Why don't people use secure internet tools?

A group of scholars and practitioners from the US, Germany and the UK conducted a qualitative study on the "obstacles to adoption of secure communications tools," which was presented to the 38th IEEE Symposium on Security and Privacy.

The researchers conducted in-depth interviews with users from across a variety of ages, skill levels and backgrounds to see what barriers existed to the adoption of privacy-oriented, cryptographically secured tools. Their findings have implications for the two major approaches to increasing secure tools adoption: user-interface improvements and training materials.

They found that usability wasn't the major impediment to adoption; rather, the "fragmented user base" (that is, none of your friends are on your secure messaging platform), lack of interoperability (the platform won't talk to other platforms) and low quality of service (voice calls on Signal suck) get in the way.

• Low Quality of Service (QoS) is an obstacle to adoption. Participants assessed the reliability and security of a communication tool by the QoS of messages and voice calls they experienced. Low QoS does not only hinder adoption, but also creates general doubts about how reliable and secure the tool is.

• Sensitivity of information does not drive adoption. Perceived sensitivity of information should drive the adoption of secure communication tools, but this was not the case with our participants. Instead, they used voice calls (regardless of the tool) and other obfuscation techniques to exchange sensitive information.

• Secure communications were perceived as futile. Most participants did not believe secure tools could offer protection against powerful or knowledgeable adversaries. Most participants had incorrect mental models of how encryption works, let alone more advanced concepts (e.g., digital signatures, verification fingerprints). If the perception that secure communications are futile persists, this will continue to hinder adoption.

• Participants’ security rankings of tools were inaccurate. We asked our participants to rank the tools they have used in terms of how secure they are. Many participants ranked the services (e.g., voice calls, messages) offered by the tools, rather than ranking the tools first. They perceived calls more secure than messages. Furthermore, they based their rankings on how large the tool’s user base is, QoS, social factors and other criteria, rather than assessing the security properties a secure tool offers.

• Participants did not understand the EFF Secure Messaging Scorecard. The scorecard contains seven security properties. Four of these were misunderstood: participants did not appreciate the difference between point-to-point and E2E encryption, and did not comprehend forward secrecy or verification fingerprints. The other three properties reflecting open design (documentation, open-source code and security audits) were considered to be negative security properties, with participants believing security requires obscurity.

Obstacles to the Adoption of Secure Communication Tools
[Ruba Abu-Salma, Anastasia Danilova, M. Angela Sasse, Alena Naiakshina, Joseph Bonneau, and Matthew Smith/IEEE Security]

(via 4 Short Links)