- Have any questions? Contact us free of charge
- 233245354352
- 5432431
- [email protected]
ObstaclestotheAdoptionofSecureCommunicationTools.pdf
ObstaclestotheAdoptionofSecureCommunicationTools.pdf
Obstacles to the Adoption of SecureCommunication Tools
Ruba Abu-SalmaUniversity College London, UK
Anastasia DanilovaUniversity of Bonn, Germany
M. Angela SasseUniversity College London, UK
Alena NaiakshinaUniversity of Bonn, Germany
Joseph BonneauStanford University & EFF, USA
Matthew SmithUniversity of Bonn, Germany
Abstract—The computer security community has advocatedwidespread adoption of secure communication tools to countermass surveillance. Several popular personal communication tools(e.g., WhatsApp, iMessage) have adopted end-to-end encryption,and many new tools (e.g., Signal, Telegram) have been launchedwith security as a key selling point. However it remains unclearif users understand what protection these tools offer, and if theyvalue that protection. In this study, we interviewed 60 partici-pants about their experience with different communication toolsand their perceptions of the tools’ security properties. We foundthat the adoption of secure communication tools is hindered byfragmented user bases and incompatible tools. Furthermore, thevast majority of participants did not understand the essentialconcept of end-to-end encryption, limiting their motivation toadopt secure tools. We identified a number of incorrect mentalmodels that underpinned participants’ beliefs.
I. INTRODUCTION
The majority of web traffic between clients and servers
is now encrypted via TLS, however, the majority of com-
munications between users are not yet end-to-end (E2E)
encrypted [1], [2]. Whenever plaintext is processed or stored
by remote servers, users are vulnerable to mass surveillance [3]
or hackers. Their personal data is also subject to commercial
analysis by service providers for advertising and enhanced
personalization [4]. As a result, security experts have long
advocated increased use of E2E encryption.Usability has long been considered a key challenge for
secure communications, especially E2E encryption. However,
the design of most communication tools (and likewise most
of the cryptographic literature on secure communication proto-
cols) has typically not involved those who are ultimately meant
to use these tools, certainly not in the early to middle stages
of design [5], [6]. Several user studies (e.g., [7]–[9]) have
examined why users fail to use existing secure communication
tools (e.g., PGP) correctly, often concluding that significant
security failures arise due to user interface (UI) design flaws.Furthermore, there has been an effort to produce educational
materials (e.g., [10]–[12]) to explain existing security tools
and extensions, such as OpenPGP [13], Tor [14], Tails [15],
off-the-record (OTR) messaging [16], and SecureDrop [17].
These guidelines provide step-by-step instructions to install
and use these tools securely. However, documentation only
helps the users who read it and are already motivated enough
to adopt a new tool.
Recent mobile phone-based secure communication tools
have often been designed to hide security from the user com-
pletely (albeit at some security cost [1]). WhatsApp famously
deployed E2E encryption to approximately a billion users
through a code update to its application for messages, voice
calls and video communications [18], with only negligible
changes to the user experience. Some other communication
tools (e.g., Signal, Threema) have launched with security
as an explicit selling point, but they also hide nearly all
cryptographic details.There are key differences in the security model of dif-
ferent E2E-encrypted tools, in addition to a large gap in
security compared to competitors (e.g., Google Hangouts,
Skype) which do not offer E2E encryption. Yet, we have little
understanding of how users perceive the threats to their com-
munications, or whether they believe secure communication
tools protect against these threats. The Electronic Frontier
Foundation (EFF) Secure Messaging Scorecard [2] is one
attempt to provide security information to non-expert users,
a kind of a “consumer guide” to secure communication tools.
However, there has been no evaluation to see if the target users
understand the scorecard, or will select more secure tools as
a result of it.We argue that to design and build communication tools that
effectively protect users, we need to understand how users
perceive secure communications, and what influences their
decision to adopt (or not adopt) secure tools. To make a
preliminary step in this direction, we used a qualitative ap-
proach [19]–[21]. We first conducted 10 unstructured face-to-
face interviews (35 minutes on average), followed by 50 semi-
structured face-to-face interviews (90 minutes on average).The key qualitative insights from our interviews are:
• Usability is not the primary obstacle to adoption.Participants reported usability issues with different tools,
but did not stop using the tools mainly because of them.
• Fragmented users bases and lack of interoperabilityare significant obstacles. The common trend of creatingnew secure communication tools and assessing the usabil-
ity of these tools is a significant obstacle to adoption due
to creating fragmented user bases. Also, to reach their
communication partners, participants needed to use tools
that are interoperable (i.e., work across different devices).
2017 IEEE Symposium on Security and Privacy
© 2017, Ruba Abu-Salma. Under license to IEEE.
DOI 10.1109/SP.2017.65
137
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
• Low Quality of Service (QoS) is an obstacle to adop-tion. Participants assessed the reliability and securityof a communication tool by the QoS of messages and
voice calls they experienced. Low QoS does not only
hinder adoption, but also creates general doubts about
how reliable and secure the tool is.
• Sensitivity of information does not drive adoption.Perceived sensitivity of information should drive the
adoption of secure communication tools, but this was
not the case with our participants. Instead, they used
voice calls (regardless of the tool) and other obfuscation
techniques to exchange sensitive information.
• Secure communications were perceived as futile. Mostparticipants did not believe secure tools could offer pro-
tection against powerful or knowledgeable adversaries.
Most participants had incorrect mental models of how
encryption works, let alone more advanced concepts
(e.g., digital signatures, verification fingerprints). If the
perception that secure communications are futile persists,
this will continue to hinder adoption.
• Participants’ security rankings of tools were inaccu-rate. We asked our participants to rank the tools they haveused in terms of how secure they are. Many participants
ranked the services (e.g., voice calls, messages) offered
by the tools, rather than ranking the tools first. They
perceived calls more secure than messages. Furthermore,
they based their rankings on how large the tool’s user
base is, QoS, social factors and other criteria, rather than
assessing the security properties a secure tool offers.
• Participants did not understand the EFF Secure Mes-saging Scorecard. The scorecard contains seven securityproperties. Four of these were misunderstood: participants
did not appreciate the difference between point-to-point
and E2E encryption, and did not comprehend forward
secrecy or verification fingerprints. The other three prop-
erties reflecting open design (documentation, open-source
code and security audits) were considered to be negativesecurity properties, with participants believing security
requires obscurity.
Our findings suggest not only a gap between users’ under-
standing of secure tools and the technical reality, but also a gap
between users’ communication priorities and what the security
research community imagines them to be.
II. RELATED WORK
A. Secure Communications
For a detailed review of the literature on secure com-
munication tools, we refer the reader to Unger et al. [1].
Secure communication tools became widely available with
the release of PGP in 1991 [22], which was followed by
the creation of a large ecosystem of PGP tools [13], [23],
[24]. PGP was designed for asynchronous, high-latency email
communications. OTR [16], originally released in 2004, was
designed for low-latency messaging environments like chat
clients, introducing additional security features (e.g., forward
secrecy, deniability). OTR has influenced many secure commu-
nication tools designed since [25]–[30], including the Signal
protocol [31], which has recently gained popularity.
The use of self-destructing messages was popularized by
Snapchat, which was released in 2011. While popular with
users who perceived this feature as an effective solution to
some of their security and privacy needs, Snapchat offers little
security against motivated attackers, and secure data deletion
in messaging has proved elusive [32]–[34]. Other tools that
appear to provide certain security properties fail to provide
these properties in the face of government requests [3].
Usability has long been considered a challenge for secure
communications, especially E2E encryption. The main UI
challenge for E2E-encrypted communication tools is believed
to be providing assurance that a user is truly communicating
with the intended party (called trust establishment by Ungeret al. [1]). This is often reduced to verifying ownership of
cryptographic keys in some fashion. In traditional PKI, this
assurance is delivered in the form of a signed certificate from
a trusted authority [35]. However, there are many issues with
PKI associated with certificate management, including key
storage, distribution and revocation, as outlined in [36]. Pop-
ular E2E-encrypted tools (e.g., iMessage, WhatsApp, Signal)
relieve users of key management; they simply query a trusted
server that vouches for the authentic public keys of other users.
Recent proposals attempt to limit the trust in these servers
using transparency logs [37], [38], but this approach has not
been deployed in practice.
The smartphone era has seen an explosion of new com-
munication tools (typically called messengers or messagingapplications). Many of these applications claim to be “secure”,but they often do not provide specific security guarantees or
documentation, and fail to draw upon the existing crypto-
graphic literature [1], [39]. This led the EFF to develop the
Secure Messaging Scorecard in 2014 – 2015 to attempt to
provide objective information about what security properties
communication tools actually offer, providing a Consumer
Reports-style guide and encouraging adoption of tools that
offer better security [2]. Yet, there was no evaluation of the
scorecard with the target community (i.e., users who are not
security specialists) to see if the scorecard was perceived as
helpful, or did influence users’ decision to adopt secure tools.
B. User Studies of Secure Communication Tools
Lack of usability has been shown to hamper both adoption
of secure communication tools and the actual level of security
in real-world use. In their seminal paper [7], Whitten and Tygar
designed a case study to assess whether PGP 5.0 could be
effectively used by non-specialist users to secure their email.
They identified some problems in the UI design relevant to
security risks (e.g., irreversible errors, lack of consistency and
feedback). They also found that only one-third of participants
were capable of using the PGP software to correctly sign
and encrypt an email. They concluded that making security
usable requires the development of domain-specific UI design
principles and techniques.
138
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
Using a similar study to [7], Garfinkel and Miller studied
CoPilot, an email prototype based on Key Continuity Man-
agement (KCM) [8]. KCM attempts to make secure commu-
nication tools more usable by making key generation, key
management, and message signing automatic. Garfinkel and
Miller concluded that KCM is a workable model for improving
email security, and that the UI of CoPilot enables users to
send protected emails easily because, for example, it visually
distinguishes encrypted emails from unencrypted ones.
Ruoti et al. conducted a user study of two mail systems:
Private Webmail (Pwm) and Message Protector (MP) [40].
They found both systems to be usable, but participants trusted
MP more than Pwm because they “could see the ciphertextafter encryption takes place”, equating this with protection.More recently, Ruoti et al. conducted a lab-based study with
pairs of novice users cooperating to send encrypted emails
with a range of email tools [41]. Again, they found that hiding
the details of how a secure system provides security reduces
trust in the system, however, participants preferred integrated
over standalone encryption solutions. They concluded that
integrated encryption solutions are a key step to increase us-
ability, but complete transparency (i.e., hiding security details)
is counterproductive. The need for visible feedback matches
the findings of Whitten and Tygar [7] as well as the “visibilityof system status” usability engineering principle encouragedby Nielsen and Molich in 1990 [42].
