Thunderbird and end-to-end email encryption – should this be a priority?
R Kent James
kent at caspia.com
Tue Aug 25 09:31:18 UTC 2015
This is the text from a blog post today on the Thunderbird blog:
In the last few weeks, I’ve had several interesting conversations
concerning email encryption. I’m also trying to develop some concept of
what areas Thunderbird should view as our special emphases as we look
forward. The question is, with our limited resources, should we strive
to make better support of end-to-end email encryption a vital
Thunderbird priority? I’d appreciate comments on that question, either
on this Thunderbird blog posting or the email list tb-planning at mozilla.org.
In one conversation, at the “Open Messaging Day”
OSCON 2015, I brought up the issue of whether, in a post-Snowden world,
support for end-to-end encryption was important for emerging open
messaging protocols such as JMAP <http://jmap.io/>. The overwhelming
consensus was that this is a non-issue. “Anyone who can access your
files using interception technology can more easily just grab your
computer from your house. The loss of functionality in encryption (such
as online search of your webmail, or loss of email content if
certificates are lost) will give an unacceptable user experience to the
vast majority of users” was the sense of the majority.
In a second conversation, I was having dinner with a friend who works as
a lawyer for a state agency involved in white-collar crime prosecution.
This friend also thought the whole Snowden/NSA/metadata thing had been
blown out of proportion, but for a very different reason. Paraphrasing
my friend’s comments, “Our agency has enormous powers to subpoena all
kinds of records – bank statements, emails – and most organizations
will silently hand them over to me without you ever knowing about it. We
can always get metadata from email accounts and phones, e.g. e-mail
addresses of people corresponded with, calls made, dates and times, etc.
There is */alot/* that other government employees (non NSA) have access
to just by asking for it, so some of the outrage about the NSA’s power
and specifically the lack of judicial oversight is misplaced and out of
proportion precisely because the public is mostly ignorant about the
scope of what is already available to the government.”
So in summary, the problem is much bigger than the average person
realizes, and other email vendors don’t care about it.
There are several projects out there trying to make encryption a more
realistic option. In order to change internet communications to make
end-to-end encryption ubiquitous, any protocol proposal needs wide
adoption by key players in the email world, particularly by client apps
(as opposed to webmail solutions where the encryption problem is
virtually intractable.) As Thunderbird is currently the dominant
multi-platform open-source email client, we are sometimes approached by
people in the privacy movement to cooperate with them in making email
encryption simple and ubiquitous. Most recently, I’ve had some
interesting conversations with Volker Birk of Pretty Easy Privacy
<http://pep-project.org/> about working with them.
Should this be a focus for Thunderbird development?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the tb-planning