DOI: 10.1145/3230833.3230859
research-article

Finally Johnny Can Encrypt: But Does This Make Him Feel More Secure?

Published: 27 August 2018 Publication History

Abstract

End-to-end (E2E) encryption is an effective measure against privacy infringement. In 2016, WhatsApp introduced it for all users (of the latest app version) virtually overnight. However, it is unclear how non-expert users perceived this change, whether they trust WhatsApp as a provider of E2E encryption, and how their communication behavior changed. We conducted semi-structured interviews with twenty WhatsApp users to answer these questions. We found that about half of the participants perceived that even with E2E encryption, their messages could still be eavesdropped on, for example by hackers and other criminals, governmental institutions, or WhatsApp's employees and cooperation partners. Many participants correctly identified sender and recipient as the weakest points after the introduction of E2E encryption, but misconceptions were still present. For instance, users thought that messages were transmitted directly between two devices without being forwarded or stored on a server, or interpreted 'end-to-end' as the temporal end of a communication. The majority of users stated that they mistrust WhatsApp and its E2E encryption and presumed image-related reasons for the cost-free implementation. While most participants did not change their communication behavior, they reported using protection strategies such as sending sensitive content via alternative channels even after the introduction of E2E encryption.


Published In

ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN: 9781450364485
DOI: 10.1145/3230833

In-Cooperation

  • Universität Hamburg

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

  1. E2E encryption
  2. Privacy
  3. Trust
  4. WhatsApp

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2018

Acceptance Rates

ARES '18 Paper Acceptance Rate: 128 of 260 submissions, 49%
Overall Acceptance Rate: 228 of 451 submissions, 51%
