Recently a colleague's tweet took me to a news article promoting the use of secure (encrypted) email. The article was promoting this as a sensible thing to do, and provided a checklist of how to do it.
Outside of closed user groups, I doubt many people will. Why?
I sent my first signed and encrypted email in the early 1990s as part of a European Commission funded research project (Password). The technology has existed for a long time. Ever since then there has been a steady stream of new products and services moving the state-of-the-art forward. This is not a technology issue. My employer, Nexor, has a long and successful track record of delivering secure / encrypted email systems. The technology works.
In 1998 I led a global EEMA project successfully demonstrating interoperability between over 20 major vendors worldwide. This is not a standards or interoperability* issue.
The key phrase in my initial statement was “outside of closed user groups”.
The article referred to above does admit to an issue in the “Potential Pitfalls” section at the bottom:
“you need to make sure that the person to whom you are sending the message has the tools to be able to decrypt it and read it”
This is key to the failure.
In a closed user group you can:
- Control the end user environment, to ensure compatible software*;
- Deploy a PKI, the critical step in providing the security controls.
As soon as you step outside a closed user group^, and try to provide secure email to the masses on the Internet, you hit infrastructure issues:
- Lack of PKI deployment – do you have a personal PKI certificate? Would you buy one (last time I did, it was too hard)?
- Lack of knowing what to do when the user interface presents a “certificate error”
- Email gateways tend to break signatures
- Signed emails tend to break email client functionality such as preview
- Availability of client software on all platforms I use (I read email on my phone/iPad/PC and Web Browser – the relevant software and certificates need to be available on each – too hard right now)
Infrastructure issues are hard to solve. Our industry is littered with good concepts that did not take off as expected due to infrastructure failures, including smart cards and distributed directories.
But there are also successes: the Internet would not work without the DNS infrastructure, for example. I am sure there are far more in-depth studies as to why this is than I could do justice to here, but for me it’s relatively simple. Motivation. Infrastructures only get built when a motivated party invests in making it happen – today the desire for an open secure email infrastructure is not there.
Will this ever change? After 20 years of trying as an industry, we have not cracked the issue yet. My personal belief is it will not change until a game-changing technology or approach is found.
The migration from open email to communication via closed user groups could be one such game changer, and we are partly seeing this with social network communications being used as an alternative for many people, especially digital natives.
* Having said this is not a standards or interoperability issue, there is a problem of too many standards – different sets of users may adopt different standards.
^ There has been some limited success with cross-certification. I would argue this simply makes a large closed user group.