Open PGP: It’s Not All It’s Cracked Up to Be

It’s hardly surprising that concerns around email privacy are percolating to a boil – there are threats to email security on all fronts. It’s no longer just about fraud protection and regulatory compliance – it’s about protecting people from government surveillance and other seemingly innocuous yet pervasive and poorly understood threats. The public outcry for privacy protection has reached a fever pitch, and the software industry is responding with free tools that leverage open PGP to simplify the encryption of online forms of communication, including email, instant messaging, SMS and more.

PGP, however, is too complicated for typical email users – in fact, while it’s been available for free for over 20 years, it has never built a significant installed base. Why?

The primary challenge users face is key management – every sender and recipient of PGP-secured email must create and publish a PGP key. Those keys then require validation before they are used, to make sure that they are in fact authentic and not faked by an interloper.

The process around distributing, verifying and revoking PGP keys when necessary is a cumbersome manual exercise with a steep learning curve. This explains why even highly skilled and trained technologists hardly ever use PGP to secure their email communications.
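As an added illustration of the validation step above (this is example code, not part of the original post), the value a recipient checks against a sender over a trusted channel is the key fingerprint, which OpenPGP derives from the key material only, not from the name attached to the key. The modulus values below are small constructed integers used for demonstration, not real RSA keys.

```python
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then minimal big-endian bytes."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return struct.pack(">H", n.bit_length()) + body


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet (RFC 4880 5.5.2):
    version 4, 4-byte creation time, algorithm 1 (RSA), then MPIs n and e.
    The user ID (name/email) lives in a separate packet and is NOT part of this body."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> bytes:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the body itself."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()


def key_id(fingerprint: bytes) -> bytes:
    """The 64-bit key ID is the low-order 8 bytes of the fingerprint."""
    return fingerprint[-8:]


def pretty(fingerprint: bytes) -> str:
    """Render the fingerprint the way users read it aloud: uppercase hex in groups of four."""
    h = fingerprint.hex().upper()
    return " ".join(h[i:i + 4] for i in range(0, len(h), 4))


def matches_trusted_fingerprint(body: bytes, trusted: str) -> bool:
    """Compare a computed fingerprint with one obtained out of band (spacing and case ignored)."""
    return v4_fingerprint(body).hex().upper() == trusted.replace(" ", "").upper()


# Constructed demonstration values (not real keys): two key packets that could both carry
# the user ID "Alice <alice@example.org>", only one of which is actually Alice's.
CREATED = 1400000000
ALICE_KEY = rsa_public_key_body(CREATED, n=0xC0FFEE1234567890ABCDEF, e=65537)
INTERLOPER_KEY = rsa_public_key_body(CREATED, n=0xBADC0DE1234567890ABCDEF, e=65537)

if __name__ == "__main__":
    trusted = pretty(v4_fingerprint(ALICE_KEY))  # read from Alice's business card, say
    print("Alice's fingerprint:   ", trusted)
    print("Interloper fingerprint:", pretty(v4_fingerprint(INTERLOPER_KEY)))
    print("Interloper key accepted?", matches_trusted_fingerprint(INTERLOPER_KEY, trusted))
```

Because the user ID is outside the hashed packet, a key published under someone else's name has a different fingerprint, which is exactly why the manual comparison the post describes cannot be skipped.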

While a variety of companies have embedded PGP software into their email clients, a reasonable solution to PGP key management issues has yet to surface. Not surprisingly, Yahoo and Google are in the midst of trying to solve this problem. However, the fruits of their efforts will be limited to their own user bases.

Limited adoption of email encryption tools is attributable not only to the complexity of the encryption software currently available but also to email user inertia and complacency. From a user’s perspective, the risk of a personal breach is perceived as very small.

This is because most email users don’t grasp the full scope of existing and emerging threats. When messages with attachments containing sensitive information are exchanged via email and intercepted, the email user is placed at significant risk for fraud and more.

While most organizations in highly regulated industries – like health care and financial services – are paying attention to email security to maintain compliance, the reality is that many industries that fall outside these requirements are ignoring the risk. Sending attachments that contain personally identifiable information – things like mortgage applications, transcripts and receipts – is riskier than folks realize.

The industry is ripe for advancement on secure document delivery, but PGP is not the wave of the future. With the groundswell of concern emerging around email security within the general public, it’s only a matter of time before the industry moves forward to bring secure email to the masses. But rest assured – it won’t be based on open PGP.

Posted in Data Security, Email Security