Stop Being Lazy: Encrypt/Sign Your Email

Most people think about their own protections when they sign/encrypt their email, what people don’t consider is the privacy and protection of their friends and family. If your mail is intercepted or someone spoofs your address to send an email to your friends, your lack of signed/encrypted email puts you both at risk.

Falkvinge made a clear case for why all collected personal data will be used against citizens. However, what’s more is that the data that cannot be obtained through collection can be manufactured unless you take the proper precautions to protect yourself and your friends.

Let’s create a hypothetical senario: Your friends and you like to dance, and your fancy is tickled with some modern alternative dance to the beat of some new aged music. You feel the music in your soul and you just let your body flail like a bat fighting a chupacabra.

Every week, you and your friends send each other emails about where you want to meet up and shake your groove thing. It’s all fun and you guys stay out of trouble. There seems that nothing could go wrong in this picture. Except elections are coming up soon and let’s say hypothetically some fundamentalist religious dude is elected to the shock of everyone.

When this man takes over office, one of his smaller directives which get’s passed over by the media is to end this new heathan dancing (which would not be unheard of   ). As you are the hub of your friends who keeps everyone in contact, these agents who are charged with “protecting culture” spoof your email address and send out emails to all the other members in your little dance movement and have them meet you at a location.

Since you don’t sign or encrypt your emails, everything you send out is basically a post card. These culture warriors were able to study your writing style, and who you send your emails to. They were able to round up all the members of your non-violent fully legal gathering because YOU were too lazy to setup GPG encryption.

Maybe you hate dancing though, maybe you don’t see yourself as a member of any counter culture movement and are a normal guy on the street. You have no need to protect your speech, eh?

What about email conversations that have your personal medical information? Would you write a post card to a friend that details a rash or other condition? No, it’s something that is private. It’s private for a reason, and you should respect your own privacy enough to encrypt that email.

Emails are post cards, when you don’t encrypt (or at the very least sign) your emails with GPG… you are putting yourself and the people around you in danger of at the very least an embarracing situation. Let’s face it, the reason you are not using GPG is because you’re lazy… so is it worth it?


  1. […] McCrea – Digital Patriot Taking back our freedoms and supporting a more open society. LinksStop Being Lazy! Encrypt Your Email!Posted March 20, 2012 under […]

  2. Ploum

    The biggest problem with GPG is that it is way too complicated be be really useful. This might be compared with the bitcoin criticisms posted by Rick on this very same blog: wonderful technology, needed *now*. But only usable by a bunch of geeks.

    GPG’s authors are aware of the problem and working on some solutions:

    1. Travis McCrea

      “it’s too hard” is really more of a cop-out than a valid excuse. Windows and Mac have very straight forward GPG implementations and those who use Linux should really be able to follow the steps to setting up GPG otherwise they probably shouldn’t be using it.

      It just SEEMS scary, it’s really not.

      1. Ploum

        I don’t agree. Even for experienced geeks, it is still a pain. Consider the challenge of keeping your secret key in a safe place while being able to use it. And consider that most people are using GMail/Hotmail/Yahoo. I don’t see, for example, how anyone using Gmail (or any webservice) could use GPG without compromising his/her key.

        1. Travis McCrea

          A quick Google Search led me to

          if you are talking about portability, you are right, I cannot (and would not) sign/encrypt emails from my work computer. However, I have my android phone which has GPG support (K9Mail) , and if I really need to send an email from my work computer I will just have it unsigned but I wont send anything that would require any action on the recipient.

          Like “Hey I will be late for dinner… I will give you a call when I am on my way” or whatever. Those are fine (though they should be signed/encrypted as well). If I needed to change locations or something, I would just call the person.

    2. Zacqary Adam Green

      I definitely concur. Enigmail is the most user-friendly client I’ve been able to find, and even I have problems with it occasionally.

      Actually, that’s not accurate. Hushmail is absolutely more user-friendly (from what I’ve heard; never used it myself). It’s web-based, and does all of the key management in the background. But the free version only gives you 25 MB and no IMAP access, while Gmail gives you the entire kitchen sink free. (Well, yes, you pay for it by seeing ads, but we’re talking about how non-geeks think here)

      Paradoxically, if we try to arm the general public with GPG when its tools are in this sorry state, it might end up being more dangerous. People’s communications won’t be able to be monitored because they won’t be able to communicate at all, with PEBKAC errors rendering messages unreadable by their intended recipients. There’s a point at which the actual Problem Existing Between Keyboard And Chair is the designer, not the end user, and GPG has reached it.

      1. Travis McCrea

        I don’t really trust HushMail since it’s encryption is proprietary and server side. It does not protect the emails in transit, it also does nothing to sign the email to show that it was you that sent it.

