Informsec2013: Final Report (Milestone #4)

Period: March 25, 2013 - August 30, 2013

Delivered: 2013-08-30

Analysis

["A discussion of the overall performance of the program, including details of any discrepancies between expected and actual results and any recommendations for improving the design of the program; how unforeseen circumstances affected overall performance compared to original assumptions (if applicable), how activities were accordingly adjusted or retargeted. This should not be a description of activities, but rather a broader analysis that examines progress in the context of program objectives and expected results."]

The goal of this Gpg4win related program was to enable more users worldwide to use cryptography for the exchange of files and emails. New technical improvements of the crypto software Gpg4win were to be made and "field tested" by interaction with the user community.

The project can be considered a success. Especially the new comfort functions for newer versions of Outlook (2010 and 2013) and the 64bit Explorer plugin were met by good user feedback. The group of international users that can use Gpg4win for their version of Windows and Outlook was substantial extended.

On some points the results deviated from the original plans by a small margin, sometimes above, sometimes below initial expectations, but always within the normal course of an IT project:

1. The tests for Windows 8 and Outlook 2013 ran fine, so these platforms fully benefit from the improvements, especially from the Outlook and Explorer plugins.
2. Some smaller technical internationalization issues could not be fully resolved during the timeframe. Main reason is that international feedback was slower to come as expected. These type of defects can only be found by good international testing and the timeframe was too short for this.
3. Basic crypto support of GpgOL for Outlook 2010 and 2013 did not see as much field testing and feedback from the community as envisioned. A likely explanation is that the label "beta" did not draw enough attention for users to perform the test and internationally the availability of new versions of Gpg4win needed to trickle through to potential users.

The project was completed within the given timeframe.

The 1st milestone was delayed one week because of an unexpected severe technical defect. The remaining timeline was unaffected, all following milestones were delivered at due date.

Recommendations for future programs for Gpg4win

Given the timeframe and the budget the design of the project was good. A followup project would choose different technical improvements as goals, but could use the same procedural setup. Small improvements are possible in the area of allowing more time for initiating and collecting international feedback.

Summary of activities and achievements

["This section should highlight individual activities and include a description of progress towards results and relevant trends. Other pertinent information including, when appropriate, success stories (if available) which illustrate the direct positive effects of the program, and quotes from participants that reveal the need for project activities, learning, and impact."]

Since project start in April 2013 we have released 2 stable and 4 beta '''Gpg4win versions''':

• Gpg4win 2.2.0 (2013-08-21)
• Gpg4win 2.2.0-beta56 (2013-08-13)
• Gpg4win 2.2.0-beta34 (2013-07-17)
• Gpg4win 2.2.0-beta31 (2013-07-15)
• Gpg4win 2.1.1 (2013-05-31)
• Gpg4win 2.1.1-beta197 (2013-05-16)

During the duration of the project we have interacted with the user community via public channels (mailing lists, issue trackers). We get a lot of user feedback about Gpg4win releases, but less than expected. Feedback from German users were overrepresented during the project.

A new '''wiki''' (http://wiki.gnupg.org) was set up to add important and helpful information about GnuPG and Gpg4win ''together'' with the community.

As the PRISM program of the NSA was published in early June the public discussion in Germany triggered a strongly increased interest in email encryption, especially in Gpg4win. Since this time the '''number of Gpg4win downloads''' (from the primary download server gpg4win.org) have more than doubled: from ca. 2000 downloads per day (January to May 2013) to ca. 4100 downloads per day (in July/August 2013). It cannot be determined which part of the increase is from the upcoming of the debate or the release of new versions. The publication of new versions always let to higher download numbers in the past.

Also the (non-technical) '''press''' recognize the value of the software product Gpg4win in their reports (see https://wiki.gnupg.org/press for a list of German press reports).

During the project there was more traffic on the '''public Gpg4win mailing lists''', especially the German users list saw a clear increase caused by the discussion about PRISM in Germany (July 2013: 103 mails, January to June 2030: <12 mails) and the publication of the Gpg4win releases.

