How do we get our less nerdy friends to use encryption?
As of late, the free software movement has been putting an emphasis on using software as a counter-measure against surveillance. Among the various ways free software can help us resist being spied upon, perhaps the most central way is its prevalence in encryption technology, like GnuPG for email.[1] The only reliable encryption tools are free software, because trusting proprietary software not to have backdoors and exploits, without the ability to even read its source code, is reckless at best.
Free software activists making use of encryption software is a good thing. But to resist the NSA's dragnet surveillance, we are going to need to get lots of people using this technology. We need encryption to spread outside the free software movement proper, and into the broader world of computing.[2]
So what is preventing us from getting to the point of widespread adoption? Until recently, there was the lack of public concern about surveillance, but Edward Snowden and the NSA have each done their part to bring privacy issues to the forefront of discussion. Now the two main problems standing in our way are the lack of awareness that encryption can make us safer from surveillance and how difficult it is to use the existing tools. Even though established encryption tools succeed in protecting privacy, their interfaces present a significant barrier to people more familiar with the slick interfaces of nonfree communication tools. I don’t mean to be gratuitously critical of free software. It’s simply a fact that most people used to using Facebook or Skype are going to balk at the interfaces of most encryption software.
The good news is that we can solve both of these problems. For increasing awareness of encryption technology, we need to leverage the network effect. The more people there are using a given encryption technology, the more sense it makes for each additional person to give it a try. Those of us already using encryption can start by making it a bigger part of our online persona and getting our friends excited about using it with us. Wherever we write our email addresses and in the signature of every email we send, we should have our GnuPG key fingerprint. We need to get to the point where people feel like something is missing if they see a personal email address without it.
For the usability question, we of course need to make better interfaces that are friendlier to new users, but that doesn’t get around the fact that even basic encryption programs are just a little bit difficult to understand. A working knowledge of GnuPG, one of the most basic and widely used tools, requires a mental model of public-private keypairs, cryptography, keyservers, and software plugins or command line interfaces. To deal with this, we need excellent tutorials, which are as inviting and fun as they are complete and concise.
The FSF has just published what we hope to be just such a tutorial, to do our part in encouraging people to use GnuPG for encrypting and signing their email. You can find it at u.fsf.org/zr. If you haven’t tried GnuPG, we hope this tutorial makes you excited about getting started. We would love to hear your feedback about our tutorial to help us make it even better. If you already know how to use GnuPG, please post the tutorial everywhere you can and offer to help people if they have questions about it. With an accessible tutorial and the knowledge that a skilled friend is there for backup, many people will tackle encryption software that would otherwise be outside their comfort zone.
[1] For further discussion of this point, see my article in the FSF's Fall 2013 Bulletin, "How can free software protect us from surveillance?"
[2] To be as safe as possible from state misuse of surveillance, it will take a multipronged approach, including reducing the amount of data collected about people in the first place. See gnu.org/philosophy/surveillance-vs-democracy for more about this.