Why you should not support Pretty Easy Privacy

There is a new shade of grey: Pretty Easy Privacy (p≡p or pEp). A project that now seeks funding on Indiegogo and tries to make Email encryption easy. Granted it's an open source project - but that alone should not convince you it's good. Granted it tries to connect to and uphold old cypherpunk values - but that does not mean it follows them. Let us take a look at a quote from Pretty Easy Privacy's own website:

Instead of inventing cryptography again, we integrate what is pretty good already: GnuPG [...][1]

That is already the point where you should shy away. Let me explain why: GnuPG employs a cryptographic scheme that was - if used for private and not business communication - broken from the beginning. Even for business communication its cryptographic properties are questionable.

When you use GnuPG you are not only getting what you want, namely certainty that you are indeed in communication with your friend and not some imposter, but you are also getting a situation in which you need to trust your friend not to use what you said against you some day. Why is that? It's because with PGP you and your friend are in a sense having tape recorders running the whole time: every signed message is a proof, checkable by anyone with your public key, that you wrote it. That can't be what you want, right?
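The "tape recorder" point is the difference between a signature and a deniable authenticator. The following is an added illustration, not code from p≡p or GnuPG: a toy RSA signature (constructed, deliberately tiny and insecure parameters, sha256 reduced modulo the toy modulus) next to an HMAC over a shared key. The party names Alice and Bob and the key material are assumptions. A third party holding only the signer's public key can attribute a signature to exactly one person; with the shared-key tag, every key holder could have produced the identical bytes, so the tag proves nothing to anyone outside the conversation.

```python
import hashlib
import hmac

# Toy RSA key pair (constructed, insecure parameters for illustration only).
P, Q, E = 61, 53, 17
N = P * Q                          # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer only


def digest(msg: bytes) -> int:
    """Hash the message and reduce it into the toy modulus range."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(msg: bytes, d: int = D) -> int:
    """Textbook RSA signature: only the holder of d can compute this."""
    return pow(digest(msg), d, N)


def verify_signature(msg: bytes, sig: int, e: int = E) -> bool:
    """Anyone with the public exponent can check the signature."""
    return pow(sig, e, N) == digest(msg)


def mac(msg: bytes, key: bytes) -> bytes:
    """Symmetric authenticator: everyone holding key can produce it."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def producers_of_signature(msg: bytes, sig: int, private_exponents: dict) -> list:
    """Names of parties able to regenerate sig (None = has no private key)."""
    return [name for name, d in private_exponents.items()
            if d is not None and sign(msg, d) == sig]


def producers_of_mac(msg: bytes, tag: bytes, key_holders: dict) -> list:
    """Names of parties able to regenerate tag from the key they hold."""
    return [name for name, key in key_holders.items()
            if hmac.compare_digest(mac(msg, key), tag)]


if __name__ == "__main__":
    message = b"meet me at the usual place"   # constructed sample message
    shared = b"alice-bob-shared-key"          # assumed shared secret

    sig = sign(message)
    print("signature verifies:", verify_signature(message, sig))
    # Only Alice can have produced this; Bob can show it to anyone.
    print("could have signed:", producers_of_signature(message, sig, {"alice": D, "bob": None}))

    tag = mac(message, shared)
    # Alice or Bob could have produced the same tag; a third party learns nothing.
    print("could have tagged:", producers_of_mac(message, tag, {"alice": shared, "bob": shared}))
```

The shared-key tag still tells Bob the message came from Alice (he knows he did not write it himself), which is the authentication the post says you want, without handing him transferable evidence.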

If you now think "Well, but somehow I need a way to prove to my friend that it's me who is writing" then I am happy to tell you: We have better ways of doing exactly that without increasing your liability! If you want to know more read Why you should not use GnuPG or PGP. The fact that you do not need to put your fingerprint on every message to achieve authentication makes Pretty Easy Privacy (p≡p) at least dubious. With big words they reference the (not too exciting) Cypherpunks Manifesto which among other things says:

Since we desire privacy, we must ensure that each party to a transaction have knowledge only of that which is directly necessary for that transaction.[2]

And that is exactly what GnuPG is not doing. Pretty Easy Privacy (p≡p) is broken, sadly even by its own standards.

PS: If that does not tip you off, take a look at their stretch goals (heading: "Your contributions will be utilized to ...") and put it into relation to what their fundraiser video and text suggest you will get. Keep in mind that they ask for 50,000 dollars but everything that goes beyond Outlook, Android-only!? SMS and web-site based services like Gmail will not (speedily) be implemented unless they receive at least 6 times the funding.

