CDH Open: Technological and Regulatory Challenges in the PGP Web of Trust

By Cambridge Digital Humanities

Dr Ashwin Mathew joins us for a lively discussion at the CDH Open.

Location

Sidgwick Site, Lecture Block Room 1

West Road Cambridge CB3 9DT United Kingdom

Agenda

5:00 PM - 6:00 PM

Seminar

6:00 PM - 7:00 PM

Drinks Reception

Good to know

Highlights

  • 2 hours
  • In person

About this event

Science & Tech • High Tech

Limits to Peer Production: Technological and Regulatory Challenges in the PGP Web of Trust

Speaker

Dr. Ashwin Mathew is an ethnographer of Internet infrastructure, studying the technologies and technical communities involved in the operation of the global Internet. He is interested in how the Internet is built and maintained in everyday practice, and in how the cultures of the Internet’s technical communities circulate and are re-articulated across the Global South and Global North in the process of operating the Internet.

He joined the Department of Digital Humanities in September 2019. He holds a PhD in Information Management and Systems from the UC Berkeley School of Information. Prior to his doctoral work, he spent a decade as a programmer and technical architect in companies such as Adobe Systems and Sun Microsystems.

Abstract

As one of the earliest publicly available encryption programmes, Pretty Good Privacy (PGP) was intended to usher in an era of secure online communication, acting as a bulwark against the perceived overreach of government surveillance. The PGP Web of Trust (WoT) was created as an essential adjunct to PGP, providing a decentralised infrastructure to validate and connect the identities of PGP users to their encryption keys, through a cryptographically secured social network. Since their inception in the 1990s, PGP and the WoT together promised secure online communication independent of any centralised authority, whether government or corporation. PGP and the WoT offer an early example of a successful system based on what we now term commons-based peer production, as PGP users coordinated directly with their immediate acquaintances – through non-hierarchical non-market action – to construct the WoT as what could be termed an 'information security commons' providing the basis of a decentralised system for secure online communication. PGP and the WoT have been used extensively around the world since their creation, and remain in active use by information security and open source software communities, with over 7 million PGP keys currently observable in the WoT.

In spite of these successes, recent years have seen significant technological and regulatory challenges to the infrastructure of the WoT, to the point where the very existence and utility of the WoT today face serious problems. This is most visible in the rapid decline of the global population of PGP keyservers (from a peak of over 120 to fewer than 40 as of this writing). These keyservers constitute a decentralised database of the publicly visible PGP keys and cryptographic material that make up the WoT, replicated across keyservers independently operated by volunteers around the world. A robust keyserver infrastructure is essential for the distribution and discovery of relationships across the WoT. As this infrastructure declines, so does the WoT.

In this paper, I explore the technological and regulatory challenges behind this decline. I focus on two cases which have seen significant discussion within the PGP keyserver operator community: the 'poison key' attacks via the WoT that effectively denied users access to PGP, and GDPR requests which have caused many keyserver operators to take their keyservers offline. The result is a more fragmented keyserver infrastructure, with a new generation of keyservers adopting centralised approaches and abandoning support for the WoT. I employ ethnographic methods to examine these cases, drawing on my experience of operating a PGP keyserver and participating in PGP operational communities for 4 years. My findings offer broader lessons for the design, operation, and governance of decentralised systems, illustrating limits to peer production that arise internally within systems from technological choices, and externally from regulatory environments. These lessons are especially salient as governments around the world increasingly demand backdoors for access to encrypted communications – the very challenge that PGP was meant to counteract.

Access

Events are free and open to all unless otherwise stated.

If you have specific accessibility needs for this event please get in touch. We will do our best to accommodate any requests.

Image: Lone Thomasky & Bits&Bäume / https://betterimagesofai.org / https://creativecommons.org/licenses/by/4.0/

Organised by

Cambridge Digital Humanities

Free
Nov 13 · 17:00 GMT