People that want their messages private should be minimally aware of the technology they're using to transmit said messages.
Nobody has a reasonable expectation of privacy when sending a postcard, and that's a decent analogy to email and other communications mediums - even HTTP for that matter. Unfortunately, because technology (or, I suppose, the protocols that power it) tends to mask that, most people just make incorrect assumptions.
No, people should not have to make these assumptions or do research into this. That's why it's important for us to design secure tools. Users assume stuff is secure, so it's our duty to ensure their assumptions are true. Let's not give people a false sense of security.
Nobody has a reasonable expectation of privacy when sending a postcard
Expectation of privacy isn't boolean. There's a big difference from a few postal offices reading it and it being published online (which, at least here, would be illegal).
I agree with this entirely. Two guys standing in line at a concession at a crowded football stadium talking might have no strict expectation of privacy, but they might have an expectation of privacy from a particular audience (hypothetically, let's say their wives). When you record their conversion, you are not violating their expectations of privacy, because many people could have heard that conversion. However, were you to broadcast the recording, at that point you have violated the assumptions they thought the privacy was affording them. Some of the hackers here would argue that they shouldn't speak in plain English, but should always speak to other humans in an encrypted spoken language and because they didn't do that they deserve no privacy for speaking in English.
Nobody has a reasonable expectation of privacy when sending a postcard, and that's a decent analogy to email and other communications mediums - even HTTP for that matter. Unfortunately, because technology (or, I suppose, the protocols that power it) tends to mask that, most people just make incorrect assumptions.
No, people should not have to make these assumptions or do research into this. That's why it's important for us to design secure tools. Users assume stuff is secure, so it's our duty to ensure their assumptions are true. Let's not give people a false sense of security.