Bai et al. investigated whether non-expert users can evaluate
the security trade-offs between two encryption models: a
traditional key-exchange model (analogous to PGP) and a
registration model (analogous to iMessage) [43]. They asked
participants to complete a set of encryption tasks using both
models. They also described each model’s security properties
and asked participants for their opinion. They found that
participants understood both models “fairly well”. Even thoughparticipants recognized the benefits of the exchange model
for “very sensitive communications”, they preferred (and alsotrusted) the more usable, but less secure, registration model
for “everyday communications”. Bai et al. concluded thatdesigners should explain the security properties an encryption
tool offers, and that the EFF Secure Messaging Scorecard
provides an “excellent start in this direction”.Other studies (e.g., [44]–[48]) have considered PGP fur-
ther as well as contact verification in OTR [26], secure
communications in two-way radios [9], opportunistic email
encryption [49], and public-key fingerprints [50], [51]. Fur-
thermore, several studies have explored users’ perceptions of
email signatures [52], browser security indicators (e.g., [53],
[54]), and specific features of specific security tools (e.g., self-
destructing messages in Snapchat [55]).
Gaw et al. explored the social context behind users’ deci-
sions about whether and when to encrypt emails [56]. They
interviewed members of an activist organization under the
presumption that the organization’s employees would have
a strong incentive to encrypt emails. They found that the
perception of encryption behaviour by others (e.g., use of
encryption for protecting secrets is seen as “justified”, for gen-
eral communications as “paranoid”) influenced participants’
decision to adopt encrypted email.
In [57], Renaud et al. proposed seven possible explanations
for the non-adoption of E2E encryption in email, based on
the literature and researchers’ own observations. To validate
these explanations, they interviewed students and staff mem-
bers (not security experts), and surveyed computer science
students. They found that, in addition to usability issues,
incomplete threat models, misaligned incentives, and lack of
understanding of the email architecture are key drivers of the
non-adoption of E2E-encrypted email. They concluded that
security researchers should focus on building “comprehensivemental models of email security”.
Das et al. recently studied the role of social influence on
users’ decisions to adopt secure tools [58] and to use specific
security features of a specific application (Facebook) [59],
[60]. De Luca et al. also investigated how and why users use
mobile instant messengers that are advertised as being secure
(e.g., Threema) [61]. They concluded that peer influence,
not security and privacy, primarily drives users to adopt a
messenger. The objective of our study is to explore the user
experience of secure communications in more depth, identify
“other” factors that lead to the adoption and abandonment
of communication tools, and understand how users perceive
the “security” of communication tools, especially of those
advertised as being secure.
It is worth to mention that Dourish et al. studied how users
experience and practice security using a qualitative approach
(semi-structured interviews analyzed using Grounded The-
ory [20]) in 2004 [62]. Similarly, we use a qualitative approach
to understand how users manage their communications, secure
or not, as an “everyday, practical problem”. We “zoom out”to understand users’ security needs and practices, and the
background against which they decide to use or stop using
a communication tool. We also explore what users look for in
a secure communication tool.
We know that the decisions users make may not deliver
on their actual security requirements. The gaps in mental
models identified by Renaud et al. suggest that users may think
they are more secure than they are [57]. Similarly, the folk
models of home network security described by Wash led his
participants to believe that their practices were secure when
they were not [63]. Thus, we study users’ knowledge of the
threats to their communications, and their mental models of
the tools and practices they use to protect against these threats.
III. METHODOLOGY
In this section, we discuss our research questions, recruit-
ment process, interview procedure, data analysis, research
ethics, and the limitations of our work.
A. Research Questions
In this work, we explore (1) why, when and how users use
secure communications (Section III-C1), (2) what threats users
want to protect against when communicating (Section III-C2),
(3) which communication tools users perceive to be secure (or
139
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
insecure) and why (Section III-C3), and (4) how users think
secure communications can be achieved, and how they can be
breached (Section III-C4).
B. Participants
Our literature review (see Section II) shows that mainstream
users’ needs and practices of secure communications have not
been investigated. Instead of focusing on a specific at-risk
population, such as activists, whistleblowers, or journalists,
our main focus is understanding the needs and practices of
users of communication tools who do not consider themselves
to be at risk of targeted surveillance. This is because our focus
of enquiry is widespread adoption of secure communications.We recruited our participants via posting flyers around
University College London’s buildings and emailing university
staff members. We also distributed emails to staff members
in collaborating public- and private-sector organizations (e.g.,
banks, hospitals, universities). We asked interested participants
to complete an online pre-screening questionnaire, which
380 completed. The full questionnaire can be found in the
Appendix. We assessed participants’ technical knowledge and
cyber-security threat exposure via a set of simple questions.
We also provided them with a list of different communication
tools (those evaluated by the EFF Secure Messaging Score-
card), asking them to select all the tools they currently use
and the ones they stopped using. Additionally, we gave our
participants the option to specify other tools they have used,
but were not on the list.
We then divided the pool of eligible participants into sub-
groups, based on a number of variables: age, gender, education
level, study area, employment status, technical knowledge, and
previous cyber-security threat exposure. We conducted and
analyzed 10 unstructured interviews first, followed by 50 semi-
structured interviews. Tables 1 and 2 summarize the demo-
graphics of our recruited participants for both the unstructured
and semi-structured interview sessions, respectively1.
With 60 participants, our study represents the largest qual-
itative study on this topic. We interviewed 23 male and 35
female participants. Two participants preferred not to indicate
their gender. Participants’ ages ranged from 18 to 70. Two
participants did not have a formal educational qualification,
seven completed high-school education, 30 had a college
degree (e.g., BA, BSc), and 21 had a higher degree (e.g., MA,
MSc, PhD). 40 were high-school and university students, 17
were employed, and three were retired. Our participants used
a wide range of communication tools on different computing
platforms (e.g., Android, iOS, Mac OS X, Microsoft Win-
dows). None of the participants used a PGP-based tool, such
as Enigmail, GPGTools or Gpg4win. Only P23 and P57 used
an OTR-based tool; both have adopted Pidgin for some time
and then stopped using it.
We note that P2, P5 and P28 identified themselves as secu-
rity experts, so they did not necessarily represent mainstream
users of communication tools.
1 Tables 1 and 2 can be accessed from the first author’s webpage.
C. Interview Procedure
The value of conducting qualitative research lies in pro-
viding a holistic understanding of the phenomenon under
enquiry using predominantly subjective qualitative data, which
can be supplemented by observational and other quantitative
data [64]. A single trained researcher conducted all 60 in-
terview sessions in the UK in English, by first conducting
10 unstructured (open-ended) face-to-face interviews, lasting
for 35 minutes on average. The emerging themes shaped the
design of the script used for the 50 semi-structured face-to-face
interviews, lasting for 90 minutes on average. The interviewer
allowed participants to elaborate, share their thoughts, and ask
any clarification questions. The interviewer also asked follow-
up questions (or probed) where appropriate. This is a common
practice in semi-structured interviews, in which the interviewer
primarily uses a list of questions, but has discretion to ask
follow-ups or skip questions that have already been covered.
However, all interviews covered the following four areas in
the same order. Below, we describe the script we used for the
semi-structured interviews.1) Adoption of communication tools: We asked participants
to specify the communication tools they have used by giving
them the same list of tools provided during the pre-screening
stage. This allowed us to compare their answers with those in
the pre-screening questionnaire. Also, we asked them to take
out their mobile phones and check all the communication tools
they have installed.
For each tool currently used or previously used by our
participants, we asked why they decided to adopt it and why
they stopped using it (if they had). The given answers helped
us understand why specific tools were widely adopted and
others were not. The key questions were:
• Why did you decide to adopt [this communication tool]?• What computer platforms does the tool run on?• Who do you communicate with?• What is the context of use?• Do you describe yourself as a regular user of the tool?• Have you ever checked and/or changed the default set-
tings of the tool? Please elaborate.
• What kind of information do you regard as “sensitive”?• Have you ever sent sensitive information via a commu-
nication tool? If yes, why and how did you do so?
• Why did you decide to stop using [this communicationtool], if applicable?
2) How users defined secure communications: “Securing” acommunication tool is meaningless without defining a security
policy and a threat model. Many communication tools are
advertised as “secure” or “encrypted”, but a recent academic
survey suggested that many are not as secure as they claim
to be [1]. The link between users’ perceptions of secure
communications and the actual security offered by different
communication tools has not been investigated so far.
To address this gap, we asked our participants about the kind
of protection (or security properties) a secure communication
tool should provide, what they want to protect, with whom
140
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
they communicate, who the attackers (or adversaries) might
be, and what their capabilities are.
We also elicited participants’ mental models of how they
think secure communications work. Mental models are cogni-
tive representations of external reality that underpin people’s
cognition, reasoning, decision-making and behavior [65]. We
invited our participants to draw how a communication tool
works, and whether there is a distinction between calling
someone and sending them a text (or multimedia) message.
A message could be an SMS, an email or an instant message.
We provided our participants with an iPad and a stylus pen. We
also recorded and transcribed participants’ verbal commentary
while drawing, along with the rest of the interviews.
3) Security ranking of communication tools: We asked ourparticipants to rank the communication tools they have used in
terms of the security level each tool offers. We provided them
with cards with the names and logos of the tools they have
used, and asked them to sort the tools from the most to the
least secure. We used this card sorting exercise to compare our
participants’ rankings with those on the EFF Secure Messaging
Scorecard [2] and to elicit the rationale behind their rankings.
We also wanted to assess the effectiveness of the EFF
Scorecard in communicating which communication tool is
secure and why. After our participants ranked the tools and
described their reasoning, we showed them the scorecard
(printed on a sheet of paper) and gave them 10 minutes to
explore it, compare their rankings, and ask any clarification
questions they had.
4) Security properties and mechanisms: In the last part ofthe study, we wanted to probe our participants’ understanding
of how a security property can be achieved and how it can
be violated. We also asked participants about several spe-
cific security mechanisms: encryption, digital signatures and
cryptographic fingerprints. We wanted to check their broader
understanding to see whether they can interpret the criteria on
the EFF Scorecard correctly or not.
Finally, we debriefed our participants and gave them the
time to ask any clarification questions about the study.
D. Pilot Study
We conducted a pilot study of five semi-structured inter-
views to check that the questions could be understood and
identify any potential problems in the script (e.g., cost, time,
adverse events) in advance, so that the methodology could be
fine-tuned before launching into the main study. We used the
common practice of convenience sampling [66] by selecting
five colleagues for the pilot study. In addition to the five
sessions, we asked six researchers to review the study.
E. Data Analysis
To develop depth in our exploratory research, we conducted
multiple rounds of interviews, punctuated with periods of
analysis and tentative conclusions [19]. In total, we conducted,
transcribed (using an external transcription service) and ana-
lyzed all 10 unstructured and 50 semi-structured interviews.
We observed data saturation [67] between the 40th and 45th
interview; i.e., no new themes emerged in interviews 46–50,
and, hence, we stopped recruiting. Data saturation provides
a high degree of confidence that we observed the range of
reasons for adoption (or non-adoption) of secure communi-
cations. The audio-recordings of the interview sessions were
transcribed, and then independently coded by three researchers
using Grounded Theory analysis [20], [21], an inductive/open-
ended method to discover explanations, grounded in empirical
data, about how things work. After coding all interviews and
creating the final code-book, we tested for the inter-coder
agreement (or inter-rater reliability). The average Cohen’s
Kappa coefficient (κ) for all themes in the paper is 0.83 [68]. Aκ value above 0.75 is considered an excellent agreement [69].
