To Encrypt or Not? - Page 2
Basically, e-mail encryption has failed to become mainstream (only five percent of all e-mail is encrypted, according to PGP) because technologists under-estimated how difficult it would be for people to manage their own key rings, said Benjamin Jun, vice president of technology at Cryptography Research. "If we thought about where encryption was 10 years ago and where it is now, in many ways we have failed," Jun said. "You use more cryptography to start your car in the morning than there is in your e-mail, in many cases." Meanwhile, the very government forces that were fighting use and export of strong encryption a decade ago may now be among the strongest beneficiaries of it.
Phil Zimmermann created the PGP e-mail encryption program in the early 1990s to be used as a tool by human rights groups. The software is available in free, open source versions and commercial versions sold by PGP Corp. Zimmermann serves as a consultant and advisor to the company and has started a new venture for encrypting voice over IP, called the Zfone Project. (Credit: Phil Zimmermann & Associates)
"I don't think the government is doing much to discourage general Web encryption now," said PGP creator Zimmermann. "U.S. computer networks are getting hit hard by organized crime and foreign governments like China, so from a national security perspective there are arguments to be made" that favor encryption. (The FBI, however, continues to seek access to consumer information for law enforcement.)
As data leaks, stolen laptops and missing backup tapes become commonplace, state governments are beginning to realize they may have to force companies to protect sensitive consumer data. A new Massachusetts law will require that personal consumer data stored on laptops and flash drives--and where feasible data transmitted over the Internet and wireless connections--be encrypted. Nevada recently passed a law that requires that personal data be encrypted before transmission over electronic networks.
"Overall, the legislative environment actually tends to favor encryption more now than in the '90s," with regulations like HIPAA and breach disclosure laws that have exemptions if the data is encrypted, Zimmermann said.
Full disk encryption
Zimmermann learned this the hard way, having had several laptops stolen from him in train stations in Europe, including one instance that involved a thief distracting him by tossing yogurt on the back of his shirt. "Everyone who travels with a laptop absolutely needs whole disk encryption," he said in recounting the incident. (Zimmermann's latest venture is the Zfone Project, software for encrypting voice over IP calls.)
Bruce Schneier, chief security technology officer at BT, said he uses PGP Whole Disk Encryption and doesn't really worry about encrypting his communications. "It's data at rest that is at risk, not data in transit," he said.
And renowned social engineer Kevin Mitnick, who spent five years in jail for breaking into computer networks, takes extraordinary precautions using encryption when he travels outside of the U.S. because customs officials can search and seize computer equipment with no cause whatsoever. He was detained for four hours recently at a U.S. airport and had his laptops inspected. Because of that risk, he encrypts his hard drive before returning to the U.S. and encrypts all his confidential data, transmits it to servers in the U.S. and wipes the data from his laptop.
Mitnick says he uses free open source disk encryption software called TrueCrypt. Microsoft's Windows Vista and Windows Server 2008 include BitLocker Drive Encryption. And Fujitsu and other hardware companies offer full disk encryption hard drives.
While rules may force companies to adopt encryption to protect consumer data, there is no outside force pushing individuals to use it. Until people feel more vulnerable they aren't likely to be compelled to install more software, according to Cryptography Research's Jun. "Most alarm systems are installed after a home has been burglarized, not before," he said.
But just because people don't realize they need it doesn't mean it shouldn't be more readily available to them, said Marc Rotenberg, executive director of the Electronic Privacy Information Center. "Right now, it's not practical. I think that's unfortunate and it should be more widely available," he said. "My hope is that in an IPv6 (Internet Protocol version 6) world encryption will be routine."
About the author: Elinor Mills is a tech and news writer for CNET.com

