Why isn't all email encrypted?

More and more of our lives are online now, and more of our communication is happening online. The most ubiquitous communication mechanism is email, and, for better or worse, more people are putting more sensitive information into their emails every day.

With HTTPS becoming a near standard for accessing popular websites (and for good reason) I got to thinking about email security. STARTTLS is used by most major email providers (like Gmail), but that only serves to encrypt messages from relay to relay - it doesn’t provide true end-to-end encryption, from sender to recipient.

With Google Apps taking over the nearly the entire University email client ecosystem, I think it’s safe to say that in the near future, if not already, almost all email will be conducted through a cloud provider like Gmail. When it comes to sending unencrypted messages, you can choose to trust your cloud provider (and all the relays between them and your intended recipient), but I think that’s a mistake because:

  1. Providers have a profit motive that isn’t always in your favor (e.g. contextual ads based on the contents of your messages)
  2. Cloud providers have a less than stellar security record
  3. Good security exists in layers
  4. Trust is not security

Those wearing tinfoil hats right now won’t see the problem because they already use PGP to encrypt all their emails. However PGP, with its near military-grade encryption available to the public, is not a mainstream solution in its current state. We need regular people - the same people who don’t know what HTTPS is beyond a green indicator in the address bar - to be able to communicate securely.

SafeGmail is an interesting take on this problem, and requires fairly seamless, strong security, but it requires sharing of a password of passphrase ahead of time, not exactly something that can happen every day.

I think the reason our email remains unencrypted is that we don’t have a scalable solution for person-to-person encryption. I think PGP is the answer, but we need to find a way to give everyone, including my grandmother, a PGP key that can encrypt and decrypt her communications effortlessly.