The World's Email Encryption Software Relies On One Guy, Who Is Going Broke
from the this-is-unfortunate dept
The man who built the free email encryption software used by whistleblower Edward Snowden, as well as hundreds of thousands of journalists, dissidents and security-minded people around the world, is running out of money to keep his project alive.
Werner Koch wrote the software, known as Gnu Privacy Guard, in 1997, and since then has been almost single-handedly keeping it alive with patches and updates from his home in Erkrath, Germany. Now 53, he is running out of money and patience with being underfunded.
“I’m too idealistic,” he told me in an interview at a hacker convention in Germany in December. “In early 2013 I was really about to give it all up and take a straight job.” But then the Snowden news broke, and “I realized this was not the time to cancel.”
Like many people who build security software, Koch believes that offering the underlying software code for free is the best way to demonstrate that there are no hidden backdoors in it giving access to spy agencies or others. However, this means that many important computer security tools are built and maintained by volunteers.
Now, more than a year after Snowden’s revelations, Koch is still struggling to raise enough money to pay himself and to fulfill his dream of hiring a full-time programmer. He says he’s made about $25,000 per year since 2001 ? a fraction of what he could earn in private industry. In December, he launched a fundraising campaign that has garnered about $43,000 to date ? far short of his goal of $137,000 ? which would allow him to pay himself a decent salary and hire a full-time developer.
The fact that so much of the Internet’s security software is underfunded is becoming increasingly problematic. Last year, in the wake of the Heartbleed bug, I wrote that while the U.S. spends more than $50 billion per year on spying and intelligence, pennies go to Internet security. The bug revealed that an encryption program used by everybody from Amazon to Twitter was maintained by just four programmers, only one of whom called it his full-time job. A group of tech companies stepped in to fund it.
Koch’s code powers most of the popular email encryption programs GPGTools, Enigmail, and GPG4Win. “If there is one nightmare that we fear, then it’s the fact that Werner Koch is no longer available,” said Enigmail developer Nicolai Josuttis. “It’s a shame that he is alone and that he has such a bad financial situation.”
The programs are also underfunded. Enigmail is maintained by two developers in their spare time. Both have other full-time jobs. Enigmail’s lead developer, Patrick Brunschwig, told me that Enigmail receives about $1,000 a year in donations ? just enough to keep the website online.
GPGTools, which allows users to encrypt email from Apple Mail, announced in October that it would start charging users a small fee. The other popular program, GPG4Win, is run by Koch himself.
Email encryption first became available to the public in 1991, when Phil Zimmermann released a free program called Pretty Good Privacy, or PGP, on the Internet. Prior to that, powerful computer-enabled encryption was only available to the government and large companies that could pay licensing fees. The U.S. government subsequently investigated Zimmermann for violating arms trafficking laws because high-powered encryption was subject to export restrictions.
In 1997, Koch attended a talk by free software evangelist Richard Stallman, who was visiting Germany. Stallman urged the crowd to write their own version of PGP. “We can’t export it, but if you write it, we can import it,” he said.
Inspired, Koch decided to try. “I figured I can do it,” he recalled. He had some time between consulting projects. Within a few months, he released an initial version of the software he called Gnu Privacy Guard, a play on PGP and an homage to Stallman’s free Gnu operating system.
Koch’s software was a hit even though it only ran on the Unix operating system. It was free, the underlying software code was open for developers to inspect and improve, and it wasn’t subject to U.S. export restrictions.
Koch continued to work on GPG in between consulting projects until 1999, when the German government gave him a grant to make GPG compatible with the Microsoft Windows operating system. The money allowed him to hire a programmer to maintain the software while also building the Windows version, which became GPG4Win. This remains the primary free encryption program for Windows machines.
In 2005, Koch won another contract from the German government to support the development of another email encryption method. But in 2010, the funding ran out.
For almost two years, Koch continued to pay his programmer in the hope that he could find more funding. “But nothing came,” Koch recalled. So, in August 2012, he had to let the programmer go. By summer 2013, Koch was himself ready to quit.
