Taking Back Our Privacy
Moxie Marlinspike, the founder of the end-to-end encrypted messaging service Signal, is "trying to bring normality to the Internet."
By Anna Wiener
- New!
Walking down Abbot Kinney Boulevard, the retail strip in Venice, California, can feel like scrolling through Instagram. One afternoon this July, people sat at outdoor tables beneath drooping strings of fairy lights, sipping cocktails and spearing colorful, modestly dressed salads. The line for Salt & Straw, a venture-funded, "chef-driven" ice-cream shop, stretched up the block, and athleisure-clad twentysomethings photographed themselves eating waffle cones, fabric masks pulled down around their chins like turkey wattles. A month earlier, Abbot Kinney had become a central gathering place for protesters during the mass demonstrations against police brutality and systemic racism. Moxie Marlinspike, who firmly supported the protests, noticed that many of the high-end businesses, fearing looters, had boarded up their windows, then decorated the plywood with murals and messages in support of Black Lives Matter. "It kind of reminded me of how, right after the Russian Revolution, a lot of the zeks—the sort of criminal underclass—would get full-chest tattoos of Marx and Lenin and, later, Stalin because they thought the Bolsheviks would be less likely to kill them," he joked, as we wandered along the Venice Beach boardwalk.
Marlinspike is the C.E.O. of Signal, the end-to-end encrypted messaging service, which he launched in 2014; he is also a cryptographer, a hacker, a shipwright, and a licensed mariner. Tall and sinewy, with the build of a natural athlete who abstains from team sports, he was wearing black jeans, a black T-shirt, black Teva sandals, a denim jacket, and a white N95 mask. He has blond dreadlocks, which he had tucked under a blue cap. An avid surfer, he had been living in the neighborhood with friends for about two years, but, aside from the ocean, it held little appeal for him. "Living in Venice is like living at the end of the world, the end of history," he told me, dryly. "All the decisions have been made. This is the world we get."
Signal’s growth has corresponded to periods in which decisions are questioned or undone—to moments of social and political upheaval. With end-to-end encryption, the content of every communication—a text message, a video chat, a voice call, an emoji reaction—is intelligible only to the sender and the recipient. If an exchange is intercepted, by a hacker or a government agency, the interloper sees a nonsensical snarl of letters and numbers. Signal does not share growth metrics, but in late 2016 Marlinspike told the Times that the number of daily Signal downloads had grown by four hundred per cent since the election of Donald Trump. This summer in the U.S., the service was flooded with an estimated several million new users. In early July, after China imposed a sweeping national-security law, Signal was briefly the most downloaded app in Hong Kong. The Electronic Frontier Foundation includes Signal in its "Surveillance Self-Defense" guide; Edward Snowden, a friend of Marlinspike, has endorsed it for years.
All this has given Signal a halo of subversion, but Marlinspike believes that encrypted-communication tools are necessary not just in times of political tumult. Most people who use social networks and chat services, he argues, assume that their digital communications are private; they want to share their thoughts and photographs with their friends—not with Facebook and Google, not with advertisers, and certainly not on the dark Web. "In a sense, I feel like Signal is just trying to bring normality to the Internet," he said as we sat on a patch of grass near the beach. "A lot of what we’re trying to do is just square the actual technology with people’s intent." He plucked two small feathers out of the grass, rolled them between his fingers, and planted them upright in the dirt.
Since Signal was released, it has evolved from a niche tool, touted by the privacy-minded and the paranoid, into a mainstream product recommended by the Wall Street Journal. Activists use Signal to coördinate protests, lovers to conduct affairs, workers to unionize, finance professionals to exchange sensitive information, drug dealers to contact customers, journalists to communicate with sources. The app has appeared, shimmering with significance, on the TV shows "Mr. Robot," "House of Cards," and "Euphoria." Signal is also reportedly used by the Democratic National Committee, the United States Senate, the European Commission, law-enforcement agencies, Rudy Giuliani, and Melania Trump. "Signal is a piece of public infrastructure, critical infrastructure," Snowden, who met Marlinspike in 2015, in Moscow, told me over the encrypted video-chat service Jitsi.
Marlinspike is punctual, affable, and unassuming; even his gait is mild. Sometimes while he speaks he gently snaps his fingers, like a metronome. He talked about the "diabolical" ways that the Internet has eroded the barrier between our personal and professional identities. "People who aren’t even professional writers have to consider that their communication is being consumed," he told me. "Anything that I’ve ever written or created, one way or another, about anything is sort of embarrassing to me a month later. Even more so five years later."
When we first spoke, Marlinspike stressed that he didn’t want to discuss his personal life, a stipulation to which I agreed. Later, after a series of mutually fraught conversations, it became clear that we did not have a common definition of personal information. For him, it included basic biographical facts: age, home town, birth name. (Moxie was a childhood nickname; he declined to elaborate on his surname’s origins.) During several days of conversations in Venice, he was chatty, pleasant, and guarded, avoiding specificities and controversial comments. In the coming weeks, we continued talking, always on the phone, via Signal, and mostly off the record. The telephone is an inherently intimate medium, and the reassurance of an encrypted connection made it feel more so. Still, Marlinspike remained a little opaque to me. I felt that I understood him better through his blog and his social-media runoff—exactly the material he wanted to keep separate from his professional life.
