InstantCrypt 2.3 released

What: InstantCrypt proudly announces the release of version 2.3. coming as "InstantCrypt 2.3" (installer) and "Portable InstantCrypt 2.3" (portable).

Download: They can be downloaded at www.instantcrypt.com/downloads/.

Purpose:

1. InstantCrypt is to improve message security of e-mails (not computer security).
2. InstantCrypt offers an Easy-to-Use front end for GPG/GnuPG that works with pre-installed e-mail client and user's web mail to send/receive OpenPGP-encrypted messages.
3. It offers an e-mail like user interface to give the user a familiar feeling right from the beginning.

New feature in 2.3: Encrypt so self: InstantCrypt now allows to encrypt-to-self, i.e, make an encryption to the signing key every time things are encrypted, so that the sender can read his/her own encrypted messages.

Yours,
Instantcrypt

 

Suggestion for Discussion of InstantCrypt 2.3: User Experience

Discussing User Experience

The current obstacle to e-mail privacy is not technical, but social/psychological: people are unwilling to use it. So I would like to steer the discussion on InstantCrypt to the user experience.

• What can be done to induce a user to actually download, install, set up, and use InstantCrypt (or encryption in general)?
• What features need to be added (or to dropped!) or improved?
• What good or bad user experience have you or others had?

For this purpose I also started a thread in InstantCrypt's own forum here. Feel free to post either here or there, whatever you prefer.[FONT=&quot] Remember: Improving the technical abilities of InstantCrypt makes only sense when people actually use it. Otherwise we talk about a corpse: maybe technically perfect, but dead.

Regarding the [/FONT]Technical Abilities and Limitations of InstantCrypt: A good discussion of the technical side of InstantCrypt is found here (a thread in DSL reports, see my discussion with Ozo).


Have a good day!
InstantCrypt

Thanks to all previous and future contributors!

 

The social/psychological questions are pretty important. Encryption is a shared event, first and foremost. The reason for the cipher is the secret, not the other way around. The cipher doesn't need meaning, though it is derived from meaning, and would be a completely random string without it. The beauty of the math and the meaning are inexoribly intertwined. The fact that the cipher is locked, it's impenetrability, means it is dead information or there that it hides something. The first question one needs to ask if one stumbles upon a cipher is: does it hide anything at all? Once it is determined that the cipher does, in fact, hide meaning, you're in business. This is all basic to the people who are in the business of breaking ciphers, of course. But it pays for the rest of us to remember what's up here.

Meaning defines the message, first and foremost, so any communications applications we apply to a message are important. From a social communication standpoint, there is a point whereupon people will decide they need to share a secret. That's an important moment, because secret-sharing requires work. It's an investment. And it's vested with political intent, in the sense that secert-sharing implies deviation from open messaging and community content. It says that you intend to share something of value. And successful secret-sharing requires both parties to realize this and to be equally invested. That's the bottom line.

So the software has to faciliate this process as efficiently as possible. The proto-communication stage where people decide they want to employ (computer) encryption is fraught with pitfalls. It's not so easy to drop pgp in everyone's lap and say "go to it." That's not because pgg is "hard" either, like we're all idiots who can't figure out how to exchange a key. It's because there's some serious psychological negotiation on going on when we decide the conditions of information exchange. Encryption is like value-added messaging. It should be an easy sell. But it's not, because it requires "work." And this work, like it or not, falls on the person who best understands why the message should be protected in the first place.

So I'm into these questions that Instantcrypt poses.

 

Getting someone to use encryption

Thanks for Nix's description from the perspective of social communication theory. I want to highlight this sentence: "It's because there's some serious psychological negotiation .. going on when we decide the conditions of information exchange."

I wonder if you, Nix, or anybody else has an idea how we can use this approach of social communication in general or the question of the psychological issues in particular to help us with our problem at hand, namely: How can I get my e-mail partner to use an encryption tool?

Or formulated even more to the point:

1. Are deeper psychological issues that prevent people from responding favorably to a request for encryption?
2. If yes, what are they?
3. If we know what they are, can we do anything about it?

Thanks Nix, for your contribution.