F. Ethics
The Research Ethics Board at University College London
reviewed and approved our research project (project ID no.:
6517/002). Before each interview, we asked our participants
to read an information sheet and sign a consent form that
explained the purpose of the study, and emphasized that
all data collected was treated as strictly confidential and
handled in accordance with the provisions of the UK Data
Protection Act 1998 (registration no.: Z6364106/2015/08/61).
Participants had the option to withdraw at any point during
the study without providing any reason. We explained to them
that in such a case, none of their data would be used in the
analysis, and they would still receive the full reward of £10.No participant withdrew.
G. Limitations
Our study has some limitations. Although our sample size is
large for a qualitative study, we did not cover a wide range of
cultural backgrounds. One can argue that this limits the gen-
eralizability of our results. However, we have documented the
study protocol step-by-step, meaning that it can be replicated
with participants in different cultural contexts.
Additionally, our study has limitations common to all qual-
itative studies. Research quality depends on the researcher’s
individual skills and might be influenced by their personal
biases. A single researcher, who was trained to conduct the
interviews consistently and ask questions in an open and
neutral way in order not to influence participants, conducted all
60 interviews. We note that the length of the interviews meant
that fatigue set in during the final 20 minutes, so participants’
answers tended to be less detailed. However, the interviewer
prompted participants to give full answers to all questions.
Furthermore, some participants could have been concerned
about the interviewer’s perception of them and, therefore,
could have changed their answers in line with how they like
to be perceived.
IV. RESULTS
In this section, we present the key emerging and recur-
ring themes we observed across our interviews. We report
participants’ statements by labeling them from P1 to P60.
We additionally report how many participants mentioned each
141
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
theme to give an indication of the frequency and distribution
of themes. However, the main purpose of qualitative research
is to explore a phenomenon in depth, and not to generate
quantitative results. We identified several misconceptions of
secure communications among participants that underpinned
their reasoning and decision-making. We report those in their
respective sections: IV-A – IV-H.
A. Adoption Criteria of Communication Tools
We found nine main criteria influencing our participants’
decision to adopt a communication tool, namely (1) large user
bases and interoperability, (2) context of use, (3) services
offered by the tool, (4) QoS, (5) cost of use, (6) type of
communications (spontaneous or planned), (7) integration with
email, (8) registration (telephone numbers vs. usernames), and
(9) social influence.
Large user bases and interoperability. The ability toreach their intended communication partners is the primary
communication goal of our participants. If most of their regular
communication partners do not use the tool, it has little utility.
As P5 put it, “there is no point of using a chat service thatnot many people use”. 50 out of 60 participants explicitlymentioned that the tools they use most frequently are those that
most of their contacts use. Thus, the small and fragmented user
bases of current secure communication tools hinder adoption
of secure tools. For example, P23 and P57 who used Pidgin
(an OTR-based tool) in the past deserted it because of lack of
utility, whereas almost all participants use WhatsApp.
Even iMessage, which is available on any device running
iOS (or Mac OS X), is not used as frequently as WhatsApp
because not all of our participants’ contacts own such a device,
and iMessage is not interoperable (i.e., does not work with
non-iOS devices). The same applies to FaceTime. Because
WhatsApp works across different platforms, it is the tool of
choice; many participants who have an iOS device use What-
sApp to communicate with contacts who also have an iOS
device, instead of using iMessage (or FaceTime). Although
they perceive iMessage as more secure (see Section IV-G),
they see the overhead of using two communication tools as
not worth the better security offered by iMessage.
Context of use. Participants use communication tools in avariety of contexts: socializing, organizing events or creating
study groups. They perceive some tools as “more suitable” for
some types of communications: they use SMS and email for
formal conversations, whereas they prefer IM to communicate
informally with family members, friends and colleagues. Voice
calls using the mobile phone network (whether the call is
local or international) are preferred if the communication is
urgent, or, as P2 described his parents and grandparents, the
communication partner is “old-school”. Participants perceive
calling a contact as more convenient and “faster” than sending
a message via IM because they do not have to check if the
recipient is online. Also, our participants prefer SMS and IM
to email if they want the recipient to be notified quickly.
Services offered. Our participants choose specific toolsbased on the services the tools offer. 55 out of 60 participants
explicitly mentioned that they use email, instead of SMS,
to send large volumes of data (e.g., media messages, files)
although many of these participants (32 out of 55) perceive
sending a message via SMS as “more secure” than sending
an email (see Section IV-F). Furthermore, 20 participants who
perceive Telegram as more secure than WhatsApp (see Section
IV-G) explicitly mentioned that Telegram does not support
calls, causing them to use the “less secure” option: WhatsApp.
Lack of utility fosters insecure behaviour: Telegram sup-
ports two chat modes: (1) default chat mode (messages are
encrypted in transit), and (2) Secret Chat mode (messagesare E2E-encrypted). However, the Secret Chat mode does notcurrently support group conversations. All participants who useTelegram do not use Secret Chat when communicating withindividuals either because the overhead of switching between
the two modes is high, or because they just forget to use
Secret Chat, especially for participants who frequently use thedefault mode to send group messages. This can be conceived
as a usability problem (i.e., mode error: a type of slip where a
user performs an action appropriate to one situation in another
situation, which is common in software with multiple modes),
but is also caused by lack of utility (the secret mode does not
support group conversations).
QoS. 47 out of 60 participants assess the reliability of acommunication tool based on the QoS of voice calls and
messages they experienced. For example, P9 and P12 pre-
fer Google Hangouts because its audio has “high-quality”,
whereas P31 and P45 stopped using Google Hangouts because
they experienced “bad-quality” audio in the past. This not only
influences adoption, but also users’ perceptions of how secure
a tool is (see Section IV-G): 40 out of 60 participants said that
a tool that offers high-quality services can also be assumed to
be more secure. Thus, the perceived competence developers of
tools demonstrate by delivering high QoS makes participants
assume that they will also do a good job on security.
Cost of use. The financial cost of using a tool is anothermain factor influencing participants’ adoption decision (47 out
of 60). Participants mainly use IM when they are not in the
same country as the recipient. P2, P30 and P41 mentioned that
IM tools are not at “no cost” because they have to pay for the
Internet service most of the time. P2 reported that the cost of
the Internet service in developing countries is high.
Battery consumption is another cost our participants men-
tioned. 36 out of 60 participants said they never log out of most
of their accounts, but they do log out of their Skype accounts
because they see Skype as a “heavy” application that drains
the device battery. This in turn means it takes time and effort
to start Skype again and sign into the account. As a result, our
participants rarely use Skype for spontaneous communications.
Type of communications: spontaneous vs. planned. Par-ticipants clearly distinguish between spontaneous and planned
communications. Many participants who use Skype (30 out of
60) use it mainly for international calls and videoconferencing.
These communications are usually pre-arranged, rather than
spontaneous. P7, for instance, said she does not use Skype
for communicating with others on a regular basis because
142
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
communication partners will not notice her messages unless
they are logged in. However, the majority of our participants
always log out of their Skype accounts (see the previous point
on battery consumption).
Integration with email. Most participants have used Ya-hoo! Messenger for some time, but they stopped using it after
moving away from Yahoo! mail. For example, P46 and P56
mentioned that they had to specifically log in to their Yahoo!
mail account to access the chat service. 15 participants, on the
other hand, use Google Hangouts because they frequently use
Gmail (on their PC/laptop, not phone).
Registration: telephone numbers vs. usernames. Com-munication tools that require knowledge of a contact’s phone
number also have reduced utility. WhatsApp and Facebook
Messenger are the most frequently used tools among our
participants (45 out of 60) for sending messages. However,
WhatsApp is only convenient to use when participants have
the phone number of the person they want to communicate
with, whereas in Facebook Messenger, they can search for a
particular person by name, adding to the tool’s utility.
Social influence. A social system is a combination ofexternal influences (e.g., mass media) and internal influences
(e.g., social relationships) that affects participants decision
to adopt or stop using a particular tool (54 out of 60). A
newspaper article or a friend can influence adoption decisions.
Das et al. [58]–[60] have studied the role of social influence
on users’ decisions to adopt secure tools and to use specific
security features; we found some evidence in the reasons
our participants gave for adoption. For example, P56 said
she adopted Telegram because her father recommended it as
secure against eavesdropping by service providers. However,
we found she does not use the Secret Chat mode and, asa result, her communications are not protected. She was
motivated to adopt a secure tool, but was foiled by a usability
issue (mode error).
B. Sensitive Information: Perceptions and Practices
Perceived sensitivity of information should drive the adop-
tion of secure communication tools, but this is not the case
with our participants. When we asked participants if they send
sensitive information via communication tools, they started to
use the terms “security”, “privacy”, “safety”, and “protection”,
interchangeably. However, they do not select a secure tool to
do so. Instead, they use different practices and obfuscation
techniques. In this section, we explain how our participants
define sensitive information, which practices they use to send
this information, and the information’s level of sensitivity.
How participants define sensitive information. Our par-ticipants said they want to protect all data they transmit, and
all data stored on their personal devices. However, they regard
some information as sensitive, such as personally identifi-
able information (PII), bank account details, authentication
credentials (e.g., PINs, passwords), health data, their photos,
and political views. Only P37 mentioned that any piece of
information is potentially personal and sensitive.
Protection practices. The majority of participants (53 outof 60) believe that the best protection for sensitive information
is to speak to the recipient directly, instead of using a com-
munication tool. If they trust a communication partner with
the information and need to send the information urgently,
they regard voice calling or videoconferencing as most secure,
regardless of the tool used. Voice calling and videoconfer-
encing are seen as the “closest thing” to telling the recipient
face-to-face because there is “no record” of calls, as opposed
to messages (see Section IV-F for the reasons). Only seven
out of 60 participants (P2, P5, P37, P42, P45, P47 and P51)
mentioned that voice calls have the same security properties
as messages giving the reason that the same communication
tool and channel are used.
Other practices our participants perceive as secure include
sending information by post (P46), sending a voice message in
a foreign language (P17 and P48), or cutting the message into
“chunks” and sending these via different communication tools
(P20 and P43). P56 also reported sending different chunks
of information using the different modes of Telegram: when
sending a 4-digit PIN, she sends two digits via the SecretChat mode and the other two digits via the default chatmode, believing the two modes of Telegram use “two differentchannels”, which cannot be associated with each other.
P8 told us about using an encryption tool to encrypt a
document, sending the “encrypted document” via one com-
munication tool and the “encryption key” via another. The
encryption tool turned out to be Microsoft Word’s password-
based document encryption feature, with the password serving
as the encryption key. 10 participants have their own “code” to
exchange sensitive information via any communication tool.They share the code (effectively a substitution cipher) with
trusted parties in advance before sending any message. They
said that the “design” of these codes or schemes must be kept
secret, so that only the parties who know the schemes can
decode the scrambled message. P13 also mentioned using the
practice of sending her password to a trusted recipient as a text
message via any tool and then changing her password later.
Level of sensitivity. 54 out of 60 participants said theyshare sensitive bank account details with trusted recipients
via a phone call, but discuss political views only face-to-
face. They believe that (1) neither the government nor service
providers are interested in users’ PINs and passwords, and (2)
a government agency (especially with repressive regimes) can
target a particular person and record their calls, as portrayed
so memorably in the following movie: “The Lives of Others”.
