Should you encode your e-mail?
(IDG) -- Determined to succeed where others have failed, Hush Communications President Jon Gilliam is announcing this week a free e-mail encryption system for consumers. The question is, do consumers care?
For the past two years, Hush has been creating encryption software so powerful that the firm was forced to shift development to an office on Anguilla, British West Indies, to avoid the U.S. government's restrictions on export of strong encryption. So far, 210,000 people have used the 1,024-bit encryption via Hush's Web site at www.hushmail.com. Now, the company is offering HushPOP (post office protocol), a Java-based downloadable version that will let people encrypt messages using their own e-mail program.
Personal encryption hasn't taken off, experts say, because consumers don't think it's worth the trouble. "The real need for privacy hasn't been demonstrated yet for consumer-to-consumer [e-mail]," says Jonathan Penn, a senior industry analyst at Giga Information Group.
Many free e-mail programs are targeting consumers, including 1on1mail, LokMail, PrivacyX.com and ZixMail. But the industry's longtime darling has been Pretty Good Privacy, which nearly landed creator Phil Zimmermann in jail for violating export regulations. PGP, which Zimmermann sold to Network Associates in 1997, now boasts about 7 million users. Most of them, however, are "die-hard Phil fans and encryption gurus," says Allison Taylor, PGP director of product marketing for Network Associates.
"Most people don't care about encrypting their e-mail," says Bruce Schneier, author of Applied Cryptography and CTO at Counterpane Internet Security. "You lock your front door now because you care. Your grandparents didn't."
Gilliam demurs, maintaining that if encryption were easier to use it would attract a critical mass of people. "Ever tried to use PGP?" he asks. "It's just too much for the average user."
Indeed, a 1998 study by Carnegie-Mellon found that two-thirds of study subjects failed when given 90 minutes to send a message with PGP. The study concluded that PGP 5.0 was "not efficiently usable to provide effective security for most users."
PGP users must exchange their public keys (used to encrypt messages) with each other via e-mail attachments, or use the software to look them up on a key server. To ensure they are sending to the desired recipients, users must verify each other's "fingerprint," or unique 16- to 24-digit number, over the phone or in person. With Hush, the public key is exchanged automatically by the company's servers.
Unlike PGP, which stores private keys (used to decrypt messages) on users' machines, Hush's private keys are stored on the company servers. When users want to access encrypted mail, they enter a password, and the private key is automatically downloaded.
Acknowledging that PGP's user interface could be simplified, Zimmermann says it's still a more private form of communication than HushPOP. "In PGP you get to choose who you trust to sign the keys," he says. "Hushmail signs the keys. That might make things easy, but it also means you have to trust Hushmail."
Is there a profitable business model in free encrypted e-mail? Network Associates maintains the free version of PGP but makes money off a corporate version with more features.
Gilliam expects to move in the same direction, and plans to offer a corporate version. "Corporations will love it," he says -- begging the question of whether we'll all one day be sending out encoded e-mail.
© 2001 Cable News Network. All Rights Reserved.