Brit Marling, the actor and writer, who has been a friend of Marlinspike’s for more than a decade, described his "daring and dazzling" discussions with friends. "There’s nothing that you can say to him that’s going to hit a wall," she said. But she related to his desire for privacy: "As people start to tell you who you are, you start to be boxed in by that impression. I think that’s something Moxie has actively resisted, with a lot of energy." Snowden described Marlinspike as "phenomenally interesting," "remarkable," "wickedly funny," and a "wild, almost literary figure," but, not wanting to discourage others from following Marlinspike’s example in challenging the status quo, advised against mythologizing him: "He is an exceptional individual. But, also, what is the seed of him that is ordinary?"
Marlinspike will share that he was born in the early eighties, in Georgia. He spent much of his youth immersed in anarchist literature and communities, and anarchism’s inherent critique of authority is still important to him. This orientation is unusual in the tech world, although its right-wing analogue, libertarianism, is pervasive. "Liberalism basically says that we should all be free to talk about the world we want, and then we have a marketplace of ideas that we can select from," he said. "I think anarchism’s comment on that is it’s not enough just to talk about things—that you can’t actually know unless you experience or experiment with something."
Signal, as a nonprofit, is an outlier in the tech industry. It runs entirely on donations. "Signal’s mission has always been to make end-to-end encryption as ubiquitous as possible, rather than a commercial success," Marlinspike said. Its code base is open-source—publicly available for anyone to download and comment on—and subject to peer review. Most tech companies readily coöperate, and make contracts, with governments, but Signal was founded on the premise that mass surveillance, particularly by governments and corporations, should be impossible. Signal itself cannot read the messages that its users send, and does not collect user metadata. It keeps no call logs or data backups. Signal claims that it has no "backdoors"—built-in circumvention methods designed to give law enforcement or corporations access to encrypted content. In 2016, Signal received a subpoena as part of a federal grand-jury investigation, accompanied by a gag order. A similar request to Google or Facebook likely would have yielded subscriber records with information such as names, credit-card numbers, I.P. addresses, and activity logs. A search warrant would produce e-mails and chat transcripts. Signal could only proffer the relevant phone number’s account-creation date and the date when it had last connected to Signal’s servers. This was a point of pride: Marlinspike posted responses to the gag order and subpoena on Signal’s blog. "Electronic service providers—who have dual roles as custodians of Americans’ private data and as necessary actors in the execution of government surveillance requests—have a critical role to play, and perspective to share publicly, about government surveillance practices," the author of the responses, an A.C.L.U. lawyer, wrote.
Advocates of end-to-end encryption argue that any backdoor into an otherwise secure system will immediately become a target for foreign adversaries, terrorists, and hackers. But critics claim that end-to-end encryption could shield terrorist plots, child sexual exploitation, and other criminal activities. Some people note that strong encryption could preclude content moderation, potentially allowing disinformation, hate speech, propaganda, harassment, and incitements of violence to flourish. Governments have pushed hard for backdoor access to encrypted systems; China, Iran, and Russia have banned various messaging apps and services that provide end-to-end encryption. In 2016, Britain passed the Investigatory Powers Act, which authorizes the government to compel communications providers to remove "electronic protection" from any communications and data; in 2018, Australia passed controversial data-encryption laws that allow law-enforcement agencies to demand that private companies include backdoors in their products. Earlier this year, Attorney General William Barr praised a new bill in Congress, the Lawful Access to Encrypted Data Act, that, among other things, would require communications providers, hardware manufacturers, tech companies, and others to decrypt data upon provision of a warrant. (Marlinspike told me, "Every time Bill Barr talks about cryptography, I’m, like, Damn, I really wish I could read his Signal messages.")
Enforcing laws, Marlinspike believes, should be difficult. He likes to say that "we should all have something to hide," a statement that he intends not as a blanket endorsement of criminal activity but as an acknowledgment that the legal system can be manipulated, and that even the most banal activities or text messages can be incriminating. In his view, frequent lawbreaking points to systemic rot. He often cites the legalization of same-sex marriage and, in some states, marijuana as evidence that people sometimes need to challenge laws or engage in nominally criminal activity for years before progress can be made. "Before, it was inconceivable," he said. "After, it was inconceivable that it was ever inconceivable." Privacy, he says, is a necessary condition for experimentation, and for social change. He compares the need for a secure digital space to the need for a private domestic one—where, for instance, a child might safely experiment with gender identity or expression. "If I’m dissatisfied with this world—and I think that I might be—a problem is that you can only desire based on what you know," Marlinspike said. "You have certain experiences in this world, they produce certain desires, those desires reproduce the world. Our reality today just keeps reproducing itself. If you can create different experiences that manifest different desires, then it’s possible that those will lead to the production of different worlds."
In the U.S., for most of the twentieth century, encryption was considered a tool of national security. Most cryptography research was done by the National Security Agency; elsewhere, the topic was considered taboo. Academic papers on encryption were classified. Cryptographic devices were categorized as munitions, and subject to export controls. The government’s caution had to do with the fragility of cryptosystems at the time: to decode encrypted messages, correspondents had to agree in advance on a shared private key, a piece of information that radiated liability. Then, in 1976, Whitfield Diffie and Martin Hellman, researchers at Stanford, published a paper that introduced what would come to be called the Diffie-Hellman key exchange. In this system, a software program generates for every correspondent two cryptographic "keys"—one public, one private—that are mathematically linked. The public key is used to encrypt messages sent by others; the private key, which is kept secret, is used to decrypt them. In such a system, there is no prearranged code, no third-party item of information. The invention, which Stanford patented, effectively ended the N.S.A.’s stranglehold on encryption technology.
