Tuesday, June 3, 2014

Can Encryption Save Email?

Could encryption save Internet email?

Email encryption is something I am thinking about today because of a Google announcement: it is working on a security protocol for sending and receiving email that makes the text inaccessible to anyone else. This announcement comes with the caution that this feature won’t be immediately available — it has just today gone into its formal security review, and will likely need a revision or two before it is ready for the public to try it out.

Already, encryption has quietly been creeping into email over the last two years. If you have a web-based email account, you have probably seen the web pages switch over from HTTP to HTTPS, which means the transfer of messages between your web browser and the email server is protected from snooping. Behind the scenes, there is also “backbone” encryption that protects email messages going from one email server to another. Backbone encryption is relatively new, so at this point it probably covers something like one sixth of legitimate Internet email messages. Probably by the end of this year it will be closer to one half.
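How backbone encryption shows up in a delivered message, as an added example that is not part of the original post: each receiving server records the protocol it used in a `Received` header, and the RFC 3848 keywords `ESMTPS` and `ESMTPSA` mean that hop ran over TLS. The message, hostnames and addresses below are constructed, and the script assumes the servers write those standard keywords.

```python
import email
import re

# "with" keywords that mean the hop used TLS: RFC 3848 (ESMTPS, ESMTPSA,
# LMTPS, LMTPSA) and the RFC 6531 UTF8 variants.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample message (not real traffic): three hops, the middle one in plaintext.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS id abc123 (version=TLS1_2); Tue, 3 Jun 2014 10:02:11 -0400
Received: from relay.example.net (relay.example.net [203.0.113.5])
\tby mx.example.net with ESMTP id def456; Tue, 3 Jun 2014 10:02:09 -0400
Received: from [198.51.100.20] (client.example.net [198.51.100.20])
\tby relay.example.net with ESMTPSA id ghi789; Tue, 3 Jun 2014 10:02:08 -0400
From: alice@example.net
Subject: constructed test

body
"""

def strip_comments(text):
    """Remove parenthesised comments, innermost first, so nested ones go too."""
    prev = None
    while prev != text:
        prev, text = text, re.sub(r"\([^()]*\)", " ", text)
    return text

def hop_info(received):
    """Return (receiving host, protocol keyword, used_tls) for one Received header."""
    bare = strip_comments(" ".join(received.split()))  # unfold, drop comments
    by = re.search(r"\bby\s+([^\s;]+)", bare)
    proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare)
    keyword = proto.group(1).upper() if proto else None
    return (by.group(1) if by else None, keyword, keyword in TLS_KEYWORDS)

def hops(raw_message):
    """Hops in delivery order (Received headers are prepended, so newest is first)."""
    msg = email.message_from_string(raw_message)
    return [hop_info(h) for h in reversed(msg.get_all("Received", []))]

def all_hops_encrypted(raw_message):
    path = hops(raw_message)
    return bool(path) and all(tls for _, _, tls in path)

if __name__ == "__main__":
    for host, keyword, tls in hops(SAMPLE):
        print(f"{str(host):22} {str(keyword):10} {'TLS' if tls else 'PLAINTEXT'}")
```

Only the `Received` headers added by servers you operate can be trusted; earlier ones are written by the sending side and can claim anything.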

Here is what intrigues me, though: the combination of endpoint encryption and backbone encryption may also provide some protection against email spam. Email spam, to be effective, has to be sent without disclosing who the sender is. Because of that, I think it would be very hard for email spam to be encrypted. And remember that roughly 99 percent of Internet email is spam — if you see less than 99 percent spam in your inbox, it is mainly because email servers tend to filter out the most repetitive messages along the way. Legitimate messages increasingly tend to be encrypted; spam messages, not so much. So encryption may shortly come to be a sign of legitimate, non-spam communication.

That, of course, is quite a turnaround from last year, when merely sending and receiving encrypted email was enough to get some American companies shut down by the government or hauled into court. The White House said at the time that it thought all this encryption was a sign of international espionage. But the government is not about to shut down Google. Meanwhile, if everyone is sending encrypted email — and you will be too, if you have an email account with Google, AOL, Microsoft, Facebook, and the like — it can no longer be taken as a sign of anything unusual.

Google’s suggestion for end-to-end email encryption puzzles some people, as it also defeats a part of Google’s text mining that it depends on for its advertising business. With end-to-end encryption, even Google will not know what words you are using in your email messages. But the greater threat to Google is if people decide it is too risky to be on the Internet — and making encryption broadly available is a way to reverse some of that risk.

That people feel threatened by problems on the Internet is not merely a hypothetical concern. A survey found that 1/4 of Americans had stopped their online buying entirely for at least a week after the data-loss fiascoes at Target and eBay, and only about 1/3 felt they had been unaffected by those events. There is other evidence that people’s email habits have been significantly shaped by both the NSA and spam.

So if a level of security can be added to email, that too will change the way people communicate. It is not as if we are about to start revealing our deepest thoughts in email, but perhaps we will start to exchange ideas more freely again. That result seems entirely possible if email can be made more secure over the next year or two.