---------- Forwarded message ----------
From: Steve Weis <steveweis@gmail.com>
Date: Wed, Jan 15, 2014 at 10:37 AM

As one anecdote, when I TAed the MIT Network and Computer security course, we assigned "Why Johnny Can't Encrypt" as the first reading. We asked the students to send us a PGP encrypted & signed message and tell us how long it took. If I recall correctly, it took an average of 30 minutes for non-existing users to figure out how to use PGP.

Think about that. These were graduate & upperclass undergraduate computer science students enrolled in a network security course. Everyone had accounts on the same university system and were mostly using standalone email clients.

Best of all, someone decided it would be funny to generate a fake key for me and post it to pgp.mit.edu. Several students fell for the trick, didn't verify the key, and encrypted their homework with the wrong key. It was a great way to drive home the lesson, but we asked the jokers to kindly revoke their key, which they did.

Long story short, PGP was still hard to figure out for an experienced cohort of users, who didn't have the issues of webmail and proliferation of mobile platforms we have today. I don't think anything has improved to make it viable for a wider audience.

On Wed, Jan 15, 2014 at 2:23 AM, Anders Thoresson <anders@thoresson.net> wrote:
Hi all!
When doing research on email encryption and why it's still not widely used, I've read Alma Whitten's "Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0" [1] from '99. I wonder if anyone knows of similar but more recent usability studies on encryption software?
Comparing the findings made by Whitten with the software available today, not much seems to have happened. But does the conclusion still hold, that the lack of mass adoption of email encryption is due to problematic UX, or are there other reasons that today are seen as more important?
[1] – https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten.ps ...