This is the situation. I want to email sensitive documents (PDFs) that contain my W-2s and pay stubs for a mortgage application. While the initial pre-approval is all done online through the lender's website, they always require additional info; most lenders just ask that these things be emailed, with no regard to how secure a message is.
I have not been able to find an easy video or tutorial on decrypting a message. Even if I send an encrypted message, if the recipient does not use encryption plug-ins, they won't be able to decrypt the message, is that correct? (Do both users need to use the same encryption software? Like “Enigmail to Enigmail”?)
If the person you are sending to doesn’t understand encryption or how to use it, is it reasonable to walk them through an entire installation of any software? (No, it isn’t, in my opinion, working in customer service, a lot of people don’t even know what a “download” is. When I worked at a library, I was trying to help someone re-apply for food stamps. He literally did not know what “Your password must be 6 characters long” meant. When I said “the password needs to be 6 letters long, the one you have typed is 5 letters” he looked at me blankly and replied “I have all the information filled out!” My point is, some people just don’t understand basic concepts.)
In such cases, what can we do? I have read all the guides on Enigmail, however, none of it tells you what to do if a user gets your email and cannot decrypt it (aka, the “normal” user). Am I missing a tutorial on this? Does anyone know of a basic, basic, guide to decrypting things? Heck, I can’t even find a good article of what happens when important documents are sent without encryption. Not everyone takes “intro to cybersecurity”.
If anyone has any resources or links I missed, please let me know!
Thank you.
(Bonus story; once at the library, a woman yelled “I think ya’lls computer is hacked” so I sighed to myself and walked over. She thought it was hacked because she couldn’t post her Facebook message. Except…she DID post the message. I pointed to the comment thread and said “It posted right here”. She blustered more about hacking and cyberattacks but it is very clear that most people like her only know buzzwords that the media throws out, and even then, they don’t know what they mean. Right now, cybersecurity is only a luxury.)
No tutorial tells you what to do if a user gets your email and cannot decrypt it
That is because you cannot send encrypted (using OpenPGP) without the recipient providing you with his/her public key first. So, if a recipient already managed to create keys (which in turn requires software being installed properly), the decryption of received messages is easy.
What you're looking for is a way to securely send messages without prerequisites. I'm sorry to deliver the bad news: Enigmail cannot provide that. Please rather look for a portal-based solution that works with a challenge response, like:
send a "to be sent securely" message - this should result in the confidential message being deposited on the portal server, and an unsecured message with an access link being sent to the recipient
the recipient clicks on this (HTTPS) link[, gets prompted to set a password for future use] and views his message; probably the system allows replying to the initial message.
Or you work with password-based document/container encryption (Word, PDF, ZIP). That requires these applications to be installed, but that's often the case. Then you have your usability issue again, yes.
Compare it to a postbox, though. In order to be ABLE to deliver securely, one MUST require the recipient to KNOW how to use the postbox' key (and where to find it ;-) ).
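The portal flow outlined in the reply above, sketched as an added example (not code from the thread, Enigmail, or any real portal product). The `Portal` class, its method names and the `portal.example` URL are hypothetical; the point is that the notification mail carries only a link, and that the link is the sole credential until the first visitor sets the password.

```python
import hashlib
import hmac
import secrets

class Portal:
    """In-memory stand-in for a portal server (hypothetical, for illustration)."""

    def __init__(self, base_url="https://portal.example/m/"):
        self.base_url = base_url
        self.messages = {}  # sha256(link token) -> (recipient, confidential body)
        self.accounts = {}  # recipient -> (salt, password hash)

    @staticmethod
    def _token_key(token):
        # Keep only a hash of the link token, so a leaked store yields no usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _pw_hash(password, salt):
        # Slow, salted password hash (PBKDF2-HMAC-SHA256, stdlib only).
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

    def deposit(self, recipient, body):
        """Sender side: the body stays on the server; return the unsecured notification."""
        token = secrets.token_urlsafe(32)  # unguessable link component
        self.messages[self._token_key(token)] = (recipient, body)
        return f"To: {recipient}\nA secure message is waiting: {self.base_url}{token}"

    def view(self, token, password):
        """Recipient side: first access sets the password, later access must match it."""
        entry = self.messages.get(self._token_key(token))
        if entry is None:
            return None  # unknown or mistyped link
        recipient, body = entry
        if recipient not in self.accounts:
            # First visit: whoever holds the link chooses the password.
            salt = secrets.token_bytes(16)
            self.accounts[recipient] = (salt, self._pw_hash(password, salt))
            return body
        salt, stored = self.accounts[recipient]
        if hmac.compare_digest(stored, self._pw_hash(password, salt)):
            return body
        return None  # wrong password


if __name__ == "__main__":
    portal = Portal()
    mail = portal.deposit("lender@example.com", "pay stub text (constructed sample)")
    print(mail)  # contains the link only, never the document
```

Because the first visit sets the password, the notification link should be short-lived or confirmed over a second channel; otherwise anyone who reads the unsecured mail first can claim the message.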
I couldn't agree more with the requestor's plight. What if the recipient is not a Thunderbird user? What if they are stuck on a work computer with MS Outlook with no admin rights? This product is great, but needs to close the gap.
Is Enigmail compatible with something like the Google extension Virtru? That wasn't too, too, hard to set up. (Not to imply Enigmail was.)
Enigmail cannot heal the world. It's a Thunderbird AddOn to send and receive OpenPGP compliant messages. Nothing more. Many contributors (and especially Patrick) have spent hours to make THAT task as simple as possible. But it's not a "secure all communications" tool.
What I tried to explain in my first answer: OpenPGP (not Enigmail) is just not suitable for the requestor's use case. That is due to how the OpenPGP protocol -an internet standard (RFC)- works.
Joe's use case of persons not using Thunderbird refers to the question whether there are (easy to use) OpenPGP clients for other e-mail programs/apps. Enigmail cannot (and does not strive to) solve this, too.
I didn't know Virtru, so thanks for the heads up. Virtru is a complex encryption system/suite that includes e-mail handling. To my knowledge it's only implemented/handled by its creator. It is not even close to an internet standard such as OpenPGP, but may be a good product anyway. But it seems not to be compatible with OpenPGP, so it cannot be compatible with Enigmail.
Except for some XMPP encryption protocols, most instant messaging encryption protocols aren't standard, too. Yet -within their ecosystem- they solve the task of "usable secure communication". So I think, maybe even e-mail itself is the wrong channel to look at.
But we're getting real off-topic now. It's an Enigmail forum after all ...