The Encryption Dilemma


Recently the Mercury News printed an Associated Press article entitled “More turn to encrypted email amid spying fears”. You can read the article here, and I have attached it below as well. The article states that many internet companies like Google, Yahoo and Facebook are now automatically encrypting users’ messages given the recent privacy concerns.

On the surface encryption sounds like a great solution and it can be, but there is no free lunch here. First of all, any company that keeps your encrypted content and the keys to said content within their company has two issues. The first issue is that any hacker that can break into a company and find the content can probably also find the keys to unlock that content. You would be surprised how many messaging and file sharing companies use this methodology.

The second issue is that the government could force the company to hand over the content and the keys to them. This has happened very recently with a popular social messaging company. No company should hold both the content and the keys, not in their data center and not in the cloud. The keys should be held by the content owner — you, kept safe and out of the hands of the internet companies, government and online thieves.

The second problem with encryption is that doing it effectively makes it harder for the average user. As the article points out, most internet services use Transport Layer Security (TLS), which isn’t the most secure option, but anything better, like end-to-end encryption, comes at the price of complexity and is therefore less widely adopted. Hence the encryption dilemma.
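TLS protects a message only one hop at a time, and only when both mail servers on that hop support it. The following added example (not part of the original post or the article) reads a message's `Received` headers and reports which hops the receiving servers logged as TLS, using the RFC 3848 protocol keywords; the sample message, hostnames and IDs are constructed for illustration.

```python
import email
import re

# RFC 3848 "with" keywords that mean the hop was carried over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; hosts, addresses and IDs are made up.
SAMPLE = """\
Received: from mx-out.sender.example (mx-out.sender.example [192.0.2.10])
\t(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
\tby mx.recipient.example with ESMTPS id abc123; Tue, 03 Jun 2014 13:40:02 -0700
Received: from relay.legacy.example (relay.legacy.example [198.51.100.7])
\tby mx-out.sender.example with ESMTP id def456; Tue, 03 Jun 2014 13:40:01 -0700
Received: from [203.0.113.5] (client.sender.example [203.0.113.5])
\tby relay.legacy.example with ESMTPSA id ghi789; Tue, 03 Jun 2014 13:40:00 -0700
From: alice@sender.example
Subject: constructed sample

body
"""

def strip_comments(value):
    """Drop (possibly nested) parenthesised comments; they can contain 'with'."""
    prev = None
    while prev != value:
        prev, value = value, re.sub(r"\([^()]*\)", " ", value)
    return value

def _field(keyword, text):
    match = re.search(rf"\b{keyword}\s+(\S+)", text, re.IGNORECASE)
    return match.group(1) if match else "unknown"

def audit_hops(raw_message):
    """List hops in delivery order with the protocol each receiving server logged."""
    hops = []
    received = email.message_from_string(raw_message).get_all("Received", [])
    for header in reversed(received):  # headers are prepended, so newest is first
        text = strip_comments(" ".join(header.split())).rsplit(";", 1)[0]
        protocol = _field("with", text).upper()
        hops.append({"from": _field("from", text), "by": _field("by", text),
                     "protocol": protocol, "tls": protocol in TLS_PROTOCOLS})
    return hops

def plaintext_hops(raw_message):
    return [h for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        print(hop)
```

`Received` headers written upstream of your own servers can be forged, so treat only the hops stamped by infrastructure you control as reliable. Even a message with every hop over TLS is still readable by each provider that handled it, which is the gap end-to-end encryption closes.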

Perhaps there is another way. What if you could simply separate the e-mail header from the private content, automatically making in-transit messages private without the need for encryption? And if encryption is used for stored content, it keeps the keys with the owner and simplifies encryption use to the point of transparency for the user. Hmmmm, I wonder if anyone has done this (wink).


Here is the reprint of the Associated Press/Mercury News article:

More turn to encrypted email amid spying fears

Posted: 06/03/2014 01:39:23 PM PDT


SAN FRANCISCO — The volume of email cloaked in encryption technology is rapidly rising as Google, Yahoo, Facebook and other major Internet companies try to shield their users’ online communications from government spies and other snoops.

Google and other companies are now automatically encrypting all email, but that doesn’t ensure confidentiality unless the recipients’ email provider also adopts the technology.

In an analysis released Tuesday, Google said that about 65 percent of the messages sent by its Gmail users are encrypted while delivered, meaning the recipient’s email provider also supports the technology. That’s up from 39 percent in December. Incoming communiques to Gmail are less secure. Only 50 percent of them are encrypted while in transit, up from 27 percent in December.

The volume of email cloaked in encryption technology is rapidly rising as major Internet companies try to shield their users’ online communications from government spies and other snoops. (AP Photo/Damian Dovarganes, File)

Encryption reduces the chances that email can be read by interlopers. The technology transforms the text into coding that looks like gibberish until it arrives at its destination.

Google and other Internet services rely on a form of encryption known as Transport Layer Security, or TLS. Security experts say that encryption method isn’t as secure as other options. But encryption that is tougher to crack is also more complicated to use.

Gmail, with more than 425 million accounts worldwide, was one of the first free email services to embrace TLS. Yahoo, Facebook and AOL also are encrypting their email services. Microsoft Corp., whose stable of email services includes the Outlook, MSN and Hotmail domains, has started encrypting many accounts as part of a transition that won’t be completed until later this year.

Less than half of the correspondence from a Hotmail account to Gmail isn’t encrypted as of late May, Google said. Security is even worse at and, where less than 1 percent of the traffic coming to and from Gmail is encrypted, according to Google.

The Google report comes a year after the first wave of media reports about the U.S. government’s intrusive techniques to monitor online communications and other Internet activity. The National Security Administration says its online surveillance focused on people living outside the U.S. as the agency tried to defuse threats of terrorism.

After lashing out at the government spying, Google and other Internet companies began encrypting email and other online services in an attempt to reassure users worried about their privacy. The Internet companies are hoping their efforts to thwart government surveillance will make Web surfers feel comfortable enough to continue to visit their services. The companies make more money from online ads if their audiences keep growing.

Edward Snowden, the former NSA contractor who leaked documents revealing the online espionage, is among critics who believe the encryption methods deployed by Google and its peers are inadequate. In a March appearance at a technology conference, Snowden described TLS encryption as “deeply problematic” because U.S. government operatives merely needed to obtain a court order or hack into data centers to obtain users’ emails and other information.

Like many privacy activists, Snowden prefers “end-to-end” encryption, a more complicated step that requires a key to decrypt the information contained in emails. These encrypted keys are only held by an email recipient, making it virtually impossible for an unauthorized user to know what’s in the message. This form of encryption takes more technical expertise to do right and can cause more headaches if passwords are forgotten because they can’t be reset. That raises the risk of the email being inaccessible even to the recipient.

Google hopes to make end-to-end encryption easier by releasing an extension for its Chrome browser later this year. The company released the coding for the planned extension to security specialists Tuesday in an effort to detect any weaknesses before making it available to everyone.