Encouraging email security.

David Picon Alvarez eleuteri@myrealbox.com
Sun May 18 08:44:02 2003

> I don't: I think it's more to do with the nature of users.

> Most people I know get a computer for access to the internet and they do
> not want to bother with much else. New Windows users are blissfully
> unaware that there is any other OS and they simply want the machine to
> do everything it is capable of from power up: they do not want to
> bother with the "how".  Linux users and Mac users are generally more
> questioning because they have decided that they are not going to accept
> the defaults offered.  Even so, it is remarkable how many people are
> convinced AOL is "the internet".....
Well, a couple of things here. 1) we're mostly agreeing here about the fact
that encryption is unlikely to be widely used unless it comes by default. 2)
you claim it's not about needs and threat models, but essentially about
laziness and ignorance. 3) I claim that if users don't value their privacy
(which is IMO the reason why they don't use crypto) it is not because they're
lazy or they don't know better or the software is hard to set up, but simply
because they have different values and they aren't terribly bothered by writing
e-mail in the clear. Just anecdotally, most of my friends know what the
Internet is, but not AOL. I guess that might have to do with market
penetration of AOL in my country.

> Most users wouldn't recognise a "threat model" if it jumped up and bit
> them, and the majority don't care and have no interest in finding out.
Which means they have no threat model.
> Here in the UK, ISPs are required to monitor all internet traffic and
> to pass on anything which is flagged as suspicious to the "relevant
> authorities".  Most computer users in the UK do not see this as an
> attack on personal liberty or their right to privacy, just part and
> parcel of using the internet.  Many MUAs have encryption installed,
> even if it is only S/MIME, and this certainly applies to Outlook
> Express and even the Netscape email client.  Very few people use it
> even so.
With this, you further prove my point that the users' "by default" threat
model is the cause. Users don't care about privacy thus they don't use
crypto. That was my point in the first place. OTOH, S/MIME crypto under OE
doesn't seem very easy to set up to me, since you have to get a certificate,
but I wouldn't know since I use OpenPGP anyway.
> The most we can do is help that minority of users who do want to use GPG
> and know of it even, to use it more effectively.  But we are fooling
> ourselves if we believe that they will ever be a significant number of
> users or anything less than a minority.

100% agree with you. As I said, the only way to see widespread use of crypto
is if it would be included by default in the default MUA, which isn't
happening any time soon, if ever.
--David.

Comment: This message is digitally signed and can be verified for authenticity.