I have mentioned in my books and on this blog that I like to convince people to use encryption. More specifically I like to persuade them to use the encryption that I use, especially for data-in-motion. There are a couple of reasons for this. First, the more of us who use encryption, the more “noise” we all generate. As encrypted calls, messages, chats, and emails become the norm, none of them stand out just because they are encrypted, and any one individual using encryption is less alerting. I also like to convince others to use the encryption that I use because it gives me a secure communication pathway with them. Individuals with whom I communicate represent a fairly significant weak point in my own security if I must revert to insecure email, voice, text, and other forms of communication with them. Finally, the more mainstream encrypted apps become, the easier it is to get others to join the fun. At this point it is not at all uncommon for one of my friends to install an encrypted app and see that several of his or her contacts are already on there.
Getting others to adopt encryption is no small task, however. People are reluctant to change, and throwing around the word “encryption” can be a turn-off itself. The uninitiated may think of it as complicated or intimidating. If they care little to begin with they are unlikely to take the steps necessary to learn on their own and need some encouragement. Because of this (or maybe in spite of it) I have waged something of a campaign to get my friends, family, and other personal contacts to use encryption. I have had as many failures as I have successes, but even the failures have been valuable because of the lessons they have taught me. This blog post is dedicated to sharing a few of those lessons, and some successful techniques I have employed over the years to convince people to use encryption with me. Your results may vary, and I’d love to hear your stories of success (and yes, failure).
- Start small. Securing your digital life can be a daunting task. You can quickly overwhelm an individual who is otherwise friendly to encryption by elucidating the full body of threats against them and then explaining the incredibly complex nature of a thorough defense. Rather, start with small measures. Have them install and use Signal or Wickr, even if they talk only with you. Once they have seen how uncomplicated that step is and internalized it (and maybe even sold a few others on it), make another approach and chip away at another security task. Help them full-disk encrypt their phones and computers. Once they have reached the realization that it really isn’t that hard or complicated they may be willing to pursue additional security measures. The bottom line: don’t tell them it all has to be done overnight. Even if they believe that, it won’t happen. It can’t; good security takes time to implement.
- Highlight benefits that matter to them. For months I had attempted to convince a friend to use an encrypted messaging app (Signal) but every time I mentioned encryption her eyes glazed over and the conversation essentially ended. So I dropped it. For a while. A few months later I was going out of the country but she still wanted to communicate while I was gone. I used this as an opportunity and learned a lesson in the process. I said “install Signal. I don’t want to pay for international calling but we can talk and text over Wi-Fi.” She immediately installed the app and I realized that it was because I had chosen to emphasize something that mattered to her. When I returned from my trip we continued to talk on Signal and still do to this day. When attempting to convince people to use encryption it is important to focus less on how it benefits you, and more on how it benefits them.
- Be consistent. Though I have railed against brand loyalty before on this blog, I do recommend you try to stay consistent with one or two apps and services that achieve your desired goals. If your goal is encrypted messaging pick one or two and stick with them. Obviously I like Signal and Wire but there are plenty of good ones out there like Surespot, Telegram (secret chats), and Threema. I am not suggesting that you stay with an app you are uncomfortable with, or which contains known vulnerabilities. What I am suggesting is that you try to be somewhat consistent. If you change apps every month or so your less dedicated friends will lose interest and you will lose their participation. Pick one or two, pick a username you are comfortable with, and stick with it. When choosing these apps there are three factors you should consider:
  - Simplicity and ease of use. Though I still use full-manual PGP encryption for some email, I also realize it isn’t for most people. If I want to give a non-security/non-technical person access to encrypted email I set it up for them in the form of a ProtonMail account (I have done this for nearly all of my contacts). I like services like this because they lower the bar of entry to a manageable level for those with little interest in security and those with busy, hectic lives who don’t have the time or energy to sit down and learn the ins and outs of public key cryptography. The simpler the app or service and the more it mirrors their preexisting insecure services, the better.
  - Cost. Apps and services should also be free. I tried for a very long time to get others to join Silent Circle. Adding another cost to an already-expensive phone bill wasn’t an option for most, so the idea failed rather spectacularly. The only people I convinced to participate were those for whom I purchased subscriptions, an unsustainable model if there ever was one. Free apps and services are the only ones that the security-indifferent will adopt, so cost is a crucial consideration when attempting to convince people to use encryption tools.
  - Cross-platform support. Another hard sell is apps that only work on one platform. These are becoming less common but were a major holdup for Redphone. Once iOS support was added I switched whole-heartedly and have never looked back. Now, regardless of phone OS I can recommend the same handful of apps or services, and these can be used with their other friends, too.
- Don’t give up, but don’t be overbearing. Know your audience. Undoubtedly you have some friends that you can harangue into downloading an app, but this approach has been only mildly successful for me (and “mildly” may be a generous characterization). Persistence must also be tempered with some patience and grace, but persistence will generally win the day. Remember, the goal is to convince people to use encryption, not shame, belittle, or force them into it.
I do not guarantee that any of these techniques will be successful in helping you to convince people to use encryption. There are still individuals on my list who, despite my best efforts, have not yet implemented a single, meaningful security measure. I mentioned Signal repeatedly in this post and for good reason: its setup is about as simple as they come. You download it and verify your phone number. There are no usernames to come up with, no passwords to remember, no pesky login screens, and no complicated settings. The GUI is intuitive and simple and it’s free. Anyone can set it up and use it with no special effort. This is the type of encryption product that we need more of. Plenty of products exist for those of us who desire the ability to tinker with key exchange protocols, SHAs, and encryption algorithms; we need a few more that are seamless and simple.