There has been much written on the subject of encryption over the last couple of years, a great deal of it coming on the heels of the revelations of warrantless government wiretaps and driftnet data collection techniques. The Snowden leaks were pivotal in this regard: numerous secret programs were brought out into the light of day.
The drive was on, with people tub-thumping that we should “encrypt all the things!”, and they weren’t wrong. They were missing a broad stroke, however: they weren’t taking into account the wider audience. What do I mean by that? Well, the “which icon on the desktop is the Internet?” people, for starters. The non-technical folks amongst us are the most vulnerable and the ones who need the most help.
Oh right, them. Security folks tend to have a low tolerance for others who “don’t get it”, and this is a real problem. How do we move beyond this issue? One thing that I’ve observed over the years is that security people are very good at talking amongst themselves but simply atrocious at talking to other groups, and especially to non-technical folks.
So, how do we include the wider audience? Well, first off we have to realize that it is time for a better mousetrap. Encryption products need to be approachable and simple to use. I had occasion to ask a couple of people that I know well in the industry for their perspectives.
First off I spoke with James Arlen, Director, Risk and Advisory Services, Leviathan Security Group. He had this to say: “Even the most simple kind of encryption – the kind that C-51 and the USA PATRIOT Act abhor – is not easy to use. Setting up S/MIME encryption on email, while still based on X.509 certificates and Global PKI, is still approximately a bazillion times better than no encryption at all. It’s not that you’ve got a reason to hide anything, it’s that you want to ensure that your communications are reasonably private (as a normal person) and that communications with an expectation of privacy/confidentiality – with your lawyer, accountant, realtor – are actually transmitted and received by the intended parties.
But we don’t make it easy. It’s not the default. It’s esoteric knowledge held by the technological priesthood and doled out in wafer-sized bites to the faithful on rare occasion.
In much the same way that the infosec people decried TouchID from Apple as an inappropriate and unsafe thing, it did DRAMATICALLY increase the number of people using PINs on their devices – which has the interesting side effect of engaging device-level encryption. Is TouchID perfect? No. Is having systems like TouchID (easy, obvious, good enough) better or worse than NOT having them and working towards the Security Nerdvana that the priesthood in their black t-shirts and tac pants requires?”
Exactly! This lack of ease confounds most users and leads to the inevitable slack-jawed shrug when people are met with the question “Do you encrypt?”
I then posed the question of how to improve adoption of encryption amongst non-technical people to Wendy Nather, Research Director, Information Security at 451 Group. “Those who grew up building the technology that we use today tend to lose sight of the fact that most users don’t want to be builders. If you’ve got a pen, you don’t want to know how it works or how to fix it; you just want to get your writing done. If it breaks, you just get a new one. Encryption needs to be as invisible and trouble-free as that.”
I could not agree more.
When I hear people carry on about the need for more encryption I have to agree, for the most part. I want to see encryption become easier to use, so that people don’t have to puzzle out the how of it so much as simply be able to use it.
(Image used under CC from kchans)
This article was written by Dave Lewis from Forbes and was legally licensed through the NewsCred publisher network.