GPG Financial Difficulties

Werner Koch, who has been maintaining the GPG e-mail encryption program since 1997, is going broke and considering quitting.

Updates to the article say that, because of the article, he has received substantial contributions to continue.

Slashdot thread. Hacker News thread.

EDITED TO ADD (2/7): Now, what to do with all that money. Slashdot thread. Hacker News thread.

Posted on February 5, 2015 at 7:50 PM • 24 Comments


ThothFebruary 5, 2015 9:06 PM

Scenarios that can arise from chaos:
1.) Nothing happens and the GPG project gets bankrupt. NSA/HSAs dance with joy.
2.) NSA/HSAs would take the chance to invest and subvert him.
3.) GPG project gets bankrupt but community efforts kicks in and takes over revamp GPG after bankruptcy.
4.) Community pushes a donation drive to revive GPG efforts (aid Werner Koch economically).
5.) GPG Community goes into Community drive efforts, replaces Werner Koch (forks project).
... Many more scenarios you guys can imagine.

In simple, the GPG project is a major hinging point which many of us are relying for email secrecy and authenticity. This is a major problem as the GPG project hinges on a single person ... Werner Koch. What is needed is a federated control of source codes so that it cannot be tied to one person and the greater involvement so that if one person goes down, not much is lost.

Although Werner Koch have the OpenPGP smartcard business which requires more visibility and adoption if he wants sales to carry on for income. Upgrade to MicroSD card base smartcard OpenPGP implementation would also make it more acceptable due to increase of mobile computing. Some of you might throw doubts at viability due to "backdoors" of smartcards and crypto-chips but it's just a business plan to take a first step.

Adrian CoheaFebruary 5, 2015 11:36 PM

I am quite confident that because of the Global Surveillance Disclosures of 2013, we'll see continued interest in GPG. I happily kicked them my $20 US.

I don't want to seem too mean, but I don't think the public crypto community did GPG too many favors recently, with Matthew Green laying into PGP (and GPG by extension) based on outdated or crappy information, and unfortunately Bruce gave him a little bit more credence than he was due.

GPG now has ECC implemented. Admittedly, it doesn't have ECDH on trusted curves (probably the only curve anyone trusts right now is Curve25519, which is EdDSA only because they don't have a point compression format yet for ECDH), but it has some non-NIST curves for ECDH, and there is real progress being made.

This is important work, and I hope people will continue to support his efforts.

I also really hope that people will support Daniel Bernstein and Tanja Lange's work on the safe curve project.

Nick PFebruary 5, 2015 11:52 PM

@ Anura

Certain information flow prototypes can do that.

@ Wael

Good to hear. I think I might send him an email soon in case his blog goes down.

@ Thoth

This is the problem I've hinted at with free and open source for security. Useful and widespread as it is, most people wouldn't pay even $1 a year for it. The fact is that most open source projects are barely developed, poorly maintained, and/or disappear just after they start getting useful. Even excellent ones like GPG can collapse easily. The whole concept of everyone be freeloaders except some selfless volunteers or corporate sponsors is broken. The get what you pay for model makes more sense. Yet, it is often structured just for benefit of business owners or is turned into a commodity with negative effects on quality. So, something in between is needed.

We see a little bit of hope in the open source software with paid support or premium features. This has supported quite a bit of software. Yet, more assured offerings will cost even more to develop, evaluate, and support. Especially if they don't have a network of volunteers and I doubt they will. I think one route is a reasonable, simple licensing agreement for software with contractual obligations to follow specific assurance standards and source included. Might let businesses build on the source internally and charge higher licensing + royalties if turning it into a new product. Contract might even specify that a minimum (eg 70-80%) of the licensing fees must go to improving that product.

I have an even better business model idea than that which hasn't been tried in software *that I know of*. I'm just not ready to publicize it until it's had enough private review to determine if it's worth publicizing. The above alternate preserves many of its attributes, though, for meaningful peer review and discussion. Let's call it a Zero Knowledge Business Plan. ;)

FigureitoutFebruary 6, 2015 12:00 AM

Ha, was about to put this in squid thread. Isn't this f*cking shameful that *ONE*, ONE person is responsible for GPG? Like what?! Is this a joke?! Also Enigmail and GPG4WIN. Unbelievable...He's sacrificing so much...Basically says very clearly so few are even capable of making secure programs/systems b/c no one else is stepping up and putting their neck on the line of some neckbeard calling you an idiot when a bug is found (this is just software, the packages can get corrupted in transit or at the source).

Financial difficulties isn't the only thing he needs to worry about, how about the cleanliness of the dev environment? Would he know if his house got broken into? Sh*t gets dark real quick.

Regardless, his efforts need to be recognized. Cheers mate.

Nick PFebruary 6, 2015 12:11 AM

Oops, I didn't see it was a new thread. Anura and Wael: if you respond to off topic part, do it in Squid thread so we keep this one non-cluttered.

Nick PFebruary 6, 2015 12:17 AM

@ Figureitout

" Isn't this f*cking shameful that *ONE*, ONE person is responsible for GPG? Like what?! Is this a joke?! Also Enigmail and GPG4WIN. Unbelievable..."

