To encrypt or not? That is the question

Even before someone hacked Sarah Palin's Yahoo Mail account I had been wondering whatever happened to encryption.

Encryption -- the science of rendering plain text unreadable by anyone but the intended reader -- made a splash in the mid-1990s. At the time the U.S. government was investigating human rights activist Phil Zimmermann for allegedly violating the Arms Export Control Act by distributing his PGP (Pretty Good Privacy) e-mail encryption software. The government eventually relaxed the restrictions and PGP was no longer programa non grata.

Nearly a decade has passed and it struck me recently that encryption still hasn't become a household word, although anyone who uses a Web browser has had his or her communications with sensitive Web sites encrypted without them even necessarily knowing it.

But outside of the SSL activity being done behind the scenes, people haven't been downloading encryption software to keep their online communications private. Hardly anyone I know uses encryption, even at work. Given the government's targeting of journalist sources and my own personal brush with an attempted hack, I decided to look into whether encryption would be a good idea and why it isn't more widely adopted.

First, a test drive
My first question was, is it still complex and difficult to use? My sense after trying out a free trial version of PGP Desktop Email ($149 after the one-month trial) is that it may be easier to use than it once was, but that it's still more complicated than necessary.

I downloaded the software and followed the prompts as it generated a public key for people to use to encrypt messages sent to me, and a private key for me to use to decrypt messages. I picked a password and published my public key to the Global Directory Server for people to find it when sending me encrypted e-mail. I sent an e-mail to Zimmermann as a test and he said it arrived encrypted, so I knew my PGP was working.

[Screenshot: the PGP Desktop Corporate Key Properties window with details of my key.]

But then I noticed that reading and sending e-mails was slower than it used to be. It was taking a few seconds to try to authenticate every e-mail signed with a key and to search for keys to encrypt e-mails I was sending. Even after I changed the PGP settings so that it wouldn't automatically look up keys for each recipient, it was still taking time trying to authenticate signed e-mails.

While the software is more user-friendly now (requiring fewer hoops to jump through than the free, open source versions of PGP), there was a slight performance trade-off, and you still need to set policies and manage keys, which can be a hassle. For instance, because I turned off the automatic key look-up feature for encrypting, I now have to get keys manually from people I want to send private e-mails to, or look them up in a directory, and distribute my key to others. Keys for others are not always easy to find either. For me, it's not worth the effort at this time.

But the larger concern is self-perpetuating: because there are so few people I can send encrypted e-mail to, I'm less likely to use it, which means there are likely fewer people overall using encryption. All the software upgrades, automation and enhancements in the world can't change the fact that using encryption for e-mail requires both parties to have the same software installed for it to work.

"The biggest problem in the space has always been the lack of ability to send an encrypted message to someone who wasn't using encryption," says Nick Selby, director of the enterprise security practice at The 451 Group, who uses GnuPG.

Corporate workers have it easier than consumers; IT departments can handle the complexities of encryption software and manage the keys. E-mail encryption services from providers like Postini (now owned by Google), CertifiedMail and Voltage Security allow companies to outsource the function, easing the process further.

Despite that, a recent survey of more than 200 organizations conducted by CertifiedMail and Osterman Research found that frequent e-mail encryption users make up 18 percent of all e-mail users, while more than 50 percent are infrequent users. Meanwhile, 21 percent of organizations have an enterprise-wide encryption strategy, according to a survey of 975 executives and administrators by The Ponemon Institute for PGP Corp.

For consumers, a no-hassle option is Hushmail, a free Web-based service that encrypts e-mail, scans for viruses and filters spam. The service encrypts mail sent to other Hush users or PGP-compatible e-mail users.

There is some level of encryption for users of the more popular Web-based e-mail services, but it's limited. Gmail encrypts the login, and if a user enables always-https, the e-mail and cookies are encrypted as they travel between the server and the browser. Asked if the content on the servers is encrypted, a Google representative said that encryption and access control technologies are used but that the company does not want to provide specifics on how they are used.

Yahoo encrypts the login and sends the password encrypted over the network using SSL. Microsoft provides support for S/MIME encryption for Windows Live Hotmail users when using Microsoft Outlook or Windows Live Mail as clients. Windows Live Messenger includes an option to encrypt contact list data. Representatives from Google, Yahoo and Microsoft declined to discuss why they don't give people the option of storing e-mail in encrypted form on their servers.

If you are going to be concerned about keeping e-mail private, why not instant messages too?

I tried Off-the-Record messaging with Pidgin, which allows for messaging on multiple IM platforms simultaneously. It was easy to install and use, but here again it only works if both parties are using the software. The popular multi-platform IM software Trillian has a built-in encryption feature called SecureIM. (For information on how specific popular IM programs handle security, see the CNET News IM survey from June.)

Maybe it's just too hard to use
The consumer programs still require some user supervision of keys, which is an impediment to their widespread adoption. Consumers don't want to have to think about the logistics of communicating; they just want it to happen seamlessly.
