Volume 2021 (2021): Issue 3 (July 2021)
Journal Details
License
Format
Journal
First Published
16 Apr 2015
Publication timeframe
4 times per year
Languages
English
access type Open Access

The Motivated Can Encrypt (Even with PGP)

Published Online: 27 Apr 2021
Page range: 49 - 69
Received: 30 Nov 2020
Accepted: 16 Mar 2021
Abstract

Existing end-to-end-encrypted (E2EE) email systems, mainly PGP, have long been evaluated in controlled lab settings. While these studies have exposed usability obstacles for the average user and offer design improvements, there exist users with an immediate need for private communication, who must cope with existing software and its limitations. We seek to understand whether individuals motivated by concrete privacy threats, such as those vulnerable to state surveillance, can overcome usability issues to adopt complex E2EE tools for long-term use. We surveyed regional activists, as surveillance of social movements is well-documented. Our study group includes individuals from 9 social movement groups in the US who had elected to participate in a workshop on using Thunderbird+Enigmail for email encryption. These workshops took place prior to mid-2017, via a partnership with a non-profit which supports social movement groups. Six to 40 months after their PGP email encryption training, more than half of the study participants were continuing to use PGP email encryption despite intervening widespread deployment of simple E2EE messaging apps such as Signal. We study the interplay of usability with social factors such as motivation and the risks that individuals undertake through their activism. We find that while usability is an important factor, it is not enough to explain long-term use. For example, we find that riskiness of one’s activism is negatively correlated with long-term PGP use. This study represents the first long-term study, and the first in-the-wild study, of PGP email encryption adoption.

