In An Open Letter About Our Future, the GPG Tools team announces that future versions of their software won't be free anymore. GPG Suite is the best personal PGP graphical interface on Mac OS X, and the only one that integrates well with Mail.
I understand the GPG Tools team's position and I'll even pay the price for a good personal cryptography experience. Since I started using Mac OS X 10.10 beta a few months ago, I've been using nerdy workarounds to keep using PGP with Mail. This is not the experience I want.
15 years ago, I had that "no software but free software" state of mind. I spent nights and days compiling and configuring poorly integrated software to make it work together and ensure a decent user experience. A young know-it-all, I considered that code had to be free, both as in freedom and as in free beer, before everything else.
At 36, I've switched to a "no software but good software (better if free)" state of mind. I want to do things with my computer instead of doing things for my computer. I've been working in the software world for too long not to understand the value of code and the value of a good user experience, and not to pay for it or donate to my favorite projects.
I understand the GPG Suite team's move, but I strongly disagree with it.
I'm concerned it sets a precedent and becomes a major step back for the adoption of personal cryptography outside of the computer science sphere.
For a few years now, personal data protection has been a major concern. The Wikileaks and Edward Snowden revelations have raised awareness of the data privacy situation outside of the nerdy and global conspiracy spheres. They raised an interest in what corporations and governments actually do with our communications and data far beyond the usual security scene. Even if it did not really change anything, at least people can't say we didn't know anymore.
However, I don't feel that the use of personal cryptography has improved in any way among the general public, for personal or professional use.
Despite some user experience improvements, using personal cryptography is still a pain in the ass. You need to understand the basics of applied cryptography: public / secret key, key exchange, signature, expiry date... Signing or encrypting an email, or connecting to a VPN, still requires you to add extra operations to your usual, simple workflow.
And no one wants you to use personal cryptography anyway. Your government doesn’t. Your ISP doesn’t. Your employer doesn’t.
A strong example is the man-in-the-middle attack (MITM). MITM is a technique where an attacker intercepts a data stream, impersonating the legitimate receiver to the sender (and the sender to the receiver) before relaying it onwards. In a corporate environment, MITM works even on encrypted traffic: the company's proxy terminates your TLS session, re-signs the remote site's certificate with its own root, and IT installs that root in the trust store of every managed device so browsers and mail clients accept it without a warning. It works precisely because the company controls the endpoint, not because the cryptography is weak.
15 years ago, man in the middle was a strong, little-known attack. Today, it has turned into a corporate security measure. That's why no one wants you to use encryption, and that's why Google giving a better rank to sites using SSL drives corporate IT departments crazy.
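To make the mechanism concrete, here is an added example (not from the original post, and not the GPG Tools team's code) that rebuilds a corporate interception setup with nothing but the openssl command-line tool, which it assumes is installed. All names, keys and certificates are constructed on the fly for the demonstration. It shows that the certificate a proxy mints for mail.example.com verifies on a machine where the corporate root is trusted and fails on one that trusts only public roots, and how a quick look at the issuer of the certificate you are presented tells you whether you are being intercepted.

```shell
#!/bin/sh
# Added example: why a corporate TLS-intercepting proxy gets past encryption.
# The proxy terminates the user's TLS session, re-signs the remote site's
# certificate with a private "interception root", and IT pre-installs that
# root in every managed device's trust store. The same certificate fails
# verification on any machine that trusts only the public CAs.
# Every name and key below is constructed for this example (hypothetical).
set -e

# Return 0 if CERT ($1) chains to a root in CAFILE ($2), 1 otherwise. This is
# what a browser does against its trust store before showing the padlock.
verify_against() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print the issuer DN of CERT ($1) in RFC 2253 form. On a managed machine,
# comparing this with the issuer you see from an unmanaged network is the
# quickest check for interception.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

WORK="$(mktemp -d)"
ROOT="$WORK/corp-root.pem"        # the interception root that IT installs
PUBLIC="$WORK/public-root.pem"    # stand-in for the public CA the real site uses
SITE="$WORK/mail.example.com.pem" # what the proxy presents to the user

# The corporate interception root (self-signed, constructed here).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/corp-root.key" -out "$ROOT" \
  -subj "/CN=Example Corp Interception Root" >/dev/null 2>&1

# An unrelated root standing in for a genuine public CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/public-root.key" -out "$PUBLIC" \
  -subj "/CN=Example Public Root CA" >/dev/null 2>&1

# The proxy mints a certificate for the visited site on the fly and signs it
# with its own root. The private key never leaves the proxy.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/site.key" \
  -out "$WORK/site.csr" -subj "/CN=mail.example.com" >/dev/null 2>&1
openssl x509 -req -in "$WORK/site.csr" -CA "$ROOT" -CAkey "$WORK/corp-root.key" \
  -CAcreateserial -days 30 -out "$SITE" >/dev/null 2>&1

# Usage when run directly: same certificate, two trust stores, two verdicts.
if verify_against "$SITE" "$ROOT"; then
  echo "managed device (corporate root installed): certificate accepted"
fi
if ! verify_against "$SITE" "$PUBLIC"; then
  echo "unmanaged device (public roots only): certificate rejected"
fi
echo "presented certificate issuer: $(cert_issuer "$SITE")"
```

The practical takeaway is that end-to-end encryption such as PGP, where the key never belongs to the endpoint's operator, is the one layer a corporate proxy cannot re-sign its way through, which is exactly why it is the layer nobody is keen to see adopted.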
Personal cryptography is a pain, so no one wants to use it. Having to pay for it won't improve anything. If we want strong adoption, personal cryptography must be free, and being free is part of a good overall user experience: it removes adoption friction.
12 years ago, I was doing lots of CSS. Internet Explorer 6 had 90% of the global market, people used table-based layouts and Web standards were a geek thing.
Fortunately, Firefox came along and spread. Web standards started to spread too, and most people quickly stopped using table-based layouts. It was a hard time for evangelism, and even in 2006 I still had to develop for IE6, tables and inline styles.
Geeks started to install Firefox on their friends', parents' and school computers. They were able to do it because it was free, both as in free beer and as in free speech. What would have happened if they had had to pay a small fee to use Firefox? It would have met the same fate as the advertisement-supported Opera.
This was made possible because, despite many people working full time on Firefox, they found another way (i.e. Google) to fund it. Now that Truecrypt is dead, we need more cryptographic projects aimed at the general public, and we need them to be free. It's a question of freedom.