None of our participants mentioned meta-data (e.g., identity
of sender and recipient) as worth protecting. Even when we
hinted at the potential sensitivity of meta-data, they (except for
P2 and P5) described them as “less sensitive”. Clearly, they
are not aware of the highly publicizing and debated “we killpeople based on meta-data” comment [70]. Our participants’mental models of both the technology they are using and the
threats to their communications seem very much influenced
by traditional telephony, rather than digital communications.
143
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
C. Security Properties
Our participants used the terms “secure communications”
and “security” in previous discussions. In this section, we
analyze what security properties they expect from secure com-
munication tools. Their discussion of security properties falls
into three main categories: (1) secrecy of message content, (2)
message integrity, and (3) “no impersonation”.
Secrecy of message content. When our participants de-scribed this property, they did not use the terms “confi-
dentiality” or “encrypted communications”. Instead, they ex-
plained that exchanged messages via a secure communication
tool should only be accessed by the sender and intended
recipient(s). Third parties, including government intelligence
agencies and service providers, should not be able to read
the messages, or listen to voice calls. P5 mentioned that
information exchanged via a communication tool should not
be “re-routed to unintended recipients”.Message integrity. No participant mentioned unprompted
that a message should not be modified in transit (for several
reasons discussed later in Section IV-D.II). However, when we
explained the threat to them, all agreed that integrity is an im-
portant property a secure communication tool must offer. Only
three participants (P2, P5 and P28), who identified themselves
as security experts, discussed man-in-the-middle attacks and
digital signatures, the essential cryptographic mechanisms for
assuring integrity.
“No impersonation”. All participants believe a user willbe impersonated if their username and password are used to
log in to their account. They, therefore, want their passwords
stored in a secure place (the service provider’s server) where
they cannot be compromised. Many participants used the
term “hacking” in connection with this security property. Six
participants (P15, 17, 32, 43, 49, 56) expect to be notified,
and to be asked for consent, before the government or service
provider accesses their accounts. This is an expectation of
conduct by snoopers that in reality is unlikely to be met.
Our participants did not mention or describe plausible
deniability (or repudiation), forgeability, forward or backward
secrecy, recipient authenticity, or confidentiality of usernames.
When we started discussing anonymous communications, all
participants mentioned that anonymity is an unimportant secu-
rity property. From our participants’ perspective, anonymous
communications mean sender-anonymity [71] and/or third-
party anonymity [71] (expressed in their own words). P2,
P6, P32, P39, P45 and P50 also mentioned that only people
who engage in political discussions need sender anonymity.
P2 incorrectly stated that Telegram and Signal (formerly
known as TextSecure) offer sender-anonymity and third-party
anonymity. He stated (also incorrectly) that Skype, Snapchat
and Telegram’s Secret Chat mode provide deniability becausethey do not offer “evidence preservation”; i.e., a sender candelete a message they have already sent.
P8, P11, P22, P27, P32, P43 and P60 suggested that
anonymous communications can be achieved by using a public
PC, creating a fake account, sending the data, and then logging
out. However, they believe this only works for communication
tools that do not require a phone number at registration time
(e.g., Facebook Messenger).
Availability is hugely important to our participants, referring
to it as “reliable connection”. However, they regard it as a
utility feature (see Section IV-A), not a security property.
D. Threat Models
Our participants described different types of adversaries
that can violate the security of communications. We describe
these adversaries and their capabilities in Section IV-D.I. In
Section IV-D.II, we explain how participants think the security
properties of secure communication tools (discussed in Section
IV-C) can be breached.
D.I. Adversaries
All participants, except for P2 and P5, believe that the
security of any communication tool can be breached by threetypes of adversaries: (1) intelligence agencies, (2) application
service providers, and (3) technically-skilled attackers.
Intelligence agencies. 58 out of 60 participants believe gov-ernment agencies (e.g., NSA, GCHQ) have the resources and
capabilities required to monitor any citizen. They also believe
that governments can coerce or compel service providers to
hand over all the data related to a particular user. 21 par-
ticipants believe governments do this to protect their national
security; e.g., to prevent terrorism. P51 mentioned a “universaldecryption key” that allows governments to decrypt and readany encrypted communication.
Application service providers. 54 out of 60 participantsthink that all messages pass through the service provider
who “knows how the communication tool works” (P10) and,therefore, is able to access all messages. They also believe
that service providers can access any account stored on their
servers either because passwords are not encrypted, or en-
crypted in a way that can be “reverse-engineered” (P9). Eightparticipants mentioned that companies access the content of
messages not for malicious, but commercial reasons (e.g.,
targeted advertisements, removing inappropriate content). P1,
P12, P13, P35 and P42 reported that when they download
an application to their device, the application asks for their
permission to access PII, geo-location data, photo albums, and
contact lists. To them, this means that providers have ways of
circumventing the security properties of communication tools.
55 participants mentioned that they have to accept a
provider’s Terms and Conditions (T&Cs), which they do not
read because they are “too long” and “intentionally vague”,
and contain “a lot of jargon” (like Data Privacy Policies and
End-user Licence Agreements). 15 participants mentioned that
these terms are regularly updated without users being notified.
Our participants suspected they have agreed, because of a
clause somewhere, that the provider can access their data.
Hence, “having my data anyway” means trying to protect it ispointless (P47).
Technically-skilled attackers. All participants (except forP2 and P5) believe that the use of a secure communication
144
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
tool cannot protect against attackers with technical expertise,
described as hackers, computer science students, or competing
companies (e.g., Apple vs. Google).
Only P2 and P5 said that a secure communication tool is
as secure as the device they install it on, provided that the
security protocols are proved to be secure and implemented
correctly. Reasons for the device not being secure that P2 and
P5 are aware of include software and hardware bugs, malware
(e.g., viruses) and backdoors.
D.II. Violating the Security of Communications
Below, we explain how participants believe the security
properties of secure communication tools (discussed in Section
IV-C) can be violated.
Secrecy of message content. Almost all participants (exceptfor P2, P4, P5, P6, P9 and P28) believe that information
exchanged via any tool can be accessed and read by (1)physically accessing the user’s mobile phone or PC, and
reading messages from the chat history, (2) a communication
partner colluding with a third party and sending them the chat
history, (3) accessing the microphone and speaker to listen to
phone calls using some “sophisticated techniques”, (4) using
CCTV cameras to capture exchanged messages on a users’
device screen, or (5) falling for a social engineering attack.
Some participants also believe that confidentiality (i.e.,
secrecy of message content) can be easily breached by the
service provider because when users download an application,
it asks for their permission to access the device’s contact list,
camera, microphone and photo gallery. According to P1, if
the user decides not to agree to such a request, they will not
be able to exchange photos with others. This finding is in
line with the threat model explained earlier in Section IV-D.I.
P8 also reported that providers access log files to perform
quality monitoring of the service, hence, they can read the
information exchanged if they want to. She also mentioned that
a law enforcement agency that has a subpoena can “obviously”
access users’ information.
Only P2, P4, P5, P6, P9 and P28 mentioned eavesdrop-
ping, wiretapping or decrypting cipher-texts. No participant
explicitly talked about man-in-the-middle attacks (although we
cannot rule out that these attacks could have been part of the
“sophisticated techniques” mentioned above). P6 believes that
confidentiality can be breached by wiretapping the commu-
nications between one point and another, though he believes
that as long as “basic encryption, which is signing in to anapplication” is used, this attack can be avoided. He thinks thepassword used to log in to an account is a form of encryption
to protect the data in transit against unsophisticated attackers
(other members of the public).
P9 also mentioned that if many people use a communication
tool (whether secure or not), there will be “billions of messagesbeing exchanged via the network”. This, he believes, makesit hard to identify a message sent by a particular person. He
thinks that as long as a tool has a large user base, attackers
cannot associate exchanged messages with specific parties,
even if messages are sent in cleartext.
P2, P4 and P5 believe that confidentiality can be breached
through social engineering attacks, exploiting vulnerabilities,
using weak cryptographic schemes, or inserting backdoors.
Only P2, P4, P5 and P6 mentioned the terms “encryption” or
“decryption”, albeit with simplistic mental models. We discuss
participants’ mental models of encrypted communications in
detail later in Section IV-E.
Message integrity. As discussed in Section IV-C, thissecurity property was not mentioned by any participant. When
we hinted at it, all participants said that messages should
be protected from modification, but many did not think that
messages can be modified in transit (50 out of 60). P3 believes
her messages have never been modified because her phone has
never been stolen, and her account “has never been hacked”.Thus, no one can send modified messages from her account.
She believes that integrity is assured as long as authentication
takes place. 21 other participants share P3’s belief. Many
believe that their messages cannot be tampered with, which
is in stark contrast to their other belief that confidentiality
cannot be achieved.
P4 does not worry about integrity being breached because
“any message modification can be detected even after somepoint in time” by the recipient (a belief shared by P11, P25,P49 and P60). P4 believes that if someone sends a message
encrypted and then it gets modified in transit by an attacker, the
recipient will receive “nonsense”, and resending the message
will resolve the problem. 30 participants said they have never
thought of the possibility that messages can be tampered with
because, as P11 put it, “the chat history does not change whensending a message”.
P6, P12 and P18 believe that integrity does not get breached
unless people live under a repressive regime. Hence, govern-
ments can modify or censor communications. 40 participants
believe that service providers can tamper with messages,
however, P12 thinks it is not worth the effort: “this wouldrequire someone to have access to the intermediate serverbetween me and the recipient, so it could probably only bedone by someone within the company, who has access to thecentral server. But, this is unlikely, and I don’t know whythey would do it either, so I think it’s a very small concern”.P13 reported that message integrity can be violated if the
application software has a “bug”.
None of the participants knows how integrity can be
achieved, except for P2 and P5 who correctly explained
hashing and digital signatures. We discuss participants’ mental
models of digital signatures in Section IV-E.
“No impersonation”. All participants believe that as longas passwords are hard to guess or steal, authentication is
achieved. Passwords can be stolen by hacking, social engi-
neering, or brute forcing.
According to our participants (41 out of 60), hacking means
(1) stealing the username and password by mounting a social
engineering attack, guessing the password, intercepting the
password when logging into the application, or stealing the
password from the company’s server, (2) logging into the
account on behalf of the legitimate user, and then (3) reading
145
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
messages from the victim’s chat history and accessing PII.
Many participants (32 out of 60) believe that hacking generally
happens over the “Internet”; the traditional network (3G) is
more secure and, as a result, hacking is impossible.
All participants think social engineering attacks are possible,
and that they need to be aware of these attacks. They believe
security can be increased by not writing passwords down and
by changing them regularly, but doing so is onerous.
43 out of 60 participants mentioned that passwords can
be brute-forced. Furthermore, 21 out of 60 stated that an
attacker can create fake accounts to impersonate others, but
“the company providing the service should be aware of thisand ensure this does not happen” (P4). 25 participants alsobelieve that providers store passwords encrypted on their
servers: “they [service providers] are immune to brute-forcingattacks because encryption is used to protect credentials” (P9).
