DOI: 10.1145/3463676.3485602
research-article

From Secure to Military-Grade: Exploring the Effect of App Descriptions on User Perceptions of Secure Messaging

Published: 15 November 2021
  • Abstract

    Although end-to-end encryption (E2EE) is more widely available than ever before, many users remain confused about its security properties. As a result, even users with access to E2EE tools turn to less secure alternatives for sending private information. To investigate these issues, we conducted a 357-participant online user study analyzing how explanations of security impact user perceptions. In a between-subjects design, we varied the terminology used to detail the security mechanism, whether encryption was on by default, and the prominence of security in an app-store-style description page. We collected participants' perceptions of the tool's utility for privacy, security against adversaries, and whether use of the tool would be seen as "paranoid." Compared to "secure," describing the tool as "encrypted" or "military-grade encrypted" increased perceptions that it was appropriate for privacy-sensitive tasks, whereas describing it more precisely as "end-to-end encrypted" did not. However, "military-grade encrypted" was also associated with a greater perception of tool use as paranoid. Overall, we find that, compared to prior work from 2006, the social stigma associated with encrypted communication has largely disappeared.

    Cited By

    • (2024) Overview of Usable Privacy Research: Major Themes and Research Directions. The Curious Case of Usable Privacy. DOI: 10.1007/978-3-031-54158-2_3 (43-102). Online publication date: 20-Mar-2024
    • (2023) Comprehension from Chaos: Towards Informed Consent for Private Computation. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. DOI: 10.1145/3576915.3623152 (210-224). Online publication date: 15-Nov-2023
    • (2022) Investigating Influencer VPN Ads on YouTube. 2022 IEEE Symposium on Security and Privacy (SP). DOI: 10.1109/SP46214.2022.9833633 (876-892). Online publication date: May-2022

      Published In

      WPES '21: Proceedings of the 20th Workshop on Workshop on Privacy in the Electronic Society
      November 2021
      257 pages
      ISBN:9781450385275
      DOI:10.1145/3463676
      • General Chairs: Yongdae Kim, Jong Kim
      • Program Chairs: Giovanni Livraga, Noseong Park
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. app descriptions
      2. end-to-end encryption
      3. military-grade

      Qualifiers

      • Research-article

      Funding Sources

      • United States Air Force and DARPA

      Conference

      CCS '21

      Acceptance Rates

      Overall Acceptance Rate 106 of 355 submissions, 30%
