In his mid-twenties, Marlinspike wrote and self-published a handful of zines reflecting on his travels and his time in the Bay Area. I found two of them for sale on the Web site of Red Emma’s, a radical bookstore in Baltimore. They had the dense feel of a Kinko’s production, and the distinct quality of objects that did not belong to me. They seemed clearly intended for a subculture: friends, pen pals, the sort of people who browse radical bookstores in Baltimore. (Inside the package was a handwritten note from the bookseller: "Nice find ☺.") Marlinspike’s writing is earnest, funny, and occasionally swaggering. The zines do not mention his interest in computers.
By the end of the two-thousands, Marlinspike was living in Pittsburgh, in a derelict, eight-bedroom, three-story mansion that he shared with a few people. He occasionally ducked into a cryptography class at Carnegie Mellon, and with some friends formed a kind of haphazard research lab called the Institute for Disruptive Studies, which its members sometimes described as a "radical think tank." "Most of the work we do is in the area of privacy, anonymity, and computer security," the group’s Web site read, "but has also taken the shape of organic gardening techniques, community bicycle repair projects, and musical experiments." Marlinspike had a reputation in hacker communities, but in Pittsburgh he was better known for making fireworks and growing heirloom tomatoes, for his knot-tying skills, and for events that he threw with his friends. A popular one was Hat Band, for which people formed bands by picking names out of a hat, and then performed at house shows several weeks later. Marlinspike’s close friend recalled, "You could have known someone for years before that, and you never thought of them as a musician, or a songwriter, or a poet. It not only changes your perception but it changes who they are, and their perception of themselves." He said, of Marlinspike, "I think some of the things that have always been important to him are trying to find and construct these situations where you can build community and connections with people and have these transformative experiences."
Jackie Wang, an assistant professor of culture and media at the New School, who described her relationship with Marlinspike as sibling-like, met him through an anarchist community on LiveJournal in the early two-thousands, and encountered him in person for the first time at a dance party in Pittsburgh. To try to persuade friends to move to the city, she recalled, Marlinspike and a roommate had designed an "incentive package," which included a place to stay, a blind date, and a bicycle. "They were really into hospitality," Wang said, adding that, when she stayed at the mansion, a mint had been left on the pillow.
In Pittsburgh, Marlinspike uncovered an Internet vulnerability that affected nearly every popular browser. It enabled malicious actors to mount what is called a "man-in-the-middle attack"—a type of exploit in which the attacker can view and potentially alter communications between two parties and siphon data, such as log-in credentials, without detection. In 2009, Marlinspike presented the vulnerability at Black Hat D.C., an annual security conference in Washington. He took the opportunity to politely criticize the keynote speaker, Paul Kurtz, a homeland-security expert who had served under Presidents Bill Clinton and George W. Bush, and who had spoken about the need for the U.S. to take "leadership in cyberspace," arguing for collaboration among the N.S.A., law enforcement, and private industry. "You know," Marlinspike said during his presentation, "ten years ago, I feel like we would have been talking about protecting our communications from the state and the cops—not centralizing them in the hands of the state and the cops." He paused. "So I think a lot has changed." At the end of his talk, he released a new tool, SSLstrip, that automatically mounted man-in-the-middle attacks using the vulnerability he had discovered. SSLstrip elevated Marlinspike to expert status. These days, according to Dan Boneh, a cryptographer and a professor at Stanford, the practice of exposing vulnerabilities so that they can be fixed by other engineers, as SSLstrip has done, is "the bread and butter of computer security." Boneh, who teaches SSLstrip to his undergraduate students, told me, "It changed how browsers work. His attack caused the Web to change."
