---------- Forwarded message ---------- From: Steve Weis <steveweis@gmail.com> Date: Wed, Jan 15, 2014 at 10:37 AM As one anecdote, when I TAed the MIT Network and Computer security course, we assigned "Why Johnny Can't Encrypt" as the first reading. We asked the students to send us a PGP encrypted & signed message and tell us how long it took. If I recall correctly, it took an average of 30 minutes for non-existing users to figure out how to use PGP. Think about that. These were graduate & upperclass undergraduate computer science students enrolled in a network security course. Everyone had accounts on the same university system and were mostly using standalone email clients. Best of all, someone decided it would be funny to generate a fake key for me and post it to pgp.mit.edu. Several students fell for the trick, didn't verify the key, and encrypted their homework with the wrong key. It was a great way to drive home the lesson, but we asked the jokers to kindly revoke their key, which they did. Long story short, PGP was still hard to figure out for an experienced cohort of users, who didn't have the issues of webmail and proliferation of mobile platforms we have today. I don't think anything has improved to make it viable for a wider audience. On Wed, Jan 15, 2014 at 2:23 AM, Anders Thoresson <anders@thoresson.net> wrote:

Hi all!

When doing research on email encryption and why it's still not widely used, I've read Alma Whittens "Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0" [1] from '99. I wonder if anyone knows of similar but more recent usability studies on encryption software?

Comparing the findings made by Whittens and compare them to the software available today, not much seems to have happened. But does the conclusion still holds, that a lack of mass-adoption of email encryption is due to problematic UX – or are there other reasons that today are seen as more important?

[1] – https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten.ps ...