1991: PGP, S/MIME, and Why Most People Still Don't Encrypt Email
In June 1991, a software engineer named Phil Zimmermann uploaded a program called PGP — Pretty Good Privacy — to the internet. His timing was deliberate. Senate Bill 266, then making its way through Congress, contained a provision that would have required electronic communication systems to include backdoors for government access. Zimmermann wanted to make strong encryption available to ordinary people before the government could prevent it.
He succeeded. PGP would become the most important email encryption tool ever created. It would also land Zimmermann in a three-year federal investigation, spark an international debate about cryptography exports, and ultimately prove that making encryption available and making encryption usable are two very different achievements.
How PGP Works
The core concept of PGP is public-key cryptography, an idea that seems almost magical the first time you encounter it. Each user has two mathematically linked keys: a public key (which they share with everyone) and a private key (which they guard fiercely). To send someone an encrypted message, you encrypt it with their public key. Once encrypted, only their private key can decrypt it — not even you, the sender, can decrypt what you just encrypted.
It’s like a mailbox with a slot. Anyone can drop a letter in (using the public key), but only the person with the key to the mailbox (the private key) can retrieve it. Zimmermann packaged this concept into software that worked with email, and he named it with characteristic modesty — “Pretty Good Privacy,” a nod to Ralph’s Pretty Good Grocery from Garrison Keillor’s radio show.
The Federal Investigation
Zimmermann’s decision to distribute PGP as free software had consequences he anticipated but probably hoped to avoid. At the time, the U.S. government classified strong encryption as a munition — literally, in the same legal category as bombs and missiles. Exporting strong encryption software outside the United States was a federal crime under the Arms Export Control Act.
When PGP inevitably spread to users outside the U.S. (because that’s what happens when you put software on the internet), a criminal investigation was opened. From 1993 to 1996, Zimmermann lived under the shadow of potential prosecution. The case generated significant media attention and turned Zimmermann into a cause célèbre in the nascent digital rights movement.
In January 1996, the investigation was dropped without charges. The case had become politically untenable — the government was essentially arguing that a privacy tool used by journalists, human rights workers, and ordinary citizens was equivalent to an arms shipment. The export regulations on encryption were eventually relaxed in 2000.
S/MIME: The Corporate Alternative
While PGP was born in the cypherpunk community, S/MIME (Secure/Multipurpose Internet Mail Extensions) emerged from the corporate world. Developed in the mid-1990s and standardized in 1999 (RFC 2633), S/MIME took a different approach to the same problem.
Where PGP used a “web of trust” — users directly verifying each other’s keys, with no central authority — S/MIME used the same certificate authority model as website HTTPS. A trusted third party (like VeriSign or Comodo) would verify your identity and issue a digital certificate. Your email client would automatically trust certificates from recognized authorities.
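As an added example (not code from the article), the two trust models side by side in Python: a minimal version of GnuPG's classic web-of-trust validity rule, and the certificate-chain walk an S/MIME client performs. All keys, signatures, trust levels and CA names are constructed sample data.

```python
# GnuPG's classic trust-model defaults: a key becomes valid when certified by
# one fully trusted introducer or by three marginally trusted ones.
COMPLETES_NEEDED = 1
MARGINALS_NEEDED = 3

def web_of_trust_valid(target, own_key, signatures, owner_trust):
    """PGP model. signatures: key -> set of keys that certified it.
    owner_trust: key -> 'full' or 'marginal', how far you trust that key's
    owner to check other identities (unlisted keys get no trust).
    A signer only counts as an introducer once its own key is valid."""
    trust = {**owner_trust, own_key: "full"}   # your own key is trusted absolutely
    valid = {own_key}
    changed = True
    while changed:                              # propagate until a fixed point
        changed = False
        for key, signers in signatures.items():
            if key in valid:
                continue
            introducers = [s for s in signers if s in valid]
            full = sum(trust.get(s) == "full" for s in introducers)
            marginal = sum(trust.get(s) == "marginal" for s in introducers)
            if full >= COMPLETES_NEEDED or marginal >= MARGINALS_NEEDED:
                valid.add(key)
                changed = True
    return target in valid

def smime_chain_valid(cert, issuer_of, trusted_roots, max_depth=5):
    """S/MIME model: walk issuer by issuer until a CA in the client's trust
    store is reached; the user never assigns trust to individuals by hand."""
    seen = set()
    while cert not in trusted_roots:
        if cert in seen or cert not in issuer_of or len(seen) >= max_depth:
            return False          # self-signed loop, unknown issuer, or chain too long
        seen.add(cert)
        cert = issuer_of[cert]
    return True

# Constructed sample data (not from the article): who certified whose key.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"},
    "dave": {"alice", "bob", "carol"},   # three marginal introducers -> valid
    "erin": {"alice", "bob"},            # only two -> not valid
    "frank": {"dave"},                   # dave is valid but has no owner trust
}
OWNER_TRUST = {"alice": "marginal", "bob": "marginal", "carol": "marginal"}
ISSUER_OF = {"alice@corp.example": "Corp Issuing CA",
             "Corp Issuing CA": "Corp Root CA",
             "mallory@other.example": "Unknown CA"}
TRUSTED_ROOTS = {"Corp Root CA"}
```

The web-of-trust check shows why PGP key management is manual work: every trust level in OWNER_TRUST is a decision the user has to make, whereas the S/MIME check only needs a trust store the mail client ships with.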
S/MIME had the advantage of fitting into existing corporate infrastructure. Organizations already used certificate authorities for website security and VPN access. Extending that to email was a natural fit. Microsoft built S/MIME support into Outlook, and it became the de facto standard for encrypted email in government and large enterprises.
So Why Doesn’t Anyone Use It?
Here’s the uncomfortable punchline of the email encryption story: after more than 30 years of available technology, the vast majority of email is still sent in plain text.
Estimates vary, but studies consistently show that encrypted email accounts for a tiny fraction — typically under 5% — of all email traffic. Even among security-conscious users and organizations, encrypted email is the exception rather than the rule.
The reasons are depressingly practical:
Key management is a nightmare. To send someone an encrypted email, you need their public key. Where do you get it? How do you verify it’s really theirs? If they lose their private key, every encrypted message you’ve ever sent them becomes unreadable forever. For organizations, managing keys for hundreds or thousands of employees is a significant operational burden.
Both sides must participate. Encryption is bilateral — both sender and recipient must have compatible encryption set up. If you encrypt an email to someone who doesn’t have PGP or S/MIME configured, they simply can’t read it. This chicken-and-egg problem has plagued email encryption since day one.
It breaks features people expect. Encrypted emails can’t be searched by the email server (because the server can’t read them). They can’t be filtered for spam or malware at the server level. They can’t be indexed, previewed, or processed by any system that doesn’t have the decryption key. These are fundamental trade-offs, and for most users, the loss of convenience outweighs the gain in privacy.
“Good enough” security exists without it. Since the mid-2010s, TLS encryption for email in transit has become nearly universal. Gmail, Outlook, Yahoo, and other major providers encrypt the connection between mail servers, meaning your email is protected against eavesdropping while it travels across the internet. This isn’t the same as end-to-end encryption — the email providers themselves can still read your messages — but for most people, it’s enough.
The Modern Landscape
Today, end-to-end encrypted email exists in more user-friendly forms. ProtonMail (launched 2014) and Tutanota (launched 2011) offer encrypted email services where the encryption is handled transparently — users don’t need to manage keys manually. These services have gained millions of users, but they remain a small fraction of the overall email market.
Google explored adding PGP-like encryption to Gmail with a project called End-to-End, announced in 2014. The project was eventually shelved. The technical challenges were solvable; the user experience challenges were not. Google reportedly concluded that making encryption seamless enough for Gmail’s billions of users was, at that point, impractical.
Phil Zimmermann, for his part, went on to co-found Silent Circle, a company focused on encrypted communications. He has expressed mixed feelings about the legacy of PGP — proud that the technology works and is available, disappointed that so few people use it. “If privacy is outlawed,” he once said, “only outlaws will have privacy.” The privacy isn’t outlawed. It’s just too much trouble for most people.
Email encryption remains one of technology’s great paradoxes: a solved problem that almost nobody uses. The tools exist. The math works. The threat of surveillance is well documented. And yet, convenience wins, every time.
Frequently Asked Questions
What is PGP encryption for email?
PGP (Pretty Good Privacy) is an encryption program created by Phil Zimmermann in 1991 that uses public-key cryptography to encrypt email messages. Only the intended recipient, who holds the matching private key, can decrypt and read the message.
Why don't more people encrypt their email?
Email encryption requires both sender and recipient to set up and manage cryptographic keys, install compatible software, and follow specific procedures. The complexity, lack of built-in support in popular email clients, and the 'good enough' perception of unencrypted email have limited adoption.
What is the difference between PGP and S/MIME?
PGP uses a decentralized 'web of trust' model where users verify each other's keys directly. S/MIME uses certificate authorities (like those used for website HTTPS) to verify identities. S/MIME has more corporate adoption, while PGP is more popular among individual privacy advocates.