Marlinspike had long harbored concerns that the products and business models of private technology corporations—telecom firms, e-mail providers, search engines, social networks—would be built atop rapacious data-collection networks. It was becoming increasingly clear that the state could augment its sprawling surveillance apparatus with the help of private industry. In late 2009, Eric Schmidt, then the C.E.O. of Google, articulated a common stance on user privacy: "If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place," Schmidt said on CNBC, noting that, under the Patriot Act, which was passed in 2001 to deter and punish terrorism, and to expand the resources available to law enforcement, Internet-service providers could be compelled to share user activity with the authorities. To Marlinspike, this attitude was emblematic of what he saw as a growing threat to everyday Internet users. In response to Schmidt’s comment, and to Google’s business model, Marlinspike began working on a browser extension, GoogleSharing, for Firefox. Google’s business model relies on tying users’ disparate metadata to their activity, which is often achieved by having users log in to their accounts before accessing services. GoogleSharing pooled users’ activity on Google services and anonymized personal information, scrambling individual activity and assigning it to generic proxy identities. This prevented Google from building user profiles, and from collecting information from services that did not require a log-in. Marlinspike no longer maintains the software, but it is still available to download, for free, on GitHub, and has a successor, DuckDuckGo, a search engine that strips queries of identifying data.
In 2010, Marlinspike and Stuart Anderson, a friend and a robotics Ph.D. student at Carnegie Mellon, left Pittsburgh and moved to the Bay Area. They formed a small mobile-security startup, Whisper Systems, and worked on a suite of tools, including RedPhone and TextSecure, two Android apps for encrypted communication. In 2011, at the height of the Arab Spring uprisings, they hurriedly designed international editions of RedPhone and TextSecure, specifically for use by Egyptian protesters.
After less than a year, Marlinspike and Anderson, Whisper Systems’ only employees, sold the startup to Twitter, for an undisclosed sum. (In 2016, Marlinspike told Wired that it was the most money he had ever seen—"but that’s a low bar.") At the time, Tyler Reinhard, a longtime friend of Marlinspike’s, and the original designer of RedPhone (and, later, Signal), considered the apps to be more of a proof of concept than a business. RedPhone and TextSecure, he said, were "the antithesis to the dominant view that encryption would never be user-friendly. If the goal was to make the point, the point was well made." Twitter, then five years old, had become a popular target for hackers; after two security breaches, the Federal Trade Commission had investigated its user-information practices. Reinhard saw the acquisition as a sign that Twitter wanted to take user privacy seriously.
After the acquisition announcement, Twitter temporarily shut down RedPhone. Activists and human-rights advocates worried that revoking the service would put the app’s users in danger, by shutting off a secure-communication channel. (Three weeks later, Twitter announced that it would release the code for RedPhone and TextSecure as open-source projects hosted on GitHub, enabling others to maintain the services.) Marlinspike became Twitter’s head of product security, and prepared to encrypt a large-scale system. A colleague of his from the time recalled that he was quiet, and had a pronounced sense of the company’s responsibility to the user: "It was a vibe of ‘They’re giving us their time and their ideas, and we owe them, in return, the honor and respect of being able to use the product safely and securely.’ " Marlinspike is reticent about his stint at the company, but Nick Bilton, the author of a book about Twitter’s chaotic early years, told me that the boardroom dynamics were constantly compared to "Game of Thrones." "There was so much backstabbing," Bilton said. "There was no one driving the ship. It was sheer dysfunction." Privacy and safety took a back seat to growth. Direct messages on Twitter are still not end-to-end encrypted.
