A (Renewed) Case for Encryption

I kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption – but sadly it doesn’t seem that way. Content encryption – as opposed to just endpoint encryption, like SSL – is important, and especially so in light of this kind of wholesale government surveillance.

gpg encryptionI kind of hoped that this NSA/PRISM/wholesale government surveillance business would re-energize people into actually getting back into using encryption, and perhaps even trying to solve the problem of getting more people to actually use it.

One of the big problems with encryption – for example, email encryption using public key cryptography (PGP or GnuPG) – has been just getting enough people to start using it. With the way public key encryption works, you need to use encryption, AND the person you’re sending it to needs to use encryption, too.

In addition, there’s also the further complication of signing one another’s keys and assigning trust levels and so on… it’s just a bit too complicated and technical for your average user.

However, it doesn’t have to be complicated, and given what we’ve learned recently, it seems to me it really shouldn’t be – and that it is in all of our best interests to make it be as simple and easy as possible.

People have been harping on about the importance of encryption for ages, but widespread adoption has mostly been limited to SSL (for webmail & other web apps & services). This sort of encryption prevents a 3rd party from intercepting your communication with Google or Microsoft or Facebook or your bank or whatever, but none of that matters if your data is just going to be handed over to the government by the company on the other end anyway!

SSL encrypts your connection and your data during transmission, but the actual contents of your data are unencrypted at either end, and vulnerable to interception. It’s a good first step, but it isn’t enough – not anymore.

passwordOn the other hand, actually encrypting the contents of your communications – the email, the files, etc. – means that even if they are stored on a server (as your email is, for example), they are still encrypted – and most importantly, the server doesn’t have the decryption key –  only the recipient does.

What this would means in practice is that it would prevent the wholesale collection of data.  If the government wanted the contents of someone’s communications, they would need to go after that individual; they wouldn’t be able to just pull it out of a big database.

Since going after an individual takes effort and requires a subpoena or at least a court order of some sort, there’s protection built-in. Plus, now the government’s attempts to access your data would be limited in scope to one person at a time, and they can’t be done in secret – or, at least, they’d be less secretive.

The government may still collect other data about you, of course – encryption is not a cure-all. It may still collect “metadata” about you – times and dates and such – but at least the content of your data remains secure until specifically subpoenaed.

As a side note, the NSA has repeatedly said that this is what it does anyway, as part of an attempt to justify why we shouldn’t be worried about this – but because everything the NSA does is secret, we have no way to be sure that this is actually the case. All we have to go on is the NSA saying “trust us, we won’t read your email without a court order (that you aren’t allowed to see).” Doesn’t exactly inspire a lot of trust, now does it? Especially given the track record we’re dealing with.

Perhaps if our government had a long & strong history of being trustworthy, of being transparent with its behavior, of standing up for individual rights and privacy, and severely limiting the collection and access of people’s data to only what is explicitly needed for specific cases and actions, this whole wholesale surveillance thing wouldn’t be such an issue.

But sadly, this is not the case – our government has shown, again and again, that it cannot be trusted in this regard, and that when given the opportunity, it will make a grab for as much power as it possibly can get.

Given the recent revelations on exactly how much power (and, by extension, data) our government has grabbed as of late, making actual content encryption available, widespread, and easy to use seems like an absolute no-brainer.

Icons courtesy of the Crystal Icon Set.

Unsubscribe me NOW, Damnit!

If there’s one thing that really annoys me, it’s crappy methods of unsubscribing from email newsletters and mailing lists that end with “it may take up to 10 days to process your request.”

If there’s one thing that really annoys me, it’s crappy methods of unsubscribing from email newsletters and the like. You’ve probably seen it before – you get some email from a company you’ve bought something from in the past, or maybe a website’s newsletter that you signed up for. It’s not spam, but you decide that you don’t really want these sorts of emails anymore, so you click the “Unsubscribe” link down at the bottom.

And then you’re greeted with something like this (emphasis mine):

Thanks for unsubscribing.
It may take up to 10 days to process your request.

Ten days? TEN DAYS?!? Seriously?

While the exact number of days may vary, the point is that you aren’t unsubscribed yet, even though you clicked the link to unsubscribe.

What’s worse is that sometimes the company or website will send you another email during that processing period!

Personally, whenever I see something like this it tends to send me into a sort of rage, where I vow never to do business with this company/organization/website ever again. Because really, saying that it’s going to take days (however many it may be) to do what should be instantaneous is just a giant middle finger to whomever is on the receiving end of the original email.

I could understand delays in processing an unsubscribe request back in the dark ages of the Internet – maybe even as recently as 5 years ago – when email mailing lists were cultivated manually, but honestly in this day and age there is absolutely no excuse for not automatically honoring an unsubscribe request immediately after a link is clicked.

I have to imagine that all of these “unsubscribe processing delay” messages come from old or home-grown email systems, because all the modern email marketing systems I know of will honor unsubscribe requests immediately.

When someone clicks an “unsubscribe” link (and I’m talking about a true “unsubscribe me from everything” link, not just a “stop receiving offers” or “stop sending me the monthly newsletter” type links), that person’s email address should be immediately marked as “DO NOT CONTACT” and no more bulk-type emails should ever be sent to that person’s address until they do something to opt-in to receiving them again.

In other words, when I click the “unsubscribe” link in your email, I expect you to unsubscribe me NOW, not 3 or 5 or 10 days later. Immediate unsubscribing may not be legally required (e.g., by the CAN SPAM Act), but I’d like to think it is morally required – it’s just common courtesy.


