Just over two years ago I decided to spend some time digging into an emerging class of encryption tools that were making a solid run at simplifying the notoriously cumbersome use of PGP.
“So I stopped being lazy and have encryption implemented across all of my devices. Now, I have a 4096-bit RSA OpenPGP key, The Chrome extension Mailvelope is handling Gmail encryption, Thunderbird and Enigmail are configured on the Linux box, and IPGMail is setup for the same on my iPhone.”
Now I wasn’t looking to implement the strongest security model. I just wanted to see how challenging it would be to implement and use reasonably safe tools across all of my devices. These tools, all of which sprang to life pre-Snowden, did represent a huge improvement in usability but none of them would have passed the mom test.
Fast forward a very short two years and the landscape is starting to look very different. Free elegant encrypted email services like ProtonMail (listen to my interview with co-founder Andy Yen) and Tutanota are now viable alternatives to Gmail for millions of people. Encryption is baked-in and transparent to the user. If you were creating your first email account today there would be no reason not to start with an encrypted-by-default solution and we are rapidly approaching the point where the absence of end-to-end encryption in some of these tools will be perceived as a fatal flaw by consumers.
Encrypted cloud storage is significantly easier to use as well. Here we see the same kind of evolution from plugins or add-on applications that add encryption capabilities to standalone tools like SpiderOak and Tresorit that encrypt by default. These services greatly simply security by making it a nearly invisible function of the software. Are they as easy to use as Dropbox? Close, but not quite. However, they are reasonably easy. In fact, I use Tresorit for all of my file storage across all of my computers and phone. The convenience penalty is now so slight that it is essentially negligible for a large portion of the user base.
But nowhere has the shift toward usability been more evident than in the mobile app market. People have literally thousands of options to choose from. Although it must be said that the number of good options is substantially lower than the total. Still, the barriers to encrypted text messaging, photo sharing, and even voice conversations on your phone just don’t exist. Secure communication is drop dead simple.
And Now A Warning
The tools that I’ve mentioned here are all reasonably secure. Reasonably. That’s a very important caveat but what does it mean? It means that, as I’ve said before, true security requires more than tools. Every tool and every model has numerous attack vectors. If your secrets are juicy enough, say they’re interesting to a superpower or country with advanced intelligence collection capabilities, then they will find a way to literally or metaphorically read your mail.
Reasonably secure in this context means that people who are not targets of incredibly sophisticated adversaries can expect these tools to do exactly what they say they do. If you are Edward Snowden or on this exclusive list then these tools are not for you. In fact, the internet is not for you at all unless you’re willing to employ a radically different security model. ProtonMail is even honest enough to remind its users of that in a breakdown of their threat model:
You’re probably not the next Snowden (lucky you!) but all of us have to think about who we are, who wants our information (seemingly everyone), why they want it, and what precautions must be taken to prevent that disclosure. Security requires more than an app. It requires thought. And this is why it will always be difficult – even as the tools get easier to use.