There have been many articles recently extolling the virtues of encrypting your communications via the internet. But there is another side to this debate. Russell Kay, senior reviews editor of Computerworld in the US, gives us his view.
Crypto is a pipe dream until it's easy to do
Some writers conclude that we're not encrypting routinely because we don't believe, erroneously in his view, that we need it. I think that's wrong. The problem isn't that we don't care — it's that encryption is entirely too difficult to accomplish.
Sure, all the technology is at hand. Anyone with a technical bent or a compelling need can install, say, PGP and encrypt his messages. I could do that, but I haven't because I don't know a single person I correspond with who could then read my messages. At the current state of communications software, encryption is suited for dedicated email among a few, well-defined partners. It can be useful for internal communications at a given organization where an IT staff can enforce and manage keys, but otherwise forget about it.
Encryption simply can't work as a tool until it's nearly omnipresent and totally invisible to the user. Not until encryption is built into all common email software. Not until everyone we want to decrypt our messages is able to do so. Not until all those people have public/private key pairs or personal certificates. And not until there's a simple mechanism to discover and use someone else's public key or certificate.
The Decryption Hassle
I receive between 150 and 200 email messages every workday. An increasing number of those daily messages are already encrypted, after a fashion, and they're a nuisance to deal with.
IDG's email runs on Lotus Notes 4.6. If you send me an email message whose body is in HTML, it normally arrives as an attachment labelled 'att1.htm'. I can't read that message directly. Instead, it takes two to three more mouse clicks to send the attachment to a 'decryption program' — a web browser.
Worse, some messages arrive as plain HTML text, with so much code and tagging that I have to go through even more bother and steps to turn them into files I can then read in a browser window. Given the extra time and effort needed to read such messages, I look carefully at the sender and the subject line before I even think about reading them and, in fact, I delete most of them unread.
These days, we can count on everyone having a browser. But if even HTML email is a major nuisance in many cases, what chance does encryption have?
Suppose I want to send you confidential information in encrypted form. Must I first send you the proper encryption/decryption software and then ask you to install it, generate keys and let me know your public key? I'd better not be in a hurry!
Encryption will work only when the exchange of keys or certificates becomes a good deal more automatic and simpler than the capture of email addresses, as you'll realise once you see a PGP public key. You won't memorize that string of characters. Not for anyone. The public-key infrastructure (PKI) initiative is supposed to take care of all these key management and directory issues, and maybe it will. Someday.
For sending encrypted email, an electronic address book won't be just an option — I won't be able to function without it. But what happens if I'm using someone else's computer at, say, another office, or an internet cafe. How do I send email encrypted with my key? How does someone reply to me in confidence? Do I end up storing my address books online by necessity, and will that do the job? Will I need to carry smart cards with that data, or a special handheld device?
When, If Ever?
None of these problems is insurmountable — in fact we already have all the technology we need. Until email encryption is both effortless and available everywhere, it will remain a curiosity, a necessary but awkward tool reserved for special occasions, determined individuals, defined pairs of correspondents and co-conspirators.
We, as 'users', can't make change happen by ourselves. We need all the primary vendors of email software including Microsoft, Netscape and Lotus et al to include encryption as a standard feature. We need PKI to work as quickly, universally and transparently as the internet's Domain Name System.
Those vendors need to know that it's not just IT people who think it's important to encrypt email, it's everyone who uses email. Most of my personal email isn't confidential, but for some messages I do want and need the privacy that encryption can provide.
I think that once most email users realize how exposed their plain-text email is, they will want the capability to encrypt some messages. But encrypted email has to be simple enough for your grandmother to use before it's ready for business. As of now, it flunks that test.