Robert J. Hansen rjh at
Thu Feb 2 00:27:04 CET 2012

On 2/1/12 6:08 PM, Hauke Laging wrote:
> My question was NOT "Why do so few people use email cryptography"?
> But that is the question this paper wants to answer.

Your statement was, "I just don't understand why someone who has
understood the concept[s] and is capable of [using the software] should
not use that technology for his email."  That's a statement, not a
question: I inferred your question as, "Why is it people who understand
the concepts and are capable of using the software don't use it for
their email?"

And that is, in fact, exactly the question they're answering.  "In this
paper we try to identify additional barriers by interviewing a set of
users from an organization that relies on secrecy.  Our interviews
demonstrate that users' attitudes about encryption, and the social
significance users attach to it, are an important factor in limiting

Their central finding?  It's not a technological problem: it's a social one.

> Some points from the paper:
> • It is (mainly) about people not familiar with GnuPG in some context
>  different from email.

Incorrect.  GnuPG is never mentioned in the paper.  The NGO mentioned in
the paper is PGP-only.  Some of their case studies (Woodward) used PGP
to encrypt files on their desktops: others (Abe) were email-only.  Some
were email-only (Jenny) but abandoned it, others... etc.

> • Most or even all of those users did not have an environment which
> creates signatures or encrypts automatically.

Incorrect.  The paper makes it clear they had plugins available to do
the process automatically.  "In addition, [Woodward] distrusted plugins
for email programs, relying on encrypting the text of a message first
and copying it into his email program later."  That sentence only makes
sense if they had access to plugins.  Further, PGP circa 2006 shipped
with email plugins.

Another user, Abe, "used encryption to protect financial data ... [he]
believed this setup was simple."  From that I infer Abe had suitable
tools for the task -- which is quite plausible, given we know they were
using PGP.

More information about the Gnupg-users mailing list