E. Mental Models of (Secure) Communications
During the interview, we asked our participants how a
communication tool works, and who the actors in a commu-
nication system are. We also asked about different security
mechanisms, such as encryption, digital signatures and cryp-
tographic fingerprints. We provided participants with an iPad
and a stylus pen, so they would draw if they wished to explain
a specific concept (e.g., encryption). This helped us identify
whether our participants know the mechanisms used to achieve
a particular security property, such as associating encryption
with confidentiality, and how this relates to their threat models
in Section IV-D. We also found a misconception about deleting
accounts shared by most participants.
Actors in a communication system. All participants,except for P1 and P11, believe the actors in a communication
tool are the sender, the recipient(s) and a single service
provider, referred to as the “company providing the service”.
This architecture is the same, irrespective of whether the
information exchanged is via telephony, SMS, email or IM.
P12 mentioned that the topology of a 3G network is different
from that of the Internet (or Wi-Fi). She incorrectly believes
there are only the sender and the recipient(s) in a 3G network
without a provider.
P1 has never thought of how a communication tool works.
She said the process is “too complicated” for her to think
about. As long as the message is “sent”, “delivered” and
“read”, she will be satisfied. Also, P11 does not know how
communications work.
An important finding of our study is that unlike experts’
network centric view, our participants’ mental models are
somewhat “ego-centric”: they see themselves as the centre
of their personal communications universe and being able
to choose across different tools, which they see as separate
channels. For example, 18 participants think that segmenting
information and sending different “bits” via different tools
means segments cannot be intercepted by the same attacker.
Participants assume that attackers can hack one tool or listen to
one channel. Participants who have more technical expertise
(P2, P4, P5, P16 and P28) showed the same basic mental
models (i.e., ego-centric models).Encrypted communications. When we asked our partici-
pants how secrecy of message content can be achieved, P2, P4,
P5 and P6 mentioned the terms “encryption” or “decryption”
(albeit with simplistic mental models). The remaining partic-
ipants did not. Hence, we probed and asked what encryption
is, why it is used, and how it works (including client-server
and E2E encryption, as distinguished by the EFF Scorecard).Ten participants confused encryption with authentication.
Nine mentioned “multiple encryption”: using a username and
multiple passwords to log in to an account. P12 mentioned
“double encryption” to describe two-factor authentication. In
other words, “encryption would be something like what banksuse. I have a mobile banking app, but they send me a codein the post, so only I have it, so protection means only I canaccess it in a way with the unique code” (P12). P19 statedthat when encryption is used, “it will be harder to get to thedata because of the passcode and password used to log in tothe account”. He believes that encryption is used to protectthe company providing the service from other companies and
“hackers”. P17 also described encryption as using the account
password in a way to protect the data in transit; the more
passwords the account has, the stronger the encryption is.P1 and P59 conflated encryption with data encoding. P1
explained encryption as sending messages in “computer lan-guage: 01010011110100” (i.e., binary representation) and said“these messages can only be understood by computer scien-tists, hackers, service providers and governments. Lay peoplecannot”. P59 explicitly described encryption as sending textin “binary language: 122121122”.
Other participants explained encryption as follows:
1) Turning a message into random text that people cannot
understand (27 out of 60).
2) Using a special language, such that if someone (like a
computer scientist) knows the language, they can decrypt
the message (P26, P27, P32 and P35).
3) Using a special code (P14 and P27).
4) Making conversations “invisible” (P14 and P60).
5) Slowing down the process of understanding the data;
“encryption is (no encryption + adding some time tosend the data packets)” (P23).
6) Using proxies when accessing websites to protect
against attackers (P29).
Seven participants said they have not heard of encryption
and, hence, did not provide any definition.All participants, except for P2, P4 and P5, believe that
encryption protects against the unsophisticated attackers “whodo not know how to hack” (P32). They believe that serviceproviders should not be able to read exchanged messages
in theory, but “this sort of encryption” (P9) is not offeredby existing communication tools. They think that encrypted
communications are futile because the designers who create
the encryption scheme know how to decrypt messages. As
P15 put it, “even the ultimate encryption can be broken, likethe ENIGMA machine in WWII”.
146
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
Only P2, P4 and P5 distinguished between client-server
encryption and E2E encryption; they provided a good (al-
though simplistic) understanding of both types of encryption
and discussed private-key and public-key cryptography. They
also stated that E2E encryption could protect against all types
of attackers.
The 57 remaining participants either did not know the
difference between both types of encryption or gave wrong
answers. For example, P13 equated client-server encryption
to SSL, and described E2E encryption as a special encryption
program (or software) used to manually encrypt messages. P16
equated keys to passwords, describing client-server encryption
as using one key (one password) for encryption and decryp-
tion, whereas E2E encryption as using two different keys (two
passwords): one for encryption and one for decryption.
Passcodes, digital signatures and fingerprints. Sometools, such as Telegram, allow users to set up a passcode
to lock their accounts. However, 45 participants said they do
not set up a passcode because it is time-consuming to unlock
accounts. They see the phone lock of their handset as sufficient
(i.e., Apple’s touch ID or passcode, Android’s pattern/PIN
lock). Others (P4, P11, P14, P15, P39, P40, P56) explicitly
said that locking the application has the undesirable effect of
being notified that a message has been received without thesender’s name and text. This is another example of a security
feature reducing the utility users are looking for.
57 participants (excluding P2, P4 and P5) provided various
incorrect explanations of digital signatures: (1) inserting a
USB stick into the PC to sign a document using a unique
code, (2) scanning a hand-written signature and then adding
the signature electronically to a document, or (3) signing a
digital document using a stylus pen. P29 described a digital
signature as a specific font type in Microsoft Word used to
type names. Only P2 and P5 correctly explained what digital
signatures are.
We also asked about verification fingerprints, and only P2
was able to explain them. All participants who use Telegram,
for example, believe that the fingerprint in the Secret Chatmode is the encryption key shared between the sender and the
recipient to encrypt and decrypt messages in transit, or the
encrypted message itself.
Account Deletion. At the beginning of the study, weasked our participants to take out their mobile phones and
check all the communication tools they have downloaded. All
participants (except for P2, P4, P5 and P28) uninstalled a
communication tool when they decided to stop using it, be-
lieving their accounts and chat history have been removed. We
can attribute this misconception to misleading feedback from
devices: both iPhone and Nexus warn their users that their
data will be deleted if they “delete” a particular application.
The warning message does not specify whether “all” the data
deleted is the application-related data stored on the phone, or
the data associated with the account on the provider’s servers.
F. Security Ranking of Communication Services: Calling vs.Messaging
We asked our participants to rank the communication tools
they have used in terms of how secure they are. Many partici-
pants ranked the services offered by the tools first, rather than
ranking the tools. Our participants exhibited high agreement
on the relative ranking of services (calling and messaging).
All, but seven participants, agreed on the following ranking,
ordered from the most to least secure:
1) Voice calls via the mobile network.
2) Voice calls via the Internet (e.g., Wi-Fi).
3) SMS messages (mobile network).
4) Emails (Internet).
5) Instant messages (Internet).
Seven participants (P2, P5, P37, P42, P45, P47 and P51)
disagreed with the ranking above, noting that voice calls
have the same security level as messages because several
communication tools (e.g., WhatsApp, Google Hangouts) offer
both services.
Calls are more secure than messages. Below, we discussthe reasons given by our participants for why calls are more
secure than messages:
1) According to most participants (53 out of 60), there
is no mass surveillance of phone calls. They are aware that
phone calls can be intercepted, but think it is unlikely unless a
government agency is monitoring a specific person. According
to P17, the calling parties “need to be targeted during theirconversation. This requires special wiretapping equipment”.
2) Nine participants believe that routine recording of phone
calls requires many resources, such as disk space. Hence, they
do not consider phone calls being recorded and stored on the
provider’s servers a threat. P17 also mentioned that text and
multimedia messages are “discarded from the servers as longas they were not suspicious”. In fact, providers store messagesfor long periods of time [72].
3) Nine participants mentioned that a phone call requires
a lot of time and effort to process and analyze, compared to
a text message. They stated that a human has to listen to a
phone call and extract the sensitive information (as portrayed
in movies, perhaps most memorably “The Lives of Others”).It is onerous to convert audio to text for analysis, whereas
text messages can be easily searched for specific keywords.
We speculate this is because participants are used to word
processors that scan text for words, but have never seen this
technology for scanning audio.
4) Seven participants mentioned that there is a record of
text messages stored on the user’s device. They said that if
the user’s device gets compromised, the adversary can access
all previously sent messages, unless the user deletes their
chat history regularly (something none of our participants
regularly does). P12 also mentioned that it should be common
practice not to write sensitive information down on a piece
of paper or as a text message, regardless of whether the
tool is secure or not. Sensitive information should be shared
in person, or via a phone call (if the situation is urgent)
147
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
“because there is no chat history of calls”. 16 participantsmentioned that it is possible to capture a sensitive exchange
by taking a screen-shot of a message, not something attackers
can do with a phone call. This finding suggests users have a
rudimentary understanding of forward secrecy, unconnected to
the cryptographic definition.
SMS is the most secure messaging service. We havediscussed why users regard voice calls more secure than
messages above. We here provide the rationale behind why
SMS messages are perceived as the most secure, while emails
the second most secure, and instant messages the least secure.
According to our participants:
1) Telephone service providers, as opposed to email (and
IM) service providers, are regulated by the government. Hence,
the mobile phone network can protect against competing
companies seeking intelligence, as opposed to the Internet (33
out of 60).
2) Many banks send banking details and notifications (re-
garded as sensitive information by our participants) via SMS
messages, so SMS must be secure (32 out of 60).
3) SMS is accessible only through the “Messages” applica-
tion on the phone, whereas email systems and IM tools can
be accessed through the PC as well, increasing the scope of
vulnerability (P21, P26, P29, P39 and P50).
4) Emails and instant messages (text and multimedia mes-
sages) are less secure than SMS messages because email
systems and IM tools are “free” (30 out of 60), and the Internet
is less secure than other networks (e.g., 3G) (see point 1
above). According to P12, “privacy is a general problem ofthe Internet”. In contrast, P2 and P5 believe it is possible tocommunicate over the Internet securely if vulnerabilities do
not exist.
5) Email was designed to send formal messages and not
to socialize, as opposed to IM tools (28 out of 60). As far as
our participants are concerned, formality of messages indicates
better security. In contrast, P12 believes that Gmail (an email
service) and Google Hangouts (an IM tool) are one entity,
hence, they have the same level of security. Also, P17 and P24
mentioned that their Yahoo! email account has been hacked,
hence, Yahoo! Messenger is perceived as insecure because
Yahoo! email and Yahoo! Messenger are one entity. We discuss
this theme in more detail in Section IV-G.
Some participants (29 out of 60) believe that “professional”
email (e.g., Outlook, P11’s university email) is more secure
than “commercial” email services (e.g., Gmail), provided that
the sender and the recipient have professional email accounts.
