On the first day of the sprawling RSA security industry conference in San Francisco, a giant screen covering the wall of the Moscone Center's cavernous lobby cycles through the names and headshots of keynote speakers: steely-eyed National Security Agency director Michael Rogers in a crisp military uniform; bearded and besuited Whitfield Diffie and Ron Rivest, legendary inventors of seminal encryption protocols that made the Internet safe for communication and commerce. And then there's Moxie Marlinspike, peering somberly into the distance wearing a bicycle jersey and an 18-inch-tall helmet shaped like a giant spear of asparagus. "It was the only picture I could find," Marlinspike deadpans as we walk into the building.
Even without the vegetable headwear, Marlinspike's wire-thin 6'2" frame and topknot of blond dreadlocks doesn't fit the usual profile of the crypto world's spooks and academics, nor RSA's corporate types. Walking toward the ballroom where he's set to speak on the annual Cryptographers' Panel, however, he tells me it's not his first time at the conference.
In fact, when Marlinspike made his debut visit to RSA 20 years ago, as a teenager, he wasn't invited. Lured by the promise of seeing his cryptographer heroes in person, he snuck in, somehow snagging a conference badge without paying the $1,000 registration fee. Later, he made the mistake of handing it off to friends who were more interested in scoring lunch than in hearing about pseudo-random-number generators. They were spotted and kicked out. RSA organizers must have gone so far as to report Marlinspike's mischief to law enforcement, he says; years later he requested his FBI file and discovered a reference to the incident.
A middle-aged man in a sports coat and jeans approaches us, carrying a Wall Street Journal. He shakes Marlinspike's hand and thanks him for creating the encrypted messaging app Signal, which the man says was recommended to him by a friend, a former FBI agent. Marlinspike looks back at me with raised eyebrows.
Signal, widely considered the most secure and easiest-to-use free encrypted messaging and voice-calling app, is the reason he's been invited to speak as part of the very same crypto Jedi Council he had worshipped as a teenager. Marlinspike designed Signal to bring uncrackable encryption to regular people. And though he hadn't yet revealed it at the time of the conference in March, Signal's encryption protocol had been integrated into WhatsApp, the world's most popular messaging app, with over a billion users.
I think law enforcement should be difficult. And it should actually be possible to break the law.
For any cypherpunk with an FBI file, it's already an interesting morning. At the very moment the Cryptographers' Panel takes the stage, Apple and the FBI are at the height of a six-week battle, arguing in front of the House Judiciary Committee over the FBI's demand that Apple help it access an encrypted iPhone 5c owned by San Bernardino killer Syed Rizwan Farook. Before that hearing ends, Apple's general counsel will argue that doing so would set a dangerous legal precedent, inviting foreign governments to make similar demands, and that the crypto-cracking software could be co-opted by criminals or spies.
The standoff quickly becomes the topic of the RSA panel, and Marlinspike waits politely for his turn to speak. Then he makes a far simpler and more radical argument than any advanced by Apple: Perhaps law enforcement shouldn't be omniscient. "They already have a tremendous amount of information," he tells the packed ballroom. He points out that the FBI had accessed Farook's call logs as well as an older phone backup. "What the FBI seems to be saying is that we need this because we might be missing something. Obliquely, they're asking us to take steps toward a world where that isn't possible. And I don't know if that's the world we want to live in."
Marlinspike follows this remark with a statement that practically no one else in the privacy community is willing to make in public: that yes, people will use encryption to do illegal things. And that may just be the whole point. "I actually think that law enforcement should be difficult," Marlinspike says, looking calmly out at the crowd. "And I think it should actually be possible to break the law."
Over the past several years, Marlinspike has quietly positioned himself at the front lines of a quarter-century-long war between advocates of encryption and law enforcement. Since the first strong encryption tools became publicly available in the early '90s, the government has warned of the threat posed by "going dark": that such software would cripple American police departments and intelligence agencies, allowing terrorists and organized criminals to operate with impunity. In 1993 it unsuccessfully tried to implement a backdoor system called the Clipper Chip to get around encryption. In 2013, Edward Snowden's leaks revealed that the NSA had secretly sabotaged a widely used crypto standard in the mid-2000s and that since 2007 the agency had been ingesting a smorgasbord of tech firms' data with and without their cooperation. Apple's battle with the FBI over Farook's iPhone destroyed any pretense of a truce.
As the crypto war once again intensifies, Signal and its core protocol have emerged as darlings of the privacy community. Johns Hopkins computer science professor Matthew Green recalls that the first time he audited Marlinspike's code, he was so impressed that he "literally discovered a line of drool running down my face."
While Marlinspike may present himself as an eccentric outsider, his ability to write freakishly secure software has aligned him with some of the tech industry's biggest companies. For a time he led Twitter's security team. His deal with WhatsApp means that the Facebook-owned company now uses his tools to encrypt every message, image, video, and voice call that travels over its global network; in effect Marlinspike has enabled the largest end-to-end encrypted communications network in history, transmitting more texts than every phone company in the world combined. In May, Google revealed that it too would integrate Signal into the incognito mode of its messaging app Allo. And last month, Facebook Messenger began its own rollout of the protocol in an encryption feature called “secret conversations,” which promises to bring Signal to hundreds of millions more users. "The entire world is making this the standard for encrypted messaging," Green says.
