Encouraging email security.

David Picon Alvarez eleuteri@myrealbox.com
Sun May 18 08:44:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> I don't: I think it's more to do with the nature of users.

> Most people I know get a computer for access to the internet and they do
> not want to bother with much else. New Windows users are blissfully
> unaware that there is any other OS and they simply want the machine to
> do everything it is capable of from power up: they do not want to
> bother with the "how".  Linux users and Mac users are generally more
> questioning because they have decided that they are not going to accept
> the defaults offered.  Even so, it is remarkable how many people are
> convinced AOL is "the internet".....

Well, a couple of things here. 1) we're mostly agreeing here about the fact
that encryption is unlikely to be widely used unless it comes by default. 2)
you claim it's not about needs and threat models, but essentially about
laziness and ignorance. 3) I claim that if users don't value their privacy
(which is IMO the reason why they don't use crypto) is not because they're
lazy or they don't know better or the software is hard to set up, but simply
they have different values and they aren't terribly bothered by writing
e-mail in the clear. Just anecdotally, most of my friends know what the
Internet is, but not AOL. I guess that might have to do with market
penetration of AOL in my country.

> Most users wouldn't recognise a "threat model" if it jumped up and bit
> them, and the majority don't care and have no interest in finding out.

Which means they have no threat model.

> Here in the UK, ISPs are required to monitor all internet traffic and
> to pass on anything which is flagged as suspicious to the "relevant
> authorities".  Most computer users in the UK do not see this as an
> attack on personal liberty or their right to privacy, just part and
> parcel of using the internet.  Many MUAs have encryption installed,
> even if it is only S/MIME, and this certainly applies to Outlook
> Express and even the Netscape email client.  Very few people use it
> even so.

With this, you further prove my point that the users' "by default" threat
model is the cause. Users don't care about privacy thus they don't use
crypto. That was my point in the first place. OTOH, S/MIME crypto under OE
doesn't seem very easy to set up to me, since you have to get a certificate,
but I wouldn't know since I use OpenPGP anyway.

> The most we can do is help that minority of users who do want to use GPG
> and know of it even, to use it more effectively.  But we are fooling
> ourselves if we believe that they will ever be a significant number of
> users or anything less than a minority.

100% agree with you. As I said, the only way to see widespread use of crypto
is if it would be included by default in the default MUA, which isn't
happening any time soon, if ever.
- --David.

-----BEGIN PGP SIGNATURE-----
Comment: This message is digitally signed and can be verified for authenticity.
-----END PGP SIGNATURE-----