According to P11, there is no clear evidence that Outlook is
more secure than Gmail. However, since she receives more
spam emails in her Gmail’s spam folder, she believes that
Gmail is less secure. Also, P11’s university sends regular
warnings about spam emails, which is interpreted as a sign
that the university cares about protecting Outlook, as opposed
to Gmail that “only has a folder for spams”. Here, we havean example of effortful but visible security that makes the
participant believe that Outlook is secure, whereas security
being done automatically (i.e., the filtering done by Gmail)
makes her perceive Gmail as insecure due to invisible security.
Other participants (15 out of 60) feel secure as long as
they use their university email account, even if the recipient
does not use the same email system. P14 and P18 believe
that the university email account is more secure than Gmail
because the university (an educational, non-profit organization)
owns the service and is responsible for protecting it. This
misconception can be attributed to the ego-centric models
explained earlier in Section IV-E.
G. Security Ranking Criteria of Communication Tools
We here discuss the reasons for our participants’ rankings
of the communication tools they have used, not the services
offered by the tools. We provided participants with cards with
the names and logos of the tools, and then asked them to
rank them from the most to the least secure. Our aim was
not to analyze the rankings, but to elicit the rationale behind
our participants’ choices. We found that our participants base
their security rankings of communication tools on several
adoption criteria discussed earlier in Section IV-A, namely
(1) users bases, (2) QoS, (3) cost of use, (4) registration:
telephone numbers vs. usernames, and (5) social influence,
rather than on the security properties they expect from a
secure tool. Below, we discuss the different reasons given by
our participants to justify their rankings of the tools (without
necessarily mentioning the most recurrent reasons first).
User bases. 20 participants believe that popular communi-cation tools (e.g., Facebook Messenger, WhatsApp) have large
user bases and, hence, they are more likely to be targeted. 10
participants, on the other hand, believe that Facebook Mes-
senger is more secure than Yahoo! Messenger because more
people use the former and, hence, there is more investment to
secure it.
QoS. The QoS our participants experience while using atool influences their perceptions of how secure the tool is
(40 out of 60). For example, P7 and P17 said that Viber
has low audio/video quality: “the signal is bad, and thereare continuous disconnections” (P7), which means it is alsoless secure compared to other tools. P12 believes that Google
Hangouts is secure because its audio/video quality is better
than that of, for example, Skype.
Cost of use. 40 participants mentioned that “cheap” toolsshould not be trusted. For example, P59 thinks that Blackberry
Messenger Protected offers better security compared to “otherfree tools” because its subscription cost is high. 22 participantsalso said that tools with advertisements are insecure.
Registration: telephone numbers vs. usernames. 27 par-ticipants perceive WhatsApp as more secure than other tools
because it requires a phone number when creating an account.
They said that using the phone number is a guarantee the
account can only be accessed from the users’ phone. The
phone is seen as strongly linked to the communication partner,
whereas other IM tools that require a username and a password
can be “easily hacked”. P2, P5 and P48 see no difference
between both methods.
148
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
Integration with other tools. 25 participants distrust toolsused in combination with other less secure tools. For instance,
10 participants said that if a user imports their personal details
from Facebook to WhatsApp, WhatsApp’s security will drop
to that of Facebook.
Tools integrated with SMS. Many participants believe thatSMS is more secure than IM for several reasons previously
discussed in Section IV-F. However, 12 participants who use
iMessage and Google Hangouts on their phone have the mis-
conception that these two IM tools are equivalent to SMS and,
hence, have the same security level. For instance, P6 stated
that “iMessage is designed as part of Apple’s SMS service”.He sends banking details via iMessage for this reason.
Attractive UIs. 22 participants stated that if the tool creatorscare enough to make the tool usable, they will also care
about its security. A “bad” (unattractive) UI is a sign that the
developer “does not care” or is not competent, so the security
of the tool is also likely to be shoddy. P17 and P23 cited Kik
and Ebuddy XMS as examples. This finding shows that a good
user experience on one aspect of the tool increases trust in the
competence and motivation of the developers.
Visible security. Visible security indicates “there must bea threat”. 21 participants believe that the mobile version of a
communication tool is more secure than other tools accessed
via browsers because users do not have to deal with HTTPS
locks and certificates. Hence, they prefer to have a stand-
alone desktop application similar to that on the mobile phone.
According to P27, “the information is just on your device, itis not easy to access data on a personal device, as opposedto the web browser”.
An emerging theme is that our participants’ experience of
warning messages and need for security indicators lead them
to perceive the services they access via web browsers as
insecure. Applications on mobile phones have comparatively
fewer indicators and warnings and are, thus, perceived to be
more secure, despite this being technically incorrect [73], [74].
30 participants also think that the probability of a mobile
phone getting infected by a “virus” is lower than that of a
PC because (1) they have never experienced any issue with
their phones, unlike PCs, and have never installed a mobile
phone version of an anti-virus program, and (2) the sender of
an instant message is known, unlike SMS and email: “thereare spam emails, but not spam instant messages” (P18).
Social influence. Social factors largely influence partici-pants’ perceptions of the security offered by a communication
tool (54 out of 60). Some tools are deemed more secure
and trustworthy than others because a friend, colleague, or
newspaper article said so.
Geopolitical context. The local laws and practices thata service provider is subject to influence perception. P12
believes Facebook Messenger is less secure than other tools
because Facebook is US-based. She believes that US gov-
ernment agencies, the NSA in particular, are able to read
transmitted data. Hence, she does not share sensitive infor-
mation via Facebook Messenger. Five participants mentioned
that Threema is the most secure tool because Germans “who
are more privacy-concerned” use it extensively, showing the
“crowd follower” characteristics described in [75].
Self-destructing messages. P15 and P43 believe Telegram’sSecret Chat mode deceives participants into thinking thatmessages are deleted from the recipient side, when they are
actually stored on the server. They compare Telegram to
Snapchat and believe both are insecure.
Open-source vs. proprietary tools. Kerckhoffs’ principleof avoiding security-by-obscurity is well-established in the
cryptographic literature. However, 51 out of 60 participants
largely believe obscurity is necessary for security. P6, P12,
P13, P18, P26, P36 and P59 explicitly stated that Apple
products are secure because they are closed-source. However,
Garman et al. found significant vulnerabilities in iMessage
that can be exploited [76]. Our participants are not aware of
the long line of cases where proprietary encryption schemes
have been broken, despite recent high-profile cases, such as
the Volkswagen key [77].
Finally, seven participants (P3, P4, P8, P11, P19, P22 and
P26) did not rank the communication tools, perceiving them
to have the same level of security for several reasons:
No clear understanding of security. P3, P4, P8, P11and P26 did not compare the tools. They said they do not
understand what makes a communication tool secure. P8 said
that companies do not provide a clear definition of security
because “things are always changing”, and what is securetoday will not be secure tomorrow. Legal liability is seen as
another reason: P26 believes companies want to be able to
change the definition of security in privacy policies in response
to developments.
Security is expensive. P3, P19, P22 and P26 believe noneof the tools are secure because security is expensive, and the
companies who own these tools put profit first. They said that
PII and conversations are not protected because most tools
are free. Without data collection, advertisements cannot be
generated and, hence, there will be no profits.
Past experiences. P19 and P22 believe that all messengersare secure because they have never experienced a breach.
P24 and P46, in contrast, experienced a security breach with
Yahoo! Messenger: “But, talking about this Yahoo! thing, myYahoo! email account is probably one of the least securebecause actually, you know, it has got hacked again recently”(P46). Hence, they believe all tools are insecure.
Security is not possible. P8 believes that “completelysecure” tools exist only in theory. Due to bugs, software can beattacked and communications traced. P2 and P12 were the only
participants to mention that one can evaluate the security of a
tool based on how well the program is written, and that source
code should be audited. P12, however, believes that audits need
to be confidential because the designs of secure tools should
not be published (see Section IV-D on threat models).
H. EFF Secure Messaging Scorecard
We provided our participants with the first-generation EFF
Secure Messaging Scorecard [2] (printed on a sheet of pa-
per), and invited them to compare their rankings with those
149
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
of the scorecard. Not a single participant gave a ranking
that reflected the scorecard. The scorecard contains seven
security criteria. Four criteria are completely misunderstood:
participants do not appreciate the difference between point-
to-point and E2E encryption, and do not comprehend forward
secrecy and fingerprint verification. The other three criteria
reflecting open design (documentation, open-source code and
security audits) are considered to be negative, with participantsbelieving security requires obscurity. We describe below how
participants perceive the importance of the scorecard’s criteria.
Encrypted in transit vs. encrypted so the providercan’t read it. 57 participants (except for P2, P4 and P5) donot differentiate between point-to-point encryption and E2E
encryption. Recent literature [41] suggests that users develop
more trust in an encrypted communication system that makes
the cipher-texts visible. However, whether the cipher-text is
visible or not, our participants do not know what security
properties each tool offers, and they (incorrectly) believe that
encryption can be broken anyway (see Section IV-D).
Can you verify contact’s identity? Recent studies [50],[51] have assessed the usability and security of various repre-
sentations of verification fingerprints. However, no participant
(except for P2) appreciates why some communication tools
can verify a contact’s identity (i.e., the role of fingerprints).
Are past communications secure if your keys are stolen?All participants (except for P2 and P5) do not recognize the
importance of forward secrecy.
Open design. The EFF Scorecard has three explicit criteriato ensure the design and code have undergone independent
reviews. Our participants, in contrast, said proprietary tools
are more secure. This belief in “security by obscurity”, an
anathema to security researchers, stems from the fact that users
perceive security properties to be akin to trade secrets: if a
skilled attacker learns how a tool works, they can compromise
it. This fundamental misconception feeds the perception of
futility. Only P2, P5 and P28 appreciate open design.
V. DISCUSSION
Most user studies of secure communication tools, in particu-
lar encrypted email, have been lab studies conducted following
the same pattern (see Section II): assessing the usability of
specific tools in an artificial setting, where participants are
given a series of security tasks associated with those tools
(e.g., managing keys, sharing keys, encrypting a message)
with fictional communication partners (study coordinators) to
accomplish a particular security goal (e.g., confidentiality)
without errors, and then measuring success, or failure, based
on the goals and tasks imposed on participants, rather than
being their own.
Indeed, users will not adopt a communication tool if they
cannot use it effectively and efficiently. Our study identified
some usability problems (e.g., participants who used Telegram
were not able to recognize the Secret Chat mode). However,our results also show that to be adopted, secure tools have
to offer their intended users utility; i.e., the ability to reach
their communication partners. Security may be part of users’
primary communication goals, but given a choice between a
usable and secure tool that does not offer utility and a usable
but insecure tool that does, users choose the latter. Our results
suggest it is unrealistic to expect that users will switch to
secure tools and only communicate with those who do the
same. Also, they will not expend the effort associated with
maintaining two communication tools (one secure and one
insecure) depending on whom they are talking to. For example,
our participants with iOS devices used WhatsApp and Skype,
instead of iMessage and FaceTime, even when communicating
with other Apple users. Although they perceived the Apple
services as more secure (see Section IV-G), they did not live
in an Apple-only universe; using different tools was perceived
as an overhead they were not willing to carry for security.
