Interview with Werner Koch, GnuPG creator

GnuPG is powerful free software, written by Werner Koch, that lets you encrypt and sign data and communications using a combination of asymmetric and symmetric cryptography. It has many features and also supports purely symmetric encryption (default cipher: CAST5). It is a command-line replacement for PGP that supports many algorithms, such as DSA, RSA, AES and Blowfish. For example, I can use GnuPG to sign a message with my private key and forward it to my friend; as long as my friend has my public key, he can use GnuPG to verify that I am the original sender. Here is the official GnuPG manual.
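The sign-and-verify workflow just described, as an added example that is not part of the original article: Alice signs a message, her friend verifies it with only her public key, and a tampered copy is rejected. It assumes GnuPG 2.1 or later is installed and uses throwaway keyrings and a constructed sample identity so nothing touches the real ~/.gnupg.

```shell
# Added example (not from the article): sign with a private key, verify with the public key.
demo_sign_and_verify() {
  alice=$(mktemp -d) && friend=$(mktemp -d) || return 1
  chmod 700 "$alice" "$friend"
  msg="$alice/msg.txt"
  # Alice's side: constructed sample identity, no passphrase so the run is non-interactive.
  gpg --homedir "$alice" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key 'Alice Example <alice@example.invalid>' default default never \
      >/dev/null 2>&1 || return 1
  printf 'Meet at noon.\n' > "$msg"
  # Detached signature: the message stays readable and the signature travels alongside it.
  gpg --homedir "$alice" --batch --quiet --detach-sign --output "$msg.sig" "$msg" || return 1
  # Alice exports her public key; that is all the friend needs to verify her signature.
  gpg --homedir "$alice" --batch --export --armor alice@example.invalid > "$friend/alice.pub"

  # Friend's side: a separate keyring holding only Alice's public key.
  gpg --homedir "$friend" --batch --quiet --import "$friend/alice.pub" >/dev/null 2>&1 || return 1
  # Genuine message: gpg exits 0 (it still warns that the key is not yet marked as trusted).
  gpg --homedir "$friend" --batch --verify "$msg.sig" "$msg" >/dev/null 2>&1 || return 1
  # Tampered message: the same signature must now fail to verify (non-zero exit).
  printf 'Meet at midnight.\n' > "$msg"
  if gpg --homedir "$friend" --batch --verify "$msg.sig" "$msg" >/dev/null 2>&1; then
    return 1
  fi

  # Tidy up the agents started for the throwaway homedirs and remove them.
  gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$friend" --kill gpg-agent 2>/dev/null || true
  rm -rf "$alice" "$friend"
  return 0
}

demo_sign_and_verify && echo "genuine signature verified, tampered copy rejected"
```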

Since I wanted to include the voice of an expert in this article, I decided to contact Werner Koch, the creator of GnuPG, and have a conversation with him about his tool and its history, his opinion on privacy and more.

Q: What is GnuPG? How did the idea about GPG come?

A: GnuPG is a free replacement for PGP, software written in 1992 to allow confidential communication over electronic networks and bulletin board services. PGP was not free because it was affected by at least two software patents and an unclear legal status. PGP's slogan was "encryption for the masses", in contrast to the fact that usable encryption was only available to governments and the military. GnuPG does the same as PGP but as fully free software and in a way that is better usable on Unix systems. In April 1997 a first patent on public key encryption expired and thus it was possible to deploy free software unaffected by patents in the US. The patent was only valid in the US. Now the US had some stupid rules on the export of cryptography software which were only lifted years later. The result was that people in the US could not write any cryptographic software because that software would inevitably leak outside of the US and face the authors with criminal investigations. Thus it was required that non-US natives outside of the US take up this part. Importing into the US was never restricted. In autumn 1997 I attended a talk by Richard Stallman in Aachen/Germany where he asked the attendees to start working on cryptographic software because that was now possible and it needed to be done outside the US. Maybe due to Germany's wire tapping scandals in the 1970s, I have always been interested in systems to make this harder. Thus I found myself hacking on a PGP replacement after that talk and finally released a first version by the end of that year.

Q: My classmates, friends and a large amount of people, even today, think that there is no reason to encrypt and sign their data and communications because they have nothing to hide or because nobody will ever intercept their communications. Are they correct?

A: I doubt that anyone can seriously state the latter after the Snowden revelations. Even before, in 2000, the Echelon spy project raised quite some attention on what secret services were doing and triggered hearings in the European Parliament. Nothing to hide: They should think again about it. Taking notes about experiences with illegal drugs - should the police know about this? Stupid things one did in the past - should that be on the record for all time? How should journalists protect their sources - sure there are things to hide. Many people in Germany with lots of money won't like it that the tax office gets notice that they have secret accounts in Switzerland (well, that might actually be a counter-argument). Love letters all readable by others? Nothing to hide? We decide what to hide and what to publish. We and only we - not the state. For businesses it should be pretty clear that encryption is important. Commercial espionage has always been a major threat for many businesses.

Q: So, according to your previous answer, would you recommend that everyone encrypt their communications and data?

A: Sure. It is a bit more work, but we also put letters into envelopes for a reason. Well, if you want to publish something you should of course not encrypt it. Thus most of _my_ mails are not encrypted because they are addressed to public mailing lists. However, I encrypt all private and business communication if the recipient has an encryption key. If I have to send really sensitive data and there is no way to encrypt it, I resort to paper+envelope even if the recipient wants me to send it by mail.

Q: Yes, but as we saw in the paragraph above - about Tor - criminals, drug users/sellers and others use encryption tools to encrypt their communications. Will the Feds knock on my door if I use GnuPG to communicate with my friends, for example?

A: Unless you are living in a police state, the human right to keep communication private has always been upheld. I am pretty sure that Greece is currently not a police state (although Mrs. Merkel and her neo-liberal followers are working hard to change that); I am not so sure about some of the other high tech countries. To quote Phil Zimmermann: If privacy is outlawed, only outlaws will have privacy. A bit more seriously: Encryption is a requirement of our economy and it cannot be banned, simply because that would bust the banks. They entirely rely on fast, secure electronic communication. GPG is actually used by a lot of payment providers behind the scenes to protect web-based payments.

Here I would also like to add something. As said before, many people think that they have nothing to hide because they don't participate in illegal activities or because they simply don't care. Even if you have nothing to hide - which is a selfish argument - consider this: it may be true that I am not ill, and it may be true that I am not blind, but I still want to live in a world that has hospitals. I still want to live in a world where the streets are accessible to blind people. And likewise I want a world where everyone has privacy, and thus confidentiality and integrity in their daily lives, without having to ask for it [...]

GnuPG web page.

[Nikos Danopoulos]


