Whenever plain text is involved, users are vulnerable to hacks or mass surveillance. Compounding the risk, most communications between users are not encrypted end-to-end. Nor does it help that, according to a recent study, the vast majority of mainstream technology users are oblivious to the concepts of E2E encryption.
A group of researchers decided to find out how much regular people know about the security of communications via popular messaging apps like WhatsApp, Telegram, Signal, Threema, iMessage, Skype and others.
The research focused on what the group calls “mainstream” users, as opposed to the tech savvy.
“Instead of focusing on a specific at-risk population, such as activists, whistleblowers, or journalists, our main focus is understanding the needs and practices of users of communication tools who do not consider themselves to be at risk of targeted surveillance. This is because our focus of enquiry is widespread adoption of secure communications,” the researchers wrote.
Despite polling just 60 participants, the study allegedly represents the largest qualitative research of its kind. 23 male and 35 female participants were interviewed, and two preferred not to indicate their gender. Participants’ ages ranged from 18 to 70, some had formal education while others didn’t, some had a college degree while others a higher degree, some were employed while others were retired, etc.
How users choose their communication tools
Following the interviews, one of the preliminary observations was that usability is not the primary obstacle to adoption. Users do not wish to stop using the tools that facilitate their communication, even when those tools exhibit usability problems.
Despite knowing of the existence of E2E encrypted messaging tools, most users prefer to stick with the tool that their acquaintances use most, indicating that interoperability is a significant obstacle to adopting secure communication tools.
“50 out of 60 participants explicitly mentioned that the tools they use most frequently are those that most of their contacts use,” the researchers said.
As far as quality of service (QoS) is concerned, 47 out of 60 participants see it as an indication that their service is reliable for conducting safe calls and text-based conversations.
“For example, P9 and P12 prefer Google Hangouts because its audio has ‘high-quality’, whereas P31 and P45 stopped using Google Hangouts because they experienced ‘bad-quality’ audio in the past,” according to the report. However, none of the respondents knew that Google Hangouts does not sport end-to-end encryption.
Social influence plays a similarly important role in the way people adopt one tool or another. One female participant in the study admitted that she adopted Telegram because her father recommended it, citing its ability to secure chats against eavesdropping. The interviewers, however, found that she was not using the Secret Chat mode that provides this feature.
Mainstream users also appear to have limited understanding of IT security as a whole. When asked to compare tools and assess their reliability, four respondents asked to skip this step as they did not understand what makes a communication tool secure. Faced with the same task, one participant said that “companies do not provide a clear definition of security because ‘things are always changing’, and what is secure today will not be secure tomorrow.”
Sensitivity of information does not drive adoption – subjects use voice calls and other obfuscation techniques to exchange what they believe is sensitive information
Secure communications are seen as futile – users don’t trust any tool as long as knowledgeable hackers exist, revealing an incorrect notion of how encryption works
Security rankings of tools – rankings were handed out on criteria like market share, QoS and social factors, rather than on the actual security properties a tool offers; many participants ranked the services (e.g., voice calls, messages) instead of the apps themselves; they also perceive calls as more secure than messages
Participants did not understand the EFF Secure Messaging Scorecard – users were confused reading through the list of security properties, including point-to-point (P2P) and end-to-end (E2E) encryption, forward secrecy and verification fingerprints, as well as open design, the latter considered a negative security property, “with participants believing security requires obscurity,” according to the paper.
“Users’ goal to communicate with others overrides everything else, including security,” according to the authors.
The security community is encouraged to prioritize securing the most popular communication tools currently in use, while developers, for their part, should put a little more effort into educating their target demographic, the researchers said.
The full paper is available here: Obstacles to the Adoption of Secure Communication Tools.