Is the encryption with the public key fragile?

Encryption: Let the swarm take care of it

On Thursday morning it looked as if Werner Koch would have to give up. He just wasn't making enough money programming. Koch is a security expert and works solely on GnuPG, the most important component for encrypted e-mail communication, if you use the Linux, Mac OS and Windows operating systems. The program helps journalists, the persecuted and people around the world who care about their privacy.

The fact that Koch can now continue - and even get an employee - is thanks to a text from the investigative platform ProPublica. The journalist Julia Angwin describes the difficult financing of the project. Users and corporations reacted within a few hours: Facebook and the financial services provider Stripe promised 50,000 US dollars annually; Koch's stalled crowdfunding campaign overshot the mark.

Then everything is fine, one would think. But that is not the case. Koch is just one of many developers who have to do their work on sensitive projects like a volunteer. Not only do they earn little. User safety also suffers. In the worst case, a relevant update arrives too late. That can endanger life. Ever since the Snowden revelations, it should be clear to everyone how important the right to encryption is. It is negligent to deal with developers of programs like GnuPG in such a lax manner.

It doesn't work without money

The central programs for secure emailing, chatting, saving and deleting are now looked after by a small number of idealists. That is honorable and important. GnuPG is just one example, the KeePass service is another. Dominik Reichl develops one of the few open source password managers. He, too, programs largely on his own and earns his money elsewhere. So while on the one hand billion dollar secret services are working on decryption, on the other hand private individuals sacrifice their free time.

Many believe that the swarm will sort it all out somehow: If everyone just lends a hand and writes a few lines of code, programs like GnuPG and KeePass will be running. A mistake. Koch's problems show that this principle only works moderately. Many can discover a few mistakes on the side. But it takes people like Koch and Reichl to coordinate a project and review suggestions and bug reports from other supporters. And that costs time and money.

Federal government withdraws

For a long time, donations were considered the ideal solution. To raise enough money today, however, you need more than a flattr button the size of a pinhead. Developers compete with organizations and their donation departments to raise money. As happy as the rescue attempt by GnuPG is. It is unlikely that corporate donations will fund an entire network security architecture in the long term. The attempt is being made by the Core Infrastructure Initiative, an alliance of the largest network groups. GnuPG is now also included, but KeePass and many others continue to be overlooked.

That leaves the state. The federal government supported GnuPG for ten years. Payments were stopped last year. In response to a small question in the Bundestag, a member of parliament said that in the case of GnuPG, one relied on the network community. GnuPG almost failed because of this misconception.



Be there live online when our podcasts are created and meet your favorite hosts at the first ZEIT ONLINE podcast festival on Sunday, June 20, 2021.

With your registration you take note of the data protection regulations.

Many Thanks! We have sent you an email.

Check your mailbox and confirm the newsletter subscription.

Non-commercial programs such as GnuPG serve the entire population in safeguarding their basic rights, such as the basic right to informational self-determination. Government funding is therefore by no means a utopia. In Germany there are several agencies that could support such programs. One is the Federal Office for Information Security (BSI), which, however, is itself underfunded.

Another possibility would be funding from research associations endowed with billions, such as the German Research Association, the Helmholtz Association or the Fraunhofer Institute. Either way, it is time for more public money to be devoted to developing programs to keep people safe online. Then Germany can - as the digital agenda demands - become the number one encryption location.