        For true security we have to expect at least a little effort from the users. Again, I asked people to not be lazy. You need to put your key on a thumb drive or somewhere where you wont lose it. Outside of that your system will do the rest.

        1. Anon

          HushMail is not safe and its not hidden from the server admins.

    3. Herbert Baierl
  3. BeSlayed

    The real reason I don’t encrypt/sign my email usually is because most of the people I email wouldn’t know what to do with an GPG-encrypted email….

    1. Travis McCrae

      Maybe I need to setup a type site for GPG?

      I include in my signature a request for people to install GPG and some basic links to get them set in the right direction.

      Just because most of the people don’t know how to check signatures doesn’t mean you shouldn’t still sign it. That is another lazy response. Even if they don’t know how to check signed emails, it wont affect their ability to read your email.

  4. Jesper

    Actually no. The reason is that I haven’t figured out a way to use it on MacOs 10.4.11 with firefox 3.6.28 and gmail.

    Which is the system I use at the moment. And will do until I can afford another machine.

    1. Travis McCrea

      How about those? I am on the latest version of MacOS and running MacGPG + modified mail app and it’s doing my GPG work just fine.

      You are assuming your only option is to use gmail web client, what I am saying is it’s your responsibility to take the steps nessessary to protect yourself and those whom you contact.

      You can still use the gmail web client when you are on the go, just be sure to inform people that they should call you if your email seems out of place.

      1. Jesper

        1st link req 10.5
        2nd is techspeak, which would need a week or so to be translated to a language I speak.

  5. steelneck

    Here comes a translation of a 3½ year old Swedish story, that could be true..

    Mustafa, a Swedish citizen born in Sweden are exchanging mails with his cousin Hani at the university in Teheran, in persian language. Mustafa like to keep in touch with his roots so to speak, he also see it as a good way to keep his language skills up to date. Of course he is also interested in the Iranian country, its culture, politics and so on. In some mail the may have mentioned those controversial things going on in Natanz, Mustafa explains how that is reported in Swedish media and get Hanis thought about it and what Iranians think about about it. But mostly they write about the family, cultural differences and a bit about religion. Not that Mustafa really could be called religious, not more than could be said about swedes in general that just maybe visit a church when going to weddings or funerals, he just find interest in it of mostly cultural and historic reasons.

    Mustafa study to become engineer, with some aim towards computers and such. He is engaged in some free software projects as a programmer and beta-tester, so he is on some mailing-lists.

    Peter Gustavsson is a main-worker living in the Swedish town Garpenberg. Lives in a small hose, have two children 8 and 12 years old. Peter is a real computer geek on his spare time, deeply involved in free software and a bit of a hacker (the good kind). But mostly he is very much an average Joe, working hard and use some of the hard earned money on a sunny vacation abroad for he and his family once a year.

    Peter and Mustafa happens to be engaged in the same software project, so they do have contact on the same mailing-list connected to the project. A program that is included in most Linux-distributions. Sometimes they communicate in private too, but they do not really know each other. Peter do not even know that Mustafa is a Swede, a G-mail address do not say a lot, so they communicate in english. Mustafa on the other hand have assumed from Peters address that Peter is American or Britt. They have exchanged crypto-keys with each other, so they can communicate encrypted when speaking about new technical things in the program they both are engaged in the development of. Some details in the program are really on the cutting edge of development and they want to be a little secret about it as long as it is only ideas, once in the program it becomes completely public of course, it is free software. But it would be sad if some corporation beat them in development and get a patent on it..

    Now what does a paranoid security service get out of this? To begin with, mails from Sweden written in persian addressed to a server in Teheran ought to catch some curiosity, even more so when the facilities in Natanz get mentioned. Now the traffic of Mustafa gets looked upon a bit closer.. now they find Peter and some encrypted traffic they cannot read. Now they take a closer look on peter and every damn alarm-bell rings out loud, because Peter is a main worker and as such he has access to explosives! That is why Peter, his wife and his children get their vacation ruined when hell breaks loose at the airport when they are checking in for their annual week in the sun.

    1. Travis McCrea

      This is another problem entirely. The attack on a person due to their desire to communicate in private online is as insane as an attack on a person who sends letters instead of post cards.

      I appreciate the story though, I am sure that it is a fear of many people who use encryption: If they encrypt their emails, then they will be viewed as doing something wrong.

      This also highlights another reason why people need to stop being lazy and encrypt their emails, because if only a couple of good people are encrypting their email… then enforcement agencies are more likely to pester them. If everyone is encrypting their email, then it’s not out of the ordinary. You can stop situations like this from happening by joining the people who encrypt their mail.

