Bryan Gillson - Senior Director Product Management
Update: As of September 9, 2010, source code downloads of PGP software are again available.
Encryption has always been about trust. Questions about who you trust and who you distrust are critical to determining whether (and how) to encrypt your data. Of course, trust-related questions go beyond just specific threats and extend directly to the selection of an encryption vendor.
This is why, since its founding, PGP Corporation has made its source code publicly available for cryptographic review. We feel that the ability for the public to study our source code and personally confirm the quality, validity, and security of our cryptographic implementations has been a key reason for the trust placed in PGP Corporation and our products. This belief has been reinforced by many customers across the spectrum: corporate, individual, educational, and government.
Now that PGP Corporation is a part of Symantec, many customers have asked whether we will continue to publish our source code. In other words, does Symantec share this commitment to security and trust? The short answer is “Yes.” Symantec’s management team believes as we do: confidence in cryptographic implementations is critical to securing data against the latest sophisticated threats coming from organized criminals and nation states.
The longer answer is slightly more complex.
As with all U.S. companies selling strong encryption software, Symantec must comply with U.S. federal export regulations. These regulations require the filing of detailed information about ciphers, algorithms, functionality, and implementations. After review by the appropriate federal agencies, the products are assigned a classification and various ID numbers (you can see our existing export information here: http://www.pgp.com/products/export_compliance.html).
As part of the acquisition by Symantec, all of PGP Corporation’s products must be reclassified – and this includes the source code we make available. Standard process would involve removing our source code from our download section during the period of review. However, Symantec understands the potential impact this would have on our customers’ trust, and the questions it could raise.
Consequently, during this review period we have reached a compromise under which we will allow download and review of our source code only from within the United States. This compromise allows us to continue with this important policy while also satisfying the strict regulations under which encryption vendors must operate.
Transparency is another element of trust, so we wanted to be sure to publicly communicate this change and the rationale. While it may cause some frustration for our many users outside of the U.S., we hope you understand. We expect this will be temporary and will update our blog and source code download pages when the review and reclassification are complete.