In the early nineties, with the advent of the commercial Internet, businesses argued that encryption—often referred to as "crypto," before the moniker was co-opted by digital-currency enthusiasts—was necessary for secure transactions. In what became known as the Crypto Wars, the U.S. government, worried that encryption would make the Internet impossible to control, attempted to crack down on encryption software, in part by invoking the munitions-export law. The cypherpunks, a loose group of engineers and activists who saw encryption as fundamental to a free society, responded by distributing encryption software online and via floppy disk. The resistance had a prankster spirit. To get around the export controls, cypherpunks printed encryption source code on T-shirts and in books.
In 1993, when telecom systems were widely computerized, the N.S.A. proposed a "key escrow" system: a piece of silicon called a Clipper Chip would be implanted in all new telephones and electronic-communication devices. Such hardware would allow standard encryption while giving the government a backdoor that it could use to intercept otherwise private conversations. The Clipper Chip was abandoned within three years, after a security researcher uncovered a flaw that effectively allowed would-be attackers to bypass the entire system. In any case, the export controls by that point had relaxed, and, by the late nineties, encryption software was circulating in abundance.
As a child, Marlinspike was only ambiently aware of the Crypto Wars. He took a liking to computers in middle school, and spent hours in the library and local bookstore reading about them. The principles of cryptography "have a childhood appeal," he told me, noting how children "write in invisible ink with lemon juice, they speak in pig Latin, they come up with their own codes, they do Caesar ciphers, stuff like that." He began learning about more advanced cryptography, like the Diffie-Hellman key exchange, and found it unintuitive and surprising—magical. "Without prearranging anything, two people can start talking to each other in a way that nobody can understand, even if they hear the entire conversation," he said. "You wouldn’t think that would be true. You can just start with nothing."
As the commercial Web developed, Marlinspike found like-minded people on Internet Relay Chat (I.R.C.), a messaging service that was popular among early Internet users, including hackers. Hacking was a way to access useful information: copyrighted software manuals, intel on how to make long-distance phone calls for free. In his view, the insecurity of the nascent commercial Web was a threat to corporations, not to people. Relatively few companies collected the kind of sensitive user data—Social Security numbers, credit-card details, banking information—that is now regularly stolen, and sold, in data breaches. "The stakes were just so low," he told me. "The economy was not connected to the Internet, for the most part."
Marlinspike described himself as the type of teen-ager who was always searching for "secret doors": chutes and ladders to escape the drudgery of routine. He did not like school, and took software-engineering jobs at local technology companies, heading to work after classes let out. In 1995, he saw the movie "Hackers," a thriller about teen-agers in New York City who are framed for cybercrimes by a computer-security professional. The film is full of neon animations, nineties tech references ("RISC architecture is gonna change everything"), and packs of leather-clad teens with nontraditional haircuts huddled around bulky laptops. It is also a Gen X sellout narrative: the villain is an erstwhile hacker seduced to the dark side by corporate America. Sitting in the theatre, Marlinspike felt a new excitement about the future. (He has since seen the movie more than two dozen times.) Soon after, he travelled to New York to meet friends from I.R.C. They got around the city on Rollerblades and went to an arcade, where his friends hacked the payment system. The M.T.A. had recently introduced the MetroCard, part of a complex new computer network; his friends hacked that, too. "It was just like ‘Hackers,’ " Marlinspike recalled.
In the late nineties, after graduating from high school, he moved to San Francisco. He spent his first few nights in Alamo Square Park, sleeping across from the Painted Ladies—the row of pastel Victorians associated with the cozy domesticity of "Full House"—with his backpack and computer beside him. Within a few days, he found a couch to sleep on; within a few weeks, he found a job at the software company WebLogic—"a normal dot-com thing of that era." The company had free beer on Fridays, which made him feel like he was getting away with something. Still, he found it difficult to make friends with his colleagues. "I was just trying to pass, because I was way younger than everyone else," he said. He was eighteen.
In Silicon Valley, the underground hacker subculture that Marlinspike had admired was morphing into the security industry. As more companies moved online, they built cybersecurity departments, to defend against "black hat" (malicious) hackers. Software engineers began marketing themselves as "white hat" (ethical) hackers, charging high consulting rates. "In retrospect, the only color hat was green," Marlinspike said. "On either side of that thing, it had all somehow become about money." Marlinspike disliked the Silicon Valley security culture, which he found exclusive and self-congratulatory, and instead found community in the Bay Area punk scene.
At the height of the dot-com bubble, he left his software job and spent a while hitchhiking and freight hopping around the country. He lived cheaply, occasionally dumpster diving and squatting on rooftops, charging his electric toothbrush in coffee shops. He built a Web site, the Distributed Library Project, where people could catalogue their home libraries and swap books with other readers. (The site, which was never meant to be a commercial enterprise, attracted a few hundred users but never quite took off: people liked creating and updating their own reading lists but were less inclined to meet up in person.) He helped establish Station 40, an anti-capitalist housing collective and event space in San Francisco’s Mission District, and volunteered with Food Not Bombs, a nebulous international network of activist groups that prepare and serve free vegan food, in protest of consumerism, poverty, and war.
When I asked about his experience with anarchist groups at the time, he responded warily. "It’s a fraught thing, in the sense that people think about anarchism, anarchy, anarchists in a lot of different ways," he said. "If anarchy is a tension away from authority, and toward collective decision-making, individual responsibility, creating a world that we want, that we control ourselves—that is a lot of work. I feel it’s a project of improving the world, and also of self-improvement. But it can look really messy." Mostly, he found himself in a lot of meetings, discussing the finer points of governance.