      1. so true

        This is why I often use tor for simple news reading and straight out non-controversial web browsing (just keeping in mind never to log in anywhere that’s not using httpS). If you want anonymity, privacy and security to be the default, you have to act that way as often as is conveniently possible.

  6. DavidXanatos

    Hash: SHA1

    My experience with encryption is that no one except me is using it, sure there is the occasional person who uses it but not even all people from the PPÖ I know are using it, just a few.

    And the usability of all these encryption tools is less than optimal.
    So eider way I’m ending up with a lot of worn and still a to > 99% unencrypted communication. Thats kind of frustrating and pointless.

    Nowadays I encrypt only stuff that is really confidential.
    But than I usually don’t use email for that but some messager with build in encryption, jabber or mumble, etc…

    About public and work computers, what is really needed would be an android app that can exchange data with the PC bidirectional over QR code where.
    Also this way PGP signed messages look is really uncool, it harms the normal read flow of an average user.
    In my opinion a signature should be limited to a QR code at the end of the email.

    David X.
    Version: GnuPG v2.0.12 (MingW32)


    Something like this:
    on the end of a mesage instead of this a line before everything and gibberish after would be much more convenient

    Also you have to design solutions that would work for tweeter and other means of communication that are nowadays substituting email.

    1. Travis McCrea

      The reason signatures are still done in text is because it makes them machine readable. Usually it’s the machine that auto verifies signatures, not humans.

      Also I think that the signature thing looks really cool. Like some spy message.

      1. DavidXanatos

        Well, actually I believe signatures are done in text so that they can be transited over 7bit protocols, resp. protocol independent.

        Machine readability does not require text, for a machine any binary data is just fine.

        >Also I think that the signature thing looks really cool. Like some spy message.
        Yes and thats exactly the grown up appearance you want to make when sending serious emails to important noobs.

        David X.

      2. Anonnymoose

        I’ve never had a complaint about using PGP-MIME, although that could reflect the community I send mail to. If you use it, for people without PGP-aware clients the signature block just shows up as a separate part (much like the rubbish some versions of Outlook attach).

        Supposedly the reason it is not the default is that some people use ancient clients which don’t understand MIME, but I don’t know how relevant that actually is. I’d actually suspect that half-baked phone-based mailers are more of an issue than people stuck in the 90s.

  7. Per "wertigon" Ekström

    The biggest problem with encrypting your emails; it does not stop data retention in any way, shape or form. Only an encrypted P2P tunnel does that.

    1. well does make the content of the retained data useless. But sender/recipient is of course still known, so yes, use Tor as well.

  8. Andrei

    Small correction – you wrote “heathan” – it’s spelled “heathen”

  9. AB

    Encrypt or sign or what?
    The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say)

    1. Ano Nymous

      Where is this going? Only time stands between freedom of speech and mass genocide now, if history is anything to go by…

      Privacy might well be the reason for world war III. And I don’t think we are going to be the ones starting it…

  10. Sam

    So if I set this up on my system, and encrypt an email and send it to someone, what do they see? (For the sake of this question you can assume the person I am sending to has never heard of GPG, because that is the case with 100% of all the people I send e-mail to.)

    1. nothing

      If they have never heard of GPG, they will not have a public key, which means you _can’t_ encrypt emails for them. The way public key encryption works, you encrypt _for_ someone, and then only they can read it (you, the encrypter, can’t even decrypt it, you need the private key (the one which matches the public key) for that).

      You can sign your own emails, which means you put a little bit of random-looking stuff at the bottom that any GPG-knowledgable person can check against _your_ public key to see that it was in fact you who wrote it. If you do sign your emails, your friends will see about four lines of random-looking stuff following your text.

      So find a good friend and set up GPG together with them.

  11. Samantha

    This is why i’m encouraging all my contacts to use enlocked ( it’s email encryption for the masses, it’s about time this culture changed. I don’t have anything I particularly need to hide, but privacy should be the default, not a reason to arouse suspicion. That’s like saying, well if you aren’t doing anything illegal then why don’t you let everyone see your bank statements? I don’t think most people even realise just how open email is, you type a password to access it, there’s a presumption of privacy.

    After all this controversy with the voicemail “hacking” I’m surprised these “journalists” don’t seem to have cottoned on to just how much more they could get just by sitting outside a person’s house with a laptop.

  12. kkrousseau

    “… flail like a bat fighting a chupacabra.” Beautiful, brilliant, hilarious! Thank you, thank you for making me laugh.

  13. Rejo

    Find out how to encrypt your mail in Chrome and Mozilla in a very simple steps, no need to be tech savvy to do this work.

    Learn how to Encrypt your mail in Gmail using Chrome

    and also see how you can encrypt your mail in Mozilla

Comments are closed.