Not many software developers can say they've helped strike a blow for democracy, but Aucklander Peter Gutmann's open source code has been used to fight oppressive regimes around the world. Gutmann, a PhD student at Auckland University, helped to develop the freeware version of the encryption software PGP, which stands for Pretty Good Privacy. He is currently working on encryption and computer security and is also a visiting scientist at IBM's TJ Watson Research Centre in the US. He explains to Andrea Malcolm why he's in the open source movement.
Why do you contribute to open source development? What are the benefits?
Two things. I get to do something I find interesting — for example, there's no way I'd do a business spreadsheet as free software, in fact I wouldn't do that if you paid me — and I get to return something to the community. Some people do volunteer work for charities — I contribute by doing something I'm good at and providing it to anyone who wants to use it.
It's used by students and private individuals for educational purposes in less affluent countries where it's helping people who aren't in a position to get the most expensive stuff.
Another benefit, which is specific to the fact that I work on crypto [encryption] software, is that it's helped an awful lot of people living under very nasty, oppressive regimes. It's been used by the pro-democracy movement in Burma — which has a particularly nasty military dictatorship — in most of eastern Europe — by human rights groups to protect details of refugees, food convoys and to help get people out of areas where ethnic cleansing is going on — and in South America by people investigating human rights violations and torture.
I don't think I'd be much good working with refugees in the South American jungle, but I can help in this way by doing something I'm good at.
Can you elaborate? Have any of these people ever contacted you?
A lot of the people involved have contacted me, but I have to be very careful about how much I reveal because they are — understandably — very nervous about being caught and becoming just another human rights abuse statistic. I also don't store the messages for the same reason, so I have to reconstruct this from memory ... here are some examples:
In Burma, the ruling military junta — the State Law and Order Restoration Council, or SLORC — will imprison you for 15 years for the crime of owning a modem. PGP is used by the Burmese pro-democracy movement, who use it and other crypto software on laptops. Before crypto was used, captured documents or information obtained under torture would result in arrest, torture and death for whole families.
A few years ago I was contacted by someone whose brother worked as a missionary in Africa where, again, it was essential that they used crypto to protect the details of their work because various unpleasant groups would take great interest in their records — they were after things like lists of names of people they'd worked with. He asked for a copy of PGP. I mailed his brother that and a bundle of other encryption software I'd written. He mentioned that it could take up to a year to get mail, but a few months later he contacted me again to say the mission had got the software and were using it in their work.
The place where it was put to the best use a few years ago was in eastern European countries where various forms of what is euphemistically referred to as "ethnic cleansing" were taking place. Crypto is used to protect the details of refugees being moved out of trouble spots, and to protect details of food and medical equipment convoys being sent to the refugees.
I've talked to people who work for aid agencies there and they have to be incredibly careful about all of their communications. If not, the food is intercepted by the groups responsible for the problems — militia/armed forces/local police, etc — and is diverted to feeding them. I've got it pretty easy; I just sit back and write the code, but these people are actually being shot at or tortured for what they do.
Can you explain the open source version of PGP?
The PGP 2.x code has always been free. After PGP 5.x was rewritten by PGP they made the source code available to bypass US export controls — the code was printed and bound, exported from the US in printed form, scanned in in Norway, and put on the Net. Subsequent versions were also released in this form, although by this time the scanning process had been automated so that it ran much faster. The technique was pioneered by Sun with their Skip code.
What is your contribution?
All sorts of things, but the main ones were PGP, an archiver with encryption and signatures called HPACK, and cryptlib, my crypto/security toolkit (www.cs.auckland.ac.nz/~pgut001/cryptlib — HPACK predates the WWW so there's no Web page).
When did you start developing open source software?
I first started giving away software I'd written in the mid-80s. It wasn't called "open source" until quite recently; before that it was just "free software". There's a huge amount of it around.
How much time do you spend on it?
Pretty hard to say. I just do it whenever I have time to; it can range from 80 to 100 hours a week to almost nothing.
Are there any drawbacks in developing open source software?
People asking lots of stupid questions which are answered in the documentation anyway. This can get overwhelming at times because there's only one of you and apparently infinite numbers of them.
Do you get to know other developers worldwide or in New Zealand? Do you know any other New Zealanders doing this?
Mostly outside New Zealand. In fact virtually no one in New Zealand; all the contacts are either in the US or Europe, probably 50/50.
How would you like to see the open source movement develop?
I think it's doing fine the way it is. For years this software was available under the name "freeware" and no commercial organisations would touch it. By renaming it "open source" it's suddenly become acceptable and now everyone wants a piece. This has to be the most successful name change in history.
The one major obstacle still facing it is the view that if you have to pay a huge amount of money for it, it has to be good. I don't think I've ever seen commercial software for which free equivalents weren't far better, but because you have to pay $1000 a pop for the commercial version people think it's somehow better. If you talk to company managers they'll tell you "We're an NT shop, everyone uses Windows", but if you talk to the system administrators you find half their stuff is running on Linux boxes without the management knowing about it.