Why secure email still doesn’t stack up

(I wrote this post for ReadWriteEnterprise, where I work. But I wanted to share it with you too.)

Well, this week marks the tenth anniversary of identity-based message encryption with more than a billion secure messages being exchanged annually, according to Voltage, one of the leaders in this space.

This is certainly a surprise. Who knew so many messages were being encrypted? Have you gotten an encrypted email in the past week? How about one that was digitally signed, so you knew for certain the sender’s identity? (like the one pictured below)
[Image: proofpoint msg.png]

Okay, how about in the past year? Let’s see — I can remember just one. Yes, from one of the encrypted email vendors! Doesn’t count. I guess someone else is receiving more of my share of the bounty.

Encrypted email should be the norm, not the once-in-a-lifetime event. We all know that we should use it. Haven’t we all been schooled that sending emails is like having a post card plastered to the wall of your local coffee bar? Haven’t all the various exploits with stolen credit cards and easily guessed passwords of Sarah Palin’s Yahoo account been warning enough? Apparently not.

Well, we have come a long way, baby, to reach that billion burgers being served number. Back in March 1998, I penned this post from work that Marshall Rose and I did on our Internet Messaging epic book. We said:

The state of secure Internet email standards and products is best described as a sucking chest wound. Think that characterization is unprofessional? It is actually quite detached considering the amount of culpability enjoyed by the principals of the Internet’s secure email debacle. There are no technologies that are multi-vendor; interoperable; and, approved or endorsed by the Internet’s standardization body.

(If you want to jump into your wayback machine, here is the link to my column written back then.)

Rose, for those of you who don’t know him, was one of the authors of the POP protocol, among other Internet standards. He was one of the truly delightful characters that got this whole Internet thing going back in the days before others started taking credit for its creation. (We won’t mention any names of former vice-presidents here.)

Things today are better

True, things have gotten better since then, at least from the technology side of the house. We have some standards, we have some multi-vendor interoperability, and we have some products that don’t require a PhD in cryptography to install and use (Voltage is one of them, RPost that I wrote about earlier this week is another, and Proofpoint, seen below, is a third).
[Image: proofpoint 3.png]
But why is secure email still virtually unused to this day? I can think of five reasons:

First, plain Jane unencrypted email works mostly well 99.9% of the time that we use it. Yes, people still hit “reply all” when they don’t mean to, and just this week a flustered PR flack tried to send me email at RWW.com, a domain that I have nothing to do with. And return receipts would be nice (Google is working on it). But most of the time messages go out over the pipes and Inter-tubes and arrive at the intended recipient.

[Image: mimecast outlook menu.png]

Second, many IT admins are still under the mistaken impression that securing their email is either expensive, cumbersome, or requires a symmetric solution for both recipients and senders. None of these are true today, although they were for many years. I guess these admins didn’t get the message that all is well in email land now. Maybe because it was encrypted. Some products, like Mimecast, even have Outlook plug-ins, as we are showing here. How much easier could it be, really?

Third, email is no longer the lifeblood of business communications that it once was, sad to say. (Hey, I wrote the book, I am allowed to mourn for a few more years.) More stuff gets sent via text and IM or lives inside Facebook or internal social networks such as Yammer, SocialText et al. Email is, shall we put this delicately, too slow for the modern era. Of course, IM is even more insecure than email, and we won’t even get started with Facebook and security.

Fourth, spammers didn’t help matters either. More messages are spam than real, and most corporations would quickly fill those Intertubes up if they didn’t cut off spam at the source. Yes, some bigwig spammers have been taken down, but there are many waiting in the wings, being trained in middle school it seems now in some former Soviet republic, to take their place.

Finally, much of our communications isn’t one-to-one anymore. Never gonna happen, the horse is out of that barn forever. We have group discussions and chat rooms: imagine trying to get all that parsed into a series of email messages? Why do I need to send an email when I can just click on the “like” button or send a smiley face and make my feelings known to my entire MyFaceTwitverse?

So celebrate the billion-man message march towards encryption, why not? And do share some of your favorite email memories: soon our children will be reading about this technology like they look upon phones with dials, faxes, and the pony express.
