How can we build better privacy tools?

Matthew Green raises a few interesting points about the recent news of GnuPG's financial problems and its rescue.

Is this model really sustainable? I’m pretty skeptical. Sooner or later this money will run out. And next time this happens, the Internet might not have a quarter million in spare change to fork over. In fact, that’s already the normal state of affairs for most privacy tools — software ranging from GPGTools to OTR — most of which subsist on meager donations and volunteer time. The scary part is that thousands of people depend on these tools for their privacy and even their physical safety.

Green lists how the development and maintenance of privacy tools is funded today.

  • Self-funding
  • Donations, charges and crowd-funding
  • Industry grants
  • Government and NGOs
  • Internal industry funding
  • Academic research funding

Green attaches question marks to each of those sources, some larger and some smaller, but mostly serious ones. He stresses that more money does not necessarily mean a better privacy tool.

So yes, people need to eat — that’s a baseline. But beyond that what developers also need are things like expert guidance, security audits, analysis tools, and collaboration with other developers. They also really need help with the hardest problem in computer science, which is turning a pile of code into a product that people want to use.

And he then makes this concrete.

What’s really needed is a privacy incubator. A place that provides both funding (or at least, guides funding) as well as in-house technical staff and researchers, non-technical help such as communications, infrastructure, a great advisory board, and access to tools and engineers.

I’m not advocating the creation of an entirely new organization. Instead, the goal should be to identify organizations that are already working and either connect that, or build up their capabilities with a large infusion of cash.

Whether this will actually happen remains to be seen. According to Green, it will depend on several factors.

I guess it depends on the will and the money. It also depends on us: that is, on the willingness of the technically focused privacy/security community to accept that many of the elements we need to succeed are outside of our personal realm of expertise, and we need help with them.

How do we pay for privacy?