Thursday, February 23, 2006


Email encryption

On Morning Edition yesterday, NPR reported on email encryption, and why it's not widely used. The item is introduced by pointing out that when you visit web sites your traffic is often encrypted, and that encrypting email can protect you from the government's prying eyes. And yet, they say (and they're right), hardly anyone uses it.

They talk with people from the Center for Democracy and Technology, who demonstrate a webmail service called "Hushmail", which, nevertheless, even the CDT people don't normally use. From the technical side, not covered in the NPR item, Hushmail appears to be at the wrong end of the interoperability curve. It does use OpenPGP; I'd rather see it use S/MIME, but Phil Zimmermann is associated with it, so, of course, it's on the PGP side. It does not appear to try to get PGP keys from the MIT or PGP key servers (both of which have my keys), so it looks like you can only send encrypted mail to other Hushmail users (you can sign mail to anyone, but their mail clients have to know how to deal with PGP). It's also not clear how non-Hushmail users can get the public keys for Hushmail users, to send encrypted mail to them.

One impediment they cite, which relates to what I say above, is key management, and the danger of losing access to the encryption key (usually by forgetting the passphrase for your key or X.509 cert). They also discuss, of course, the point that most of the mail we send doesn't need the privacy that encryption provides. Says Outlook product manager Will Kennedy,

"If I'm sending mail to my wife about what time to pick up my son at soccer practice, for example, it's not really something that needs to be encrypted; it's not a particularly important secret."

Finally, they note that of those who do use encryption in Outlook, the biggest user is — perhaps not surprisingly — the government.

I'm always pleased to see the mainstream press covering this sort of thing. As with most news items, though, I would have liked more content in there. It was only four minutes long, and they had to cover it in a way that the general public could understand, so that limits them, but, still, it would have been nice if what people got out of it was that if we did use email signing and encryption more, we'd be better off. Many web sites have their own email-like "contact us" pages, to get around the current situation, and that makes it more difficult, not less. Signed mail from known correspondents could bypass spam filters, and signed-and-encrypted mail could be used for communication that some avoid today because of the security and privacy issues (communication with your doctor, lawyer, banker, that sort of thing). I'd love to see wider adoption here, and that starts with some basic education.

