To encrypt or not? That is the question

Encryption hasn't become the privacy panacea it was promised to be in the 1990s for e-mail, but it's making headway on hard drives. Here's a look at why communications encryption isn't mainstream, yet.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Even before someone hacked Sarah Palin's Yahoo Mail account I had been wondering whatever happened to encryption.

Encryption -- the science of rendering plain text unreadable by anyone but the intended reader -- made a splash in the mid-1990s. At the time the U.S. government was investigating human rights activist Phil Zimmermann for allegedly violating the Arms Export Control Act by distributing his PGP (Pretty Good Privacy) e-mail encryption software. The government eventually relaxed the restrictions and PGP was no longer programa non grata.

Nearly a decade has passed and it struck me recently that encryption still hasn't become a household word, although anyone who uses a Web browser has had his or her communications with sensitive Web sites encrypted without them even necessarily knowing it.

But outside of the SSL activity being done behind the scenes, people haven't been downloading encryption software to keep their online communications private. Hardly anyone I know uses encryption, even at work. Given the government's targeting of journalist sources and my own personal brush with an attempted hack, I decided to look into whether encryption would be a good idea and why it isn't more widely adopted.

First, a test drive
My first question was, is it still complex and difficult to use? My sense after trying out a free trial version of PGP Desktop Email ($149 after the one-month trial) is that it may be easier to use than it once was, but that it's still more complicated than necessary.

I downloaded the software and followed the prompts as it generated a public key for people to use to encrypt messages sent to me, and a private key for me to use to decrypt messages. I picked a password and published my public key to the Global Directory Server for people to find it when sending me encrypted e-mail. I sent an e-mail to Zimmermann as a test and he said it arrived encrypted, so I knew my PGP was working.

This screenshot shows the PGP Desktop Corporate Key Properties window with details of my key.

But then I noticed that reading and sending e-mails was slower than it used to be. It was taking a few seconds to try to authenticate every e-mail signed with a key and to search for keys to encrypt e-mails I was sending. Even after I changed the PGP settings so that it wouldn't automatically look up keys for each recipient, it was still taking time trying to authenticate signed e-mails.

While the software is more user-friendly now (requiring fewer hoops to jump through than the free, open source versions of PGP), there was a slight performance trade-off and you still need to set policies and manage keys, which can be a hassle. For instance, because I turned off the automatic key look-up feature for encrypting I now have to manually get keys from people I want to send private e-mails to or look them up in a directory and spread my key to others. Keys for others are not always easy to find either. For me, it's not worth the effort at this time.

But the larger concern is self-perpetuating; because there are so few people I can send encrypted e-mail to I'm less likely to use it, which means that there are likely fewer people overall using encryption. All the software upgrades, automation and enhancements in the world can't change the fact that using encryption for e-mail requires that both parties have the same software installed for it to work.

"The biggest problem in the space has always been the lack of ability to send an encrypted message to someone who wasn't using encryption," says Nick Selby, director of the enterprise security practice at The 451 Group, who uses Gnu PGP.

Corporate workers have it easier than consumers; IT departments can handle the complexities of encryption software and manage the keys. E-mail encryption services from providers like Postini (now owned by Google), CertifiedMail and Voltage Security allow companies to outsource the function, easing the process further.

Despite that, a recent survey of more than 200 organizations conducted by CertifiedMail and Osterman Research found that frequent e-mail encryption users represent 18 percent of the total e-mail users and more than 50 percent of the total are infrequent users. Meanwhile, 21 percent of organizations have an enterprise-wide encryption strategy, according to a survey of 975 executives and administrators by The Ponemon Institute for PGP Corp.

For consumers, a no-hassle option is Hushmail, a free Web-based service that encrypts e-mail, scans for viruses and filters spam. The service encrypts mail sent to other Hush users or PGP-compatible e-mail users.

There is some level of encryption for users of the more popular Web-based e-mail services, but it's limited. Gmail encrypts the login and if a user enables always-https, the e-mail and cookies are encrypted as they travel between the server and the browser. Asked if the content on the servers is encrypted, a Google representative said that encryption and access control technologies are used but the company does not want to provide specifics on how it's used.

Yahoo encrypts the login and sends the password encrypted over the network using SSL. Microsoft provides support for S/MIME encryption for Windows Live Hotmail users when using Microsoft Outlook or Windows Live Mail as clients. Windows Live Messenger includes an option to encrypt contact list data. Representatives from Google, Yahoo and Microsoft declined to discuss why they don't give people the option of storing e-mail in encrypted form on their servers.

