Apscitu Mail masthead.
Apscitu Mail motto.

Expert Email News Article tab.

New York Times logo, their PGP public key, ProtonMail logo, goofy glasses media clown.

Incompetent Encryption Is Worse Than No Encryption



By Duane Thresher, Ph.D.          August 17, 2020

When you think of email security, you probably think of encryption. This is not the most important aspect of email security -- your email server is, see About Apscitu Mail -- but email encryption can add another layer of security, which is generally good. You might not use email encryption because you think the NSA, and more competent hackers, can break the encryption, but you are wrong; see No, The NSA Does Not Have Encryption-Breaking Quantum Computers. Or you might not use email encryption because it seems too complicated to use. In that case, you are right. Studies show that even the most user-friendly email encryption system is too difficult for even above-average users to use competently. And incompetent encryption is worse than no encryption because you are lulled into a false sense of security and insecurely send more, and more sensitive, data than you would otherwise. You might go looking around for some one-size-fits-all solution to your email encryption, particularly if you are someone like a whistleblower trying to contact the media, or vice versa, but you would be wrong then too. Your getting competent email encryption requires an IT expert working closely with you, i.e. custom work, like with Apscitu Mail. In that case, you would be right.

Encryption has existed for as long as mankind has communicated. For a readable account of the history of encryption, read The Code Book by Simon Singh (whom I met when the book was first published). You can just skim or skip the last chapter, on quantum computing; see No, The NSA Does Not Have Encryption-Breaking Quantum Computers.

For all that time, until 1977, encryption was symmetric, meaning the encode key and the decode key were the same. This meant the key had to be distributed to all users, which particularly during wars of the past was a huge problem, given the large number of users, the enemy trying to steal the key, and poor communications.

This key distribution problem led to the search for asymmetric encryption, meaning the encode key and the decode key are not the same, and can be generated by each user, not distributed to them.

This search for asymmetric encryption finally succeeded in 1977 when three MIT computer scientists discovered RSA encryption: Ronald Rivest, Adi Shamir, and Leonard Adleman.

With RSA asymmetric encryption, each user generates his own encode key and decode key. The decode key must be kept secret by the user so is called the "private" key. The encode key must be given to whoever wants to send the user an encoded message. In fact, this encode key is supposed to be made public, thus is called the "public" key, so anyone can send the user an encoded message. However, for the best security -- in case someone ever breaks RSA encryption -- even the public key can be kept secret and only distributed to the people the user wants and expects messages from. Key distribution is much easier with just a few people and these days.

It was thought that RSA encryption would only be used by the U.S. Government. However, in the 1980s American Phil Zimmermann thought everyone in the world should be able to use it (he was paranoid, to the point of almost moving to New Zealand). While this may have been an admirable thought, Zimmermann was unethical and incompetent. He illegally used RSA encryption for his own encryption system, which was not well designed. He called his encryption system Pretty Good Privacy (PGP), which is not too reassuring.

Phil Zimmermann made PGP available to everyone and because of this, and because of the extended, very public legal wrangling over it, PGP became synonymous with encryption in the public, particularly media, mind.

Redesign of PGP to make it better-designed and legal led to OpenPGP and GPG. GPG ostensibly stands for GnuPG, which in turn stands for Gnu Privacy Guard. The Gnu Project is a free software project founded at MIT by Richard Stallman (whom I met while I was at MIT). In turn, these encryption systems were used in other encryption systems.

Ironically, for communicating with just a few people and these days, key distribution is not a big problem and RSA asymmetric encryption is not even necessary. Symmetric encryptions can be just as unbreakable as RSA asymmetric encryption. The only reason RSA asymmetric encryption became the standard for encryption was the IT incompetent publicity around it made people believe it was the most unbreakable encryption, without mention that its real importance was that it solved the key distribution problem.

Symmetric encryptions have other advantages over RSA asymmetric encryption. For example, RSA asymmetric encryption is so computationally intensive (i.e. slow), that usually only the key for a symmetric encryption is RSA encrypted and the message itself is encrypted with the symmetric encryption, which is less computationally intensive, while being just as unbreakable, as RSA asymmetric encryption.

Email encryption is complicated. If you don't do it competently, or have an expert do it competently for you, it can be gotten around by the NSA and other hackers. As a VIP that could be disastrous for you.

Perhaps the best example these days of the need for encryption is whistleblowers contacting the media. And perhaps the best example of that is Edward Snowden exposing the NSA's secrets.

(Note that I and the law do not consider Edward Snowden a "whistleblower". Snowden was not working at the NSA in good faith and just happened to see what he considered illegal acts, like a real whistleblower. No, Snowden intentionally went to work at the NSA to steal secrets, which makes him a spy. As an American spying against the U.S. that makes Snowden a traitor. Also, Snowden was a contractor, via Booz Allen Hamilton, for the NSA and at the time whistleblower laws did not cover contractors. After Snowden they did and now we have the situation that contractors are covered by whistleblower laws but are still not subject to Freedom Of Information Act laws. Whistleblowers are rare so if you work in government and want to hide what you are doing, hire a contractor/future employer.)

