posted on November 16, 2013 in security, twitter

GnuPG Is Still Too Hard To Use

You should encrypt your emails. Actually you should encrypt anything you do not want other people to see. While talking to tech-savvy people this is a common sentence you hear, especially the last few month after the whole Snowden and secret agency revelations. What I find mildly amusing is that people actually believe encryption is so easy that everyone can use it.

I am aware that there are things which are quiet easily usable by everyone. Some services and tools work great and some of them are just snake oil. I do not want to talk about all the different tools and which make sense. I want to specifically talk about encrypting your mails.

My benchmark for "the ordinary user" are my parents. They both have a tech background but started pretty late using computers. They know their way around most problems, can install software, update their systems and are able to tell me the exact error message and what they did when calling me, asking for help.

You do not just download GnuPG and start using it. You install it, create keys, fetch the recipients key and so on. Especially the part involving keys and key servers is the hard one. Not to mention different key servers. Before being able to actually encrypt a mail they have to learn about all this things. It is nothing they could knew from anything they have ever used before. Now you could argue that learning new things is always necessary, more about that shortly.

The next thing that will just fail is reading mails on most mobile devices. I know, I know... Android can do this if,... blablabla. On most mobile devices it does not work in a convenient way, if it works at all. So instead of just checking mails they would have to wait till they are at home or in the office. I remember doing this - I think it was in the late 90s.

And if this is not enough: updates break the GnuPG integration. "Just reinstall it and it will work again". Pretty comfortable and a pretty obvious solution, huh?

The Ordinary User

An ordinary user does not want the most secure and mathematically proven system. The ordinary user actually does not even understand why he or she would benefit from encrypting mails. "Hey mum, you HAVE to encrypt your cake recipe you are sending me, the NSA could read it otherwise!". I am aware that this is a great oversimplification and that there are valid arguments why you would even want to encrypt your cake recipe - but I hope you get my point. Raising the awareness and explaining the benefits and reasons to encrypt things is exceptionally hard if it goes hand in hand with losing comfort or increasing the overall complexity of standard tasks.

Users who do not care about computers became used to the fact that they can just sit in front of this thing and do what they wanted to do, without blue screens, drivers and all the other things we wasted the 90s and 00s with. Starting to use a secure encryption software would set most of them 20 years back. "You have to learn this and this and that. Than you can do this but beware of doing that". No matter how many secret agency programs would become public, you will likely not be able to convince a user who just "wants this thing to work" to use GnuPG as it is right now.

I have no solution for this problem. I also never thought about how you can improve the usability of GnuPG to be honest. There are mail services, which are just built or on kickstarter, that will try to solve this. And this is the best thing that could actually happen for "ordinary users". A system that just works server side without bothering the user or forcing him to learn something new is a system that could be adopted by the masses.

I would love to talk to you about this post, your ideas or awesome projects.

I am @fallenhitokiri on Twitter and GitHub or you can send me a mail.