To improve national security, improve crypto usability

Scout Sinclair Brody (previously) is executive director of Simply Secure, a nonprofit I volunteer for that works on impriving the usability of privacy tools so that normal people can understand and benefit from them.


In an excellent soup-to-nuts editorial for the rock-ribbed Council on Foreign Relations, Sinclair Brody lays out the significance of increasing adoption of privacy tools — these are our best bulwark against breaches that threaten our individual, family, and business lives — and the barriers to that adoption, which are a mix of failure in the tech world to make these tools more comprehensible to regular people, and vicious attacks by governments and law enforcement on cryptography as an enabler of terrorism and crime.

Sinclair Brody ends by laying out a roadmap for improving matters:

Open-source developers, in turn, need to prioritize user-experience research and design, as well as to optimize their tools for large organizations. The focus of too many projects has long been on users who resemble the developers themselves. It is time to professionalize the practice of open-source development, recruit designers and usability researchers to the cause, and take a human-centered approach to software design. In particular, project leaders should make the development process more accessible to new participants by including explicit instructions to user-experience experts in their documentation. Although this change in focus will require a cultural shift within the open-source community, it will allow projects to attract more users and more donations, and ultimately result in more useful tools.

To support these efforts, technology-focused foundations and software companies' research and development wings should shift funding priorities toward more applied research on crafting and communicating about security-related features. Much of the work in this area examines the reasons a tool is hard to use—not ways to improve it—or focuses on toy refinements (e.g., "this custom interface is better than the standard"). As an example of such research, WhatsApp recently incorporated end-to-end encryption into its mobile messaging platform, without changing the user experience of its product. However, it accomplished this by hiding all privacy-specific features and tasks from its users, which in turn introduces vulnerability to certain kinds of attacks. Instead, researchers should work to identify factors that make privacy features successful across tools, and examine how such features might be added to popular products without harming user satisfaction.

Taken together, these recommendations would both incentivize and facilitate organizations and individuals in their efforts to adopt stronger protections of user data from unauthorized access. Easier-to-use privacy tools and greater consumer confidence, in turn, will support continued growth, innovation, and financial stability in the digital era.


Protecting Data Privacy With User-Friendly Software
[Sara "Scout" Sinclair Brody/Council on Foreign Relations]


(Image: Monitors working in the Security Operations Center at the University of Maryland.
[UMD-Eskin]