Forty per cent of IT professionals now use encrypted email - has a tipping point been reached?

Apple's and WhatsApp's conversion to end-to-end encryption has brought secure messaging to the mainstream - but there is still work to do on the convenience side

This article is one in a series of pieces about Privacy by Design and privacy engineering. More will follow over the coming weeks.

In a recent survey, almost 40 per cent of the respondents said they use encrypted email, compared with 42 per cent who said they do not. Eighteen per cent said they would rather not say - read into that what you will.

So that's pretty much a 50/50 split, but before anyone gets too excited by this statistic being some sort of bellwether, it should be noted that the respondents were Computing readers who are involved in making IT decisions - in other words, they were all techies of one sort or another.

This is an important caveat for two reasons. First, as IT professionals they will be more aware than most of the insecurity of most messaging services, where emails are essentially the postcards of internet communications, and will presumably be more careful as a result.

But second, while you don't have to be a techie to use encrypted email, it certainly helps. Having to get your head around asymmetric encryption, creating managing and importing public and private keys, key signing and verification, the web of trust and the rest of it is enough to put most people off using things like Enigmail and GnuPGP. Many techies even profess themselves confused by it, or simply find it too cumbersome for everyday use.

Base: 259 UK IT professionals. Full results will be presented at the Computing Enterprise Security & Risk Management Summit, 26 November

In a poignant (or deliciously ironic, depending on your point of view) exchange between seller of covert espionage software Hacking Team and a prospective client, revealed when the contents of Hacking Team's servers were dumped on the internet, the customer was obviously becoming nervous about the sensitive nature of the conversation. He suggested using encrypted email from then on in, but of course it was too late. Enough had already been said to identify him and the nature of his business.

The growing realisation that anyone anywhere (even the head of the CIA or a provider of covert surveillance software) can be hacked, Snowden's exposé of the extent of state surveillance, and unease about the data mining and profiling activities that fuel the dominant business model of the internet (i.e surveillance) have all led to a rise in interest in encrypted email. Even Google and Yahoo - two of the largest proponents of that business model - have been working on Chrome plugins that will encrypt email end-to-end. Meanwhile, third-party add-ons to provide secure web-based email, such as Mailvelope continue to proliferate.

These developments have all made using encrypted email more convenient, putting it in reach of non-techies who could really benefit (journalists, lawyers, politicians, business negotiators, and anyone who worries about being snooped on) but a number of problems remain. Perhaps the most pressing of these is compatibility.

The beauty of unencrypted email is that an email sent from Outlook or Gmail or Yahoo Mail can be received by a user of any other service. It is an open system. By contrast, to send and receive encrypted email using something like PGP there must be an exchange of public keys between the two parties. Because of the need for prior exchange of keys, service agnosticism is much more difficult with encrypted email. Different systems by different secure email vendors often don't co-operate.

Keep it simple

For privacy-oriented engineering to really take off it must be as simple to use - or certainly not much more difficult - than what we have now. This, of course, is more easily said than done. With technology, privacy and security considerations have tended to be afterthoughts, peripheral to the design and often sacrificed in exchange for ease of use. This makes privacy and security hard to retrofit. It's interesting that many of the companies working on privacy engineering are located in places like Switzerland and Germany, which for historical reasons place a great deal of weight on privacy and data protection.

Tutanota is based in Hanover, Germany. It offers end-to-end encrypted email with a convenient twist. First, you can send asymmetrically encrypted messages automatically to other Tutanota users without having to mess around with keys. You can also send password-protected email to users of other email services. These emails are symmetrically encrypted. The sender simply communicates a passphrase to the recipient via another means, perhaps by phone or secure instant messaging, to allow them to view the mail.

Symmetric encryption is less secure than asymmetric as passwords can be intercepted or stolen more easily than private keys tucked away on a hard drive, but it is certainly more convenient, and convenience-plus-additional-privacy is the name of the game. Each person and each use case will have a comfort zone located somewhere on the privacy vs convenience spectrum.

There are other difficulties when you bring encryption into the equation, says Tutanota founder Arne Möhle.