As the Media IT Incompetents Hall Of Shame (ITIHOS) shows, the media is IT incompetent, even while pretending to be IT experts. The member of the media that Edward Snowden first tried to tell NSA secrets to was Glenn Greenwald, who had been writing extensively about NSA surveillance, which is just IT. Snowden insisted that encryption be used for this. However, Greenwald was so IT incompetent that not only did he not know how to use encryption, but he refused to even try, even after Snowden gave him instructions. Snowden actually gave up 3 months after first contacting Greenwald.

Glenn Greenwald was only lucky enough -- it made his career, which was going nowhere before -- to get the NSA secrets, 5 months after Snowden first contacted him, after Snowden contacted someone else, who finally got Greenwald and Snowden together. (Greenwald did not even realize after this introduction that Snowden was the one who had contacted him 5 months earlier.)

After first publishing the NSA secrets in a foreign newspaper, the British Guardian, Greenwald wrote a book about all this, No Place To Hide, which made his career. But Glenn Greenwald is so IT incompetent that he couldn't fully understand the NSA secrets given to him by Snowden and the book painfully shows this. Edward Snowden himself is IT incompetent and doesn't fully understand the NSA secrets he gave to Greenwald. They are far more revealing if you are an IT expert; see No, The NSA Does Not Have Encryption-Breaking Quantum Computers.

After this fiasco, the IT incompetent, and jealous, media went out of its way to offer encryption to whistleblowers and other tipsters. Of course, all they knew of encryption was Zimmermann's PGP and offering public keys.

I dug into what major newspapers and magazines offered for emailing them encrypted tips. The classic whistleblower newspapers -- the New York Times, Washington Post, Guardian (classic since Snowden and Greenwald) -- offer PGP public keys ... and confused instructions about them, which is to be expected from IT incompetent writers who don't understand what they are writing about.

Instructions are even more important because PGP public keys are so daunting. Hover over it to see the

New York Times PGP public key

for tips emailed to tips@nytimes.com. That's enough to scare anyone off, particularly if they are already nervous about being a whistleblower and along with all the warnings given in the instructions. And I tell you from experience that what exactly you do with that PGP public key varies from encryption system to encryption system. You really have to know what you are doing.

I seriously doubt the media has ever received an important tip by decoding an email encoded with their PGP public key. Even in the unlikely event a tipster could figure out how to encode the email with it, I doubt the IT incompetent media could decode it.

To make things worse, the media probably ignores as unimportant emailed tips that are not encrypted. Incompetent and arrogant is a bad combination. (Also, many media email systems reject or filter out emailed tips, encrypted or otherwise. For example, the Washington Post uses Proofpoint for its email and Proofpoint censors emails without regard to what the recipient wants.)

One indication of all this is the lack of whistleblower stories in the media (and they wonder why). Most stories are taken from other members of the media and/or made up to fit a political narrative. The media has become a closed system. Real news from outside it, like from experts, is excluded. This has led to a news fantasy world (used exclusively, for example, by Wikipedia, Google, Facebook, etc.).

The media is giving up on the idea of giving out PGP public keys for encrypted email tips. For example, last year the New York Times terminated, without replacement, the woman responsible for their PGP public key, their senior director of information security, Runa Sandvik . Sandvik is IT incompetent and a foreigner (from Norway) to begin with, which should have been two big strikes against her (see Principles of IT Incompetence), but apparently not to the IT incompetent New York Times, whose two star cybersecurity writers, Nicole Perlroth and Sheera Frenkel, are in the Media IT Incompetents Hall Of Shame (in fact, Perlroth's photo is the basis for the Media ITIHOS clown). Don't worry about Sandvik though, she bounced back as a "Board Member at Norwegian Online News Association" (where she can do less harm, at least to American whistleblowers).

Now along comes ProtonMail, an email service based in Switzerland and run by foreigners, which promises to take care of all that pesky encryption for you. I first noticed this being used -- i.e. an @protonmail.com address was given -- for emailed tips by the Boston Globe, which writes about my alma mater MIT, and by Wired, the leading IT magazine.

ProtonMail will both drive away whistleblowers and other tipsters and put at risk anyone, like VIPs, who do use it.

Users have to sign up for a ProtonMail account to send or receive encrypted emails and a ProtonMail account is still complicated to use and set up, by the user alone, with instructions written by foreigners. This will again drive away whistleblowers and other tipsters.

Further, ProtonMail uses web apps as email clients (Apscitu Mail does not) and web apps are one of the leading hacking "vectors" used today.

Only emails sent from one ProtonMail account to another ProtonMail account are encrypted. An email can be sent to a ProtonMail account from a non-ProtonMail account -- I've actually done this with the Editor-in-Chief of Wired magazine -- but it won't be encrypted, even though the sender (whistleblower or VIP) might think it must be, with all the hype of ProtonMail encryption.

ProtonMail brags that its email servers are in Switzerland, so its emails are not subject to the U.S. Government reading them. But emails going in and out of the United States are exactly the emails that the NSA reads, since it can be assumed the senders or recipients are not U.S. residents, so not protected by U.S. law against having their emails read. Plus with senders being fooled into sending unencrypted emails, these emails are trivial for the NSA to read.

Incompetent encryption is worse than no encryption. Use Apscitu Mail, and if you want email encryption, have me personally set it up for you and train you how to use it.