But after the Snowden news broke, Koch decided to launch a fundraising campaign. He set up an appeal at a crowdsourcing website, made t-shirts and stickers to give to donors, and advertised it on his website. In the end, he earned just $21,000.
The campaign gave Koch, who has an 8-year-old daughter and a wife who isn’t working, some breathing room. But when I asked him what he will do when the current batch of money runs out, he shrugged and said he prefers not to think about it. “I’m very glad that there is money for the next three months,” Koch said. “Really I am better at programming than this business stuff.”
Related stories: For more coverage, read our previous reporting on the Heartbleed bug, how to encrypt what you can and a ranking of the best encryption tools.
Republished from ProPublica. ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.
Filed Under: email, encryption, gpg, werner koch
Comments on “The World's Email Encryption Software Relies On One Guy, Who Is Going Broke”
What?!
You write an article like that, with no crowdfunding link? Come on Koch, place your hat on the sidewalk.
The Link to donate: https://gnupg.org/donate/index.html
Email encryption? s/mime?
Re: Re:
Yeah; it’s a bit misleading. S/MIME is the alternate to GPGMail, and is probably slightly more prevalent, even if GPG got there first (I used PGPMail back in the day, prior to Enigmail and S/MIME).
The REAL place that GPG is used is on pretty much every Linux data repository out there. Among other places, it’s used by dpkg. This means that not only is Ubuntu dependent on GPG, so is Cydia.
What Koch needs
What Koch needs is not a programmer, but a business partner who can set up the company for profitability, probably by providing consulting services or custom solutions (but there are a large number of other ways). Not only can it be done, it has been done many times before — sometimes resulting in great success (hello, Red Hat!).
Re: What Koch needs
Considering that Phil Zimmerman made a pretty good go out of PGP, this is likely exactly what he needs. Anyone in Germany willing to help fund him as a consulting service?
Re: What Koch needs
I was thinking the same thing. Inability to properly monetize your project is not the same as your project being unappreciated. Just because you build it and they come doesn’t mean that they come with money in tow, that requires some finesse.
Re: Re: What Koch needs
um, tee shirts ? ? ?
i’d buy a tee shirt, pay double if its a hemp tee shirt…
hee hee hee
but i would…
I use GPG regularly as a Linux user (it’s an excellent option for protecting your documents in cloud storage and IMHO handles large files better than OpenSSL), this is a good wake up call for me. I donate annually to the FSF, but I’m not sure how that money gets dispersed to all of the GNU projects. I do find it it sad that the FSF has to set such low fund raising goals as it is, so I don’t mean that as a criticism of them at all.
Re: Re:
“I donate annually to the FSF, but I’m not sure how that money gets dispersed to all of the GNU projects.”
My understanding is that, by and large, donations to FSF don’t get passed on to individual projects at all. It’s used for FSF’s activities (legal defense, educational programs, maintenance of shared infrastructure). But I could be wrong.
He should close the project and get a better job. Or he should have linked to a kickstarter page if those that use his software want continued support. If his software was really that widely used and needed and required such expensive and time consuming maintenance and maintaining it was just a matter of funding then the economy of those that use it should be sufficient to easily pay for it. Perhaps it is and it’s just a matter of him asking those that use it for the funding. If that’s not the case then, from an economics perspective, I would argue that his time is better spent serving the economy doing something else. From a free market capitalistic perspective free markets will automatically allocate his time where the market needs it most, that is where his time will do the most social good. If his project is to be funded by those that don’t use the software then we are basically subsidizing a product that doesn’t provide the economic value to make it worth its economic cost. He should go do something else.
Re: Re:
If you use what he has to offer then, by all means, donate. If you don’t then I would argue that subsidizing it is a burden on the economy and your money can be better spent on things that are more economically valuable.
Re: Re: Re:
If you use any service provided by a Linux server, you use what he has to offer; GPG is used for signing all the code packages to ensure you get legit software updates.
So yes, a significant portion of the internet is secured by code he wrote. Subsidizing it isn’t a burden, but more of his due. The fact that he hasn’t been trying to unduly profit off of this when he quite easily could have speaks for both his character and his business acumen.