Marlinspike and a friend owned a Hobie Cat 15, a light fibreglass catamaran. One day in March, 2012, four months into Marlinspike’s job at Twitter, they decided to anchor it in San Francisco Bay, to avoid paying dockage fees. Marlinspike took the catamaran out, and his friend followed in a rowboat. It was dusk, and the conditions were rough; both boats were blown into the bay. As they began to change course, a gust of wind capsized the catamaran, turning it upside down. Marlinspike, who later wrote about the incident in a blog post, tried swimming to shore, but his body began to shut down; the temperature of the bay in early spring averages fifty-four degrees. He returned to the boat, clung to the hull, and tied a line around his wrist, to make his body easier to find. As his vision began to tunnel and his limbs lost sensation, a tugboat passed. The crew pulled Marlinspike out of the water and tried to warm him in the engine room. At the hospital, he went in and out of consciousness; his temperature was too low to register on the digital thermometers, which tend to have a floor of just under ninety degrees. "There’s a tension between how the world works and the feelings after a near-death experience," Marlinspike said, as we sat on the beach in our masks. "You’re sort of questioning, ‘What are we all doing here?’ You can’t feel that forever, because you’re constantly confronted with a different reality."
In early 2013, Marlinspike left Twitter, forgoing about a million dollars in stock. (Anderson stayed at the company for another year.) Soon after, Marlinspike started a nonprofit, Open Whisper Systems, returning to work on the open-source versions of RedPhone and TextSecure.
Marlinspike does not take credit for the growth of Signal in the twenty-tens. "I think it’s possible to look at technology in the same way that Marxists would talk about history, as this thing that has its own agency and force and inevitability," he said. "It’s this thing that’s just happening, and you’re moving with it." Instead, he cites a number of factors as having led to a resurgence of interest in encryption, including the rise of mobile devices, which offered software engineers a new forum in which to experiment, and the proliferation of chat applications. And, in the spring of 2013, Snowden, at the time a National Security Agency contractor and a former C.I.A. employee, disclosed classified information about the N.S.A.’s sprawling surveillance programs, which were bolstered by user data obtained from Google, Facebook, Yahoo, Microsoft, A.T. & T., and Verizon. Snowden revealed that the N.S.A. had subverted the National Institute of Standards and Technology (N.I.S.T.), a government agency that, among other things, developed guidelines for cryptography. The N.I.S.T.’s cryptography standards included four algorithms that generated random strings of numbers, which were used to encode data. The N.S.A. had created a backdoor to one of these algorithms, rendering it insecure. Until that point, Marlinspike said, the N.I.S.T. and other working groups "had a sort of monopoly on defining what was acceptable and thus what was possible." He described what ensued as a "brief renaissance."
Open Whisper Systems operated out of a rickety office in the Mission; a CrossFit gym directly above made the ceiling shake. It had a fiscal sponsor, the Freedom of the Press Foundation, and ran on a shoestring budget, assisted by grants from the Shuttleworth Foundation, the Knight Foundation, and the Open Technology Fund. Marlinspike calculates that, in the organization’s first five years, there were, on average, "2.3 full-time software developers." He worked on the TextSecure Protocol with Trevor Perrin, another cryptographer. Software protocols are robust descriptions of how systems should function; Marlinspike’s aim was to write something straightforward and compelling enough that other messaging platforms would want to adopt it, adding end-to-end encryption to their existing tools. At the time, most popular encryption protocols were designed for interactive applications that required all parties to be online simultaneously. These protocols included properties such as "forward secrecy": the regular changing of secret keys over time, which corrected the vulnerability of using a single private key across all encrypted correspondence. TextSecure’s innovation was to adapt these protocols, and replicate their properties, for the mobile chat environment, in which conversations are asynchronous, long running, and unpredictable: connections drop; people come and go. Perrin told me, "Most prior systems put encryption in the foreground: users had to jump through hoops to create and manage their secret keys and other people’s keys." He and Marlinspike had wanted their end-to-end encryption to work "so smoothly that it would be invisible."
