant strides in hiding the arcane and promoting the simple. Both Windows and Mac users finally could point-and-click their way to a more secure desktop and communications environment. At least a rudimentary understanding of the nature of public and private keys, and how to use them, was still required, but a comprehensive guide accompanying the software put the issues in as plain terms as possible.
“Ease of use is critical,” said Zimmermann. “E-mail encryption is used by only a small segment of the population of e-mail users largely because of ease-of-use issues.”
The GnuPG project isn’t yet that advanced when it comes to the user experience, Koch concedes.
GnuPG is the engine that drives the encryption system: encrypting, decrypting, signing and verifying, and creating and managing public and private keys. Yet it relies on command-line entries. Installation requires some minimal direct input of text commands. Graphical interfaces are available, but they are separate, not part of the basic GnuPG package.
Even Mac OS X users will find that installation of the basic MacGPG package requires inputting text commands. And Worley, the Mac team’s leader, is very aware that Mac users are accustomed to more polish. “We have preliminary versions of most of the software that the average PGP user will need on OS X, but more work is needed. Our software does not fulfill the expectations of the Mac experience yet.”
Open-source can also mean “closed climate,” with developers working only to meet their own desires and those of a relatively small and stable base of users and fans. The strength of the movement — distributed development by volunteer programmers worldwide — isn’t geared toward the sudden appearance of clamoring consumers with questions, complaints and wish lists in hand.
Eric S. Raymond, president and co-founder of the Open Source Initiative, says the system will adjust.
“In fact, I think this kind of bombardment is a good thing. I think it is exactly what open-source developers need to get a clue about the way actual end-users think.”
The commercial adage that the customer is always right still rules, he said.
“Much of the open-source community is still weak at end-user UI. Most hackers have not yet assimilated the knowledge or the attitude necessary to serve end-users like these. This will change, but it won’t change overnight.”
Despite its surge in user popularity, GnuPG may not remain the long-term sole source for new PGP applications. Network Associates’ new code is locked away, but the company still hopes to sell it. And the OpenPGP standard means that anyone with the will or the money — or both — can create and market a new product. Privacy advocates say that’s precisely the point.
“The general public seems very unaware and unconcerned with basic issues of privacy and how their use of the Internet contributes to major loss of privacy,” said Tom McCune, a PGP user from Holland Patent, N.Y., who maintains a popular Web site dedicated to PGP issues. “For those with some level of awareness, there is a basic attitude of just not wanting to be bothered with doing something about it, and this is tremendously complicated by general lack of technical skill.”
Advocates believe open development by several companies, private organizations and individual programmers will lead to even more improvements, wider use and, ultimately, greater protection of personal privacy.