Encrypted Email
It's hard and annoying and there's no alternative
After leading several training sessions where I assisted journalists with setting up GPG encryption for their emails, I have collected the following observations. This post is subject to being updated.
The door-with-two-locks metaphor is the most successful one I've used to explain public-key cryptography.
- The workings of encryption are otherwise too complex for people to retain, unless they work in information technology or are an enthusiast thereof. Therefore, training of email users should focus heavily on rote process and only lightly on theory or demonstration.
As a technologist, I am tempted to train users on how to setup the GPG tools. It's not a good use of their time or mine. Guide them through the setup. Train them on the usage.
People confuse the concepts of security and anonymity. It is important when training email users to take time to talk about how email encryption does and doesn't (mostly doesn't) relate to anonymity.
Well-meaning people continue to try to propose alternatives. The problem is that building cryptography services and applications with hidden, critical flaws in them is really easy to do. Any new service should be assumed to be vulnerable and improperly implemented, and therefore not trusted.
Many implementations of PGP that have been around for a long time have stood the test of time and scrutiny. The average user of email will not find these applications completely satisfactory, but the implementations can be trusted until further notice. This is where training and support come in.
The PGP/MIME problem is a scourge on the general usability of email encryption.It is inexplicable to a non-technical email user and can add immense complexity to the process of exchanging emails. If you are assisting email users with encryption, prepare yourself to avoid or address this problem.
Like an increasing number of things in technology, non-technical email users should form a partnership with those who help them get setup with email encryption. Those partnerships should be with a trusted adviser, who will accept responsibility for proactively guiding the user through the perils of the technology.
Once users have it, they think it's cool. If you're a technologist like I am, their response is very satisfying. So go out there and help people.
Feedback? Let's talk about this post on Twitter.
Technology and journalism in San Diego.