A brief history of GnuPG: vital to online security but free and underfunded

Most people have never heard of the software that makes up the machinery of the internet. Outside developer circles, its authors receive little reward for their efforts, in terms of either money or public recognition.

One example is the encryption software GNU Privacy Guard (also known as GnuPG and GPG), and its authors are regularly forced to fundraise to continue the project.

GnuPG is part of the GNU collection of free and open source software, but its story is an interesting one, and it begins with software engineer Phil Zimmermann.

We do not know exactly what Zimmermann felt on January 11, 1996, but relief is probably a good guess. The United States government had just ended its investigation into him and his encryption software, PGP or “Pretty Good Privacy”.

In the 1990s, the US restricted the export of strong cryptography, viewing it as sensitive technology that had once been the exclusive purview of the intelligence and military establishment. Zimmermann had been facing serious punishment for posting PGP on the internet in 1991, which could have been seen as a violation of the Arms Export Control Act.

To circumvent US export regulations and ship the software legally to other countries, hackers even printed the source code as a book, which would allow anyone to scan it at its destination and rebuild the software from scratch.

Zimmermann later worked with the PGP Corporation, which helped define PGP as an open internet standard, OpenPGP. A number of software packages implement this standard, of which GnuPG is perhaps the best-known.

What is PGP?

PGP implements a form of cryptography that is known as “asymmetric cryptography” or public-key cryptography.

The story of its discovery is itself worth telling. It was invented in the 1970s by researchers at the British intelligence service GCHQ and then again by Stanford University academics in the US, although GCHQ’s results were only declassified in 1997.

Asymmetric cryptography gives users two keys. The so-called “public” key is meant to be distributed to everyone and is used to encrypt messages or verify a “signature”. The “private” or “secret” key must be known only to the user. It helps decrypt messages or “sign” them - the digital equivalent of a seal to prove origin and authenticity.

Zimmermann published PGP because he believed that everybody has a right to private communication. PGP was meant to be used for email, but could be used for any kind of electronic communication.

The challenge facing security software

Despite Zimmermann’s work, the dream of free encryption for everyone never quite came to full bloom.

Neither Zimmermann’s original PGP nor the later GnuPG managed to become entirely user-friendly. Both use highly technical language, and the latter is still known for being accessible only by typing out commands - an anachronism even in the late 1990s, when most operating systems already used the mouse.

Many users did not understand why they should encrypt their email at all, and attempts to integrate the tools with email clients were not particularly intuitive.

Big corporations such as Microsoft, Google and Apple shunned it – to this day, they do not ship PGP with their products, although some are now implementing forms of end-to-end encryption.

Finally, there was the issue of distributing public keys - they had to be made available to other people to be useful. Private initiatives never gathered much attention. In fact, a number of academic studies in the early and late 2000s showed that these attempts never managed to attract widespread public usage.

The release of the Edward Snowden documents in 2013 spurred renewed interest in PGP. “Crypto parties” became a global phenomenon when people met in person to exchange their public keys, but this was ultimately short-lived.

PGP today

When I met Zimmermann in Silicon Valley in 2015, he admitted that he did not currently use PGP. In a more recent email, he said this is because it does not run on current versions of macOS or iOS. “I may soon run GnuPG,” he wrote.

By today’s standards, GnuPG – like all implementations of OpenPGP – lacks additional security features that are provided by chat apps such as WhatsApp or Signal. Both are spiritual descendants of PGP and unthinkable without Zimmermann’s invention, but they go beyond what OpenPGP can do by protecting messages even in the case of a private key being lost.

What’s more, email reveals the sender and receiver names anyway. In the age of data mining, this is often enough to infer the contents of encrypted communication.

Nevertheless, GnuPG (and hence OpenPGP) are alive and well. Relative to the increased computational power available today, their cryptography is as strong today as it was in 1991. GnuPG just found new use cases - very important ones.

Journalists use it to allow their sources to deposit confidential data and leaks. This is a vital and indispensable method of self-protection for the leaker and the journalist.

But even more importantly, digital signatures are where GnuPG excels today.

Linux is one of the world’s most common operating system (it even forms the basis of Android). On internet servers that run Linux, software is downloaded and updated from software repositories - and most of them sign their software with GnuPG to confirm its authenticity and origin.

GnuPG works its magic behind closed curtains, once again.