Why instructions are not enough for promoting email encryption

Off the Beat: Bruce Byfield's Blog

The Free Software Foundation (FSF) took a step in the right direction when it recently released Email Self-Defense, a guide to encrypting email using Enigmail and GNUPG. More screen shots might improve it, but on the whole it's a clear and well-organized explanation of a topic that puzzles even some intermediate users. I suspect, however, that to get people to encrypt email is not so much a matter of releasing clear instructions -- many of which already exist -- as a matter of overcoming deeply embedded attitudes.

Admittedly, privacy and personal security have become popular topics in the media over the last couple of years. However, to conclude from this popularity that people actually want to learn how to protect themselves may be too large a leap. For over two decades, the media has published stories about the dangers of computing -- often with gaping inaccuracies. These stories are rarely calls to action -- instead, they seem designed to reinforce the impression of computers and the Internet as scary technologies. If anything, these stories discourage action, because they make casual users believe that computers and the Internet are far too dangerous and complicated for them to tinker with them.

Yet even if casual users can be convinced that they can act to protect themselves, convincing them that they need to do so remains difficult. The perception is still widespread that only crackers, stalkers, and such people need worry about loss of privacy. The idea that there are many classes of people who need privacy for legitimate reasons -- for example, whistle-blowers or women being stalked -- is only slowly being accepted at best. The Nym Wars over Google+'s insistence on real names or registered aliases, and Facebook's seemingly endless erosion of its users' privacy are constantly reported, yet have done little to drive users away from such sites.

Which brings up another point: If asked to choose between convenience and security, too many users will pick convenience every time. I first made this observation when I helped neighbors to set up passwords and limited accounts, only to find that they had undone my changes after a week, but it seems to hold true in other instances, too. No matter how clear the instructions are or how intuitive the interface becomes, encrypting email may not catch on simply because it requires extra steps. Even if the encryption takes less than thirty seconds, that is still about twenty-nine seconds too long to feel convenient to many users.

Given current attitudes, a very real chance exists that encrypted email will be seen as simply too complicated to become widely used. The FSF has chosen a relatively simple method using Thunderbird, but not everyone uses Thunderbird or will switch to it for the sake of security, and setting up encryption on other email readers can be much more difficult.

In the end, encryption is very much like the email services of about a decade ago that limited email to those on a white list. The setup and daily use of these services soon proved more than people wanted to bother with, and in a year or two most of the services disappeared, made extinct due to a lack of interest.

What this means is that clear instructions, as praiseworthy as they are, cannot be enough. For the FSF's campaign to succeed, it needs to be supported by people with some understanding of the difference between casual users and hardcore geeks. It needs to convince people that simply a belief in privacy is enough to justify the use of encryption, that encryption is necessary and carries no stigma. And while it is busy changing people's minds, it needs to convince email client projects that encryption should be no more difficult than running a spell-check. Spreading clear instructions, which apparently is the next step in the FSF's campaign, seems not nearly enough -- no matter how well-crafted the instructions.

Advocating encryption, it strikes me, is comparable to being an anti-smoking activist in the 1990s: with considerable effort, you can bring about the change you advocate, but you have to be prepared for years of efforts to change people's minds. Without this effort, all the instructions in the world will not be enough to make encryption routine.