Co-ordinating Developers and High-Risk Users of Privacy-Enhanced Secure Messaging Protocols

Abstract: Due to the increased deployment of secure messaging protocols, differences between what developers "believe" are the needs of their users and their actual needs can have real consequences. Based on 90 interviews with both high and low-risk users, as well as the developers of popular secure messaging applications, we mapped the design choices of the protocols made by developers to the relevance of these features to threat models of both high-risk and low-risk users. Client device seizures are considered more da… Show more

“…There has been considerably less work on attempting to understand what threat models and privacy properties actually match the intuitions and expectations of users. While there have been no prior usability studies of anonymous cryptocurrencies, large-scale studies of at-risk activists that show that privacy is a core concern, and that their understanding of privacy -while sometimes confused with the more narrow use of encryption -does indeed map to a global passive adversary capable of observing the metadata of their communication [18]. This threat model is also mentioned explicitly in the ZCash (Zerocash) design, which notes that "Zerocash only anonymizes the transaction ledger.…”

“…This problem is not confined to privacy-enhanced cryptocurrency wallets, but the hard problem of holistic privacy is endemic in the development of privacy-enhancing tools from web browsers like Tor to secure messaging applications like Signal. For example, Tor cannot interoperate with the popular Google Chrome browser due to the way it retrieves DNS without allowing a proxy like Tor, and Signal uses phone numbers for identities in a way that many activists feel uncomfortable with even though the Signal server itself uses advanced techniques so that it does not need to record the phone number itself [18]. Holistic privacy is likely always incomplete, as new bugs and layers of abstraction are discovered and more complex assemblages of programs created (in turn, altering their original privacy properties).…”

“…A large incentive that is twice the amount required for success is given at the end to users who pass the final verification. Although the online setup is more difficult than an in-person experiment, 18 the users are given a persistent URL to communicate with the guides over video, so that when their IP address changes they can return to communicate with the guides. The users are given a help forum in Telegram to help continue the experiment at their own pace and a video of the instructions that they can download as well.…”

“…It should be noted these users are highly motivated and so it can be argued highly motivated users who are aware of privacy are not representative of ordinary users. However, we would argue that motivated users actually are a more representative sample and better in terms of understanding the behavior of early adopters of a system than some mythical 'ordinary user,' as this idea is operationalized often in usable security and humancomputer interaction studies with a small (perhaps randomly, but often self-selected) group of students from a university, as has been extensively argued earlier [18]. Over all sessions, 60 out of 89 users completed the entire survey and consented to data collection while respecting the General Data Protection Directive (note once 60 users were reached, no more users were added for a session).…”

Holistic Privacy and Usability of a Cryptocurrency Wallet

“…There has been considerably less work on attempting to understand what threat models and privacy properties actually match the intuitions and expectations of users. While there have been no prior usability studies of anonymous cryptocurrencies, large-scale studies of at-risk activists that show that privacy is a core concern, and that their understanding of privacy -while sometimes confused with the more narrow use of encryption -does indeed map to a global passive adversary capable of observing the metadata of their communication [18]. This threat model is also mentioned explicitly in the ZCash (Zerocash) design, which notes that "Zerocash only anonymizes the transaction ledger.…”

“…This problem is not confined to privacy-enhanced cryptocurrency wallets, but the hard problem of holistic privacy is endemic in the development of privacy-enhancing tools from web browsers like Tor to secure messaging applications like Signal. For example, Tor cannot interoperate with the popular Google Chrome browser due to the way it retrieves DNS without allowing a proxy like Tor, and Signal uses phone numbers for identities in a way that many activists feel uncomfortable with even though the Signal server itself uses advanced techniques so that it does not need to record the phone number itself [18]. Holistic privacy is likely always incomplete, as new bugs and layers of abstraction are discovered and more complex assemblages of programs created (in turn, altering their original privacy properties).…”

“…A large incentive that is twice the amount required for success is given at the end to users who pass the final verification. Although the online setup is more difficult than an in-person experiment, 18 the users are given a persistent URL to communicate with the guides over video, so that when their IP address changes they can return to communicate with the guides. The users are given a help forum in Telegram to help continue the experiment at their own pace and a video of the instructions that they can download as well.…”

“…It should be noted these users are highly motivated and so it can be argued highly motivated users who are aware of privacy are not representative of ordinary users. However, we would argue that motivated users actually are a more representative sample and better in terms of understanding the behavior of early adopters of a system than some mythical 'ordinary user,' as this idea is operationalized often in usable security and humancomputer interaction studies with a small (perhaps randomly, but often self-selected) group of students from a university, as has been extensively argued earlier [18]. Over all sessions, 60 out of 89 users completed the entire survey and consented to data collection while respecting the General Data Protection Directive (note once 60 users were reached, no more users were added for a session).…”

Holistic Privacy and Usability of a Cryptocurrency Wallet

“…Existing qualitative studies have explored security practices of different groups of higher-risk users, e.g. [23,24,29,33,37,42,69,73,74,93], but none to our knowledge have studied such practices within large-scale urban protests.…”

Collective Information Security in Large-Scale Urban Protests: the Case of Hong Kong

Privacy and Social Movements