 

Hey Instantcrypt, another factor to consider is that there's a lot of people out there who have a vested interest in preventing you from getting your nice, easy encryption to the common folk. Who knows if this is a "psychological" factor, but it's definitely "social." I could go on and on about what would happen to information analysis if we reach an encryption "tipping point," and how an information syndicate might influence how products and technology come to market, but I might loose half the followers of the thread. Pretty boring stuff.



But a developer needs to keep such concerns in mind, as there is concerted interplay between those forces and end-users' perceptions of the software (and even the encryption) itself.

So, anyway, one of those perceptions that your target user has (beyond the fact that encryption is "difficult") is that they actually have privacy when they conduct unencrypted email communication. They think of surveillance as a target opportunity that happens now. They aren't concerned with long-term data storage. Therefore, one psychological disadvantage one must overcome in inducing contacts to use encryption is the short-term goal (to conduct efficient communication) is compatible with long-term concerns. That only happens with speed and ease built into the equation.

 

Why people do not use encryption, continued...

Thanks Nix for your thoughts.

1. At the moment I do not feel that it is vested interests (be it government with security concerns or business in its limitless hunger for information) that prevents people from using encryption, although it may become a problem in the future. On the other hand, sometimes these interests may favor encryption. In Germany, e.g., the government is starting De-Mail, an encrypted communication service, encouraging its citizens to use it when communicating with government agencies. The jurisprudence may one day favor encryption, because electronic exchange, enabled by encryption, might make their work easier. The GPG developers (GPG is InstantCrypt's encryption engine) had a German government grant at one time. Realistically, not all big forces out there will be against us. I think we should cross the bridge of how to fight vested interests when we get there.

2. I agree that normal users are not aware of how open their e-mail is and additionally seem to feel that nobody is really interested in what they send. So one could start an "awareness campaign": How vulnerable their communication is, what dangers are lurking in the wilderness of the Internet , etc.

But I do not think that would be good. First, people are mostly right that nobody cares about their e-mail: the world does not spend a lot of money to hack into all the baby pictures they send to the grandmothers. And second, scare campaigns (which this awareness campaign, as many so-called "awareness campaigns", would certainly be) are usually not very successful. They turn people off. People do not want to be scared. Global warming is bad enough already , and they can't hear it any more !

So, how about a positive message: Encrypt out of respect for the dignity of the message, the dignity of you yourself and the dignity of the other person. How about selling encryption as a signal that something special is being communicated: "Respect - Encrypt". Or "Out of respect: encrypt." Or: "Encryption - because you are worth it." "Encryption - what I write deserves it."

Any opinions on that?

 

Well, I think you actually bring up another factor that needs to be considered. Different cultural norms prevail in regard to how a society wants to perceive secure communication. I'm not sure where you are, but your example of Germany actually works well to illustrate.

Any given country's laws regarding encryption form a backdrop as to how the technology will be perceived by the new user. While I appreciate your message about keeping encryption positive, the fact remains that governments in part dictates users' response to encryption and anonymity. Should, for instance, encryption be illegal, a user needs to feel empowered before she's going to risk prosecution. If the government is able to convey that encryption or anonymity will be tolerated, but only on certain terms, citizens will go out their way to cultivate an aura of "cooperation" with the government and the technology, and they will probably vastly underutilize encryption.

That being said, I think you are correct that encryption can still be "sold" as value-added messaging anyplace where there are no overt political campaigns to subvert the technology.

And while the world doesn't care much for the content of our pedestrian emails, the U.S. government and others care very much about large volumes of information. Massive volumes caches are enormously valuable for data mining and other purposes. It's like collecting pennies. I don't mind giving up a few here or there. But trillions in the aggregate add up. Information caches provide governments with enormous power.

Vested interests are another story. And you're right. That concern is somewhat outside the scope of this thread. But vested interests often have undisclosed government ties, so a critique of the software might not be complete without trying to ferret out the origin or funding of the project.

