Why don't people use secure internet tools?

A group of scholars and practitioners from the US, Germany and the UK conducted a qualitative study on the "obstacles to adoption of secure communications tools," which was presented at the 38th IEEE Symposium on Security and Privacy.

The researchers conducted in-depth interviews with users from across a variety of ages, skill levels and backgrounds to see what barriers existed to the adoption of privacy-oriented, cryptographically secured tools. Their findings have implications for the two major approaches to increasing secure tools adoption: user-interface improvements and training materials.

They found that usability wasn't the major impediment to adoption; rather, the "fragmented user base" (that is, none of your friends are on your secure messaging platform), lack of interoperability (the platform won't talk to other platforms) and low quality of service (voice calls on Signal suck) get in the way.

• Low Quality of Service (QoS) is an obstacle to adoption. Participants assessed the reliability and security of a communication tool by the QoS of messages and voice calls they experienced. Low QoS does not only hinder adoption, but also creates general doubts about how reliable and secure the tool is.

• Sensitivity of information does not drive adoption. Perceived sensitivity of information should drive the adoption of secure communication tools, but this was not the case with our participants. Instead, they used voice calls (regardless of the tool) and other obfuscation techniques to exchange sensitive information.

• Secure communications were perceived as futile. Most participants did not believe secure tools could offer protection against powerful or knowledgeable adversaries. Most participants had incorrect mental models of how encryption works, let alone more advanced concepts (e.g., digital signatures, verification fingerprints). If the perception that secure communications are futile persists, this will continue to hinder adoption.

• Participants’ security rankings of tools were inaccurate. We asked our participants to rank the tools they have used in terms of how secure they are. Many participants ranked the services (e.g., voice calls, messages) offered by the tools, rather than ranking the tools first. They perceived calls more secure than messages. Furthermore, they based their rankings on how large the tool’s user base is, QoS, social factors and other criteria, rather than assessing the security properties a secure tool offers.

• Participants did not understand the EFF Secure Messaging Scorecard. The scorecard contains seven security properties. Four of these were misunderstood: participants did not appreciate the difference between point-to-point and E2E encryption, and did not comprehend forward secrecy or verification fingerprints. The other three properties reflecting open design (documentation, open-source code and security audits) were considered to be negative security properties, with participants believing security requires obscurity.

Obstacles to the Adoption of Secure Communication Tools [Ruba Abu-Salma, Anastasia Danilova, M. Angela Sasse, Alena Naiakshina, Joseph Bonneau, and Matthew Smith/IEEE Security]

(via 4 Short Links)