We've already discussed the importance of being encrypted. Now it's time to discuss the very real problem of encryption system adoption. How do we get people to actually use encryption?
I have already discussed the importance of being encrypted. Now it's time to discuss the very real problem of encryption system adoption.
It's all well and good to talk about how important it is to encrypt sensitive communications. If you're earnest about the importance of being encrypted, you will, of course, try to help others understand how important it is, too. As things stand right now, you're going to meet with a lot of resistance, though. A lot of that resistance won't even be very easily detectable -- people will smile and nod and agree with you, and ultimately will end up going about their unencrypted lives, not even thinking about the dangers to which they subject themselves every day by never considering how they handle sensitive data.
If you manage to corner someone with evidence of their poor behavior in this regard, the most common justification will probably be, "It's just too hard!" The level of convenience of employing good encryption policies in our daily lives is a significant barrier to adoption by the average, everyday computer end users of the world. Minor inconvenience is no excuse, of course, especially when people will go to far greater lengths to ensure the continuity and integrity of their American Idol series recordings than they will to ensure the continuity and integrity of their encryption identity -- but that doesn't change the fact that, without improved convenience, many people just won't go to the trouble.
There are efforts to ease adoption of good encryption practices, and many of them are very positive steps in that direction. I think of examples like Gpg4win, which eases installation of GnuPG and management of its functionality for users of Microsoft Windows; Adium X, which gives its users OTR encryption by default; and Claws Mail, which seamlessly integrates excellent security and privacy practice with the basic functionality of a "user friendly" e-mail client. We still have a ways to go, of course, but every step in the right direction gets us closer to the goal.
In an "enterprise" environment, the holy grail of (corporate) privacy over e-mail has at least mostly been achieved in the form of PGP Corporation's PGP Universal Server, an offering that provides the entirety of the needed encrypted communication infrastructure we wish our employers would deploy. It doesn't just provide the infrastructure for the functionality, though -- it does so almost invisibly. Once it is in place, PGP Universal Server can make it more natural to use encryption than not to do so. It does this not by making unencrypted e-mail more difficult, but by making encrypted e-mail easier (though it can be configured to make unencrypted e-mail impossible, too, if that is your preference).
Unfortunately, PGP Universal Server is not the universal solvent. It doesn't solve all our problems with regard to getting people to use encryption:
- It doesn't provide complete personal privacy -- it provides corporate privacy, to protect corporate secrets.
- It isn't easy enough to deploy to make it suitable for solving the problems of the average end user.
- It doesn't solve the problems of local key escrow (a fancy term for "making sure you don't lose your private keys") for personal use.
- It isn't a fully distributed system (in part because it is a server-based system that isn't free), and thus isn't sufficient for encouraging universal encryption.
In short, it's an excellent as a tool for your business bottom line -- either as an enterprise looking into security options or a security consultant trying to help your clients improve their practices -- but it will not save the world.
Join the fight
I choose to assume that my typical reader is aware of the importance of being encrypted. This may not be a realistic assumption, but it's the assumption I will use for now. Next on my list is the importance of being earnest.
A key point in the argument for helping others adopt good encryption practice is the fact that, the more of them use encryption, the easier it is for us to use encryption when we communicate with others. Spreading the gospel of good encryption practice helps you, as well as the recipients of your wisdom. Go forth and multiply.
Winning the hearts and minds of end users and IT managers can be difficult, though. Doing so, on a case-by-case basis, requires making a strong argument for the importance of encrypted communications coupled with well-conceived plans for how to help people make setting up, using, and maintaining their encryption identities as convenient and "natural" as possible with available tools.
There is a larger concern here, though: the long run. We, as security professionals and security-aware private computer users, must always work toward making good security practice important to as many people as possible, and as convenient as it can be to employ, if we want to see adoption increase.
Keys to increased adoption include factors like:
- convenient setup
- convenient use
- convenient maintenance
- opportunity to use it
We can do something about all of the above:
- We can improve the convenience of setup by working on, and distributing, software and systems that make use of our encryption identities with a minimum of fuss and a reasonable maximum of automation. This would involve defaulting to secure use when possible, and eliminating the level of familiarity with specific tools necessary to get started.
- We can improve the convenience of use by ensuring that the software and systems we work on and distribute actively seek out opportunities to make use of secure encryption. They should default to using secure encryption any time they detect that "the other end" also supports it, especially when "the other end" is the same software or system later on down the line -- and warn us when encryption is not possible because "the other end" isn't using it.
- One of the biggest problems with getting people to employ an encryption identity properly is the convenience of identity maintenance. This is the biggest reason that good encryption practice is not "fire and forget" -- once we set up our encryption identities (our GnuPG key sets, for instance), we then have to maintain those identities to make sure we don't lose keys or let them get compromised so that we can provide continuity of encryption identity. Greater convenience of encryption practice maintenance without compromising the integrity of the encryption identity is of key importance (pun intended).
- The opportunity to use good encryption practice is a big problem as well -- or, more to the point, the general lack of opportunity is the problem. If someone sets up his GnuPG key set, digitally signs all his e-mails, and generally starts doing everything he's "supposed to," but never encounters anyone else who uses encryption technology for anything, he'll start wondering why he bothered (ignoring for the moment the very real value of encrypting files for storage purposes). Thus, the more people there are using good encryption practice, the more likely people are to adopt and stick to good encryption practice.
The snowball effect
In the long run, we're basically looking to push adoption past some unknown magical tipping-point, where the opportunity and technical convenience combine to overpower apathy and ignorant resistance, creating a runaway self-reinforcing process. We're looking for the point beyond which it's more desirable for the common end user to employ good encryption practice than to fail to do so.
As people more familiar with (and aware of) the techniques and importance of encryption than the general run of humanity, we the security-conscious can help provide some downward pressure on the problem of getting people to adopt and maintain good encryption practice. In addition to working on the software and systems used for good encryption practice to make it more convenient to use, we also need to work on a top-down adoption of both good encryption practice and a desire to get other people to adopt good encryption practice.
As we get more technically astute people to employ good encryption practice and to take up the banner, we can increase not only the opportunity for use of encryption (thus improving the adoption and retension rate), but also the number of people who care about good encryption practice and adoption of encryption that have the ability to improve existing encryption systems and software, create new systems and software, and convince yet more people to adopt good encryption practice.
Even if some of those technically astute people don't start proselytizing -- in fact, even if most of them don't -- greater numbers of such people will increase the pool of skilled individuals willing and able to fix convenience problems in existing systems just because they want convenience too.
It's in your best interest to push things toward that tipping point, to get the snowball rolling downhill, picking up mass and speed. As I said already -- go forth and multiply.