Re: Re: Re: Re:
I agree, I am not criticizing his character whatsoever, I’m just speaking from an economics perspective.
and you’re right, to the extent that people use it they should definitely fund it and if they don’t then he should go do something else and the community of those that use it should suffer the consequences.
Re: Re: Re:
Wait, so only things that you personally use are economically valuable? And the only things that are of value to society are things that have direct economic value?
If that’s the case, then I need to stop all charitable giving completely.
Re: Re: Re: Re:
Not exactly what I’m saying. You don’t give to charity based on the economic value it provides those that fund it. But something like this should be funded by those that economically benefit from it because those that economically benefit are the ones that are best able to determine its social value and how much they are willing to contribute to it based on the fraction of social value it provides them. Charity is not a deadweight to society, it’s (hopefully) going to others that do, in fact, benefit from it. But to subsidize a project that you don’t benefit from because you think others benefit from it when, in fact, no one else hardly cares is an unnecessary burden. If enough people funded it based on how much it benefits them then it will receive an economic funding proportional to its economic contribution. If everyone funded a project expecting it to help someone else then it could be the case that its economic contribution isn’t really worth its economic burden and subsidizing it is harmful. Those that use it should fund it so that it can receive funding proportional to its contribution from those it contributes to. Unless, of course, those it contributes to are only the underprivileged unable to sufficiently fund it. But since a project like this may contribute to a very large audience with very diverse incomes and since it only requires a relatively small fraction of that audience’s funding to maintain it should be relatively easy for a fraction of those that benefit from it to sufficiently fund its continued support if it is substantially economically beneficial. The benefits of charitable contributions, OTOH, are more directly proportional to the amount spent (ie: two dollars can buy twice as much food as a dollar). With a software project you can spend $10K and it could help 100 people or it could help 100 million people, providing way more utility, depending on how many people use it.
Re: Re: Re:2 Re:
“But to subsidize a project that you don’t benefit from because you think others benefit from it when, in fact, no one else hardly cares is an unnecessary burden.”
This isn’t an example of that. This is software that literally everyone who uses the internet derives real benefit from.
“If enough people funded it based on how much it benefits them then it will receive an economic funding proportional to its economic contribution”
I think this is where I begin to get confused. It appears to me that this argument is confusing two different things: economic benefit vs actual benefit. Unless I misunderstand, and you’re arguing that actual benefit and economic benefit are adequate proxies for each other — in which case we simply disagree.
“With a software project you can spend $10K and it could help 100 people or it could help 100 million people, providing way more utility, depending on how many people use it.”
This is a general comment and no longer really on topic, but the societal benefit of software (like many things) is not always related to how many people use it. There is a lot of software that is used by a small number of people who do things with it that benefit millions. Easy examples are tools like specialty compilers, CAD systems, etc.
Re: Re:
I think you are missing the point – software released under a free license (the GPL) does not generate revenue based on usage. The issue is making the people who use it understand that this isn’t a shareware model, if you use and care about software, but want it to continue existing, you should support it financially. It may not happen, sometimes great projects go away, but applying anything like Smithian economic theory to FSF software is just sily.
Re: Re: Re:
“The issue is making the people who use it understand that this isn’t a shareware model, if you use and care about software, but want it to continue existing, you should support it financially.”
Agreed and my point is that those that fund it should be those that use it and funding shouldn’t come from someone subsidizing it that doesn’t use it. If the economy of those that use free software don’t want to fund it and they have the money to support it and it dies then it’s the fault of those that use it and they deserve it to die.
Re: Re: Re: Re:
It’s almost guaranteed that you use a service that depends on GPG, even if you don’t use it yourself. It has become such an integral part of Linux that most people don’t think of it as a discrete product anymore.
Re: Re: Re:2 Re:
Then maybe the solution is to better educate people about its unseen uses (which, arguably, is part of the point of this post).
Re: Re:
Maybe he does not consider himself a servant of economy. It’s not like she has a shortage of those willing to do her bidding no matter the price.
I encrypt all my e-mails in plaintext.
Re: Re:
Better to ROT-26 encrypt like I do.
