Abstract
As one of the earliest publicly available encryption programmes, Pretty Good Privacy (PGP) was intended to usher in an era of secure online communication, acting as a bulwark against the perceived overreach of government surveillance. The PGP Web of Trust (WoT) was created as an essential adjunct to PGP, providing a decentralised infrastructure to validate and connect the identities of PGP users to their encryption keys, through a cryptographically secured social network. Since their inception in the 1990s, PGP and the WoT together promised secure online communication independent of any centralised authority, whether government or corporation. PGP and the WoT offer an early example of a successful system based on what we now term commons-based peer production, as PGP users coordinated directly with their immediate acquaintances – through non-hierarchical non-market action – to construct the WoT as what could be termed an “information security commons” providing the basis of a decentralised system for secure online communication. PGP and the WoT have been used extensively around the world since their creation, and remain in active use by information security and open source software communities, with over 6 million PGP keys currently observable in the WoT.
In spite of these successes, the last few years have seen significant technological and regulatory challenges to the infrastructure of the WoT, to the point where the very existence and utility of the WoT today face serious problems. This is most visible from the rapid decline in the global population of PGP keyservers (from a peak of over 120 to less than 40 as of this writing), which constitute a decentralised database of publicly visible PGP keys and the cryptographic material that makes up the WoT, replicated across keyservers independently operated by volunteers across the world. A robust keyserver infrastructure is essential for the distribution and discovery of relationships across the WoT. As this infrastructure declines, so does the WoT.
In this paper, I explore the technological and regulatory challenges behind this decline. I focus on two cases which have seen significant discussion within the PGP keyserver operator community: the “poison key” attacks via the WoT that effectively denied users’ access to PGP, and GDPR requests which have caused many keyserver operators to take their keyservers offline. The result is a more fragmented keyserver infrastructure, with a new generation of keyservers adopting centralised approaches and abandoning support for the WoT. I employ ethnographic methods to examine these cases, drawing on my experience of operating a PGP keyserver and participating in PGP operational communities for 4 years. I argue that my findings offer broader lessons for the design, operation, and governance of decentralised systems, illustrating limits to peer production that arise internally within systems from technological choices, and externally from regulatory environments.
| Original language | English |
|---|---|
| Publication status | Published - 2022 |
| Event | The Sixth European Multidisciplinary Conference on Global Internet Governance Actors, Regulations, Transactions and Strategies, Frederick University, Nicosia, Cyprus. Duration: 13 Apr 2022 → 14 Apr 2022. https://www-npa.lip6.fr/gig-arts/conference/gig-arts-2022/ |
Conference

| Conference | The Sixth European Multidisciplinary Conference on Global Internet Governance Actors, Regulations, Transactions and Strategies |
|---|---|
| Country/Territory | Cyprus |
| City | Nicosia |
| Period | 13/04/2022 → 14/04/2022 |
| Internet address | https://www-npa.lip6.fr/gig-arts/conference/gig-arts-2022/ |