In late 2013, Marlinspike met Brian Acton, a founder of WhatsApp, and expressed interest in adding end-to-end encryption to the messaging service. Shortly thereafter, in early 2014, WhatsApp was acquired by Facebook, for twenty-two billion dollars. That year, Open Whisper Systems merged RedPhone and TextSecure into a single communication tool for Android and iOS, and called it Signal. Marlinspike spent much of 2015 making trips to Mountain View, where he worked closely with Acton on implementing the Signal Protocol in WhatsApp. Acton is about a decade older than Marlinspike, and in some ways his foil: a Stanford graduate who worked in security at Apple, Adobe, and Yahoo before launching his own company. Acton was taken with Marlinspike’s technical vision. "The dude can get stuff done with high quality and high output," he said. "He naturally emerges as a leader because of his capability and his proficiency. To have done that with less formal training than the normal guy, I think, is outstanding." He also liked Marlinspike’s low-key nature. "He’s a very thoughtful and conscientious person," he said. "In corporate America, security incidents often result in what I would call the corporate freakout. A guy like Moxie is sort of unflappable."
In 2017, Marlinspike and Perrin were awarded, for their work on the Signal Protocol, the Levchin Prize—a new accolade, established by the entrepreneur and PayPal co-founder Max Levchin, for real-world applications of cryptography. During Marlinspike’s acceptance speech, which he requested go unrecorded, he deferred to history, saying that the celebration should be of technological progress rather than of any particular individual. Boneh, the Stanford professor, who chaired the award committee, said that the message was "really, really beautiful," but he didn’t entirely buy the idea that, without Marlinspike, widespread end-to-end encryption would have been inevitable. "Maybe it is true, but it would have taken many more decades," he said.
That year, Acton left Facebook, later attributing his departure to intractable differences about privacy practices. At the heart of the conflict was tension with Facebook’s top executives, Sheryl Sandberg and Mark Zuckerberg, who wanted to extend Facebook’s targeted-ad network to WhatsApp. End-to-end encryption precluded the collection of message content that would be valuable to advertisers. In early 2018, Acton and Marlinspike announced the formation of the Signal Foundation, a nonprofit. Acton, the foundation’s chairman and sole member, seeded it with a no-interest, fifty-million-dollar loan.
Acton and Marlinspike wanted to demonstrate that it is possible to build mainstream technology that is not beholden to the incentives of venture capital, or to markets, despite the overwhelming cost of producing and maintaining software. Signal has always been remote. Its nonprofit status protects it from outside interests demanding rapid returns. Nonprofits cannot be acquired by for-profit companies, so there will be no repeat of what happened between Whisper Systems and Twitter, or between WhatsApp and Facebook. Acton told me, "The user is the customer, and we can actually put them first in terms of what their needs and their desires are, rather than a corporate bottom line or a profit motive or anything else. To me, it’s a powerful message to deliver."
Signal is compensated for implementations of the Signal Protocol on a pay-as-you-wish basis. Skype has used the protocol for its "Private Conversations" setting, and Facebook Messenger has used it in a feature called "Secret Conversations"; Marlinspike declined to say how much either company donated. He thinks a lot about how to bring the Signal Protocol to the "long tail of the Internet"—the galaxy of smaller apps and services that could be encrypted, given enough time and resources. Signal’s employees are paid competitively; still, the organization has trouble vying with major corporations for engineers. As C.E.O., Marlinspike takes a salary in the low six figures, modest for the software industry, and makes less than the median salary at Facebook. He is still ambivalent about Silicon Valley’s professional security culture. He described recent industry conferences in Las Vegas, where, he said, "you’d go to this club and there’d be a bouncer with a velvet rope or whatever. I’d always want to ask the bouncer, ‘How can you take yourself seriously, man? You should be trying to prevent us from getting out. It’s, like, a negative-cool space inside.’ "
Signal now has thirty-six employees. Marlinspike told me that he tries to find ways to facilitate collective decision-making. Nora Trapp, Signal’s iOS lead, said, "If there has to be a person who is representing us, it’s good that Moxie is that person. But I also think that having just one individual serve that role is a little bit counter to the way we work and the way we function." Perrin told me that, despite appearances, "Moxie leads from the front, and he just leads by doing. One of his favorite quotes is ‘The only secret is to begin.’ If you want to get good at something or do something, you just do it, and you figure it out along the way."