Exactly. It's incredibly messed up. The kind of thing that either shouldn't happen or should go away after significant uptake. Most projects won't get a lucky influx of cash thanks to an article being published. This is where better funding models are needed.

AlexFebruary 6, 2015 2:15 AM

Now if only there was somewhere I could send my donations to keep TrueCrypt alive...

GrauhutFebruary 6, 2015 4:11 AM

@figureitout: "Ha, was about to put this in squid thread. Isn't this f*cking shameful that *ONE*, ONE person is responsible for GPG? Like what?! Is this a joke?! Also Enigmail and GPG4WIN. Unbelievable..."

I already squidded it some weeks ago.

Every f*kn *n*x distributor uses it for package signing, our hole open source software infrastructure security depends on it and no one supports it. Fears the NSA could hate them for supporting GPG?

Even Apple with hundreds of billions spare money in Europe uses GPG officially.

I did myselft some pr in the english language community for Werner about this and gave my share. Hope it helped.

GrauhutFebruary 6, 2015 5:28 AM

Looks like Werner is out of trouble, he asks us to support others now! :)

"A big Thanks to all supporters

Due to this ProPublica article we received more than 120,000 € of individual donations on a single day. There is even more: The Core Infrastructure Initiative granted 60,000 $ for 2015. Our payment service Stripe and Facebook will each give 50,000 $ to the project. And finally the Wau Holland Stiftung is collecting tax deductible funds for GnuPG (7000 € in December; numbers for January will be posted soon).

As the main author of GnuPG, I like to thank everyone for supporting the project, be it small or large individual donations, helping users, providing corporate sponsorship, working on the software, and for all the encouraging words.

GnuPG does not stand alone: there are many other projects, often unknown to most people, which are essential to keep the free Internet running. Many of them are run by volunteers who spend a lot of unpaid time on them. They need our support as well.

— Werner, 2015-02-06"

I dont think he will ever forget this.

And we should remember this to. It means in the end we will win.

"First they ignore you, then they laugh at you, then they fight you, then you win."
Mahatma Gandhi

Dirk PraetFebruary 6, 2015 5:38 AM

It's nothing new that a capable and well-respected engineer is not by definition also a savvy business man and fundraiser. And that's where people like Julia Angwin and the international community need to step in.

@ Alex

Now if only there was somewhere I could send my donations to keep TrueCrypt alive...

You can. By donating to Veracrypt. Mounir Idrissi, the French guy who forked the original Truecrypt code in June 2013, is pretty much in the same boat as GPG's Werner Koch.

@ Gerard van Vooren

But something tells me that not a single USD from that budget goes to any of the GNU/FSF projects or the BSD's (especially not OpenBSD).

That's not entirely true. The USG does fund quite some open source projects, for example the DARPA Open Catalog

PaulFebruary 6, 2015 7:32 AM

Does the world "really" want encryption? Through government action - no. Through citizen inaction - no. I fear that the average "joe" is ok with convenience over security.

boogFebruary 6, 2015 10:50 AM

@Paul: "I fear that the average 'joe' is ok with convenience over security."

Too bad the average "joe" doesn't realize that absent security is mostly convenient for hackers/thieves/oppressors.

Nick PFebruary 6, 2015 1:15 PM

@ Dirk Praet

When I was younger, such an announcement would have excited me. Today, I know it's going to be a giant waste of money primarily benefiting big companies, defense contractors, and Congressional districts whose reps had defense campaign contributions. I'd love to get face-time with Obama and others to explain just what will be necessary with practical tradeoffs that would benefit all parties involved (even NSA).

The problem is that nobody authorizing cyber security seems to understand the situation or have ever seen anything actionable. "We're vulnerable and must do something!" isn't actionable, for instance. They need to be shown how we're attacked, proven solutions for that, precedents supporting how to motivate industry properly, a gradual path from current situation to better one, and specific actions to take along the way. The contract layout should also benefit as many big companies and Congressional districts as possible.

AlexFebruary 6, 2015 1:28 PM

When I read how much he was making, I thought, "Wow, I'm surprised he didn't get corrupted by someone."

I'm kind of surprised the spooks didn't set up a bogus company for the sole purpose of establishing a consulting relationship with him, so they could get a sense of whether he could be bought.

Coyne TibbetsFebruary 6, 2015 1:48 PM

This is only a short-term solution (the donation). It is dangerous to have only one expert in such a critical infrastructural element.

RealisticFebruary 6, 2015 2:27 PM

@Grauhut: The big corps using this need to step forward and fund it. Fork the code to their own in house version if that makes them feel better.

Leon WolfesonFebruary 7, 2015 12:06 AM

Gerard - Going to be honest here, taking US government cash is a strong negative afaik on security. What strings does it come with?

Stripe and Facebook stepping up for 50k $ each per year is a good step.

AndrewFebruary 8, 2015 6:01 AM

Has this just been fast tracked because of the little taste of cyber warfare with North Korea recently?
Sounds like this is mainly for the bigger companies to me.

Financial ProblemsFebruary 9, 2015 12:48 AM

You cannot imagine a life without money. Even the place of a nation is judged on the basis of its economic health and economic progress. Know how to overcome financial problems with the Trivedi effect.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.