This 53-year-old German encryption coder helped the U.S. whistleblower stay one step ahead of the NSA. Now, he's getting financial support from some big players to expand his work.
ERKRATH — Everything Werner Koch needs to prevent the U.S. National Security Agency, NSA, from properly doing its job is right here in a 10-square-meter room in a basement in Erkrath, a small town outside of Düsseldorf.
Koch opens his front door and invites us into his home. The first thing we see are children's drawings plastering the wall. Downstairs is his company "headquarters," all 10 square meters of it. It's a one-man show. And yet financially, things are looking good. "There is finally enough money in my account," he says.
Until a few months ago, that wasn't the case. Everything changed when Koch, 53, attended an event held late last year in Hamburg. He was one of over 3,000 people in a conference hall. Two experts on stage explained in detail how the NSA spies on ordinary citizens and which technological obstacles it can avoid while doing so. All of a sudden, the speaker asked: "Is Werner Koch in the audience? Could you please stand up?"
The audience applauded and cheered him as he stood up. The reason? There is apparently one program that the NSA can't decipher. And the person responsible for that program, an email encryption system called GNU Privacy Guard (GnuPG), is Koch.
GnuPG makes ordinary emails unintelligible, even to highly trained computer spies, who only see encrypted codes and word sequences. That's precisely why Edward Snowden, the famous NSA whistleblower, used the program to communicate with journalists.
Labor of love
Koch's basement workshop looks more like a hobby room than a company office. Cables dangle every which way. And yet it was here that he wrote a program in 1997 that trumped the NSA's multi-billion-dollar budget. It is a story that any hacker would love. Evidence that power and money are worthless if pitched against truly clever mathematics.
Werner Koch in 2011 — Photo: Ola Waagen
Koch named his company G10-Code. The name is a symbol of his leftist leanings, which also explain why he does what he does. The name was chosen in relation to Article 10 of the German Basic Law. This particular article determines the circumstances under which intelligence services are allowed to circumvent the confidentiality of telecommunications law. Koch's current work is in many ways an attempt to safeguard correspondence law by enabling people to communicate freely but digitally.
After the event in Hamburg, Koch spoke to a U.S. journalist and told her he was very close to abandoning the project altogether. There was not enough funding to be had as GnuPG is freeware. Anyone can download it for free and, if they're so inclined, develop it even further. People can even view the program code to check if Koch or his co-writers made any mistakes.
Being free means the software is distributed effectively, which definitely constitutes an advantage. But it also eliminates the incentive to support Koch financially. He was able to drum up some business. On rare occasions, companies hired Koch to fix potential problems. And at one point, the federal government invested 600,000 euros in Koch's invention. But all of that was a long time ago.
Without enough revenue to pay for a staff, Koch worked by himself, earning less than a standard entry-level programmer's salary. At one point he considered throwing in the towel. But Snowden's disclosures, he says, gave him a second wind by showing him how important the program apparently is. "I am glad that it is being put to good use," he says.
A few decades ago Koch worked as an IT expert. He found his experiences of German corporate culture disturbing. "I designed a very complex consultancy program for our accounts department but it was never used," he recalls. "Not because it wasn't good enough, but because it was only designed out of competition with the other departments, for the sake of bragging rights. That was not a satisfying experience." He is far more enthusiastic about his current pursuit: going head-to-head with intelligence services.
If Koch really had given up, it's unlikely GnuPG could have survived. The program he wrote has 300,000 lines of code and needs constant updating and removal of input errors. No one but Koch himself truly knows everything about it.
Koch does have his critics. Some complain that the email encryption process is too complex. Others see GnuPG as outdated. With that kind of feedback in mind, Koch decided to create a crowdfunding initiative. Money has been pouring in. When the aforementioned U.S. journalist published her article about Koch (on the news site ProPublica), donors ponied up 100,000 euros — in just a single day. Contributors said they were concerned that such an elementary function was being undertaken by only one person.
Other donors include Facebook and Stripe, which both pledged $50,000 annually. The Linux Foundation has contributed as well ($60,000). "The willingness to donate is quite high but many people were simply not aware of the need," Koch says.
Koch now wants to hire a new developer. He's also given himself a raise: he now earns an entry-level salary.