So far, governments aren't having much luck pushing back. In March, Brazilian police briefly jailed a Facebook exec after WhatsApp failed to comply with a surveillance order in a drug investigation. The same month, The New York Times revealed that WhatsApp had received a wiretap order from the US Justice Department. The company couldn't have complied in either case, even if it wanted to. Marlinspike's crypto is designed to scramble communications in such a way that no one but the people on either end of the conversation can decrypt them (see sidebar). "Moxie has brought us a world-class, state-of-the-art, end-to-end encryption system," WhatsApp cofounder Brian Acton says. "I want to emphasize: world-class."
For Marlinspike, a failed wiretap can mean a small victory. A few days after Snowden's first leaks, Marlinspike posted an essay to his blog titled "We Should All Have Something to Hide," emphasizing that privacy allows people to experiment with lawbreaking as a precursor for social progress. "Imagine if there were an alternate dystopian reality where law enforcement was 100 percent effective, such that any potential offenders knew they would be immediately identified, apprehended, and jailed," he wrote. "How could people have decided that marijuana should be legal, if nobody had ever used it? How could states decide that same-sex marriage should be permitted?"
He admits that dangerous criminals and terrorists may use apps like Signal and WhatsApp. (ISIS has even circulated a manual recommending Signal.) But he argues that those elements have always had the incentive and ability to encrypt their communications with tougher-to-use tools like the encryption software PGP. His work, he says, is to make those protections possible for the average person without much tech savvy.
To some, Marlinspike's logic isn't quite as airtight as his code. Not all criminals are tech masterminds: the San Bernardino killers, for example. Former NSA attorney and Brookings Institution fellow Susan Hennessey wonders who determines which lawbreakers deserve to be wiretapped, if not a democratically elected government? Americans have long agreed, she argues, to enable a certain degree of police surveillance to prevent truly abhorrent crimes like child pornography, human trafficking, and terrorism. "We could set up our laws to reject surveillance outright, but we haven't," she says. "We've made a collective agreement that we derive value from some degree of government intrusion." A spokesman for the FBI, when asked to comment on Marlinspike's law-breaking philosophy, replied, "The First Amendment protects people who hold whatever view they want. Some people are members of the KKK. I'm not going to engage in a debate with him."
Marlinspike isn't particularly interested in a debate, either; his mind was made up long ago, during years as an anarchist living on the fringes of society. "From very early in my life I've had this idea that the cops can do whatever they want, that they're not on your team," Marlinspike told me. "That they're an armed, racist gang."
Marlinspike views encryption as a preventative measure against a slide toward Orwellian fascism that makes protest and civil disobedience impossible, a threat he traces as far back as J. Edgar Hoover's FBI wiretapping and blackmailing of Martin Luther King Jr. "Moxie is compelled by the troublemakers of history and their stories," says Tyler Reinhard, a designer who worked on Signal. "He sees encryption tools not as taking on the state directly but making sure that there's still room for people to have those stories."
Ask Marlinspike to tell his own story, and (no surprise for a privacy zealot) he'll often answer with diversions, monosyllables, and guarded smiles. But anyone who's crossed paths with him seems to have an outsize anecdote: how he once biked across San Francisco carrying a 40-foot-tall sailboat mast. The time he decided to teach himself to pilot a hot-air balloon, bought a used one from Craigslist, and spent a month on crutches after crashing it in the desert. One friend swears he's seen Marlinspike play high-stakes rock-paper-scissors dozens of times, with bets of hundreds of dollars or many hours of his time on the line, and has never seen him lose.
But before Marlinspike was a subcultural contender for most interesting man in the world, he was a kid growing up with a different and far less interesting name on his birth certificate, somewhere in a region of central Georgia that he describes as one big strip mall. His parents, who called him Moxie as a nickname, separated early on. He lived mostly with his mother, a secretary and paralegal at a string of companies. Any other family details, like his real name, are among the personal subjects he prefers not to comment on.
Marlinspike hated the curiosity-killing drudgery of school. But he had the idea to try programming videogames on an Apple II in the school library. The computer had a Basic interpreter but no hard drive or even a floppy disk to save his code. Instead, he'd retype simple programs again and again from scratch with every reboot, copying in commands from manuals to make shapes fill the screen. Browsing the computer section of a local bookstore, the preteen Marlinspike found a copy of 2600 magazine, the catechism of the '90s hacker scene. After his mother bought a cheap desktop computer with a modem, he used it to trawl bulletin board services, root friends' computers to make messages appear on their screens, and run a war-dialer program overnight, reaching out to distant servers at random.
Moxie likes the idea that there is an unknown, that the world is not a completely surveilled thing.
To a bored middle schooler, it was all a revelation. "You look around and things don't feel right, but you've never been anywhere else and you don't know what you're missing," Marlinspike says. "The Internet felt like a secret world hidden within this one."
By his teens, Marlinspike was working after school for a German software company, writing developer tools. After graduating high school (barely) he headed to Silicon Valley in 1999. "I thought it would be like a William Gibson novel," he says. "Instead it was just office parks and highways." Jobless and homeless, he spent his first nights in San Francisco sleeping in Alamo Square Park beside his desktop computer.
Eventually, Marlinspike found a programming job at BEA-owned WebLogic. But almost as soon as he'd broken in to the tech industry, he wanted out, bored by the routine of spending 40 hours a week in front of a keyboard. "I thought, 'I'm supposed to do this every day for the rest of my life?'" he recalls. "I got interested in experimenting with a way to live that didn't involve working."
For the next few years, Marlinspike settled into a Bay Area scene that was, if not cyberpunk, at least punk. He started squatting in abandoned buildings with friends, eventually moving into an old postal service warehouse. He began bumming rides to political protests around the country and uploading free audio books to the web of himself reading anarchist theorists like Emma Goldman.