Our ideals of usable crypto have not been served well by PGP. So what should we do?
On Feb. 24, Moxie Marlinspike, head of Open Whisper Systems and former head of security at Twitter, wrote about the trials of using PGP encryption, a cryptographic tool for encrypting and decrypting files and e-mails:
Eventually I realized that when I receive a GPG encrypted email, it simply means that the email was written by someone who would voluntarily use GPG. I don’t mean someone who cares about privacy, because I think we all care about privacy. There just seems to be something particular about people who try GPG and conclude that it’s a realistic path to introducing private communication in their lives for casual correspondence with strangers.
Increasingly, it’s a club that I don’t want to belong to anymore.
Before I respond to his opinions on PGP, here’s some background on me and my relation to cryptography.
2014 became the year of the cypher for me — someone’s “I prefer to receive encrypted e-mail” prompted me to learn about this PGP thing. I got to know some activists at the Electronic Frontier Foundation who encouraged me to organize events around PGP and online privacy more generally. I’ve teamed up with organizations like Verso Books and Bluestockings Activist Center to teach crypto, and held smaller events on and around the NYU campus.
I feel a part of the crypto community, but I’m not an active developer — I’m an interpreter, someone who (mostly) understands the underlying technical aspects of crypto, but who spends their time teaching non-technical people what this software is and how to use it.
The more I spoke to activists and interested parties, the more I started to notice a lack of communication between encryption evangelists and the people I think should be thinking about privacy: activists and journalists.
Most journalists know basic infosec is important, but there’s a disconnect between demand for trainings and supply by volunteer instructors like me.
So from my perspective, getting those journalists trained in some form of basic infosec is more important than being very particular with the choice of tools. PGP is a total mess, but I think we’d be wrong to abandon it entirely until a more user-friendly e-mail encryption standard comes along in which we have similarly high levels of confidence.
Moxie is right: PGP is broken, probably hopelessly so. It’s been around for 20 years and the overarching ideals of cypherpunks (activists advocating widespread use of strong cryptography as a route to social & political change) are no closer to being realized.
But I disagree with Moxie’s view that PGP is totally unusable and should cease being used immediately. We’re confident it’s cryptographically secure, and it solves the problem of encrypting e-mail, which TextSecure and its kind don’t attempt (with the usual e-mail caveat that only the body and attachments are protected; subject lines and headers stay in the clear).
But I’ll be the first to admit it has a ton of problems. Every time I do a workshop, the same issues come up.
- It’s relatively hard to make private keys mobile. Private keys can live on USB sticks, but if your intention is to get people using PGP, carrying another piece of technology around is yet another behavioral change to ask them to make.
- Setup requires administrative privileges. Getting GnuPG and a mail-client plugin onto a machine means installing software, which locked-down workplace computers don’t allow without IT’s help. This is, I think, the main barrier to comprehensive PGP installations in workplaces and, crucially, newsrooms. Activists aren’t talking to IT departments yet.
- Our metaphors don’t make a lot of sense. What’s a key? What’s a keyring? Is it different to a keychain? How do I find people’s keys? How do I use them?
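As an added example (not something from the original post), the following shell script makes two of those metaphors concrete with GnuPG: the “keyring” is just GnuPG’s home directory, so pointing `--homedir` at a directory on a USB stick is all that “carrying your private key around” means, and a “key” is a pair whose public half you export and hand out while the private half stays put. It assumes gpg 2.1 or later is installed; the user ID is made up, the temporary directory stands in for a mount point like /media/usb/gnupg, and the key gets an empty passphrase purely so the script runs unattended.

```shell
#!/bin/sh
# Added example, not code from the original post. Shows what GnuPG means by
# "key" and "keyring", and why a keyring can simply live on a USB stick.
# Assumptions: gpg (GnuPG 2.1+) is on PATH; "Example User <user@example.org>"
# is a made-up identity; the keyring directory stands in for a removable
# volume such as /media/usb/gnupg; the key is created with an empty
# passphrase ONLY so the script runs unattended (never do that for a real key).
set -eu

KEY_UID="Example User <user@example.org>"
ADDR="user@example.org"

# A GnuPG "keyring" is just its home directory: pubring.kbx holds public keys
# (yours and your correspondents'), private-keys-v1.d/ holds private keys and
# trustdb.gpg holds your trust decisions. --homedir can point anywhere,
# including a mounted USB stick; that is all "a mobile private key" means.
new_keyring() {
  keyring="$1"
  mkdir -p "$keyring"
  chmod 700 "$keyring"    # gpg warns about a keyring other users can read
  # Older 2.1 agents only accept a scripted passphrase when this is set.
  printf 'allow-loopback-pinentry\n' > "$keyring/gpg-agent.conf"
  gpg --homedir "$keyring" --batch --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$KEY_UID" default default 0 >/dev/null 2>&1
}

# A "key" is a pair. --list-keys shows public keys (one 'pub' record per
# key); --list-secret-keys shows only pairs whose private half is here.
count_public_keys() { gpg --homedir "$1" --with-colons --list-keys | grep -c '^pub' || true; }
count_secret_keys() { gpg --homedir "$1" --with-colons --list-secret-keys | grep -c '^sec' || true; }

# The public half is what you publish or hand to people who want to write to
# you; the private half never leaves the keyring.
export_public_key() { gpg --homedir "$1" --armor --export "$ADDR"; }

# Encrypt to the key, then decrypt in a separate gpg process given the same
# keyring directory, as if the stick had been moved to another machine.
roundtrip() {
  printf '%s' 'hello from the keyring' \
    | gpg --homedir "$1" --batch --quiet --recipient "$ADDR" --encrypt \
    | gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
          --decrypt 2>/dev/null
}

# Stop the agent gpg started for this keyring before the directory goes away.
discard_keyring() {
  gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
  rm -rf "$1"
}

demo() {
  keyring="$(mktemp -d)"      # a real run would use the USB mount point instead
  new_keyring "$keyring"
  echo "public keys: $(count_public_keys "$keyring")  secret keys: $(count_secret_keys "$keyring")"
  export_public_key "$keyring" | head -n 1    # the armored block you'd hand out
  roundtrip "$keyring"; echo
  discard_keyring "$keyring"
}

demo
```

Run it as `sh keyring-demo.sh`; it builds a throwaway keyring in a temporary directory, lists the one public and one secret key, prints the first line of the exportable public key block, and round-trips a message through a second gpg process pointed at the same directory. The practical caveat is the flip side of the portability: whoever holds the stick holds the private key, so a real key needs a strong passphrase, and the stick is a thing that can be lost, which is exactly the extra behavioral burden the list above describes.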
So what do we do?
The solution, I think, has to come from two sides:
- Make sure journalists have a decent grounding in infosec — not just PGP. They should know about good password habits, hard-disk encryption, and other strategies. I agree with Chris Soghoian on this one, who maintains that J-schools and newsrooms are ‘failing to provide reporters with digital security skills’: “They’re forcing journalists to figure it out for themselves,” he said.
The workshops I’ve been running are not “PGP 101.” They’re more general than that because they have to be. You can’t just budget 3 hours for a PGP installation workshop and expect everyone to get it. Trainings work best when you get repeat attendance and a build-up of skills and understanding over time.
- Develop new cryptographic tools for e-mail. We can’t drop PGP until we have something more user-friendly to replace it that doesn’t compromise on security.
This is why the disconnect between developers and not-very-technical users is so harmful, and it’s one I’m currently trying to bridge. Paul Graham once wrote that startups have to aggressively acquire their early users. Developers have to do something similar — sit down with users and see for themselves where the pain points are, and then fix them.
PGP has many, many shortcomings. But ultimately I’m optimistic. The privacy landscape has changed irrevocably since Snowden: it’s no longer a question of “can the NSA surveil journalists?” but a question of “how are we going to mitigate this problem?”. That’s a tectonic shift in the conversation.
I write a weekly column about student life and technology for the Washington Square News, NYU’s daily student newspaper. My job is to contextualize the latest tech news, answering the fundamental question of how it applies to readers. I feel like an interpreter, translating from computer to human. It’s a role I want to embrace more fully by teaching journalists about digital information security.
Thanks to Dani Grant, Freia Lobo and Star Simpson for reading drafts of this.
Tommy Collison is a writer interested in privacy and the future of journalism in a post-Snowden world. His columns focus on technology, security, and student life. He studies journalism and politics at New York University. When not writing, he teaches journalists, activists, and others how to use privacy software. He can be found on Twitter as @tommycollison.