Here’s a question I’ve been wondering about for some time. Why don’t we encrypt our email? We devise security solutions to handle all kinds of complex threats, we play cat-and-mouse with the bad guys and we spend a fortune on monitoring, management and response to security issues as they happen.
And yet, as a global race we seem quite happy to transmit all kinds of information across the Internet without protecting it in any way against eavesdropping. Why is this? A couple of years ago, Stephen Farrell wrote a long paper addressing exactly this question, which I won’t attempt to reproduce here. You can read the PDF of the paper, which concludes:
“Casual use of end-to-end security is reduced further by essentially unimaginative implementation of the features in Mail User Agents (MUAs) that really only support corporate users, and then only if they have well-resourced and security-aware administrators. MUA developers should go back to basics and ask what users really want here — the ability to occasionally encrypt an email without much trouble at all.”
In other words, as long as email encryption is too complex for the average punter, it’s not going to get used. This sounds reasonable, but it does beg a question of our entire attitude to security in general, and email security in particular. A critic might ask, “So, you’re saying that the reason we’re quite happy to send company secrets around in the clear is because we can’t be bothered?”
While this is probably a bit harsh, the fact is that today, the vast majority of email users rely on “security by obscurity” when it comes to their email – or to put it another way, “I hope nobody reads my messages, though I don’t know whether they will.” It is true that, with some 3 billion email accounts worldwide today, the chances of anyone opening that Excel spreadsheet and picking out the quarterly sales projections are slim.
But it does beg the question of just how long we can go on with the attitude that email snooping only happens to other people. It could be that in the future, legislation is tightened to force us to encrypt email; alternatively, a major incident could cause a flurry of new policy implementation. In the meantime, as so often in the past, we shall keep going the way we always have, until we are given a big enough kick to do otherwise.