In the early two-thousands, he taught himself to sail by taking a solo two-month round trip to Mexico on a twenty-seven-foot Catalina with a broken engine. Later, he and three friends bought a fibreglass boat on Craigslist for a thousand dollars, restored it, and sailed through the Florida Keys to Grand Bahama Island. That trip, and another the following year, to the Dominican Republic, cost them less than five hundred dollars each. "Hold Fast," a "video zine" made by Marlinspike about their travels, gives the impression that they are graced with the sort of freedom and youth that stops time. In the film, Marlinspike introduces his crewmates. "If Lisa’s single greatest fear is collision at sea, Allie’s is running aground," he says in a voice-over. "And then, of course, there’s me. My greatest fear is routine."
Marlinspike’s outsized adventures were balanced with meticulous, solitary programming projects. He primarily did independent security research—a polite term for ethical hacking. In 2002, he discovered a major vulnerability in Microsoft’s Internet Explorer, and published on his personal Web site, thoughtcrime.org, a software program that replicated the attack. Web-site operators could use the program to find weaknesses in their own sites and services; savvy Internet users could test the security of the sites they visited. Marlinspike received attention from the hacker and security communities for his work, but was disinclined to capitalize on it. Eventually, he added a donation button, like a tip jar, to his Web site. A close friend of his told me, "I think Moxie is someone who’s luckily not motivated by making money."
In his mid-twenties, Marlinspike wrote and self-published a handful of zines reflecting on his travels and his time in the Bay Area. I found two of them for sale on the Web site of Red Emma’s, a radical bookstore in Baltimore. They had the dense feel of a Kinko’s production, and the distinct quality of objects that did not belong to me. They seemed clearly intended for a subculture: friends, pen pals, the sort of people who browse radical bookstores in Baltimore. (Inside the package was a handwritten note from the bookseller: "Nice find ☺.") Marlinspike’s writing is earnest, funny, and occasionally swaggering. The zines do not mention his interest in computers.
By the end of the two-thousands, Marlinspike was living in Pittsburgh, in a derelict, eight-bedroom, three-story mansion that he shared with a few people. He occasionally ducked into a cryptography class at Carnegie Mellon, and with some friends formed a kind of haphazard research lab called the Institute for Disruptive Studies, which its members sometimes described as a "radical think tank." "Most of the work we do is in the area of privacy, anonymity, and computer security," the group’s Web site read, "but has also taken the shape of organic gardening techniques, community bicycle repair projects, and musical experiments." Marlinspike had a reputation in hacker communities, but in Pittsburgh he was better known for making fireworks and growing heirloom tomatoes, for his knot-tying skills, and for events that he threw with his friends. A popular one was Hat Band, for which people formed bands by picking names out of a hat, and then performed at house shows several weeks later. Marlinspike’s close friend recalled, "You could have known someone for years before that, and you never thought of them as a musician, or a songwriter, or a poet. It not only changes your perception but it changes who they are, and their perception of themselves." He said, of Marlinspike, "I think some of the things that have always been important to him are trying to find and construct these situations where you can build community and connections with people and have these transformative experiences."
Jackie Wang, an assistant professor of culture and media at the New School, who described her relationship with Marlinspike as sibling-like, met him through an anarchist community on LiveJournal in the early two-thousands, and encountered him in person for the first time at a dance party in Pittsburgh. To try to persuade friends to move to the city, she recalled, Marlinspike and a roommate had designed an "incentive package," which included a place to stay, a blind date, and a bicycle. "They were really into hospitality," Wang said, adding that, when she stayed at the mansion, a mint had been left on the pillow.
In Pittsburgh, Marlinspike uncovered an Internet vulnerability that affected nearly every popular browser. It enabled malicious actors to mount what is called a "man-in-the-middle attack"—a type of exploit in which the attacker can view and potentially alter communications between two parties and siphon data, such as log-in credentials, without detection. In 2009, Marlinspike presented the vulnerability at Black Hat D.C., an annual security conference in Washington. He took the opportunity to politely criticize the keynote speaker, Paul Kurtz, a homeland-security expert who had served under Presidents Bill Clinton and George W. Bush, and who had spoken about the need for the U.S. to take "leadership in cyberspace," arguing for collaboration among the N.S.A., law enforcement, and private industry. "You know," Marlinspike said during his presentation, "ten years ago, I feel like we would have been talking about protecting our communications from the state and the cops—not centralizing them in the hands of the state and the cops." He paused. "So I think a lot has changed." At the end of his talk, he released a new tool, SSLstrip, that automatically mounted man-in-the-middle attacks using the vulnerability he had discovered. SSLstrip elevated Marlinspike to expert status. These days, according to Dan Boneh, a cryptographer and a professor at Stanford, the practice of exposing vulnerabilities so that they can be fixed by other engineers, as SSLstrip has done, is "the bread and butter of computer security." Boneh, who teaches SSLstrip to his undergraduate students, told me, "It changed how browsers work. His attack caused the Web to change."