The '''donations''' - accepted by the Gpg4win initiative for the maintenance - increased in the first 8 month of 2013 at the total value of 1258,-- EUR. This reflects the increased user acceptance - compared with the previous years:

  2013*  1.258,-- EUR
  2012   1.490,-- EUR
  2011     513,-- EUR
  2010     582,-- EUR
  2009     257,-- EUR
  2008      44,-- EUR
  2007     325,-- EUR
  2006      68,-- EUR
  -------------------
  Total: 4.537,40 EUR

*) as of: 2013-08-27

Here are some selected quotes from donors in 2013:

• "Thanks for your hard works folks - I appreciate it!"
• "Danke!"
• "Keep up your work!"''
• "Thank you very much for providing software that helps people protect and safeguard their personal and private data. I especially thank you for keeping the software constantly updated!!"''
• "Thank you."''
• "A big thank you. Vielen Dank. Keep up the good work."
• "Keep up the excellent work."
• "Thanks for your hard work."
• "Guys,... this is an amazing piece of software! Keep on the good (-Important-)work ;-)"
• "it's a major improvement in the UI experience for users."

Monitoring and evaluation

["Provide data on project indicators as per Delivery Instructions in Appendix D, Schedule of Millstones."]

Several Gpg4win product releases were done, as outlined above. The participation on the mailing lists, trackers and the in download numbers and pick up of news items were monitored. The monitoring showed that the project made successive progress during its timeframe. Increase in participation of users and in the download number showed that the work was matching the need of world wide users, though community participation was much higher from Germany than from other countries.

Challenges

["Problems encountered, reasons why established goals were not met, if appropriate, the impact on the program objective(s), and how challenges or problems were addressed."]

There are some technical challenges during the development of Gpg4win:

• Before milestone 1 we migrated our Gpg4win build system on a new (i686-w64-mingw32) tool chain. This was more difficult and consumed more efforts than expected (e.g. fixes for many included Gpg4win packages were required to allow the use of that tool chain). That was one reason for the delay in milestone 1.
• Improvement of GpgOL was the biggest development part in the project - with the highest project risk. Outlook 2010 and 2013 use a new plugin interface which required a redevelopment of the Outlook plugin GpgOL based on Outlook 2003/2007. A full crypto support for the newer Outlook versions was not possible in the given timeframe - that was already expected. Technical issues in using the (partly closed and not well documented) Outlook API was an important challenge to realize the existing support for Outlook 2010/2013. One example: GpgOL currently inserts signature and encryption directly in the mail body ("no-mime") instead of adding attachments and using the MIME standard (desired solution). Technical details are reported and discussed already on mailing list and in the public GnuPG wiki. Some potentially usability issues of this GpgOL version are known but related to the 'using-mime-challenge' mentioned above.

A non-technical challenge in the project was triggered by the public debate about PRISM and privacy (partly discussed on Gpg4win mailing lists). It allocated extra attention of our Gpg4win development team and required e.g. answers about technical and historical information of Gpg4win to convince new users.

Recommendations

["Recommendations for networking and future events."]

The work done was very valuable for Gpg4win and raised the chances of more crypto usage worldwide. Because both the concepts behind and crypto and the OpenPGP standards for files and emails are not yet part of widespread cultural knowledge. Anything to spread this knowledge is useful. Here are some idea:

• Provide courses about getting started using secure email communication with Gpg4win. This means both organizing courses and train-the-trainer events as well as course material based on the Gpg4win compendium.
• Public Gpg4win user and development meetings as crypto events (with signing parties, workshops and code sprints).
• More public relations work to propagate the idea of end-to-end encryption with Gpg4win and OpenPGP.
• Collecting ideas for new Gpg4win features from the user community.
• Build up the Gpg4win community. (See the remarks about a balanced participant structure in ''Reiter, B., Wagner, J.-O: Sustainable Free Software: From project to permanent activity, using the example Gpg4win - Short study, June 2006.'' (http://www.gpg4win.de/ShortStudy-Sustainable-FS-example-Gpg4win.html)
• Promote OpenPGP to increase the number of people that are able to act as crypto communication partners. See the STEED concept, especially ''Koch, W., Brinkmann, B.: STEED — Usable End-to-End Encryption Whitepaper g10code, 2011-07.'' (accessible from http://g10code.com/steed.html)