Technology: Too few encrypting e-mail, privacy advocates say
March 11, 2001
CAMBRIDGE, Mass. (March 11, 2001 1:01 p.m. EST http://www.nandotimes.com) - Elana Kehoe doesn't like the idea of governments and hackers reading her e-mail as it traverses the Internet. So a few weeks ago, she installed a tool to scramble her messages.
But she's having trouble using Pretty Good Privacy encryption. She knows of only four other PGP users, including her husband, Brendan. That means everything else goes through regular e-mail, which is as private as sending a postcard.
Kehoe has tried to persuade friends to install the free software, too, but they couldn't be bothered.
"Since I don't know that many people who use PGP, I don't know what I can fully do with it now," said Kehoe, a Dublin, Ireland, resident visiting Cambridge for a computer conference this past week.
Her plight reflects a larger problem with e-mail security. Fewer than 10 million people use PGP, the most popular method for encrypting e-mail. That's out of a worldwide Internet population approaching 400 million.
"We've had trouble getting PGP employed across the breadth of society," lamented Philip Zimmermann, the inventor of PGP. "There needs to be more consciousness raised about privacy, but ease of use certainly has been a factor."
Zimmermann said PGP has become simpler. Users now control it with mouse clicks, whereas early versions required typing in commands.
But Zimmermann acknowledged more could be done. He recently joined Hush Communications Corp. in Dublin, which is trying to simplify PGP by moving the entire process to the Web.
Sending e-mail unencrypted is inherently insecure. Network administrators at Internet service providers and employers can read messages at one of several transit points.
The FBI has deployed Carnivore to scan e-mail traffic, and hackers can use software initially designed for network administrators to diagnose Internet problems. Security experts say more sophisticated hackers can even change messages in transit, without the sender or recipient ever knowing.
Without encryption, financial, medical and other sensitive information could fall into the wrong hands.
In fact, Kehoe and her husband had to chide her mother for sending credit card numbers and their accountant for sending tax totals and Social Security numbers using regular e-mail.
"There's a lack of understanding about the way e-mail is transmitted," said David Sobel, general counsel for the Electronic Privacy Information Center in Washington.
The Computers, Freedom and Privacy conference this past week devoted several sessions to encryption and PGP, which marks its 10th anniversary in June.
Part of the problem is analogy. You refer to electronic messages as e-mail, not e-postcards. Most software for sending e-mail carries pictures of envelopes, not postcards.
Furthermore, most people use whatever software ships with their computer.
Though free encryption programs are available for noncommercial use, running them takes several steps: Finding software, installing it, creating digital keys to lock and unlock messages, distributing keys, telling friends to do the same.
And even if Internet users suspect they should do more to protect their e-mail, they figure there are bigger targets.
"Your average everyday user on Yahoo! has a general attitude of 'We're not talking about anything important,'" said Jon Matonis, chief executive of Hush.
That may be true about e-mailing photos or commenting about the weather. Imagine, though, e-mailing a doctor about an AIDS test, only to have filtering software installed on your employer's e-mail server see the word "AIDS" and automatically forward the message to your health insurance company.
Jeff Jones, vice president of PGP marketing at Network Associates Inc., which employs the original PGP team, said a European financial institution once faced unauthorized withdrawals because customers had been e-mailing passcodes. He would not name the company.
The IRS has a policy against communicating with taxpayers via e-mail, and Janus mutual fund company warns customers not to send transaction and account information via regular e-mail.
Many doctors refuse to respond to unencrypted e-mail.
"I'm not so sure patients are so aware of the pitfalls," said John Abess, a Charleston, S.C., psychiatrist who also advises the Web site Healthology.
E-mail encryption generally involves a dual-key mechanism known as public key infrastructure. Under that scheme, one key locks a message, and a different key unlocks it.
People who want to receive encrypted mail distribute a public key that locks messages. A sender uses that person's public key to encrypt the message, which can be unlocked using only the recipient's private key.
The first version of PGP appeared in June 1991. Zimmermann and the PGP team initially had trouble with the U.S. government, which considers encryption a form of munition. The government ultimately backed off from prosecuting Zimmermann and slowly lifted export restrictions on PGP.
A competing standard called S/MIME is used by companies like VeriSign Inc.
Other techniques include Secure Sockets Layer, suitable for Web-based communications, and IP Security, used in virtual private networks that companies deploy for remote workers. A VPN, however, does not address snooping by employers.
Human-rights workers abroad have begun using encryption to prevent oppressive governments from identifying sources and techniques.
But those able to figure out how to use PGP are sometimes still reluctant as long as most e-mail worldwide remains unencrypted.
"The very use of strong encryption signals to the government that this is a group to be watched," said Minky Worden, electronic media director for Human Rights Watch. "In China, the use of PGP alone is enough for you to get rounded up."
© 2001 ANICK JESDANUN, Associated Press, Nando Media