Marlinspike had long harbored concerns that the products and business models of private technology corporations—telecom firms, e-mail providers, search engines, social networks—would be built atop rapacious data-collection networks. It was becoming increasingly clear that the state could augment its sprawling surveillance apparatus with the help of private industry. In late 2009, Eric Schmidt, then the C.E.O. of Google, articulated a common stance on user privacy: "If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place," Schmidt said on CNBC, noting that, under the Patriot Act, which was passed in 2001 to deter and punish terrorism, and to expand the resources available to law enforcement, Internet-service providers could be compelled to share user activity with the authorities. To Marlinspike, this attitude was emblematic of what he saw as a growing threat to everyday Internet users. In response to Schmidt’s comment, and to Google’s business model, Marlinspike began working on a browser extension, GoogleSharing, for Firefox. Google’s business model relies on tying users’ disparate metadata to their activity, which is often achieved by having users log in to their accounts before accessing services. GoogleSharing pooled users’ activity on Google services and anonymized personal information, scrambling individual activity and assigning it to generic proxy identities. This prevented Google from building user profiles, and from collecting information from services that did not require a log-in. Marlinspike no longer maintains the software, but it is still available to download, for free, on GitHub, and has a successor, DuckDuckGo, a search engine that strips queries of identifying data.
In 2010, Marlinspike and Stuart Anderson, a friend and a robotics Ph.D. student at Carnegie Mellon, left Pittsburgh and moved to the Bay Area. They formed a small mobile-security startup, Whisper Systems, and worked on a suite of tools, including RedPhone and TextSecure, two Android apps for encrypted communication. In 2011, at the height of the Arab Spring uprisings, they hurriedly designed international editions of RedPhone and TextSecure, specifically for use by Egyptian protesters.
After less than a year, Marlinspike and Anderson, Whisper Systems’ only employees, sold the startup to Twitter, for an undisclosed sum. (In 2016, Marlinspike told Wired that it was the most money he had ever seen—"but that’s a low bar.") At the time, Tyler Reinhard, a longtime friend of Marlinspike’s, and the original designer of RedPhone (and, later, Signal), considered the apps to be more of a proof of concept than a business. RedPhone and TextSecure, he said, were "the antithesis to the dominant view that encryption would never be user-friendly. If the goal was to make the point, the point was well made." Twitter, then five years old, had become a popular target for hackers; after two security breaches, the Federal Trade Commission had investigated its user-information practices. Reinhard saw the acquisition as a sign that Twitter wanted to take user privacy seriously.
After the acquisition announcement, Twitter temporarily shut down RedPhone. Activists and human-rights advocates worried that revoking the service would put the app’s users in danger, by shutting off a secure-communication channel. (Three weeks later, Twitter announced that it would release the code for RedPhone and TextSecure as open-source projects hosted on GitHub, enabling others to maintain the services.) Marlinspike became Twitter’s head of product security, and prepared to encrypt a large-scale system. A colleague of his from the time recalled that he was quiet, and had a pronounced sense of the company’s responsibility to the user: "It was a vibe of ‘They’re giving us their time and their ideas, and we owe them, in return, the honor and respect of being able to use the product safely and securely.’ " Marlinspike is reticent about his stint at the company, but Nick Bilton, the author of a book about Twitter’s chaotic early years, told me that the boardroom dynamics were constantly compared to "Game of Thrones." "There was so much backstabbing," Bilton said. "There was no one driving the ship. It was sheer dysfunction." Privacy and safety took a back seat to growth. Direct messages on Twitter are still not end-to-end encrypted.
Marlinspike and a friend owned a Hobie Cat 15, a light fibreglass catamaran. One day in March, 2012, four months into Marlinspike’s job at Twitter, they decided to anchor it in San Francisco Bay, to avoid paying dockage fees. Marlinspike took the catamaran out, and his friend followed in a rowboat. It was dusk, and the conditions were rough; both boats were blown into the bay. As they began to change course, a gust of wind capsized the catamaran, turning it upside down. Marlinspike, who later wrote about the incident in a blog post, tried swimming to shore, but his body began to shut down; the temperature of the bay in early spring averages fifty-four degrees. He returned to the boat, clung to the hull, and tied a line around his wrist, to make his body easier to find. As his vision began to tunnel and his limbs lost sensation, a tugboat passed. The crew pulled Marlinspike out of the water and tried to warm him in the engine room. At the hospital, he went in and out of consciousness; his temperature was too low to register on the digital thermometers, which tend to have a floor of just under ninety degrees. "There’s a tension between how the world works and the feelings after a near-death experience," Marlinspike said, as we sat on the beach in our masks. "You’re sort of questioning, ‘What are we all doing here?’ You can’t feel that forever, because you’re constantly confronted with a different reality."
In early 2013, Marlinspike left Twitter, forgoing about a million dollars in stock. (Anderson stayed at the company for another year.) Soon after, Marlinspike started a nonprofit, Open Whisper Systems, returning to work on the open-source versions of RedPhone and TextSecure.
Marlinspike does not take credit for the growth of Signal in the twenty-tens. "I think it’s possible to look at technology in the same way that Marxists would talk about history, as this thing that has its own agency and force and inevitability," he said. "It’s this thing that’s just happening, and you’re moving with it." Instead, he cites a number of factors as having led to a resurgence of interest in encryption, including the rise of mobile devices, which offered software engineers a new forum in which to experiment, and the proliferation of chat applications. And, in the spring of 2013, Snowden, at the time a National Security Agency contractor and a former C.I.A. employee, disclosed classified information about the N.S.A.’s sprawling surveillance programs, which were bolstered by user data obtained from Google, Facebook, Yahoo, Microsoft, A.T. & T., and Verizon. Snowden revealed that the N.S.A. had subverted the National Institute of Standards and Technology (N.I.S.T.), a government agency that, among other things, developed guidelines for cryptography. The N.I.S.T.’s cryptography standards included four algorithms that generated random strings of numbers, which were used to encode data. The N.S.A. had created a backdoor to one of these algorithms, rendering it insecure. Until that point, Marlinspike said, the N.I.S.T. and other working groups "had a sort of monopoly on defining what was acceptable and thus what was possible." He described what ensued as a "brief renaissance."
