A group of scholars and practitioners from the US, Germany and the UK conducted a qualitative study on the "obstacles to adoption of secure communications tools," which was presented to the 38th IEEE Symposium on Security and Privacy.



The researchers conducted in-depth interviews with users from across a variety of ages, skill levels and backgrounds to see what barriers existed to the adoption of privacy-oriented, cryptographically secured tools. Their findings have implications for the two major approaches to increasing secure tools adoption: user-interface improvements and training materials.

They found that usability wasn't the major impediment to adoption; rather, the "fragmented user base" (that is, none of your friends are on your secure messaging platform), lack of interoperability (the platform won't talk to other platforms) and low quality of service (voice calls on Signal suck) get in the way.

• Low Quality of Service (QoS) is an obstacle to adoption. Participants assessed the reliability and security of a communication tool by the QoS of messages and voice calls they experienced. Low QoS does not only hinder adoption, but also creates general doubts about how reliable and secure the tool is.

• Sensitivity of information does not drive adoption. Perceived sensitivity of information should drive the adoption of secure communication tools, but this was not the case with our participants. Instead, they used voice calls (regardless of the tool) and other obfuscation techniques to exchange sensitive information.

• Secure communications were perceived as futile. Most participants did not believe secure tools could offer protection against powerful or knowledgeable adversaries. Most participants had incorrect mental models of how encryption works, let alone more advanced concepts (e.g., digital signatures, verification fingerprints). If the perception that secure communications are futile persists, this will continue to hinder adoption.

• Participants' security rankings of tools were inaccurate. We asked our participants to rank the tools they have used in terms of how secure they are. Many participants ranked the services (e.g., voice calls, messages) offered by the tools, rather than ranking the tools first. They perceived calls more secure than messages. Furthermore, they based their rankings on how large the tool's user base is, QoS, social factors and other criteria, rather than assessing the security properties a secure tool offers.

• Participants did not understand the EFF Secure Messaging Scorecard. The scorecard contains seven security properties. Four of these were misunderstood: participants did not appreciate the difference between point-to-point and E2E encryption, and did not comprehend forward secrecy or verification fingerprints. The other three properties reflecting open design (documentation, open-source code and security audits) were considered to be negative security properties, with participants believing security requires obscurity.



Obstacles to the Adoption of Secure Communication Tools [Ruba Abu-Salma, Anastasia Danilova, M. Angela Sasse, Alena Naiakshina, Joseph Bonneau, and Matthew Smith/IEEE Security]





(via 4 Short Links)