PGP could have lived on

In 1994 Philip Zimmermann wrote the book “PGP Source Code and Internals”. This book contained nothing but boring source code. It was a means to an end: to get PGP shipped overseas, legally, so that people other than Americans could use this tool to communicate securely with each other.

Exporting this encryption software was not allowed. Why?
The United States Government had long regarded cryptographic software as a munition, and thus subject to arms trafficking export controls. It sat on the munitions list together with other items that may not be exported without a license. So exporting software that is treated like a gun is not allowed, but exporting a book is. The thinking was therefore: write a book, ship it, scan the code back in (OCR), compile it, and you have legally obtained the software on the other side.

Phil Zimmermann mentioned the Clipper chip program in the preface of his book. That program was effectively overtaken by events: with so much data already coming in from tapping every phone in the USA, the data hawks laid low for a while. However, this ridiculous idea is back on the table now that encryption has become mainstream. Why ridiculous? Anyone can write their own encryption library and use it for encrypted communications. There exists a world outside Gmail, Facebook, Apple and Microsoft.

Now this article from Wired states that PGP is dead because it was too cumbersome to use, and mentions that even Edward Snowden once forgot to include his public key when sending an encrypted message. Then there was a vulnerability that was, in my view, a bit overhyped.

For me it was Symantec who killed it. When they took it over from PGP Corporation in 2010 they had a beautiful product: email encryption together with file and full disk encryption. They could have taken it further from there by creating some kind of public key store and by having other people vouch for the authenticity of someone’s public key, comparable with the feedback system on eBay that marks a vendor as reliable. Or integrate it with LinkedIn by linking to your public key and letting people vote that they had verified it. They had all the knowledge, since they had taken over some companies (VeriSign, Bugtraq) with some good people. We could have had it all. Well, that’s at least my humble opinion.

So the Wired article says PGP has been replaced by Telegram, Signal and WhatsApp. Then there are ProtonMail and Tutanota. The downside is that both parties need to use the same app or e-mail service in order to exchange messages securely. Keybase comes close but has some drawbacks as well. The beauty of PGP is that it is independent of any particular e-mail client or operating system. It’s cross-platform and works across e-mail clients.

Or is that an old-school thought, now that we are going to have end-to-end encryption in Facebook Messenger? I am sure the lawyers at Facebook are now discussing the meaning of the word ‘end’ from a legal perspective. 😉