
It's a very hard problem IMO. Not just finding the words, but everything. For example, before learning Linux to a degree where it wasn't a pain to use as a desktop, I thought it made no sense to waste time learning this or that security feature (like email encryption), because an expert would probably be able to fuck me anyway. Now that I have a better understanding, and I can mentally trace the information from end to end, know where it could be compromised, etc., I started caring, secured everything the best I could, and my friends now call me paranoid (that didn't stop me from installing Thunderbird and Enigmail on their PCs).

So I think someone should explain to people in a clear way that you don't need 100% security, but you need to understand when and where your information can get compromised, and what you can do about it. E.g.:

- Private message on Facebook - you are screwed

- Messenger - you are screwed

- Post on a blog - you are screwed, unless you posted anonymously and hid your IP (which is not that easy, we know of many geeks who were caught even when they were using Tor, because they didn't fully understand the technology - hint: exit nodes)

- Email - you can encrypt it, and you are safe as long as both computers (sender's and receiver's) stay safe (assuming you store your private key there)

- Data on your computer - you are safe unless malware is installed, or someone gets physical access. You can use full disk encryption, but you will probably have to use Linux (personally, I use Ubuntu), so this is a far-fetched goal for the regular Joe. There is also TrueCrypt for Windows, but it's not full disk if I recall correctly.

- Etc.

I'll add a recent anecdote here: Just the other day a friend of mine replied to one of my emails, saying that Gmail broke the encrypted email (meaning he couldn't read it, not that Gmail decrypted it). In his reply, I received the broken email, and four emails from a private conversation he was having with other people. Something happened in Gmail, something went wrong, and I got those emails. They came with headers and everything, he didn't copy/paste those (he wouldn't know how to do that). So there's another reason to encrypt emails: mail servers can make mistakes apparently.




Can you please elaborate on the Tor exit node vulnerability? As far as I know they can read your passwords if you're not using a secure connection, but how can it compromise your identity? I'm assuming the new account was created for an anonymous blog post.


Exactly, if you are careful you are safe. But it takes just one mistake to get caught. For example, if you have JavaScript activated (without it most of the web is useless), you could get fingerprinted, and then make a match with Facebook or Gmail, or if you are already a suspect, just get raided and make the match there. I don't know exactly how these guys I mentioned got caught, they probably did something stupid like logging in to a website with a real account. If I remember correctly, the news article only said that the police started running an exit node and sniffing the data that went out.


Can the downvoter show his face and elaborate? Thanks


I wasn't the downvoter, but I suspect they may have been pointing out you are missing the forest for the trees.

"The people" don't need detailed explanations about why one form of technology is "more secure" than another. Instead they need motivation to care about security from their government.


Yes, I understand that. But in my case, even being into computers, and wanting privacy, I didn't even know where to begin. A friend of mine told me he is in that exact position right now: he doesn't bother, because he does not have a full picture, and thinks he won't be safe should the government decide to target him. Here's another case: someone I know needed to protect some data and store it. I gave him fool-proof steps on how to do that, and explained how it worked. How did it end? He just stored everything unsafely on a pendrive and took it with him everywhere, he even slept with it. Granted, he was safe from a warrant to confiscate his PC, I concede that. But it was a pain and he had probably deleted the files from the PC insecurely, so it was in vain.

Security and "being able to sleep" is more about understanding, and less about installing things on your PC. If everyone suddenly started encrypting their emails, of course we would be safer. But nobody is going to bother doing that, if they don't really feel safe (because they don't understand how safe they are, or which risks they are taking).

TL;DR - To sum up, even if you get people to want privacy, there is quite a bit more work to do after that. People have lives to live, and if the cost of privacy is becoming a security expert, in most cases they won't bother.