Open Whisper Systems operated out of a rickety office in the Mission; a CrossFit gym directly above made the ceiling shake. It had a fiscal sponsor, the Freedom of the Press Foundation, and ran on a shoestring budget, assisted by grants from the Shuttleworth Foundation, the Knight Foundation, and the Open Technology Fund. Marlinspike calculates that, in the organization’s first five years, there were, on average, "2.3 full-time software developers." He worked on the TextSecure Protocol with Trevor Perrin, another cryptographer. Software protocols are robust descriptions of how systems should function; Marlinspike’s aim was to write something straightforward and compelling enough that other messaging platforms would want to adopt it, adding end-to-end encryption to their existing tools. At the time, most popular encryption protocols were designed for interactive applications that required all parties to be online simultaneously. These protocols included properties such as "forward secrecy": the regular changing of secret keys over time, which corrected the vulnerability of using a single private key across all encrypted correspondence. TextSecure’s innovation was to adapt these protocols, and replicate their properties, for the mobile chat environment, in which conversations are asynchronous, long running, and unpredictable: connections drop; people come and go. Perrin told me, "Most prior systems put encryption in the foreground: users had to jump through hoops to create and manage their secret keys and other people’s keys." He and Marlinspike had wanted their end-to-end encryption to work "so smoothly that it would be invisible."
In late 2013, Marlinspike met Brian Acton, a founder of WhatsApp, and expressed interest in adding end-to-end encryption to the messaging service. Shortly thereafter, in early 2014, WhatsApp was acquired by Facebook, for twenty-two billion dollars. That year, Open Whisper Systems merged RedPhone and TextSecure into a single communication tool for Android and iOS, and called it Signal. Marlinspike spent much of 2015 making trips to Mountain View, where he worked closely with Acton on implementing the Signal Protocol in WhatsApp. Acton is about a decade older than Marlinspike, and in some ways his foil: a Stanford graduate who worked in security at Apple, Adobe, and Yahoo before launching his own company. Acton was taken with Marlinspike’s technical vision. "The dude can get stuff done with high quality and high output," he said. "He naturally emerges as a leader because of his capability and his proficiency. To have done that with less formal training than the normal guy, I think, is outstanding." He also liked Marlinspike’s low-key nature. "He’s a very thoughtful and conscientious person," he said. "In corporate America, security incidents often result in what I would call the corporate freakout. A guy like Moxie is sort of unflappable."
In 2017, Marlinspike and Perrin were awarded, for their work on the Signal Protocol, the Levchin Prize—a new accolade, established by the entrepreneur and PayPal co-founder Max Levchin, for real-world applications of cryptography. During Marlinspike’s acceptance speech, which he requested go unrecorded, he deferred to history, saying that the celebration should be of technological progress rather than of any particular individual. Boneh, the Stanford professor, who chaired the award committee, said that the message was "really, really beautiful," but he didn’t entirely buy the idea that, without Marlinspike, widespread end-to-end encryption would have been inevitable. "Maybe it is true, but it would have taken many more decades," he said.
That year, Acton left Facebook, later attributing his departure to intractable differences about privacy practices. At the heart of the conflict was tension with Facebook’s top executives, Sheryl Sandberg and Mark Zuckerberg, who wanted to extend Facebook’s targeted-ad network to WhatsApp. End-to-end encryption precluded the collection of message content that would be valuable to advertisers. In early 2018, Acton and Marlinspike announced the formation of the Signal Foundation, a nonprofit. Acton, the foundation’s chairman and sole member, seeded it with a no-interest, fifty-million-dollar loan.
Acton and Marlinspike wanted to demonstrate that it is possible to build mainstream technology that is not beholden to the incentives of venture capital, or to markets, despite the overwhelming cost of producing and maintaining software. Signal has always been remote. Its nonprofit status protects it from outside interests demanding rapid returns. Nonprofits cannot be acquired by for-profit companies, so there will be no repeat of what happened between Whisper Systems and Twitter, or between WhatsApp and Facebook. Acton told me, "The user is the customer, and we can actually put them first in terms of what their needs and their desires are, rather than a corporate bottom line or a profit motive or anything else. To me, it’s a powerful message to deliver."
Signal is compensated for implementations of the Signal Protocol on a pay-as-you-wish basis. Skype has used the protocol for its "Private Conversations" setting, and Facebook Messenger has used it in a feature called "Secret Conversations"; Marlinspike declined to say how much either company donated. He thinks a lot about how to bring the Signal Protocol to the "long tail of the Internet"—the galaxy of smaller apps and services that could be encrypted, given enough time and resources. Signal’s employees are paid competitively; still, the organization has trouble vying with major corporations for engineers. As C.E.O., Marlinspike takes a salary in the low six figures, modest for the software industry, and makes less than the median salary at Facebook. He is still ambivalent about Silicon Valley’s professional security culture. He described recent industry conferences in Las Vegas, where, he said, "you’d go to this club and there’d be a bouncer with a velvet rope or whatever. I’d always want to ask the bouncer, ‘How can you take yourself seriously, man? You should be trying to prevent us from getting out. It’s, like, a negative-cool space inside.’ "
Signal now has thirty-six employees. Marlinspike told me that he tries to find ways to facilitate collective decision-making. Nora Trapp, Signal’s iOS lead, said, "If there has to be a person who is representing us, it’s good that Moxie is that person. But I also think that having just one individual serve that role is a little bit counter to the way we work and the way we function." Perrin told me that, despite appearances, "Moxie leads from the front, and he just leads by doing. One of his favorite quotes is ‘The only secret is to begin.’ If you want to get good at something or do something, you just do it, and you figure it out along the way."
