Navigation Galaxy Social Interests Esoteric Ramblings Political Colophon Site map

Email Security Adoption

08/21/2003

Summary: I think email security like smime and pgp (ie. security to provide encryption and authentication) is unlikely to be widely adopted. I must say I'm for email security in theory but in practice I avoid using it. The way I see it, the infrastructure is not yet ready for it and society is not yet ready for it either. This keeps me from making any predictions as to when adoption is going to happen (or even whether it is going to happen). Let me explain.

To support email security, not only email software itself must be secure but the rest of the infrastructure (the OS, the hardware, etc) must also be secure because at the very least the keys must not be compromised. Right now, the infrastructure is not secure enough. It's not that things couldn't be made better but the current mix is not good enough. Imagine a world like the one we have today but where email security is used in full swing. All the worms, virii and other crap would snatch private keys and install keystroke loggers. So the system would pretty quickly fall on its face. You just need a few horror stories carried by the media and people would stop trusting the system. Then there's the whole maintenance aspect: having to apply security patches as soon as they are out.

It's rather paradoxical though because I think email security is probably more practically secure now, due to its unpopularity, than it will be when it takes off. Because of its narrow current use, it's not a worthwhile target right now.

Then the other aspect is the cultural aspect. Our society hasn't developed the culture required for the use of email security. Actually, I think this is true of all cryptographical systems that would be used during the course of social interactions, not just email security.

The first problem is developing security-minded behavior. Even techies have a hard time with this so, obviously, the rest of the population is really struggling. Then you have some parts of the population that are particularly at risk. I can think of some of the elders in my family who are quite intelligent people but would have a hard time thinking in terms of secure behavior. They just didn't grow up with that kind of thinking in mind. (Which raises an interesting thought: will it take a generational turnover before security becomes a normal feature of social interactions?) The basic example of security-minded behavior is the selection of secure passwords but then there's the necessary thinking in terms of "hostile environments" where the question is "if I use security in this environment, which I don't control, am I at risk of being attacked?" What if the sysadmin at work is not as clean as he looks? Can I send an email to my bank from work without fear the keys I use to encrypt the message are going to be compromised? Right now, I wouldn't send that email because I know the email can be read by just about anybody... and my bank would probably not accept that email without some other form of verification it came from me. But if email security is used, I may send that email and the bank may decide that my electronic signature is good enough. It requires more sophistication to act securely in an environment of email security than it does in an environment without security.

This whole problem is already present with credit cards, I suppose. Especially if used for online purchases. From what I've heard, it can be pretty darn hard to fix things if a credit card number is abused... especially if the abuse is associated with identity theft.

This brings me to a second aspect of the cultural problem. How do we deal with security breaches? Right now, victims of identity theft have an uphill battle to fight when they try to cleanup the mess left by the thieves. If a whole slew of social interactions become dependent on security what will happen when breaches occur? Who's responsible? How do you prove a breach happened? "Well, boss, you told me to stop production at our Milwaukee plant, so I did it. The email, after all, was digitally signed by you! I verified it!"

Here's a third cultural aspect. How will people manage their keys? Will they keep backups in a safe place? If they don't, will they have to reissue new keys each time they change computers? There may be solutions in the workplace but what about the home computer? If they have a set of keys for work and a set of keys for their private dealings, how are they going to manage the latter? Or if they want to work from home: they're bringing work-related keys into an environment not controled by the IT people of the company. I can just imagine. Oops... lost my keys when the old hard disk crashed... Oops... forgot to copy the keys to the laptop/pda/cell phone.

I realize the solution to the examples I have given so far could be to say that either email is not the proper medium for the interactions given in the examples or that additional authentication is needed (eg. use the phone in the "shut down production" example). It is certainly the case right now, without security, that some interactions cannot be securely conducted by email. But here's an important point, unless email security can significantly expand the set of interactions we can safely conduct through email, it won't be adopted. Or, in more abstract terms, the advantages of using it *must* outweigh the disadvantages. I think the disadvantages are pretty significant right now due to the technological and cultural problems mentioned above, so there better be some serious advantages. If at the end of the day, I can't do more by using email than I did when I had no security, what's the point of learning a brand new passphrase, of managing a set of keys, of putting up with an extra layer of complexity? I might as well stay with the old system, which has no security but requires no sophistication on my part and which I can handle very easily.

That's why I'm loathe to try to figure out if email security, as we understand it today, will be adopted by the masses, if ever. I'm sure things will change but I'm not convinced at this point that smime or pgp will be the solution. (I'm not saying they can't be the solution, I'm just saying that I can't assert that they are.) I can conceive that some revolutionary development in computer science could provide us with the tools needed for the kind of security we need. For instance, I've read that quantum encryption can make a message impervious to eavesdropping: that is, if someone even just looks at the message between the sender and the receiver, you can detect it. This is a significant feature. Now, I don't know how practical it is to implement quantum encryption. Probably not very practical at this point but it just shows that some radical change in what encryption can do may eventually provide the solution to the problem.