PGPfreeware 8.0: Not so good news for crypto newcomers

pplf pplf@wanadoo.fr
Thu Dec 5 19:26:01 2002


For info, an opinion about the new PGPfreeware 8.0 (some ideas for 
PGPfreeware 8.1 are included)

-----------------



PGPfreeware 8.0: Not so good news for crypto newcomers
------------------------------------------------------

2002/12/05

pplf <pplf@wanadoo.fr>
webmaster of "OpenPGP in french" site http://www.openpgp.fr.st

Michel Bouissou <michel@bouissou.net>
network administrator



Philip Zimmermann created PGP in 1992 as a freeware and a tool to
promote free encryption. He even described it as being "guerilla
software". PGP is the legendary piece of software that forced
governments, in the USA and in several other countries, to rethink and
soften their anti-crypto regulations.

In 1996, Philip Zimmermann and associates created a company called PGP
Inc to make profit from PGP. They started to sell it, but also committed
to continue promoting free encryption by giving a version called
"freeware" which individuals and non-profit organizations could use
without charges. This freeware version contained easy-to-use e-mail
plugins to automatically encrypt / decrypt / sign / verify e-mails in
Outlook Express or Eudora.

PGP Inc couldn't generate enough revenue from PGP software sales, and
collapsed. Then, in 1997 NAI acquired PGP Inc. Although NAI was
interested in PGP only as a commercial product, they kept on giving a
PGPfreeware with e-mail plugins. But NAI didn't succeed in making
revenue from it better than PGP, Inc had done, and decided to terminate
the PGP product line.

In 2002, the PGP creators (including Phil Zimmermann) created PGP Corp
and bought the PGP rights back from NAI.

PGPfreeware 8.0, the new PGP version produced by PGP Corp, was released
December 3, but it doesn't contain any e-mail plugin. If you want
plugins, you have to purchase the commercial version. PGPfreeware 8.0
only includes clipboard and file encryption features.

The issue is that newbies to crypto are unable to use PGP for e-mail
encryption if it doesn't come with at least one plugin for a widely used
e-mail software.

PGPfreeware 8.0 is bad news for encryption freedom because people will
download the most famous encryption software, PGP in its freeware
version, to discover encryption, and the first thing they will discover
is its great deal of complexity (public key encryption being genuinely
complex) without understanding how they could possibly send or receive
encrypted e-mails, which is the very reason for which they first
downloaded it.

In our opinion, PGPfreeware 8.0 will be of little help to crypto
newcomers, and as such, won't help promote free encryption for the masses.

Furthermore, to be really accessible to beginners, besides offering an
e-mail software plugin and proposing the creation of a keypair at
installation time, PGPfreeware should offer to the user the opportunity
of sending the newly generated public key by e-mail to the user's usual
correspondents, along with a short notice explaining the purpose of this
key, and a link for downloading PGPfreeware.

With PGPfreeware 8.0, the PGP 2.3 dream is over, Philip Zimmermann
himself confirms this on his web site with a very deceiving sentence
which is a parody of the Free Software slogan (and could even be
considered as an attack against GnuPG, the OpenPGP UNIX free version):
"You may have a constitutional right to use crypto software, but someone
has to pay the developers. Free Speech is not the same as Free Beer."
(http://www.philzimmermann.com/findpgp.shtml)

PGP Corp has the right to sell PGP, which is very good software. But
PGP is not a software like others and PGP Corp has a moral obligation,
in regard to its history since 1992, to promote free encryption.

We think that making a PGPfreeware 8.1 version that would include a
MS-Outlook Express plugin (Windows) and an AppleMail (MacOS X) plugin,
and the file encryption support, but without clipboard encryption
support, nor PGP keyservers direct access, or free space wipe, or
PGPdisk, would be a better move, which would respect the free encryption
promotion spirit as well as PGP Corp business.

We also suggest that PGP price should be urgently reconsidered: in
Europe, $ 165 (165 euros) is much too expensive for personal users; most
utilities that personal users are used to purchasing are priced around
40-50 E.

It's already often difficult enough to convince "the average computer
user" of the interest of using crypto, and to convince him to make the
effort of learning its basics and understanding its principles. So,
having personal crypto software priced much too high will be very
dissuasive in such a context, and thus will be an obstacle to the
spreading of cryptography -- and to PGP software sales as well.

Furthermore, having PGP priced too high will probably lead newcomers to
turn to a lot of "snake oil" encryption software and "personal security
suites" that already encumber the shelves of computer software shops and
are much cheaper than PGP. So there is a risk that uninformed users will
turn away from PGP, and purchase cheaper snake oil instead.

Last thing: PGPfreeware 8.0 is a good piece of software, much better
than PGPfreeware 7.0.3 was. It is compact, quick and smart, and it
worked really fine when we tested it under Windows 98. Unfortunately,
the choice that was made of "free features" vs. "paying features" is
wrong. And this is highly regrettable.



pplf & Michel Bouissou.


----------------------