However, let's keep to the basics for now. Assuming that a positive sell is politically and socially appropriate, what's next on the agenda? I would assume that you as software developer, (and others like cryptographer Justin Troutman, who has been eloquent here on Wilders as to goals for transcending these same barriers) would like to be a bridge between the cryptography and the user. So you must be able to communicate from both sides and make everybody happy. The cryptography, in many ways, speaks for itself. It will be evaluated by professionals, not the average user. So you need to intuite what a novice user needs to know. And give her that, and only that, in a friendly interface. That means intuitive instructions. Screenshots. Web design is key. My grandmother doesn't want a page that looks like a backmarket/blackmarket site, though some novice business users might, if it is done with a lite touch. So you can try your tutorials on different pages. Targeted design, same information in different colors and layout. And yes, convey your overriding philosophy through overt messaging like "Encryption- my information deserves it."

I've spent some time with your software. I think it conveys the most important quality - a desire to make encryption accessible. What do you see as your next step?

 

Thank you, Nix, for your reply.

Indeed, we cannot do much about the social context in general, even if it is important. So it is mainly the presentation of the program itself.

Next steps:
a) Take a break from all the work !
b) See if there are improvements in the user interface or the help presentation or the "first steps" on the Welcome page that can be made. For this I need user reactions.

For example, I have thought about rearranging the menu into these sections:

File | Write/Read | En-/Decrypt | Send | Keys | Tools | Help

Write/Read would have all things concerning writing and navigating the main page: New, Next, Reply... En-/Decrypt would have Encryption and Decryption and Password storage. Send would have: Send current mail, Send Your Key, Send Invitation to Encrypt (now: Initiate Encrypted Exchange under File), Keys would have the rest of the key management, Tools (or maybe should be called Settings?) the Options and Mail Settings, and Help the current Help.

Or maybe one manu item that is just called Instructions?

And maybe reduce the key creation to just one step: Enter your identification (Name, Address, Distinguisher) and click -- next message: Done. And should be get rid of the "Distinguisher" too? Does that confuse people?

What do people think?

Yours,
InstantCrypt

 

This looks like a great little program that I'd be interested in using - if I can get my few email contacts to download it.

I do have a couple of questions. I didn't see any answers in the help files.

1. Will encrypted emails work with gpg? If I sent an encrypted instantcrypt email to someone, could they open it in gpg?

2. Can I use my current gpg keys? By that I mean, since I already have them, can they be imported and used, or do I need to make new keys, even if same password is used?

 

Thank you for your questions.
1. Yes. (InstantCrypt uses GPG as its encryption engine, that's why. I am pretty sure, but have not tried it recently, that it can also work with key files created by PGP.)
2. Yes. If you put your two keyring files (pubring.gpg and secring.gpg) into the directory "Keys" within the Instantcrypt folder, Instantcrypt should recognize the keys and will be ready to start with them. Alternatively, you could open InstantCrypt (click past the Welcome page) and click in the main menu, Key Management | Change Key Directory and choose as the key directory the directory that the keys are already in. (Instantcrypt needs both key files - pubring.gpg and secring.gpg - in the same directory.) Make sure that not two encryption programs try to access the keyfiles at the same time, that may lead to crashes or hung programs.
Alternatively you can import the keys in your two current key files into InstantCrypt, by main menu | Key Management | Import Key. Then you'd have two sets of keyrings. (I would not do that, because that may lead to confusion in the long run.)

If you could, it would be great to let me know your further experience.

InstantCrypt

 

Re: InstantCrypt 2.3.0.1 released

Good news and bad news:

Good news first: I released InstantCrypt v. 2.3.0.1.

This to fix a bug: Instantcrypt had been unable to decrypt certain large files, and now it can. This was due to a hint by a user from Brazil: Thank you, Alfredo!

Bad news: InstantCrypt may not work on Windows Vista and Windows 7.

While doing cursory testing on my own Windows 7 computer for the new release, certain key manipulations (creating a key, signing a key) only worked intermittently: sometimes they did, sometimes not. Very annoying! I have not been able to fix this and may not be able to do so for some time, so in the meantime, I cannot vouch for InstantCrypt on Vista and Win7.

However, I have had no reasons to believe that there is a problem with encrypting and decrypting. So if you have not had problems with that, go on using it.

I would be interested if other people have experienced problems with InstantCrypt on Win 7 and Vista. Please let me know!

Yours,
InstantCrypt