It's All About Me: Why Email Security Remains Elusive

 David's explanations are all on target, but he missed at least one: hypocrisy. People don't use encryption because they don't want to. They say that they do, but they say a lot of things they don't mean. The check is in the mail.

In his recent article, "Why Secure Email Still Doesn't Measure Up," David Strom offers a compelling set of explanations for why virtually no one uses encrypted email. Strong encryption capabilities have been available for decades, with standardization efforts dating back to PEM in 1987.

Trust is rare. Everyone wants to be an exception to their own rules. They don't want their crypto programs to do unto them as they would have our crypto programs do unto us.

It has been decades since there have been any serious technical impediments to encryption, and over a decade since the last political impediments were removed in the US. There used to be user interface impediments, but as David says, those have long since been removed in products such as Mimecast's, and are unlikely to be more than a transient challenge. What's left are two relatively intractable social impediments.

The first impediment is that people don't want encryption as badly as they say. A very wise man once advised me on the importance of computer security: "People will pay any price for security," he said, pausing significantly before completing his thought: "as long as it's free." It took me years to understand that this was no joke. People really do want security, and they'll tell you they want it very badly, but the depth of that desire is belied by a consistent reluctance to invest in it.

The second, and most important, impediment to the adoption of encryption is our lack of trust. Our communications technologies are tightly embedded in a web of relationships, and we think sloppily about our differing desires for technology in different contexts. Key relationships may be characterized by mutual suspicion and deception. Within a web of business and personal relationships, whose encryption do you trust, who do you trust to encrypt, and when? The default consequence of such complexity is the easy victory of the status quo. If you're not sure you can trust "secure" email, any excuse for avoiding it will do.

I wouldn't say that I'm an optimist, but I do believe that a solution is possible. For people to trust and use encryption, it will have to be flat-out simple in every imaginable sense; it would be worth trading a good deal of technical security for almost any amount of simplicity. Here's what I had in mind:

1. Create a simple global directory of public keys. I don't know of anything better than storing it in DNS.

2. For every message sent, your software should look up the public keys of the recipients, and encrypt the message automatically before sending it.

3. For the user, the maximum change from present practice should be an occasional need to reauthenticate.

Experts can tell you several things that are wrong with that approach, and it's certainly imperfect. But it's better than what we have today, and there's at least a chance of getting it accepted by users.
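To make the three steps concrete, here is an added example of the sending and receiving side of that design in Go. It is not code from the original article or from any product mentioned in it. The `Directory` type is a constructed in-memory stand-in for the DNS lookup of step 1 (a real deployment would publish under the mailbox's DNS name, RFC 7929's OPENPGPKEY record being one such design, and would need DNSSEC so a forged answer cannot substitute a key); X25519 plus AES-256-GCM with a hash-based key derivation are this example's choices, not the author's; and the names `Directory`, `NewIdentity`, `Seal`, `Open` and the `example.com` addresses are all invented for the illustration. The one design point it adds to the sketch is the failure mode the article's "any excuse will do" warns about: when a recipient has no published key, `Seal` refuses the whole send rather than quietly falling back to plaintext for that address.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Directory is a constructed stand-in for the DNS directory of step 1: mailbox ->
// hex-encoded X25519 public key, as a resolver would return it. A real deployment
// would publish under the mailbox's DNS name (RFC 7929's OPENPGPKEY record is one
// such design) and needs DNSSEC, since whoever forges the answer picks the key.
type Directory map[string]string

// NewIdentity makes a recipient key pair; the string is what gets published.
func NewIdentity() (*ecdh.PrivateKey, string, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, "", err }
	return priv, hex.EncodeToString(priv.PublicKey().Bytes()), nil
}

// Lookup is the per-recipient query of step 2. NewPublicKey rejects anything that
// is not a well-formed 32-byte key, which also catches bad hex in the record.
func (d Directory) Lookup(addr string) (*ecdh.PublicKey, error) {
	encoded, ok := d[strings.ToLower(addr)]
	if !ok { return nil, fmt.Errorf("no key published for %s", addr) }
	raw, _ := hex.DecodeString(encoded)
	return ecdh.X25519().NewPublicKey(raw)
}

// Envelope is one recipient's copy of a message.
type Envelope struct {
	To         string
	EphPub     []byte // sender's one-time X25519 public key
	Nonce      []byte
	Ciphertext []byte
}

// sessionAEAD derives an AES-256-GCM key from the ECDH secret. Hashing it with a
// label and both public keys is a deliberately simple KDF for this demo (use HKDF).
func sessionAEAD(shared, ephPub, rcptPub []byte) (cipher.AEAD, error) {
	h := sha256.New()
	for _, p := range [][]byte{[]byte("mail-directory-demo-v1"), shared, ephPub, rcptPub} {
		h.Write(p)
	}
	block, err := aes.NewCipher(h.Sum(nil))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts message for every recipient (step 2). It fails closed: if any
// recipient has no published key, nothing is sent, rather than silently falling
// back to plaintext for that one address.
func Seal(dir Directory, rcpts []string, message []byte) ([]Envelope, error) {
	out := make([]Envelope, 0, len(rcpts))
	for _, r := range rcpts {
		pub, err := dir.Lookup(r)
		if err != nil { return nil, err }
		eph, err := ecdh.X25519().GenerateKey(rand.Reader)
		if err != nil { return nil, err }
		shared, err := eph.ECDH(pub)
		if err != nil { return nil, err }
		ephPub := eph.PublicKey().Bytes()
		gcm, err := sessionAEAD(shared, ephPub, pub.Bytes())
		if err != nil { return nil, err }
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil { return nil, err }
		// The address is bound as associated data so a copy cannot be re-labelled.
		ct := gcm.Seal(nil, nonce, message, []byte(strings.ToLower(r)))
		out = append(out, Envelope{To: r, EphPub: ephPub, Nonce: nonce, Ciphertext: ct})
	}
	return out, nil
}

// Open is the recipient side: redo the ECDH with the sender's one-time key.
func Open(priv *ecdh.PrivateKey, env Envelope) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphPub)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	gcm, err := sessionAEAD(shared, env.EphPub, priv.PublicKey().Bytes())
	if err != nil { return nil, err }
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(strings.ToLower(env.To)))
}

func main() {
	alice, alicePub, _ := NewIdentity()
	dir := Directory{"alice@example.com": alicePub} // constructed entry
	envs, err := Seal(dir, []string{"alice@example.com"}, []byte("meet at noon"))
	if err != nil { panic(err) }
	pt, err := Open(alice, envs[0])
	fmt.Printf("alice reads %q (err=%v)\n", pt, err)
	_, err = Seal(dir, []string{"alice@example.com", "bob@example.com"}, []byte("x"))
	fmt.Println("unlisted recipient:", err) // the whole send is refused
}
```

Step 3 (the user only ever reauthenticates) is what is left once the client does all of this on its own: the sender never sees a key, a fingerprint, or a choice. The fail-closed behaviour in `Seal` is the part worth arguing about, since a client that instead downgraded to plaintext for unlisted recipients would be more convenient and would also be exactly the "secure" email nobody can trust.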

Unfortunately, adoption precedes user acceptance, and I don't see much chance of this being adopted. The fact is that companies feel the need to read their employees' mail from time to time, and any system with the added complexities this requires would be far harder for users to trust -- and rightly so. Similarly, even consumer email providers will resist any mechanism strong enough to interfere with their ability to target advertising, and the added complexities needed to preserve that ability would further reduce trust. And of course, there's always a government asking for a back door that adds complexity while destroying trust.

Unlike computer security professionals, real-world actors with the most critical security needs prefer to avoid open standards. They prefer safe, private, even undocumented channels, decrying "security through obscurity" even as they rely on it. In the end, these are the people most likely to encrypt, but they're the least likely to trust a standard mechanism. The people who should be leading adoption are the most resistant to it.

I want the rules to favor senders when I'm sending mail, but favor receivers when I'm receiving. I want to be able to read my employees' mail, but I don't want my boss to be able to read my mail. I want to spy on my spouse's mail, but I don't want her to be able to spy on mine. And if you have similar wishes, I don't want yours to come true. Just mine. And that's why we don't have secure email.