Re: Re: Re:
I use ROT-52, so I’m twice as secure.
Re: Re: Re: Re:
I use ROT-39 plus a round of ROT-13 just to be extra safe.
Re: Re:
THATS!Thats!………BRIIiiliant!
Donations are tax deductible for EU citizens
If you’re an EU citizen, you can make a tax deductible donation through the Wau Holland Foundation: https://www.wauland.de/en/donation.nojs.html#61
Donated €50
Just donated €50.
Not much but if 200 individuals did it every year, it would go a long way.
Thanks, Julia.
..for the reminder.
I’ve used Hr. Koch’s software for years and I’m not sure if I ever donated. In any case, I’ve made a donation – he deserves it.
i dont suppose he’s related to the Koch brothers in the USA, is he? they should have a few billion $ to spare, given the amount they are prepared to donate to politicians to get what they want!
Re: Re:
Koch is an extremely common surname, and given that it is occupationally derived, one would not necessarily expect even a distant relationship.
He needs to charge for the software. Despite being freely available elsewhere, most people will pony up some decent amount, (say 5 bucks? what are his user base numbers?) because they believe if they use it it’s in their best interest to make sure it stays current. This is how I am about libre office and a slew of other “free” stuff I use. I do my part. Many people do the same, but even MORE would if there wasn’t that cursed “free download” button.
The popular books which review the studies from behavioral econ that “FREE !” is the difference between becoming a very popular product or becoming a zero-user-base product are very limited and not shown to apply to all populations.
Too many devs, good ones like this fellow, who have real value to offer think they have to give it away for free or they’re either being greedy, cutting off some deserving yet impoverished user or otherwise betraying the applicable zeitgeist. It’s just nto true. People buy .99 apps and devs make a living from their offerings. It’s OK to charge, even for open source and it’s OK to charge and NOT have a “FREE button asvailable. People downloading this especially are likely to *get* the need to contribute.
Broke?
You must be kidding me. He got various funds from the German government over the years and released only a few patches that others manage to do with less funding. So he had more than enough time to get a normal job and work on gnupg in his free time. If he can’t manage to create a working business model it’s not the peoples fault no matter how usefull his work might be.
Now he also gets $50k per year from Stripe and Facebook:
https://twitter.com/stripe/status/563449352635432960
That is far from being broke and doesn’t need any form of donation from the general public. Otherwise I’d like to ask for a donation because I earn about that per year too.
Also he gets $60k from the Linux Foundation.
https://twitter.com/gnupg/status/563456662024228865
Re: Apparently you can't read
The article mentioned both grants from the German government, and that the last one ran out in 2010. It further mentions he continued to pay the programmer he’d hired for two more years in hopes more funding would come in. That should account for all the German grant funds.
And as for Stripe/Facebook/Linux Foundation tweets, you really need to look at timestamps, it’s not hard. All those tweets are from 2015/02/05, aka, TODAY. In fact, the times on both are after the time of this post. Meaning they happened after the fact. This post got attention and now he’s got funding he didn’t have yesterday.
Re: Re: Apparently you can't read
The tweets are one point but that he chose a business model that isn’t sustainable by itself is another. If you develope free software and think you can make a living with it that is just pure bs imho unless you create a company around that software.
And don’t try to justify the donations because he hired a programmer. First that was his decision which means that I could hire a programmer too which I cant afford but that still doesnt mean I can ask for donations and second the volume or size of the patches released can be done in free time without any professional help.
And do you really need that ad hominem? Imho that just degrades an argument.
wow.
I didn’t know what a shoestring gnupg (and by extension libgcrypt) ran on, though it should have been no surprise. I’ve done a lot of bitching about the UI, the lack of docs, and the site snafus… no wonder. Ugh.
one would think that our taxes would somehow find their way to THESE kind of individuals by default…., the ones where its more then about the job, the money, but more about the ideology….. a drive to do something to help and benefit others, that knowing they’ve helped others is also a reward in itself…..in this case, an individual deciding to take their own initiative to spend their time to beef up the defensive security of the internet…….the hobbyists, the visionaries, the inovaters……i salute you, theres not many actions i respect more then the years of conviction that i see has been put to this project, a project i beleive would do much GOOD for everyone.