When a new tool is usable and attractive enough, users
may accept the initial switching cost and adopt it. However,
creating a new tool that will be adopted by a critical mass of
users requires resources and a set of skills (e.g., user research,
user experience design, communication, affective interaction,
marketing) the creators of secure communication tools do
not have at their disposal. If we want users to adopt secure
communications in the near future, security engineers should
consider putting their skills to securing tools that have a large
use base. WhatsApp’s implementation of E2E encryption for
text, voice calls and video communications is an example of
this more pragmatic approach [18].
In [61], De Luca et al. found that security and privacy are
not a primary factor that drives users to adopt a particular
messenger. We argue that this is not because users do not
care about security at all. Users are aware of some threats and
willing to make some effort to manage them (e.g., by chopping
up credentials into segments and sending these via different
tools). Our participants preferred these quite cumbersome
processes, instead of using a secure tool, because they did not
believe the tools available are actually secure. This impression
was fed by several misconceptions (e.g., they believed service
providers can read E2E-encrypted messages). Besides the lack
of usability and utility, such misconceptions undermined the
case for adoption in their eyes.
There are some users who want to be secure and are
“shopping” for tools that offer specific security properties.
The EFF Secure Messaging Scorecard [2] aims to tell users
about what security properties various communication tools
actually offer. Our findings show that the scorecard is not
supporting typical users effectively because our participants
did not understand these fine-grained security properties. In-
deed, participants believed these properties are either impos-
sible to achieve or detrimental to security (like open design).
These misunderstandings cannot be fixed by just changing the
wording on the scorecard, as our results show that participants
had very inaccurate understanding of fundamental security
properties, such as confidentiality (see Section IV-E).
The key takeaway from mental models research is that
non-experts do not understand abstract security properties.
They can only understand why a property matters in the
context of a specific threat model that matters to them. For
150
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
example, if users do not want their service providers to be
able to read their messages, we need to explain how E2E
encryption protects against this threat. Based on our results,
our participants’ existing models were the “toxic root” of their
belief that ultimately using any form of a secure tool is futile
because they believed even the best encryption scheme can
be broken by the resources and skills of governments and
service providers. We need to make users understand that it is
in their power to protect themselves because several security
mechanisms have been developed based on the best available
knowledge from security research, and are open to audits by
security researchers and practitioners.
Based in part on our feedback, the EFF is redesigning
the scorecard to group tools into general tiers from “most
secure” to “insecure”. Instead of check marks for specific
properties, textual descriptions will be provided for what
security properties each tool provides. The goal is to help
casual readers correctly understand which tools are considered
secure (e.g., E2E-encrypted) without needing to understand
security mechanisms specifically, while also providing text to
help readers acquire accurate mental models of confidentiality,
integrity and authentication. The scorecard will also attempt to
provide more non-security information that users desire: Does
the tool have a large user base? What devices/platforms is it
available on? Can it be used over 3G and Wi-Fi? Does it offer
audio or video chats? Is the tool free? While not necessarily
related to security and privacy, these items drive adoption and
would be recommended to include them in the scorecard.
A final interesting high-level observation is that while efforts
to secure email systems with PGP that were interoperable
across email providers failed on the usability front, current
approaches (e.g., iMessage) succeed on the usability front
at the expense of interoperability with different devices. We
believe examining whether some of the lessons learnt from
securing these communication tools can be transferred to
interoperable secure tools without sacrificing usability is an
interesting open research question for the security community.
VI. CONCLUDING REMARKS
Our research, based on 10 unstructured and 50 semi-
structured interviews, provides the broadest study of user
perceptions of secure communications to date. Although our
participants have experienced usability issues with different
communication tools, these are not the primary obstacles
to adopting secure tools. Low motivation to adopt secure
communications is due to several factors (e.g., small user
bases, lack of interoperability, incorrect mental models of
how secure communications work). Based on our findings,
we conclude with three concrete recommendations:
Secure tools with proved utility. We encourage the securitycommunity to prioritize securing the communication tools
that have already been adopted by mainstream users over
improving the usability of different secure tools. Users’ goal to
communicate with others overrides everything else, including
security. Growing a user base for a new tool is difficult and
unpredictable. Therefore, we encourage security researchers to
work with today’s existing popular tools.
Understand the target population. In the long run, ifsecurity developers want to develop new paradigms and secure
communication tools using a user-centered design process,
they need to understand users’ goals and preferences. The
technical security community must develop a deeper under-
standing of what is important (and not important) to users.
Security properties and threats should be framed in terms that
users can understand.
Improve QoS. Secure communication tools must feel pro-fessional. Security itself is difficult for users to evaluate
directly; they often use proxy signals. This suggests that
engineering effort spent on improving the performance of
cryptographic tools still matters to the extent that it can reduce
latency and dropped packets.
VII. ACKNOWLEDGMENTS
We thank the reviewers for their helpful comments and
suggestions. This work is supported by a gift from Google.
Joseph Bonneau is supported by a Secure Usability Fellowship
from the Open Technology Fund and Simply Secure.
REFERENCES
[1] N. Unger, S. Dechand, J. Bonneau, S. Fahl, H. Perl, I. Goldberg, andM. Smith, “SoK: Secure Messaging,” in IEEE Symposium on Securityand Privacy, 2015, pp. 232–249.
[2] Electronic Frontier Foundation (EFF), “Secure Messaging Scorecard,”https://www.eff.org/secure-messaging-scorecard, accessed on:09.07.2016.
[3] D. Yadron, “Apple Transparency Report: Over 1,000 GovernmentRequests for User Data,” The Guardian, 2016.
[4] S. Gibbs, “Gmail Does Scan All Emails, New Google Terms Clarify,”The Guardian, 2014.
[5] R. Anderson, “Why Cryptosystems Fail,” in ACM Conference onComputer and Communications Security, 1993, pp. 215–227.
[6] S. Fahl, M. Harbach, H. Perl, M. Koetter, and M. Smith, “RethinkingSSL Development in an Appified World,” in ACM Conference onComputer and Communications Security, 2013, pp. 49–60.
[7] A. Whitten and J. D. Tygar, “Why Johnny Can’t Encrypt: A UsabilityEvaluation of PGP 5.0,” in USENIX Security Symposium, 1999.
[8] S. L. Garfinkel and R. C. Miller, “Johnny 2: A User Test of KeyContinuity Management with S/MIME and Outlook Express,” in ACMSymposium on Usable Privacy and Security, 2005, pp. 13–24.
[9] S. Clark, T. Goodspeed, P. Metzger, Z. Wasserman, K. Xu, andM. Blaze, “Why (Special Agent) Johnny (Still) Can’t Encrypt: ASecurity Analysis of the APCO Project 25 Two-Way Radio System,”in USENIX Security Symposium, 2011, pp. 8–12.
[10] M. Lee, “Encryption Works: How to Protect Your Privacy in the Ageof NSA Surveillance,” Freedom of the Press Foundation, 2013.
[11] “Tips, Tools and How-tos for Safer Online Communications,”https://ssd.eff.org/en, accessed on: 19.08.2016.
[12] McGregor, Susan E, “Digital Security and Source Protection forJournalists,” http://towcenter.org/digital-security-and-source-protection-for-journalists-research-by-susan-mcgregor/, accessed on: 20.08.2016.
[13] “The OpenPGP Alliance Home Page,”http://www.openpgp.org/resources/downloads.shtml, accessed on:20.08.2016.
[14] “Tor,” https://www.torproject.org/projects/torbrowser.html.en, accessedon: 20.08.2016.
[15] “Tails: The Amnesic Incognito Live System,” https://tails.boum.org/,accessed on: 20.08.2016.
[16] “Off-the-Record Messaging,” https://otr.cypherpunks.ca/, accessed on:20.08.2016.
[17] “SecureDrop: The Open-source Whistleblower Submission System,”https://securedrop.org/, accessed on: 20.08.2016.
151
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
[18] Natasha Lomas, “WhatsApp Completes End-to-End EncryptionRollout,” https://techcrunch.com/2016/04/05/whatsapp-completes-end-to-end-encryption-rollout, accessed on:09.09.2016.
[19] A. J. Onwuegbuzie and N. L. Leech, “Validity and QualitativeResearch: An Oxymoron?” Quality & Quantity, vol. 41, no. 2, pp.233–249, 2007.
[20] A. Strauss and J. Corbin, “Grounded Theory Methodology,” Handbookof Qualitative Research, pp. 273–285, 1994.
[21] B. Harry, K. M. Sturges, and J. K. Klingner, “Mapping the Process:An Exemplar of Process and Challenge in Grounded TheoryAnalysis,” Educational Researcher, vol. 34, no. 2, pp. 3–13, 2005.
[22] P. R. Zimmermann, The Official PGP User’s Guide, 1995.[23] “GPGTools,” https://gpgtools.org/, accessed on: 11.07.2016.
[24] “GPG4WiN,” https://www.gpg4win.org/, accessed on: 11.07.2016.
[25] “Off-the-Record Communication, or, Why Not To Use PGP,” in ACMWorkshop on Privacy in the Electronic Society, 2004, pp. 77–84.
[26] C. Alexander and I. Goldberg, “Improved User Authentication inOff-the-Record Messaging,” in ACM Workshop on Privacy in theElectronic Society, 2007, pp. 41–47.
[27] J. Bian, R. Seker, and U. Topaloglu, “Off-the-Record InstantMessaging for Group Conversation,” in IEEE International Conferenceon Information Reuse and Integration, 2007, pp. 79–84.
[28] R. Stedman, K. Yoshida, and I. Goldberg, “A User Study ofOff-the-Record Messaging,” in ACM Symposium on Usable Privacyand Security, 2008, pp. 95–104.
[29] I. Goldberg, B. Ustaoğlu, M. D. Van Gundy, and H. Chen,“Multi-party Off-the-Record Messaging,” in ACM Conference onComputer and Communications Security, 2009, pp. 358–368.
[30] H. Liu, E. Y. Vasserman, and N. Hopper, “Improved GroupOff-the-Record Messaging,” in ACM Workshop on Privacy in theElectronic Society, 2013, pp. 249–254.
[31] “Open Whisper Systems: Signal,”https://whispersystems.org/blog/signal/, accessed on: 11.07.2016.
[32] R. Perlman, “The Ephemerizer: Making Data Disappear,” SunMicrosystems, Inc., 2005.
[33] R. Geambasu, T. Kohno, A. A. Levy, and H. M. Levy, “Vanish:Increasing Data Privacy with Self-Destructing Data,” in USENIXSecurity Symposium, 2009, pp. 299–316.
[34] J. Reardon, D. Basin, and S. Capkun, “SoK: Secure Data Deletion,” inIEEE Symposium on Security and Privacy, 2013, pp. 301–315.
[35] R. Housley, W. Polk, W. Ford, and D. Solo, “Internet X. 509Public-key Infrastructure Certificate and Certificate Revocation List(CRL) Profile,” Tech. Rep., 2002.
[36] P. Gutmann, “PKI: It’s Not Dead, Just Resting,” Computer, vol. 35,no. 8, pp. 41–49, 2002.
[37] M. D. Ryan, “Enhanced Certificate Transparency and End-to-EndEncrypted Mail,” in Network and Distributed System SecuritySymposium, 2014.
[38] M. Melara, A. Blankstein, J. Bonneau, M. Freedman, and E. Felten,“CONIKS: Bringing Key Transparency to End Users,” in USENIXSecurity Symposium, 2015.
