Rhodri Marsden: Use email encryption services? The trouble is, we can't be bothered

 

When I was a boy I was given a fantastic book called The Knowhow Book of Spycraft. This hugely important volume did an excellent job of persuading young men and women of the importance of secrecy and stealth, with evocative illustrations of men in dark coats and sunglasses covertly passing notes to one another through shrubbery. For a whole summer, I found myself leaving bits of paper for friends at carefully allocated drop points, informing them of crucial nuggets of information.

The bits of the book dedicated to coding your messages, though, I wasn't that bothered about. I remember one tip involved writing a message in lemon juice and the recipient holding the piece of paper over a candle to read it. It just seemed like too much of a faff. My secrets didn't seem worth encrypting.

For years, I felt the same way about email. When I send a message to a specific email address, I figure that it'll be opened by the person who owns that email address, and even if anyone else did stumble across that message, it's unlikely that they'd be interested in the contents. I knew about methods of email encryption such as PGP (Pretty Good Privacy) and GPG (Gnu Privacy Guard), because I occasionally saw the email signatures of people who cared deeply about such things; they'd include a public key that you could use to send them encrypted messages. But rather like the lemon juice, dealing with the various keys and additional processes all seemed too much like hard work. I reckoned that the people who emphasised its importance were at best excessively geeky and at worst ridiculously paranoid.

But this thinking seems to be slowly changing, not least in my own head. The revelations over the past few months about the surveillance programs of the NSA have prompted people to toy with the idea of encryption, not necessarily because they have something to hide, but merely because they have something to type and find the idea of unauthorised interception slightly unappealing. When stories of the kind revealed by Edward Snowden have emerged in the media, some encryption services have seen spikes of interest in their products, and that's a good thing for privacy in future; as systems such as PGP or GPG rely on senders and receivers having the same encryption and decryption tools at their disposal, they are only as useful as the number of people using them.

But could encryption be made easier, perhaps to the point where we can actually be bothered to do it? This week, the website Venture Beat quoted a source at Google claiming that research is under way to "improve the usability of PGP with Gmail". This piqued my interest, for a bit. The idea of all my email being encrypted with a single click and unreadable to anyone except the intended recipients – not even Google! – held a very strong appeal.

But then I realised that the aforementioned faff, a lack of ease of use, is almost a necessary part of encryption systems. All the coding or decoding should happen on your computer before the email is sent or after it's received; as soon as you make it part of the system, with public and private keys stored for convenience in the cloud and "protected" by a password, you've made the whole point of encryption redundant. Convenience and encryption will never make easy bedfellows; that's why I still don't my write letters in lemon juice. (Don't tell GCHQ.)

twitter.com/rhodri

Comments