Is this serious? Me learning how to use Enigmail in Thunderbird just now and converting a few friends to using will be useless sometimes in the near future? Motherfuck…!
Re: Re:
As always, it depends on your threat model. Even if Hr Koch were killed by the proverbial bus tomorrow, copies of GnuPG source would remain available and usable. What might not happen is any future development, meaning that while adversaries could continue to develop ways to attack GnuPG, the program might not continue evolving to counter those attacks. So if your threat model is advanced adversaries who would benefit from GnuPG being abandoned, yes, it might become less valuable. On the other hand, if you do not use GnuPG or an alternative, then your mail is completely vulnerable to anyone who gets a copy of it (at minimum, your mail provider and your recipient’s mail provider, and possibly some transit providers if your mail providers do not use TLS while transferring the message). The only reason not to encrypt your mail is if you have nothing that unauthorized parties would want to see (which differs from “nothing to hide” and sometimes differs from “nothing illegal”) or if you are stuck communicating with people who refuse to set up working e-mail encryption. Be aware that some countries outlaw quality encryption or use the existence of well-encrypted content as evidence that the plaintext (which they cannot see) must obviously be illegal.
Does he have a brother who can help….so we can have the Good Koch Brothers ?
I’ve used the internet since 1997. Only since last year am I giving money to things I enjoy/find important. It shouldn’t be this way. The guys behind gpg should be viewed as important as the guys who invented http or html…if I gave money to all the causes I care for, I’d be left with fasting 3 times a week (apparently that’s not bad for you…but my mind wouldn’t take it heh).
Geez, dire times we live in. And unrelated, but they will be even more if Nuts N Yahoo fucks with congress enough (and god knows they are bought and paid for by at least 75% by Israel’s AIPAC) to fuck with Obama’s deal for making full peace with Iran.
Israel, Nuts-n-Yahoo, those people who gave weapons to Iran in the IranContra scam (they went through Israel first, of course).
I think zionist jews have been pushing their “woe-is-our people” schtick for too long now and yes, imitating your tormentors is as classic as apple pie…
Maybe he should hire a two full-time programmers for half that much each. I don’t care what your qualifications are, $137 is a huge salary, not a “decent” one, unless you really hate your job (in which case sure your employer will have to pay more to keep someone in the chair.)
Re: Re:
$137 is pocket change. $137,000 is real money. As the article notes, the desired $137,000 was to be split between Werner Koch and the full-time programmer. Consider also that this is the gross amount, before taxes. As the employer, Mr. Koch (or a holding company he operates, if he keeps the funds strictly separated from his personal assets) would be responsible for any employer-paid taxes, in addition to whatever taxes are levied on the employees — Mr. Koch and Mr. Programmer. I don’t know the details of German tax law, but for US law, expect to spend 6.2%+1.45% on FICA (Social Security / Medicare) from the employer and an equal amount from the employee. That is 15.3% of funds right off, before we even look at income tax or job benefits. Since we are discussing treating both of them as full time employees, job benefits or a cash equivalent is reasonable if you want to compete with traditional corporate employment. Germany does not have FICA as such, but most Western nations have fairly heavy taxes if you start tallying all the little things that come out of the top line personnel budget.
Exchange rates can matter too. If Mr. Programmer is to be paid in a currency that has a bad exchange rate with the currency Mr. Koch keeps in reserve, his effective earnings may be much worse.
Re: Re:
“I don’t care what your qualifications are, $137 is a huge salary, not a “decent” one”
That entirely depends on where you live, due to varying costs of living. If you live in New York City, $137k is a decent salary, but not a huge one.
For those speaking German, here’s Fefe’s take on this:
https://blog.fefe.de/?ts=aa2d1983
The gist: don’t whine if you chose an unsustainable business model. Get a proper day job and do your open source coding in your spare time as a hobby 😉
I have no ability to make online payments, but if I did, you can be sure I’d make one for £50 to Werner Koch.
Re: Re:
You can’t buy a prepaid credit card? Buy a Discover card to stay on the DL.