Thunderbird and end-to-end email encryption – should this be a priority?

R Kent James kent at caspia.com
Tue Aug 25 09:31:18 UTC 2015


This is the text from a blog post today on the Thunderbird blog:

See 
https://blog.mozilla.org/thunderbird/2015/08/thunderbird-and-end-to-end-email-encryption-should-this-be-a-priority/

In the last few weeks, I’ve had several interesting conversations 
concerning email encryption. I’m also trying to develop some concept of 
what areas Thunderbird should view as our special emphases as we look 
forward. The question is, with our limited resources, should we strive 
to make better support of end-to-end email encryption a vital 
Thunderbird priority? I’d appreciate comments on that question, either 
on this Thunderbird blog posting or the email list tb-planning at mozilla.org.

In one conversation, at the “Open Messaging Day” 
<http://www.oscon.com/open-source-2015/public/schedule/detail/45257> at 
OSCON 2015, I brought up the issue of whether, in a post-Snowden world, 
support for end-to-end encryption was important for emerging open 
messaging protocols such as JMAP <http://jmap.io/>. The overwhelming 
consensus was that this is a non-issue. “Anyone who can access your 
files using interception technology can more easily just grab your 
computer from your house. The loss of functionality in encryption (such 
as online search of your webmail, or loss of email content if 
certificates are lost) will give an unacceptable user experience to the 
vast majority of users” was the sense of the majority.

In a second conversation, I was having dinner with a friend who works as 
a lawyer for a state agency involved in white-collar crime prosecution. 
This friend also thought the whole Snowden/NSA/metadata thing had been 
blown out of proportion, but for a very different reason. Paraphrasing 
my friend’s comments, “Our agency has enormous powers to subpoena all 
kinds of records – bank statements, emails – and most organizations 
will silently hand them over to me without you ever knowing about it. We 
can always get metadata from email accounts and phones, e.g. e-mail 
addresses of people corresponded with, calls made, dates and times, etc. 
There is */a lot/* that other government employees (non NSA) have access 
to just by asking for it, so some of the outrage about the NSA’s power 
and specifically the lack of judicial oversight is misplaced and out of 
proportion precisely because the public is mostly ignorant about the 
scope of what is already available to the government.”

So in summary, the problem is much bigger than the average person 
realizes, and other email vendors don’t care about it.

There are several projects out there trying to make encryption a more 
realistic option. In order to change internet communications to make 
end-to-end encryption ubiquitous, any protocol proposal needs wide 
adoption by key players in the email world, particularly by client apps 
(as opposed to webmail solutions where the encryption problem is 
virtually intractable). As Thunderbird is currently the dominant 
multi-platform open-source email client, we are sometimes approached by 
people in the privacy movement to cooperate with them in making email 
encryption simple and ubiquitous. Most recently, I’ve had some 
interesting conversations with Volker Birk of Pretty Easy Privacy 
<http://pep-project.org/> about working with them.

Should this be a focus for Thunderbird development?

