As a number of recent news stories in the past few months have demonstrated, neither our senior business executives in charge of billion dollar companies, nor the members of powerful governments apparently know how to protect and digitally sign their email communications. This points to the problem of being a coddled cog in a system, rather than being autonomously aware enough to independently take the right measures.
We've had the capability to use open source encryption and signature authentication methods en masse for close to two decades now, to standardise these, and yet unbelievably, on these issues email remains as primitive as it was in its first incarnations. There are a number of reasons why I believe this has happened:
Lack of user education and demand
"I've got nothing to hide, what do I care" is perhaps the regular response many people continue to use. As the story from the Coca-Cola email hack demonstrates, clicking on an unverified email sender's link can land you in a lot more trouble than just having someone else read your email. Increasingly, there are also fewer boundaries between personal and business data, which makes a holistic precautionary approach and user education even more necessary. It also remains far too easy to spoof an email address and falsely gain a user's trust.
Complexity and cost of implementation
Of course implementing new measures into a system is always going to place additional loads on a company, both in terms of know how and other costs. Lack of user demand also means that such a decision would be hard to justify in the boardroom. That being said, companies can create value in such measures by playing a role in educating users and creating differentiation from competitors. Letting people know that you're protecting them, is usually good for business.
Dissuasion by outside forces
Let's face it, if you want to monitor communications, it doesn't help to have any sort of barrier placed in front of you. Even if we make the unfounded assumption that some governments can break the strongest publicly accessible encryption methods, the demands of having to decrypt a few hundred billion messages a day (and growing) is going to introduce additional costs, both in time, processing power, and possibly human resources - meaning having to throw more money at the problem.
It might be that a combination of all the above issues are responsible for the continuing woeful state of email integrity, but sooner or later if we're all going to collectively fight back against the spammers and criminal hackers, the big players in web mail (Google, Microsoft, Yahoo - all US based companies) are going to have to step up and do more to protect their users. Protecting every message instead of the few that we deem sensitive, creates a much bigger headache for potential attackers.
The time has long since passed for only a minority of us to have the know how or desire to implement this layer of protection, so those that don't wish to wait for their webmail provider or IT department to take action, will have to do this on their own. In a future post I'll be going over a few relatively easy open source solutions which you can implement for yourself or your business's email communications.