So there was this discussion about privacy-oriented #email providers. Which led to urls about this and that and one included this generalization:
Signal is, therefore, the best solution currently available for keeping the actual contents of messages secure. OTR is also a good option for desktop users. – Douglas Crawford
That may be true for M Crawford’s use case. But I (and most everyone I know) use e-mail to get told my purchase is shipping, receive my flight itinerary, and to verify my internet service accounts. You know, the real metadata of life which needs protection.
The fact is almost no one uses any messaging app, however secure, to do the communications involved in financial transactions. You don’t get receipts for paying for dinner via Wire. Your bank is not sending your monthly statement via Signal. I doubt your insurance broker sends reminders via any such channel to renew your coverage.
But this is exactly the kind of thing being done by e-mail. The boring, necessary communications which describe your financial life and well-being.
And until the local delivery grocer is sending everything encrypted, the most important information in your life will be sitting on your mail provider’s storage in plain sight. It seems extremely unlikely, though, the local delivery grocer is going to stir one step to change the way they do business. If you tell ’em you will not give an e-mail address unless they encrypt, they will just shrug and not do business with you.
But if their e-mail provider tells them to encrypt, or they’ll not be able to send e-mails, watch how quick they shift.
That’s the thing, isn’t it? Chicken and egg. Companies will not implement encryption, because not enough clients use it. Clients do not use encryption, because they have no one with whom to use it. E-mail providers do not require it because governments insist they do not, and besides they make a tidy sum on the side with supposedly anonymized mining of your e-mails.
I won’t use your secure messaging apps for business because none of my business work is done on secure messaging apps.
But I will still use e-mail, for all the stuff deemed most important by the people whose business model is to violate my privacy.
So what is the better target here – building better, safer messaging fora, or changing the e-mail protocol to require encryption?
I think it is the latter. And I think that would suddenly overcome the industry-wide resistance to building a painless / invisible cryptokey exchange layer. There is nothing more likely to change the status quo as a slight discomfort for users, leading to competition to alleviate that discomfort.
And those fediverse evangelists who have a head-start on trying to implement e2ee everywhere may just have an edge over their corporate copycats.