The Limits to Peer Production in Security Infrastructures: Technological and Regulatory Challenges to the PGP Web of Trust

Research output: Contribution to conference > Abstract > peer-review

Abstract

As one of the earliest publicly available encryption programmes, Pretty Good Privacy (PGP) was intended to usher in an era of secure online communication, acting as a bulwark against the perceived overreach of government surveillance. The PGP Web of Trust (WoT) was created as an essential adjunct to PGP, providing a decentralised infrastructure to validate and connect the identities of PGP users to their encryption keys, through a cryptographically secured social network. Since their inception in the 1990s, PGP and the WoT together promised secure online communication independent of any centralised authority, whether government or corporation. PGP and the WoT offer an early example of a successful system based on what we now term commons-based peer production, as PGP users coordinated directly with their immediate acquaintances – through non-hierarchical non-market action – to construct the WoT as what could be termed an “information security commons” providing the basis of a decentralised system for secure online communication. PGP and the WoT have been used extensively around the world since their creation, and remain in active use by information security and open source software communities, with over 6 million PGP keys currently observable in the WoT.
In spite of these successes, the last few years have seen significant technological and regulatory challenges to the infrastructure of the WoT, to the point where the very existence and utility of the WoT today face serious problems. This is most visible in the rapid decline of the global population of PGP keyservers (from a peak of over 120 to fewer than 40 as of this writing). The keyservers constitute a decentralised database of publicly visible PGP keys and the cryptographic material that makes up the WoT, replicated across keyservers independently operated by volunteers around the world. A robust keyserver infrastructure is essential for the distribution and discovery of relationships across the WoT. As this infrastructure declines, so does the WoT.
In this paper, I explore the technological and regulatory challenges behind this decline. I focus on two cases which have seen significant discussion within the PGP keyserver operator community: the “poison key” attacks via the WoT that effectively denied users’ access to PGP, and GDPR requests which have caused many keyserver operators to take their keyservers offline. The result is a more fragmented keyserver infrastructure, with a new generation of keyservers adopting centralised approaches and abandoning support for the WoT. I employ ethnographic methods to examine these cases, drawing on my experience of operating a PGP keyserver and participating in PGP operational communities for 4 years. I argue that my findings offer broader lessons for the design, operation, and governance of decentralised systems, illustrating limits to peer production that arise internally within systems from technological choices, and externally from regulatory environments.
Original language: English
Publication status: Published - 2022
Event: The Sixth European Multidisciplinary Conference on Global Internet Governance Actors, Regulations, Transactions and Strategies - Frederick University, Nicosia, Cyprus
Duration: 13 Apr 2022 to 14 Apr 2022
https://www-npa.lip6.fr/gig-arts/conference/gig-arts-2022/

Conference

Conference: The Sixth European Multidisciplinary Conference on Global Internet Governance Actors, Regulations, Transactions and Strategies
Country/Territory: Cyprus
City: Nicosia
Period: 13/04/2022 to 14/04/2022
Internet address: https://www-npa.lip6.fr/gig-arts/conference/gig-arts-2022/