[39] G. Cluley, “WhatsApp Doesn’t Properly Erase Your Deleted Messages,Researcher Reveals,” https://www.hotforsecurity.com/blog/whatsapp-doesnt-properly-erase-your-deleted-messages-researcher-reveals-16169.html, accessed on: 02.08.2016.
[40] S. Ruoti, N. Kim, B. Burgon, T. Van Der Horst, and K. Seamons,“Confused Johnny: When Automatic Encryption Leads to Confusionand Mistakes,” in ACM Symposium on Usable Privacy and Security,2013, p. 5.
[41] S. Ruoti, J. Andersen, S. Heidbrink, M. O’Neill, E. Vaziripour, J. Wu,D. Zappala, and K. Seamons, ““We’re on the Same Page”: A UsabilityStudy of Secure Email Using Pairs of Novice Users,” in ACMConference on Human Factors and Computing Systems, 2016.
[42] J. Nielsen and R. Molich, “Heuristic Evaluation of User Interfaces,” inACM Conference on Human Factors and Computing Systems, 1990,pp. 249–256.
[43] W. Bai, D. Kim, M. Namara, Y. Qian, P. G. Kelley, and M. L.Mazurek, “An Inconvenient Trust: User Attitudes toward Security andUsability Tradeoffs for Key-Directory Encryption Systems,” in ACMSymposium on Usable Privacy and Security, 2016, pp. 113–130.
[44] S. L. Garfinkel, D. Margrave, J. I. Schiller, E. Nordlander, and R. C.Miller, “How to Make Secure Email Easier to Use,” in ACM
Conference on Human Factors and Computing Systems, 2005, pp.701–710.
[45] J. F. Ryan and B. L. Reid, “Usable Encryption Enabled by AJAX,” inIEEE International Conference on Networking and Services, 2006, pp.116–116.
[46] S. Sheng, L. Broderick, C. A. Koranda, and J. J. Hyland, “WhyJohnny Still Can’t Encrypt: Evaluating the Usability of EmailEncryption Software,” in ACM Symposium on Usable Privacy andSecurity, 2006, pp. 3–4.
[47] E. Atwater, C. Bocovich, U. Hengartner, E. Lank, and I. Goldberg,“Leading Johnny to Water: Designing for Usability and Trust,” inACM Symposium on Usable Privacy and Security, 2015, pp. 69–88.
[48] S. Ruoti, J. Andersen, D. Zappala, and K. Seamons, “Why JohnnyStill, Still Can’t Encrypt: Evaluating the Usability of a Modern PGPClient,” arXiv preprint arXiv:1510.08555, 2015.
[49] S. L. Garfinkel, “Enabling Email Confidentiality through the Use ofOpportunistic Encryption,” in Annual National Conference on DigitalGovernment Research, 2003, pp. 1–4.
[50] S. Dechand, D. Schürmann, T. IBR, K. Busse, Y. Acar, S. Fahl, andM. Smith, “An Empirical Study of Textual Key-FingerprintRepresentations,” in USENIX Security Symposium, 2016.
[51] J. Tan, L. Bauer, J. Bonneau, L. Cranor, J. Thomas, and B. Ur, “CanUnicorns Help Users Compare Crypto Key Fingerprints?” in ACMConference on Human Factors and Computing Systems, 2017.
[52] S. L. Garfinkel, J. I. Schiller, E. Nordlander, D. Margrave, and R. C.Miller, “Views, Reactions and Impact of Digitally-Signed Mail inE-commerce,” in Financial Cryptography and Data Security, 2005, pp.188–202.
[53] J. Sobey, R. Biddle, P. C. Van Oorschot, and A. S. Patrick, “ExploringUser Reactions to New Browser Cues for Extended ValidationCertificates,” in European Symposium on Research in ComputerSecurity, 2008, pp. 411–427.
[54] A. P. Felt, R. W. Reeder, A. Ainslie, H. Harris, M. Walker,C. Thompson, M. E. Acer, E. Morant, and S. Consolvo, “RethinkingConnection Security Indicators,” in ACM Symposium on UsablePrivacy and Security, 2016, pp. 1–14.
[55] F. Roesner, B. T. Gill, and T. Kohno, “Sex, Lies, or Kittens?Investigating the Use of Snapchat’s Self-destructing Messages,” inFinancial Cryptography and Data Security, 2014, pp. 64–76.
[56] S. Gaw, E. W. Felten, and P. Fernandez-Kelly, “Secrecy, Flagging, andParanoia: Adoption Criteria in Encrypted E-mail,” in ACM Conferenceon Human Factors in Computing Systems, 2006, pp. 591–600.
[57] K. Renaud, M. Volkamer, and A. Renkema-Padmos, “Why Doesn’tJane Protect Her Privacy?” in Privacy Enhancing TechnologiesSymposium, 2014, pp. 244–262.
[58] S. Das, T. H.-J. Kim, L. A. Dabbish, and J. I. Hong, “The Effect ofSocial Influence on Security Sensitivity,” in ACM Symposium onUsable Privacy and Security, vol. 14, 2014.
[59] S. Das, A. D. Kramer, L. A. Dabbish, and J. I. Hong, “IncreasingSecurity Sensitivity with Social Proof: A Large-scale ExperimentalConfirmation,” in ACM Conference on Computer and CommunicationsSecurity, 2014, pp. 739–749.
[60] ——, “The Role of Social Influence in Security Feature Adoption,” inACM Conference on Computer Supported Cooperative Work andSocial Computing, 2015, pp. 1416–1426.
[61] A. De Luca, S. Das, M. Ortlieb, I. Ion, and B. Laurie, “Expert andNon-Expert Attitudes towards (Secure) Instant Messaging,” in ACMSymposium on Usable Privacy and Security, 2016.
[62] P. Dourish, R. E. Grinter, J. D. De La Flor, and M. Joseph, “Securityin the Wild: User Strategies for Managing Security as an Everyday,Practical Problem,” Personal and Ubiquitous Computing, vol. 8, no. 6,pp. 391–401, 2004.
[63] R. Wash, “Folk Models of Home Computer Security,” in ACMSymposium on Usable Privacy and Security, 2010, p. 11.
[64] H. Sharp, Y. Rogers, and J. Preece, Interaction Design: BeyondHuman-Computer Interaction, 2007, vol. 11, no. 4.
[65] P. N. Johnson-Laird, Mental Models: Towards a Cognitive Science ofLanguage, Inference, and Consciousness. Harvard University Press,1983, no. 6.
[66] R. H. Bernard, Non-probability Sampling: Social Research Methods:Qualitative and Quantitative Approaches. SAGE, 2006.
[67] C. Seale, “Quality in Qualitative Research,” Qualitative Inquiry, vol. 5,no. 4, pp. 465–478, 1999.
152
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.
[68] J. Cohen, “A Coefficient of Agreement for Nominal Scales,”Educational and Psychosocial Measurement, vol. 20, no. 1, pp. 37–46,1960.
[69] J. L. Fleiss, B. Levin, and M. C. Paik, Statistical Methods for Ratesand Proportions. John Wiley & Sons, 2013.
[70] D. Cole, “‘We Kill People Based on Metadata’,” http://www.nybooks.com/daily/2014/05/10/we-kill-people-based-metadata/,accessed on: 09.07.2016.
[71] G. Danezis and C. Diaz, “A Survey of Anonymous CommunicationChannels,” Microsoft Research, Tech. Rep., 2008.
[72] “Snapchat Law Enforcement Guide,” http://www.documentcloud.org/documents/717257-snapchat-law-enforcement-guide-12112-1.html,accessed on: 11.06.2016.
[73] S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, andM. Smith, “Why Eve and Mallory Love Android: An Analysis ofAndroid SSL (in)Security,” in ACM Conference on Computer andCommunications Security, 2012, pp. 50–61.
[74] M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, andV. Shmatikov, “The Most Dangerous Code in the World: ValidatingSSL Certificates in Non-Browser Software,” in ACM Conference onComputer and Communications Security, 2012, pp. 38–49.
[75] A. Morton and M. A. Sasse, “Desperately Seeking Assurances:Segmenting Users by Their Information-Seeking Preferences,” in IEEEAnnual International Conference on Privacy, Security and Trust, 2014,pp. 102–111.
[76] C. Garman, M. Green, G. Kaptchuk, I. Miers, and M. Rushanan,“Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks onApple iMessage,” in USENIX Security Symposium, 2016.
[77] R. Verdult, F. D. Garcia, and B. Ege, “Dismantling Megamos Crypto:Wirelessly Lockpicking a Vehicle Immobilizer,” in USENIX SecuritySymposium, 2015, pp. 703–718.
APPENDIX
PRE-SCREENING QUESTIONNAIRE
• Please indicate which of the following ranges your age fallswithin.
Under 1818 – 2021 – 3031 – 4041 – 5051 – 6061 – 7070+
• Please indicate your gender.MaleFemalePrefer not to say
• What is your highest level of education? If you are currentlyenrolled, please specify the highest level/degree completed.
Some high-school educationHigh-school education or equivalentSome college education (incomplete degree)College degree (e.g., BSc, BA)Graduate degree (e.g., MSc, MA, MBA, PhD)Vocational training (e.g., NVQ, HNC, HND)Other
• If you have (or are currently pursuing) a BSc or BA degree,what is your area of study?
• If you have (or are currently pursuing) an MSc, MA or MBAdegree, what is your area of study?
• If you have (or are currently pursuing) a PhD degree, what isyour area of study?
• What is your current employment status?StudentEmployedSelf-employedUnemployedRetired
• If employed, what is your current occupation?• Do you own a desktop computer and/or a laptop?
Yes No• Do you own a smartphone?
Yes No• What communication tools have you ever used? Please select
all that apply.• What computing platforms do you use to communicate with
your contacts via communication tools? Please select all thatapply.
Android (e.g., Google Nexus, Galaxy Samsung)iOS (e.g., iPhone)Microsoft WindowsMac OS XOther
The following questions assessed participants’ general technicalexpertise.
• Do you have an engineering or computer science background?Yes No
• Have you ever configured a network firewall?Yes No Do not know
• Have you ever written a computer program?Yes No Do not know
• Have you ever changed your web browser’s search engine(e.g., Google, Yahoo! Search, Bing, Ask.com)?
Yes No Do not know• Have you ever changed your web browser’s homepage?
Yes No Do not know• Have you ever registered a domain name?
Yes No Do not know• Have you ever designed a website?
Yes No Do not know• Have you ever unscrewed anything on your PC or laptop?
Yes No Do not know
The following questions assessed participants’ cyber-security threatexposure.
• Have you ever lost data because of an infected computer (e.g.,Trojan horse, virus or worm infection)?
Yes No Do not know• Have you ever been impersonated (or have your account
credentials been stolen)?Yes No Do not know
• Have you ever fallen for a phishing e-mail?Yes No Do not know
• Has your personal data ever been misused?Yes No Do not know
• Have you ever received an unsolicited e-mail (i.e., spam)?Yes No Do not know
153
Authorized licensed use limited to: IEEE Xplore. Downloaded on August 30,2020 at 23:30:14 UTC from IEEE Xplore. Restrictions apply.