"[Enabling searching] takes a bit longer because we can't search server-side due to the encryption. We need to implement the search on the client, which isn't the easiest as it also needs to be fast enough to work on mobile phones."

Another feature is the zero-knowledge design.

"Tutanota automatically encrypts your entire mailbox. This means no one can access your data - not even we as the developers. For the encryption we use the user's password (hashed locally before being transmitted) to decrypt all data locally on the user's device. This makes it impossible to snoop in on your private communication," Möhle says, before explaining the firm's guiding principles.

"We firmly believe that it's everybody's right to protect their email communication, just as it is everybody's right to whisper without being eavesdropped upon."

Zero-knowledge architecture is secure, but if you forget your password there are no second chances - which may not be convenient.

A similar service, one developed by CERN scientists in Geneva, Switzerland is ProtonMail. Like Tutanota it is open-source, zero-knowledge, end-to-end encrypted, with a password system to allow non-ProtonMail users to share encrypted messages. Its servers are heavily protected and isolated - almost to the point of paranoia.

"We have invested heavily in owning and controlling our own server hardware at several locations within Switzerland so your data never goes to the cloud," says the company's web site.

"Our primary data centre is located under 1,000 meters of granite rock in a heavily guarded bunker which can survive a nuclear attack," it continues. Beat that, Google. If you are planning to communicate securely during the Apocalypse ProtonMail is the one to go for.

ProtonMail also offers self-destructing emails that time out and disappear, like photos do with Snapchat.

Tutanota and Protonmail are examples of start-up companies that are making secure communications simpler to use, with no keys to import or export. There are others too, such as Swiss-based GhostMail. For businesses and casual users this simplicity is a core requirement. Both services are still in beta so there are few bells and whistles as yet, and being browser- and app-based they are possibly less secure than command-line GPG counterparts, although we are unqualified to say for sure. While they may not be totally NSA-proof, they are certainly a better option than unencrypted Outlook or Yahoo Mail for those wishing to keep sensitive information private and secure.

Apple weighs in

Let's say you're a ProntonMail or Tutanota subscriber. How do you send your passphrases to a user of another service so they can read your emails? If you have an Apple iPhone or iPad you could use iMessage, which for the last year or so has been encrypted end to end, much to the dismay of the intelligence services.

This move by Apple is a pretty big deal. The fact that a tech behemoth has weighed in to encrypt its own messaging services by default has moved the debate on further and faster than any number of ProtonMails or Tutanotas could ever have achieved.

And Apple was soon joined by WhatsApp, perhaps the most popular chat application in the world, which is now encrypted too. Private messaging is now mainstream.

If you don't use (or perhaps trust) Apple or WhatsApp there are plenty of alternative chat and IM apps. Many of them open-source, which for a lot of privacy-minded people is a cornerstone of trust. However, both parties will need the same app which can be limiting when few are using them.

For example there is the TextSecure app by Open Whisper systems and there's Wickr. Then there are some more Germans Telegram and Threema. And of course there is the venerable BlackBerry MMS.

Prefer to talk? There's plenty of choice of encrypted VoIP services catering to individuals and businesses too, including Whisper System's RedPhone and Signal, which are free, and numerous paid-for business oriented services.

Obstacles lead to opportunities

Secure communications services are a burgeoning cottage industry, especially in Europe, whose growth is fed by the revelations of overreach by GCHQ, the NSA and other agencies, discomfort with personal profiling by internet companies and a steady stream of security breaches in the headlines. As legislation tightens this industry will surely increase in size and reach, moving beyond the domain of the techies.

"Obstacles lead to opportunities," said Rimma Perelmuter CEO an global board director at industry trade body the Mobile Enterprise Forum, recently. Perelmuter went on to say that it is vital to give consumers more control over sensitive data and to make them aware of its value, so that quid pro quos of trading information for services are better understood. If not, she warned, the erosion of trust will be of detriment to the entire industry.

This is a message Apple and WhatsApp seem to have taken on board.

Privacy and encryption will be topics of discussion during our Enterprise Security & Risk Management Summit on 26 November. The full results of our research will also be presented. Registration is free for most delegates.