by jcranmer 368 days ago
With email, you necessarily leak the triple (to, from, date): no matter how good your cryptosystem is, that information can be pulled from the mailserver logs (and if you don't leak that triple, spam deluge is unsolvable). As a practical matter, you generally need to leak the mail headers as well, which contain a decent amount of useful metadata as well. Now I'm not an expert on how spy agencies do their analysis, but my understanding is that the set of information that has to be leaked by email is already the most useful information for them. And that's part of tptacek's point: if your main threat adversary is state-level actors, you've already lost if you're using email simply because you're using email.

What if your threat model isn't state-level actors? Well, the baseline of email these days is that your communication and your recipient's communication to the mail servers are both encrypted with TLS. The mail servers themselves may or may not communicate with each other using TLS, but if you really care about security, you can choose a mail server which will be using TLS. In other words, email is already at a baseline state of the only people aware of the message being the sender, the recipient, and their mail admins (and whomever these people choose to leak the message to, perhaps unwillingly). Encrypting email will only remove the mail admins from the list, and even then, they can still tell anybody whom you talked about.

So the use case of encrypted email boils down to wanting to hide the contents of communication but not hiding the fact of communication itself. Which isn't a broad use case; the best examples I've found in my own life are something like financial statements, but even in those cases, there's a pretty decent workaround: send an email saying "hi, we have a document for you online in our usual secure file repository" (protected by modern, useful standards for secure files). I don't like that only because I can't automate saving those files off to my own storage for my own purposes, but that is such a niche desire that I can understand why the bank doesn't bother.

1 comments
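What stays readable on a PGP/MIME-encrypted message, as an added example that is not part of the thread: it reads the (to, from, date) triple and Subject from the cleartext headers and checks each `Received` hop's RFC 3848 `with` keyword to see whether that hop used TLS. The message, hosts and addresses are constructed, and the function names are this example's own.

```python
import re
from email import message_from_string

# Constructed sample: a PGP/MIME message as stored on the recipient's server.
# Every host, address, id and date below is made up for illustration.
SAMPLE = """\
Received: from mx.sender.example (mx.sender.example [192.0.2.10])
\tby mx.rcpt.example with ESMTP id abc123
\tfor <bob@rcpt.example>; Tue, 02 Jan 2024 10:00:05 +0000
Received: from laptop.sender.example (unknown [198.51.100.7])
\tby mx.sender.example with ESMTPSA id def456;
\tTue, 02 Jan 2024 10:00:01 +0000
From: Alice <alice@sender.example>
To: Bob <bob@rcpt.example>
Date: Tue, 02 Jan 2024 10:00:00 +0000
Subject: Q4 statement
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"

--b
Content-Type: application/pgp-encrypted

Version: 1
--b
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder ciphertext)
-----END PGP MESSAGE-----
--b--
"""

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 types with STARTTLS

def cleartext_metadata(raw):
    """Headers readable without any key, whatever happens to the body."""
    msg = message_from_string(raw)
    return {h: msg[h] for h in ("From", "To", "Date", "Subject")}

def hop_tls(raw):
    """Per Received hop, newest first: (receiving host, protocol, used TLS)."""
    # Received lines are self-reported by each server; treat them as a hint, not proof.
    hops = []
    for rcvd in message_from_string(raw).get_all("Received", []):
        flat = " ".join(rcvd.split())  # unfold the continuation lines
        m = re.search(r"\bby (\S+) with (\S+)", flat)
        if m:
            proto = m.group(2).upper()
            hops.append((m.group(1), proto, proto in TLS_PROTOCOLS))
    return hops
```

In the sample the submission hop is TLS-protected while the server-to-server hop is not, and the triple plus Subject are readable either way.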

The original version of this post also mentioned, and was in fact motivated by, a fatal flaw in encrypted email that everyone who has used it at scale has experienced, which is that participants will reply to encrypted messages with unencrypted responses that quote the original (whether or not a reply quotes the original doesn't change how devastating this problem is, but sort of highlights how insane the system is).

So I think the metadata argument is dispositive. I agree with you that it's difficult to compose a coherent threat model that leaves metadata exposed the way SMTP does.

But the core argument of the piece is that encrypted email makes security concessions nobody would make if e.g. the wire for the down payment on their house was at stake, or if they were organizing against an oppressive state-level adversary. If encrypted email is unsuitable for those scenarios, then it seems more important to keep it from being used there than it does to accommodate the interests of people who are using it for other reasons.