In The Guardian article “We need encryption for private communications“, Jeff Jarvis asks tech companies to come together and come up with a plan to offer encryption technology for private communications. This is obviously in reaction to the revelation of the NSA PRISM program. The technology exists, with GPG at the top; however, those in the infosec field know very well that adoption has been an uphill battle.
Let’s face it, it’s not in the best interest of Google, Facebook, Microsoft, Twitter, etc. to provide encryption to their users, both from a business and a technical perspective. These businesses need our data to provide advertisement, which is what pays for the services we use. Encrypting it would mean they lose the ability to see the emails, IMs, posts, pictures, comments, and other content that provides the data they need to target just the right advertisement to each and every user. From a technical perspective, encrypting something is relatively fast, if you’re encrypting your own stuff. If these companies start encrypting all data going through them, I think the encryption system will be a major bottleneck that’ll slow everything down for their users. Not good for their users, not good for their advertisers, not good for their business.
Let’s say Google, Microsoft, and Yahoo decided that they’ll offer PGP encryption as part of their email services, and encryption will happen on the client side (I only selected PGP because it’s the most widely used encryption method for email). They’ll take their chances: those that want to can choose to encrypt their messages, and they’ll even provide a keyserver for their encrypting users to distribute their public keys. They’ll provide targeted advertisements to users that choose not to encrypt their messages. How will your average users move private keys between computers, tablets, cell phones, cars, IFEs, etc.? One of the biggest reasons why users use web-based email is the convenience of being able to type a URL, enter your credentials, and there are your emails.
Demanding that communication providers offer encryption of private communication is great; however, there are major hurdles that need to be overcome from a technological and usability standpoint. At the end of the day, users are still the weakest link in the security chain. If they can’t even generate strong passwords that are not written down somewhere, how can we expect them to manage a private key for encryption?
Cross-posted at Home+Power