There are inherent privacy challenges to digital communication: messages can still be screenshotted; devices can be stolen or hacked. Some members of the privacy community, including Snowden, criticize Signal’s requirement that each user sign up with a phone number; others object to Signal’s default setting that alerts users every time a contact joins the service. And, although all of Signal’s source code is open-source and peer-reviewed, most users cannot be certain whether it is identical to the code deployed in the apps they download, or to the code that is actually running on Signal’s servers. Others argue that Signal should be federated, or decentralized: rather than trusting a single organization to remain stable, invulnerable, uncompromised, and oriented toward their needs, participants should be able to run their own servers. (Signal maintains that this would be prohibitive to everyday users, and potentially more insecure.) Signal Fails, an anonymous zine recently published on several anarchist Web sites, warns against dependency on a centralized service, particularly one running on mobile devices. "If your device is compromised with a keylogger or other malicious software, it doesn’t really matter how secure your communications are," the zine reads. Were anarchists to "pose a major threat to the established order," the government would "come for us and our infrastructure without mercy."
Marlinspike defends centralization as a necessary condition for Signal’s widespread adoption, and for its ease of use. He is acutely aware that the reason encryption did not catch on in the nineties was that the cypherpunks expected users to adopt the conventions of software engineers, rather than the other way around. Most people did not want to teach themselves about cipher suites and ASCII armor in order to send a secure e-mail; they did not want to attend key-signing parties and exchange public cryptographic keys in order to build a web of trust. They just wanted to log on and talk to their friends. "Everyone who wasn’t Steve Jobs was wrong in the same kind of way," Marlinspike said. Signal offers unusual features, such as messages that disappear after a set period of time; users recently asked for stickers, and these, too, needed to be end-to-end encrypted. For now, Signal’s engineers are working on improvements, such as developing a group-video-chat feature and making the app’s group-chat systems faster and more robust.
"Anything you create in the technology landscape exists as part of an ecosystem, and the ecosystem is moving," Marlinspike said. Signal is a paranoid software, constantly adapting to new threats. As he wrote in 2016 on the organization’s blog, "Networks evolve, security threats and countermeasures are in constant shift, and the collective UX"—user experience—"language rarely sits still." He expressed envy of writers, musicians, and filmmakers: "Unlike software, when they create something, it is really done—forever. A recorded album can be just the same 20 years later, but software has to change."
Regulation remains a threat to Signal, although, Marlinspike said, "you can never get rid of cryptography. Sets of equations are everywhere. There’s no way for everyone in the world to unsee that, or to unknow it." He seemed unfazed by the prospect that, if end-to-end encrypted communication does catch on more widely, Signal might someday become obsolete. "If we’ve pushed the envelope as far as we can go and the things we develop become as ubiquitous as possible, we could all focus on other things," he said. As we walked around Venice, I tried to ask him about what those other things might be. His answers were a little vague. He is not interested in retiring, or relaxing; he still fears routine. "I’ve always been much better at doing than being," he told me later. Referring to Fitzgerald’s "This Side of Paradise," he explained that he has always seen himself more as a "personage" than as a "personality." He mentioned, casually, that he is curious about life-extension research, because he believes the world would look different if people had more time to explore their interests, learn new skills, build expertise, and experiment. "I dread the minute hand hitting the top of the dial every hour," he said. "I feel like I have less time than I used to. When you’re really young, no doors have really closed."
Whenever I asked Marlinspike what he had been up to, the answer was the same: "Work, work, work." Wang, describing Marlinspike’s "masochistic anarchist workaholism," told me, "I think the anarchy world rewards self-motivation, initiative, and experimentation. You oddly acquire a lot of skills that are useful, whether it’s graphic design or programming. There’s a strong work ethic, and a weird kind of anti-capitalist entrepreneurialism." Reinhard said, of Marlinspike, "He is an incredibly efficient time manager, and he approaches his leisure in exactly the same way. Almost all of his adventures require, like, six months of planning—and he has the patience for it."
Marlinspike moved from the Bay Area to Los Angeles in 2018, in part to work on a side project with friends—an ecological restoration "experience" intended to mitigate the depletion of coastal kelp forests. Participants would spend three days earning their scuba certifications, then paddle out to nearshore ecosystems, exploring the kelp forests and planting spores. The project, Marlinspike said, was "at the confluence of a few things that I’m interested in, like ocean ecology, climate change, potential climate-change remediation." Marlinspike’s close friend, who was also involved, said that the goal was for participants to be transformed: "What is the future of the world? Who are people in positions where they can change that future? How do we have those people do something that is going to change their world view, that might then change what they want to do?" The project fell through earlier this year, partly because of the pandemic but also because it is notoriously difficult to grow kelp from seed, and possibly illegal to plant it in the ocean at one’s leisure.
