You Probably Can't Encrypt Anything, Can You?

A new study shows that even the simplest encryption tools are lost on the public.

Cybersecurity experts are fond of reminding the public that the best way to avoid having sensitive messages exposed is to encrypt them. Sending financial information to your accountant? Encrypt it. Sending a state secret to a journalist? Encrypt it. Sending really good gossip to your friend? Encrypt it.

The only problem: Most people have absolutely no clue how to encrypt anything, and encryption software isn't helping.

A new study by researchers at Brigham Young University confirms that the vast majority of people cannot figure out even the most basic encryption tools.

Widely believed to be the most user-friendly tool for sending PGP-encrypted messages, Mailvelope is a browser extension that does a lot of the dirty work for you through its integration with many popular email services. That's precisely why the researchers chose it for their study.

The study gave 10 pairs of people up to 45 minutes to encrypt, send, decrypt, and read a message via Mailvelope. Only one subject pair was able to complete the task, and it took them the full 45 minutes; in addition, this pair had some previous familiarity with PGP encryption, unlike the rest of the subjects. In other words: The software was nearly impossible for a novice to use.

"With Mailvelope and other systems we've tested, it seems like they've never asked a real person down and watched them use it," said Scott Ruoti, the lead author on the study.

Most of the failures didn't even get close. Only one of the nine failing pairs even managed to exchange public keys, which are necessary to encrypt and send messages in the first place. Several of the subjects found the software extremely difficult to understand:

All participants expressed frustration with Mailvelope ... "Imagine the stupidest software you would ever use, and that was what I was doing." The difficulty also led several participants to indicate that in the real world they would have given up trying to use Mailvelope long before they did during the study. For example, M3A also said, "After five minutes, I would have just given up and called."

The resulting paper, entitled "Why Johnny Still, Still Can't Encrypt: Evaluating the Usability of a Modern PGP Client," is a follow-up of sorts to Alma Whitten's 1999 paper "Why Johnny Can't Encrypt," a seminal work in the field of usable security. It concluded that the "standard model of user interface design, represented here by PGP 5.0, is not sufficient to make computer security usable for people who are not already knowledgeable in that area."

The BYU paper concluded much the same.

The authors identified some simple steps that could be taken to make PGP extensions easier to use, including tutorials built into the software, idiotproof explanations of public-key cryptography, and plaintext instructions for decryption accompanying every encrypted message.

Those are all good ideas, but Mailvelope is free-to-use, open-source software. It isn't incumbent on its developers to make it more user-friendly than it already is, beyond their own goodwill. There is no party that has a financial stake in making personal encryption a cinch.

"People may be habituated to the thought that email is always going to be insecure," Ruoti said.

Historically, Ruoti said, the cryptologists who designed encrypted mail systems have been far more focused on making them highly secure than making them usable. That's good for the technologically sophisticated, but bad for everyone else. Recently, Ruoti has seen a trend toward encrypted email systems with slightly "ratcheted down" encryption that are far easier to use for most people. One of them is Private WebMail, built by the Internet Security Research Lab at BYU.

Given the Mailvelope study, if anyone can use it, it would be a start.