The Etiquette of E-Mail Signatures

Email signatures – are they still important? And is yours one of those obnoxiously long ones?

Back in the old days, your signature (or “.sig”) was a statement about who you are – and in some places (such as forums like Slashdot), it’s still used for that purpose. (In a way, it’s like having an electronic bumper sticker!)

Recently though, I’ve been thinking about signatures, and whether or not they were still useful in the context of email – specifically in the context of business emails. I mean, really, when was the last time you actually found someone’s email signature useful?

I’m talking, of course, about those huge, obnoxious, totally unnecessary email signatures that seem to be the norm nowadays. The ones that contain pictures, six different phone numbers, an email address (often a different one than the one in the email itself!), a picture, a long title & company name, colors, pictures, flashing lights… okay, maybe that last one was made up.

I’m much more old-school in my opinion of what a signature should be, mostly in the fact that I don’t think an email signature should have any formatting at all – it should be plain text only. I also think that shorter is better. I think 3-4 lines is about the max you’d want – any longer than that and your signature starts being significantly larger than most of the emails you’re sending!

Really, all your email signature should be is:

  • Your name
  • Your company name
  • Your phone number

Why is that? Because:

  • I already have your email address (or else how would I be seeing your email??)
  • I already have your web address, by virtue of your email address (we’re talking about “business” signatures here, so I’ll assume you’re not using Gmail or Hotmail or something like that, and that your email address’s domain name is the same as your web site’s domain name)
  • If you’ve got other methods of contact (IM, Twitter, blog, whatever), then you can just tell me those in the body of your email. There’s no need to repeat them to every single person you send email to.
  • Any flashy graphics or pictures just distracts from your message, and in all likelihood will not look right for at least some people (so why take the chance?)

While some people think of their email signature as being like their business card, I think that comparison is a little off for one major reason: people don’t have to look at your business card every single time you talk to them. On the other hand, they do have to look at your email signature every time you send them an email. So it’s important not to overdo it. After all, “less is more,” and simple is always tasteful.

The alternative – for those that feel that they absolutely must give out all of their contact information at once – is to have a signature you use when you first email someone, and then a smaller signature (or none at all!) for follow-up emails after the fact. The problem with this is that you’ll forget, and eventually you’ll just fall back to sending the big signature to everyone.

I think of an email signature as being like “fine print” – the less of it there is, the better. And conversely, the more of it there is, the more… formal, harsh, corporate, and impersonal your email will sound.

There’s another aspect of email signatures as well – the closing line.

Some people include a closing line in the signature block that their email client auto-attaches to every email – which I find annoying, since every single email from them has the same “yours truly” or whatever attached to it and it sounds like I’m talking to a robot.

People who add closing lines like “yours truly” or “sincerely” tend to come from the world before email – that is, the world of physical letters & correspondence. Email is not a direct replacement for old-fashioned mail (for better or worse), and I think it’s inappropriate to try to “force” things that were meant for a different medium onto email.

Although I do sometimes like to close my emails with outrageously formal and archaic closing lines, just for fun – I have been known to use “I have the honor to remain / Most Sincerely Yours.” But that’s for special occasions, not for everyday use.

Other people will close emails with less formal, more casual phrases, such as “ciao” or “cheers,” perhaps hoping to lend a little “international” flavor to their message. My opinion on these sorts of closing phrases is mixed – they tend to be hit or miss, depending on the context.

For myself, as I’ve said, I’m quite old-school, so my emails end quite simply. If I want to use my name (rare), I’ll simply write:


Often with no closing line at all. As for my signature, that is just my name, company, and phone number. (My personal signature is equally short – just the tagline of my blog, my blog’s address, and a URL to my PGP public key).

In the end, people who try to make their email signature be more than it really is are just deluding themselves and annoying others.

For more on the do’s and don’ts of email signatures, check out these two articles:

UPDATE: It’s worth noting that there are certain sub-industries where you can’t get around the need for an obnoxious email signature – where they may be mandated by law (or almost mandated by law). Take, for example, lawyers in the U.S. They have some of the longest signatures you’ll ever see – full of disclaimers, legal references, and so forth. Ernie the Attorney has a two great posts on these uber-long email signatures over at his blog which is well worth reading – even if you’re not an attorney (but are in an industry that has mandated email signature laws).

Holiday Spam Tricks

There was a brief period about a week ago where the amount of spam I was receiving (in the multiple unrelated email addresses I have) suddenly dropped. Yay!

But, alas, the spam has come back – with a vengance. One in particular that seems to be slithering by most spam filters at the moment is something I imagine was crafted specifically for this time of year – a spam message designed to take advantage of the fact that people are doing their holiday shopping.

This spam message generally has some variation on the subject line “Re: Order Status” or something like that. The body of the message seems to just be a “Click here to view this message as a web page” link. (Of course, if you get one of these, don’t click the link!)

Given how much on-line shopping is probably going on this time of year, this is a particularly nasty trick to use to get past people’s spam filters. Of course, there are ways to “separate the wheat from the chaff,” so to speak.

Most of these spam “Order Status” messages seem to have a “From” address that’s the same as the address they’re sent to – in other words, when they show up in your inbox, they look as if they were sent by you!

So I guess my holiday spam-avoiding tip for everyone this year is “delete emails that look like ‘order status’ messages but that appear to come from your own email address.” Not the greatest of tips, but hey, every little bit helps.

Stay safe from spam this holiday season!

Email image courtesy of the Tango Desktop Project.