During our conversations, Marlinspike avoided making declarative statements about his plans and frequently declined requests to put seemingly innocuous information on the record. When I returned to his personal writing, I felt almost taunted by its attention to detail. I was particularly drawn to a blog post about a bicycle trip he took last year with friends through the Chernobyl Exclusion Zone, the eighteen-mile radius around the Chernobyl nuclear plant, in Ukraine, which was evacuated on April 27, 1986. (Access to the area, which is variously radioactive, is limited to maintenance crews, scientists, and scheduled guided tours.) Aided by a cheap compass, dust masks, and dosimeters, they slept in an abandoned apartment, surrounded by aging domestic detritus, and wandered through the buildings of Pripyat, the former factory town, at night. The Exclusion Zone was "paradise, but a paradise you can’t enjoy," he wrote. "The experience is full of tensions. . . . You have to be careful about where you sit, what you eat, how you eat it, what you touch; which is—ironically—why it exists. The reason it’s so beautiful and so peaceful is precisely because we can’t consume it. Like, perhaps, all real paradises everywhere."
At the beginning of the pandemic, the beaches in Los Angeles were closed. Unable to surf, Marlinspike bought a pair of Rollerblades and began taking nightly skates through Venice and Santa Monica, piping the techno-heavy soundtrack to "Hackers" out of a small speaker. He had wondered whether the pandemic would break something open. When the Black Lives Matter protests started, Signal employees began fielding requests and feedback from organizers, medics, and protesters. Trapp pulled an all-nighter to work on a new face-blurring tool, for strategic obfuscation of protest photographs, and Signal released it almost immediately. Ten years ago, it had been fringe to talk about abolishing the police or prisons. All of a sudden, people were forming mutual-aid networks and, although Marlinspike had no way of knowing this, forming cop-watch groups on Signal with names like Pig Sniffers. More Americans had begun to talk about the ways in which law enforcement is applied unevenly, arbitrarily, and unnecessarily. "I think those kinds of things are a silver lining to things being as bad as they are—being able to see and question the structures around us that have maybe not been serving us well," Marlinspike said, during our third and final meeting in Venice.
Still, much had stayed the same. He was startled to see protesters posing for photographs with the National Guard, as if the demonstrations were just another Abbot Kinney experience to be consumed and documented for social media. "In the nineties, there was this huge emphasis on the idea of self-publishing," he said at one point. "This idea that, if everyone could be both a producer and a consumer of information, the world would be fundamentally different. That’s all of zine culture." He went on, "That’s the world we got, in a lot of ways. The people from that scene didn’t anticipate this being the vector, but everyone more or less has access to the same publishing platform as the President of the United States." He exhaled lightly. "What we didn’t necessarily anticipate, when everyone was so optimistic, was how little it would change things. The dream was always that, if someone in the suburbs of St. Louis got killed by a cop, immediately everyone would know about it. At the time, it was a sort of foregone conclusion that that would be enough." "Enough for what?" I asked. "To prevent that from happening," he replied, flatly.
That morning, Marlinspike seemed to be feeling expansive. He told a story about Patty Hearst, and another about the Soviet space dogs, and an anecdote about centralized hot water in Russia. As he spoke, he gesticulated theatrically, as if his arms had just been unlatched. I found this unnerving; it suggested that, during our other conversations, he had been practicing a well-honed restraint. The sun was out in full force, the air smelled like weed, and the wind carried the clicking sound of low-stakes skate tricks. Women wearing masks and bikinis rollerbladed along the boardwalk, past venders hawking novelty sunglasses, one-hitters, and onesies stamped with a low-resolution TikTok logo. As we turned toward the beach, Marlinspike stopped walking and looked up at the sky. A line of twelve military helicopters cruised over the ocean. "Crazy," he said, shaking his head.
When we sat down, he told me about a trip that he and a friend had taken to Abkhazia, in 2016, to attend the CONIFA World Football Cup, a soccer tournament for unrecognized states. Abkhazia, a separatist region of Georgia, lies on the coast of the Black Sea. It has only two embassies—one belonging to Russia, its economic patron, and another to the fellow breakaway republic South Ossetia—and few diplomatic relationships. It is recognized by only five U.N. member states, and is barely integrated into the world economy. "An interesting thing is, if you’re going to be a country, you need a bunch of stuff, right?" Marlinspike said. "You need a flag, you need a national bird, you need an anthem, and you have to have a soccer team." He was wearing black jean shorts, and he bounced a finger against a tanned thigh for emphasis. "If you’re going to be a country, you’ve got to have a soccer team."
Abkhazia is the sort of place that appeals to Marlinspike: a would-be country outside the strictures of globalization, and almost outside the bounds of imagination. As the U.K. voted to exit the European Union, and the Catalan independence movement fought for autonomy from Spain, Marlinspike, who believes the world is seen most clearly from the margins, found that Abkhazia offered a unique perspective on nationalist and separatist movements. To get there, he and his companion travelled through southern Russia to a militarized border. After passing through three checkpoints, Marlinspike found himself in a landscape that looked exactly the same as the one where they had just been. People were speaking the same language. He wondered if the fight for independence—a brutal civil war, the ethnic cleansing of Georgians in the early nineties, and now economic isolation—had been worth it.
By the time they arrived at the stadium, in Sokhumi, the Abkhazian capital, the opening match was sold out. People were sitting in the aisles and hanging from the fences. Using elementary Russian, Marlinspike pleaded his case to a security guard. Not knowing what to make of two backpackers who had travelled from California expressly for the tournament, the guard waved them through the gates. ♦