Edward Snowden’s revelations around NSA email surveillance both shocked the world and sent the email privacy bandwagon into motion. With even Snowden conceding that email encryption provides protection, it seems like the whole world is buzzing about end-to-end encryption and how it’s going mainstream. Yahoo, Google, Chrome and others – they’re all heavily promoting email encryption and creating tools to make it happen.
It’s logical that the providers are focused on the nuts and bolts around secure email – how to encrypt files, what encryption software features are necessary, and other important considerations around providing secure email service. However, aren’t all of these efforts made in vain if email users aren’t actually going to use these encryption tools? No, because from a provider’s point of view, it’s no longer “optional” to provide email security protection. Even if people don’t use it, they still want to know that it’s in place and that their provider cares about their privacy protection.
Why wouldn’t an everyday email user go to the effort to encrypt private email communication?
For starters, it’s complicated. Email encryption tools typically require that the sender and recipient share the same encryption software – this requirement makes it pretty complicated for everyday use. Second, installing this software usually requires downloading, which email users view as time-consuming and potentially damaging to their computer. And installation and compatibility requirements are just the tip of the iceberg.
Assuming that an email user does in fact install the software and use it, it’s hardly failsafe. Beyond the risks associated with software bugs creating vulnerabilities and circumvention of the protection altogether through mining documents from the host computer before they are encrypted, the NSA is reportedly looking to develop quantum machines that can crack encryption keys with advanced physics. While it’s not widely believed that this capability is currently in place, it may be in the not-too-distant future.
Essentially, from an email user’s point of view, it’s a whole lot of time, effort and aggravation to expend for email encryption protection that may or may not actually work.
Compounding these barriers to wide-scale adoption is the low degree of perceived risk on a personal level within the general public. The truth is that most emails that most people send are relatively innocuous and don’t contain private or sensitive information that’s obvious cause for concern. And, even if an email does contain sensitive information, the perceived risk that any specific email will be filtered and scrutinized seems infinitesimally small.
While the public outcry around email surveillance has launched wide-scale end-to-end email encryption initiatives across providers, whether or not the public actually goes to the effort required to leverage email encryption capabilities remains to be seen.