The World's Email Encryption Software Relies On One Guy, Who Is Going Broke
from the this-is-unfortunate dept
The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.
Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
"I'm too idealistic," he told me in an interview at a hacker convention in Germany in December. "In early 2013 I was really about to give it all up and take a straight job." But then the Snowden news broke, and "I realized this was not the time to cancel."
Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.
Now, more than a year after Snowden's revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he's made about $25,000 per year since 2001 — a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date — far short of his goal of $137,000 — which would allow him to pay himself a decent salary and hire a full-time developer.
The fact that so much of the Internet's security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.
Koch's code powers most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win. "If there is one nightmare that we fear, then it's the fact that Werner Koch is no longer available," said Enigmail developer Nicolai Josuttis. "It's a shame that he is alone and that he has such a bad financial situation."
The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail's lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations — just enough to keep the website online.
GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.
Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.
In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. "We can't export it, but if you write it, we can import it," he said.
Inspired, Koch decided to try. "I figured I can do it," he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman's free Gnu operating system.
Koch's software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn't subject to U.S. export restrictions.
Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines.
In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out.
For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. "But nothing came," Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit.
But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.
The campaign gave Koch, who has an 8-year-old daughter and a wife who isn't working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. "I'm very glad that there is money for the next three months," Koch said. "Really I am better at programming than this business stuff."
Related stories: For more coverage, read our previous reporting on the Heartbleed bug, how to encrypt what you can and a ranking of the best encryption tools.
Republished from ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: email, encryption, gpg, werner koch
Reader Comments
The First Word
“Subscribe: RSS
View by: Time | Thread
What?!
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
The REAL place that GPG is used is on pretty much every Linux data repository out there. Among other places, it's used by dpkg. This means that not only is Ubuntu dependent on GPG, so is Cydia.
[ link to this | view in chronology ]
What Koch needs
[ link to this | view in chronology ]
Re: What Koch needs
[ link to this | view in chronology ]
Re: What Koch needs
[ link to this | view in chronology ]
Re: Re: What Koch needs
i'd buy a tee shirt, pay double if its a hemp tee shirt...
hee hee hee
but i would...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
My understanding is that, by and large, donations to FSF don't get passed on to individual projects at all. It's used for FSF's activities (legal defense, educational programs, maintenance of shared infrastructure). But I could be wrong.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
So yes, a significant portion of the internet is secured by code he wrote. Subsidizing it isn't a burden, but more of his due. The fact that he hasn't been trying to unduly profit off of this when he quite easily could have speaks for both his character and his business acumen.
[ link to this | view in chronology ]
Re: Re: Re:
and you're right, to the extent that people use it they should definitely fund it and if they don't then he should go do something else and the community of those that use it should suffer the consequences.
[ link to this | view in chronology ]
Re: Re:
If that's the case, then I need to stop all charitable giving completely.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
This isn't an example of that. This is software that literally everyone who uses the internet derives real benefit from.
"If enough people funded it based on how much it benefits them then it will receive an economic funding proportional to its economic contribution"
I think this is where I begin to get confused. It appears to me that this argument is confusing two different things: economic benefit vs actual benefit. Unless I misunderstand, and you're arguing that actual benefit and economic benefit are adequate proxies for each other -- in which case we simply disagree.
"With a software project you can spend $10K and it could help 100 people or it could help 100 million people, providing way more utility, depending on how many people use it."
This is a general comment and no longer really on topic, but the societal benefit of software (like many things) is not always related to how many people use it. There is a lot of software that is used by a small number of people who do things with it that benefit millions. Easy examples are tools like specialty compilers, CAD systems, etc.
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
Agreed and my point is that those that fund it should be those that use it and funding shouldn't come from someone subsidizing it that doesn't use it. If the economy of those that use free software don't want to fund it and they have the money to support it and it dies then it's the fault of those that use it and they deserve it to die.
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re: Re: Re: Re:
[ link to this | view in chronology ]
Re:
Maybe he does not consider himself a servant of economy. It's not like she has a shortage of those willing to do her bidding no matter the price.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re: Re:
[ link to this | view in chronology ]
Re: Re: Re:
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Donations are tax deductible for EU citizens
[ link to this | view in chronology ]
Donated €50
Not much but if 200 individuals did it every year, it would go a long way.
[ link to this | view in chronology ]
Thanks, Julia.
I've used Hr. Koch's software for years and I'm not sure if I ever donated. In any case, I've made a donation - he deserves it.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
The popular books which review the studies from behavioral econ that "FREE !" is the difference between becoming a very popular product or becoming a zero-user-base product are very limited and not shown to apply to all populations.
Too many devs, good ones like this fellow, who have real value to offer think they have to give it away for free or they're either being greedy, cutting off some deserving yet impoverished user or otherwise betraying the applicable zeitgeist. It's just nto true. People buy .99 apps and devs make a living from their offerings. It's OK to charge, even for open source and it's OK to charge and NOT have a "FREE button asvailable. People downloading this especially are likely to *get* the need to contribute.
[ link to this | view in chronology ]
Broke?
Now he also gets $50k per year from Stripe and Facebook:
https://twitter.com/stripe/status/563449352635432960
That is far from being broke and doesn't need any form of donation from the general public. Otherwise I'd like to ask for a donation because I earn about that per year too.
Also he gets $60k from the Linux Foundation.
https://twitter.com/gnupg/status/563456662024228865
[ link to this | view in chronology ]
Apparently you can't read
And as for Stripe/Facebook/Linux Foundation tweets, you really need to look at timestamps, it's not hard. All those tweets are from 2015/02/05, aka, TODAY. In fact, the times on both are after the time of this post. Meaning they happened after the fact. This post got attention and now he's got funding he didn't have yesterday.
[ link to this | view in chronology ]
Re: Apparently you can't read
And don't try to justify the donations because he hired a programmer. First that was his decision which means that I could hire a programmer too which I cant afford but that still doesnt mean I can ask for donations and second the volume or size of the patches released can be done in free time without any professional help.
And do you really need that ad hominem? Imho that just degrades an argument.
[ link to this | view in chronology ]
wow.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Geez, dire times we live in. And unrelated, but they will be even more if Nuts N Yahoo fucks with congress enough (and god knows they are bought and paid for by at least 75% by Israel's AIPAC) to fuck with Obama's deal for making full peace with Iran.
Israel, Nuts-n-Yahoo, those people who gave weapons to Iran in the IranContra scam (they went through Israel first, of course).
I think zionist jews have been pushing their "woe-is-our people" schtick for too long now and yes, imitating your tormentors is as classic as apple pie...
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Exchange rates can matter too. If Mr. Programmer is to be paid in a currency that has a bad exchange rate with the currency Mr. Koch keeps in reserve, his effective earnings may be much worse.
[ link to this | view in chronology ]
Re:
That entirely depends on where you live, due to varying costs of living. If you live in New York City, $137k is a decent salary, but not a huge one.
[ link to this | view in chronology ]
https://blog.fefe.de/?ts=aa2d1983
The gist: don't whine if you chose an unsustainable business model. Get a proper day job and do your open source coding in your spare time as a hobby ;)
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]