End-to-End Email Encryption – This Time For Sure?

Phil Zimmerman's Pretty Good Privacy (PGP) and its offspring have been encrypting and decrypting email for almost 25 years but require enough knowledge and determination to use them that adoption has never taken off outside the technoscenti. Now initiatives from several quarters aim to fix that but will it all "just work," and will end users adopt it even if it does?

According to a new Pew Research Center study of Americans' attitudes after two years of disclosures about widespread government surveillance, 61% of respondents are less confident that these efforts are serving the public interest, and 57% said it is "unacceptable" to monitor the communications of US citizens. Despite this strong sentiment, only 18% of those surveyed indicated that they had changed the way they used email even "somewhat" as a result. Add this gap to the high bar end users have had to overcome in order to adopt email encryption, and how likely is it that these new tools and services will trigger a change in behavior?

Not Widespread After Two And A Half Decades

People who regularly say things that can put them in danger activists, dissidents, journalists may come to depend heavily on encrypted email. But it never really caught on with average email users, probably because in the past it never occurred to them to worry about who might see their messages other than a nosy spouse or partner. Even if they felt the need, the steps involved were fairly arcane for the average consumer. And if they overcame that hurdle, and if somebody they wanted to swap encrypted messages with did too, then exchanging and loading the necessary keys was often a bridge too far.

The community around PGP tried to make key exchange easier by creating public keyservers and programming plugins for just about every email client written. But the adoption curve was never driven far enough to trigger the network effect likely because of the number of unusual (to Joe Sixpack) steps involved in generating a key and getting it onto that keyserver in the first place. Similar issues affected alternatives like S/MIME, outside of certain business environments and platforms, where the equivalent hurdle was obtaining or exchanging valid certificates. Each system worked well where it was used, but none of them really impacted the use of email on Main Street.

Instead the form of encrypted email most often encountered by consumers has typically been a small, self-contained system often deployed by banks or healthcare providers that only allowed them to exchange messages with people at those organizations. In many cases this was just a captive webmail service accessed from a web browser over a TLS-encrypted session, with content-free "you have a message" notes going to a customer's regular email address to prompt them to visit the portal. In these highly regulated industries the expense of deploying these systems is often easy to justify, especially when the alternative is an envelope sent via courier or next-day service.

Along Comes Citizen Four

Since the Edward Snowden leaks made the depth and breadth of recent government surveillance public, there has been renewed interest in encrypting email along with just about every other kind of Internet traffic. And after a few years of steady work, a number of initiatives are coming to the fore.

Since 2008 the German government has been working on an email service called DE-Mail. The initial goal was to support the exchange of legally binding electronic communications and documents between citizens, businesses, and government. But according to German officials, beginning in April 2015 the platform will offer end-to-end encryption of messages through browser plugins, which will be based on PGP. While the DE-Mail platform hasn't been wildly popular with consumers to date, this new service might change that and the announcement certainly reflects a different attitude on the part of the German government, compared to the official UK or US positions that end-to-end encryption threatens the effectiveness of law enforcement.

In early 2014 a small startup called Keybase.io began getting attention, at least partly because of the founders' track record with SparkNotes and OkCupid. They set out to update the traditional PGP keyserver and attestation models, incorporating public proofs of identity based on social media and other services. They also offered both command-line and browser-based code that would simplify many of the details of key management and encryption for end users though perhaps allowing users to upload their private keys for ease of portability is a step too far. Still, the focus on simplifying things for the end user is laudable, and it is a standalone service that you use with your existing email account. Their keyserver is integrated with the existing PGP keyservers, and their simpler user interface can be used on top of publicly reviewed and vetted open source programs.

Read more:
End-to-End Email Encryption - This Time For Sure?