Every once in a while we read yet another article revealing the level to which e-mail encryption is uncommon. The last one I saw is here. Whenever the debate is raised about how come e-mail encryption is so seldom used, we hear the common opinion that e-mail encryption is just not easy enough for the commons; yet. It is not intuitive enough, it is not user-friendly, it is too intrusive to the typical work-flow, and so forth. Indeed, e-mail encryption for the masses is with us for more than a decade already, and other than a few geeks and a few privacy-savvy individuals, people just don’t use it.
Vendors do their best. Each e-mail encryption product vendor tries to make his solution stick out of the pile in terms of ease of use and level of automation. They buy into the story of “people will not use it unless it is easy and intuitive” and try to make their product even easier to use than before. They do their best. Most e-mail encryption packages today will do almost everything automatically, by integrating with common e-mail clients. Just make sure you import a public key once, and each e-mail message is encrypted either automatically or at a tick of a checkbox. Still, people don’t buy.
I would like to challenge the common wisdom here. I don’t think people forgo e-mail encryption because it’s too complex, or too intrusive. It’s not this mighty key management nightmare that keeps people off PGP and other products. After all, these same people confronted much greater challenges when they needed to. Mastering Microsoft Word, even to the level required for typing a simple letter, is way more demanding than searching key servers for a key to import. Secretaries who never imagined using anything more complex than a typewriter are now using Microsoft Excel and writing their own formulas into cells when they need to. Just using a typical e-mail client required much more customization of work habits and much more learning of new skills than using an e-mail encryption plugin that merely adds a few keystrokes and the understanding of a few simple concepts.
I believe that the true reason people just don’t use e-mail encryption is simply because they don’t really think they need it. Most people naturally do something that is very hard for security people to do - they look at security from a genuine financial perspective. They see what they give and what they get in return. It’s not that e-mail encryption is too difficult for them to grasp and use - it’s just not worthwhile.
I think that most people don’t encrypt their e-mail because most people think they have nothing to hide, and most really do. The ones who do speak business over e-mail from time to time figure that the scenario in which someone actually taps into their e-mail, just to find this particular message, is too remote to actually deploy a new product and a new procedure just to mitigate it. They also may have a point, sometimes, depending on the scenario.
To summarize my opinion, most people don’t use e-mail encryption not because it’s not easy enough or because it’s too intrusive, but simply because they don’t truly believe they need it. If any vendor wants to increase his sales of e-mail encryption products, he should focus less on sharpening the already-sharp GUI and more on evangelism…