Why You Should Encrypt Everything and the Reason You Probably Don't
Most of the more than 2.5 billion people who use email have more than one account, and 95 percent of the email they send is unencrypted. In real numbers, that’s just over 194 billion emails sent every day in the clear. With the Edward Snowden leaks, the increased attention to online privacy, and the steady increase in data breaches around the world, it would seem imperative — in fact, negligent otherwise — to encrypt the emails we send, the data we store on our phones, and information we send up to the cloud. But we don’t. And even now, when we’re advised that mainstream email providers like Google and Yahoo offer end-to-end encryption, we refuse to enable the technology. Why does much of the world stubbornly resist data and email encryption? Why don’t we enable it on all our devices all the time?
For most, it’s about convenience. It’s too cumbersome to set it up, and the potential for irrevocable data loss is too high if you forget your password. Unlike technologies that allow for the automatic backup and recovery of your data, if you forget your password to an encrypted device, you may lose all your data. There is no safety net.
The technology to encrypt consumer email has been around since 1991. Phil Zimmermann released Pretty Good Privacy (PGP) that year and provided to the average citizen encryption technology that heretofore had been the domain of large corporations and governments. Reportedly, when it was released, the NSA couldn’t break it. And while not simple to use, it afforded many the ability to feel secure in sending and receiving email traffic.
But in a famous study by scholars at UC Berkeley and Carnegie Mellon University, researchers found that most people didn’t use email encryption technology like PGP because it was too complex to use. The user interface was clunky. “User errors cause or contribute to most computer security failures, yet user interfaces for security still tend to be clumsy, confusing, or near-nonexistent,” the authors argue. “User interface design for effective security remains an open problem.”
In fact, The Washington Post reported back in 2013 that Snowden had to personally explain how to set up PGP to Glenn Greenwald, the reporter at The Guardian he contacted:
"When Edward Snowden, the man who leaked the details of the PRISM program, first contacted Glenn Greenwald at The Guardian in February, he asked the journalist to set up PGP on his computer so the two could communicate securely. He even sent Greenwald a video with step-by-step directions for setting up the software. But Greenwald, who didn't yet know the significance of Snowden's leaks, dragged his feet. He did not set up the software until late March, after filmmaker Laura Poitras, who was also in contact with Snowden, met with Greenwald and alerted him to the significance of his disclosures."
“Encryption works best if it's ubiquitous and automatic,” computer security guru Bruce Schneier writes. “The two forms of encryption you use most often — HTTPS URLs on your browser, and the handset-to-tower link for your cellphone calls — work so well because you don't even know they're there.”
To that end, privacy nonprofit Open Whisper Systems announced last week the release of Signal for Android. And while the app doesn’t encrypt and protect email, it does allow for the sending and receiving of encrypted messages and voice calls. And it does it in an idiot-proof manner. When the app was first released on iTunes last year, Open Whisper Systems’ founder Moxie Marlinspike told Wired magazine, “In many ways the crypto is the easy part. The hard part is developing a product that people are actually going to use and want to use. That’s where most of our effort goes.” Lauded by privacy advocates globally — including Snowden — Signal has been downloaded to over a million Android phones.
Whether or not apps make encryption simpler and easier to use, it’s vital that you use technologies that encrypt and protect your information. Personal data security and privacy is your problem. No one is going to solve it for you: not an app developer, your government, your child, or your tech-geek neighbor. Protecting your data is the responsibility of one person: you.
As Schneier reminds us:
"It's easy to see how encryption protects journalists, human rights defenders, and political activists in authoritarian countries. But encryption protects the rest of us as well. It protects our data from criminals. It protects it from competitors, neighbors, and family members. It protects it from malicious attackers, and it protects it from accidents. ... Encryption should be enabled for everything by default, not a feature you turn on only if you're doing something you consider worth protecting. ... Encryption is the most important privacy-preserving technology we have, and one that is uniquely suited to protect against bulk surveillance — the kind done by governments looking to control their populations and criminals looking for vulnerable victims. By forcing both to target their attacks against individuals, we protect society."
Jason is Chief, Innovation for Thomson Reuters Special Services where he facilitates, oversees, and executes long-term solutions to emerging technology challenges. He works closely with governments, the private sector, and non-governmental organizations to identify opportunities that will shape the future. The views expressed are his alone and do not necessarily represent the views of Thomson Reuters or Thomson Reuters Special Services.