DOI: 10.1145/2335356.2335371

Helping Johnny 2.0 to encrypt his Facebook conversations

Published: 11 July 2012

Abstract

Several billion Facebook messages are sent every day. While there are many solutions to email security whose usability has been extensively studied, little work has been done in the area of message security for Facebook and even less on the usability aspects in this area. To evaluate the need for such a mechanism, we conducted a screening study with 514 participants, which showed a clear desire to protect private messages on Facebook. We therefore proceeded to analyse the usability of existing approaches and extracted key design decisions for further evaluation. Based on this analysis, we conducted a laboratory study with 96 participants to analyse different usability aspects and requirements of a Facebook message encryption mechanism. Two key findings of our study are that automatic key management and key recovery capabilities are important features for such a mechanism. Following on from these studies, we designed and implemented a usable service-based encryption mechanism for Facebook conversations. In a final study with 15 participants, we analysed the usability of our solution. All participants were capable of successfully encrypting their Facebook conversations without error when using our service, and the mechanism was perceived as usable and useful. The results of our work suggest that in the context of the social web, new security/usability trade-offs can be explored to protect users more effectively.



Published In

SOUPS '12: Proceedings of the Eighth Symposium on Usable Privacy and Security
July 2012
216 pages
ISBN:9781450315326
DOI:10.1145/2335356

Sponsors

  • Carnegie Mellon University

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. message encryption
  2. social networks
  3. usable security

Qualifiers

  • Research-article

Conference

SOUPS '12
SOUPS '12: Symposium On Usable Privacy and Security
July 11 - 13, 2012
Washington, D.C.

Acceptance Rates

Overall Acceptance Rate 15 of 49 submissions, 31%


Article Metrics

  • Downloads (last 12 months): 34
  • Downloads (last 6 weeks): 3
Reflects downloads up to 19 Feb 2025


Cited By

  • (2024) Signing in Four Public Software Package Registries: Quantity, Quality, and Influencing Factors. 2024 IEEE Symposium on Security and Privacy (SP), pages 1160-1178. DOI: 10.1109/SP54263.2024.00215. Online publication date: 19 May 2024.
  • (2023) "Is reporting worth the sacrifice of revealing what I've sent?" Proceedings of the Nineteenth USENIX Conference on Usable Privacy and Security, pages 491-508. DOI: 10.5555/3632186.3632213. Online publication date: 7 Aug 2023.
  • (2023) Is Cryptographic Deniability Sufficient? Non-Expert Perceptions of Deniability in Secure Messaging. 2023 IEEE Symposium on Security and Privacy (SP), pages 274-292. DOI: 10.1109/SP46215.2023.10179361. Online publication date: May 2023.
  • (2022) An empirical study of a decentralized identity wallet. Proceedings of the Eighteenth USENIX Conference on Usable Privacy and Security, pages 195-211. DOI: 10.5555/3563609.3563620. Online publication date: 8 Aug 2022.
  • (2022) 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. 2022 IEEE Symposium on Security and Privacy (SP), pages 860-875. DOI: 10.1109/SP46214.2022.9833755. Online publication date: May 2022.
  • (2022) Usability of Antivirus Tools in a Threat Detection Scenario. ICT Systems Security and Privacy Protection, pages 306-322. DOI: 10.1007/978-3-031-06975-8_18. Online publication date: 3 Jun 2022.
  • (2021) On the limited impact of visualizing encryption. Proceedings of the Seventeenth USENIX Conference on Usable Privacy and Security, pages 437-454. DOI: 10.5555/3563572.3563595. Online publication date: 9 Aug 2021.
  • (2020) Towards adding verifiability to web-based Git repositories. Journal of Computer Security, pages 1-32. DOI: 10.3233/JCS-191371. Online publication date: 6 Apr 2020.
  • (2020) Private Cloud Storage: Client-Side Encryption and Usable Secure Utility Functions. HCI for Cybersecurity, Privacy and Trust, pages 652-670. DOI: 10.1007/978-3-030-50309-3_44. Online publication date: 19 Jul 2020.
  • (2019) Helping Johnny to Search: Usable Encrypted Search on Webmail System. Journal of Information Processing, 27, pages 763-772. DOI: 10.2197/ipsjjip.27.763. Online publication date: 2019.