If you are going to be concerned about keeping e-mail private, why not instant messages too?

I tried Off-The-Record messaging with Pidgin that allows for messaging on multiple IM platforms simultaneously. It was easy to install and use, but here again it only works if both parties are using the software. The popular multi-platform IM software Trillian has a built-in encryption feature called SecureIM. (For information on how specific popular IM programs handle security see the CNET News IM survey from June.)

Maybe it's just too hard to use
The consumer programs still require some user supervision of keys, which is an impediment to their widespread adoption. Consumers don't want to have to think about the logistics of communicating; they just want it to happen seamlessly.

Basically, e-mail encryption has failed to become mainstream (only five percent of all e-mail is encrypted, according to PGP) because technologists under-estimated how difficult it would be for people to manage their own key rings, said Benjamin Jun, vice president of technology at Cryptography Research.

"If we thought about where encryption was 10 years ago and where it is now, in many ways we have failed," Jun said. "You use more cryptography to start your car in the morning than there is in your e-mail, in many cases."

Meanwhile, the very government forces that were fighting use and export of strong encryption a decade ago may now be among the strongest beneficiaries of it.

Phil Zimmermann created the PGP e-mail encryption program in the early 1990s to be used as a tool by human rights groups. The software is available in free, open source versions and commercial versions sold by PGP Corp. Zimmermann serves as a consultant and advisor to the company and has started a new venture for encrypting voice over IP, called the Zfone Project. Phil Zimmermann & Associates

"I don't think the government is doing much to discourage general Web encryption now," said PGP creator Zimmermann. "U.S. computer networks are getting hit hard by organized crime and foreign governments like China, so from a national security perspective there are arguments to be made" in favor of encryption. (The FBI, however, continues to seek access to consumer information for law enforcement.)

As data leaks, stolen laptops and missing backup tapes become commonplace, state governments are beginning to realize they may have to force companies to protect sensitive consumer data. A new Massachusetts law will require that personal consumer data stored on laptops and flash drives--and where feasible data transmitted over the Internet and wireless connections--be encrypted. Nevada recently passed a law that requires that personal data be encrypted before transmission over electronic networks.

"Overall, the legislative environment actually tends to favor encryption more now than in the '90s," with regulations like HIPAA and breach disclosure laws that have exemptions if the data is encrypted, Zimmermann said.

Full disk encryption
A hot area for encryption right now is full disk encryption, in which every piece of data on a hard drive is encrypted. With all the laptops that get lost and stolen, there's really no reason not to encrypt the hard drive.

Zimmermann learned this the hard way, having had several laptops stolen from him in train stations in Europe, including one instance that involved a thief distracting him by tossing yogurt on the back of his shirt. "Everyone who travels with a laptop absolutely needs whole disk encryption," he said in recounting the incident. (Zimmermann's latest venture is the Zfone Project, software for encrypting voice over IP calls.)

Bruce Schneier, chief security technology officer at BT, said he uses PGP Whole Disk Encryption and doesn't really worry about encrypting his communications. "It's data at rest that is at risk, not data in transit," he said.

And renowned social engineer Kevin Mitnick, who spent five years in jail for breaking into computer networks, takes extraordinary precautions using encryption when he travels outside of the U.S. because customs officials can search and seize computer equipment with no cause whatsoever. He was detained for four hours recently at a U.S. airport and had his laptops inspected. Because of that risk, he encrypts his hard drive before returning to the U.S. and encrypts all his confidential data, transmits it to servers in the U.S. and wipes the data from his laptop.

Mitnick says he uses free open source disk encryption software called TrueCrypt. Microsoft's Windows Vista and Windows Server 2008 include BitLocker Drive Encryption. And Fujitsu and other hardware companies offer full disk encryption hard drives.

While rules may force companies to adopt encryption to protect consumer data, there is no outside force pushing individuals to use it. Until people feel more vulnerable they aren't likely to be compelled to install more software, according to Cryptography Research's Jun. "Most alarm systems are installed after a home has been burglarized, not before," he said.

But just because people don't realize they need it doesn't mean it shouldn't be more readily available to them, said Marc Rotenberg, executive director of the Electronic Privacy Information Center.

"Right now, it's not practical. I think that's unfortunate and it should be more widely available," he said. "My hope is that in an IPv6 (Internet Protocol version 6) world encryption will be routine."