Sascha Fahl
ABSTRACT
Several billion Facebook messages are sent every day. While there are many solutions to email security whose usability has been extensively studied, little work has been done in the area of message security for Facebook and even less on the usability aspects in this area. To evaluate the need for such a mechanism, we conducted a screening study with 514 participants, which showed a clear desire to protect private messages on Facebook. We therefore proceeded to analyse the usability of existing approaches and extracted key design decisions for further evaluation. Based on this analysis, we conducted a laboratory study with 96 participants to analyse different usability aspects and requirements of a Facebook message encryption mechanism. Two key findings of our study are that automatic key management and key recovery capabilities are important features for such a mechanism. Following on from these studies, we designed and implemented a usable service-based encryption mechanism for Facebook conversations. In a final study with 15 participants, we analysed the usability of our solution. All participants were capable of successfully encrypting their Facebook conversations without error when using our service, and the mechanism was perceived as usable and useful. The results of our work suggest that in the context of the social web, new security/usability trade-offs can be explored to protect users more effectively.
- J. Anderson, C. Diaz, J. Bonneau, and F. Stajano. Privacy-enabling Social Networking over Untrusted Networks. In Proceedings of the 2nd ACM Workshop on Online Social Networks, pages 1--6, 2009. Google Scholar
Digital Library
- F. Beato, M. Kohlweiss, and K. Wouters. Scramble! Your Social Network Data. In Proceedings of the 11th International Conference on Privacy Enhancing Technologies, pages 211--225. Springer, 2011. Google ScholarDigital Library
- J. Brooke. SUS: A "Quick and Dirty" Usability Scale. In P. Jordan, B. Thomas, B. Weerdmeester, and A. McClelland, editors, Usability Evaluation in Industry. Taylor and Francis, 1996.Google Scholar
- B. Dodson, I. Vo, T. J. Purtell, A. Cannon, and M. S. Lam. Musubi: Disintermediated Interactive Social Feeds for Mobile Devices. In Proceedings of the 21st International Conference on World Wide Web, pages 211--220, 2012. Google ScholarDigital Library
- S. Egelman, A. Oates, and S. Krishnamurthi. Oops, I Did it Again: Mitigating Repeated Access Control Errors on Facebook. In Proceedings of the 29th International Conference on Human Factors in Computing Systems. ACM, May 2011. Google ScholarDigital Library
- S. Egelman, J. Tsai, L. F. Cranor, and A. Acquisti. Timing is Everything?: The Effects of Timing and Placement of Online Privacy Indicators. In Proceedings of the 27th International Conference on Human Factors in Computing Systems, pages 319--328. ACM, 2009. Google ScholarDigital Library
- S. Fahl, M. Harbach, T. Muders, and M. Smith. Confidentiality as a Service - Usable Security for the Cloud. In Proceedings of the IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 2012. Google ScholarDigital Library
- S. Fahl, M. Harbach, T. Muders, and M. Smith. TrustSplit: Usable Confidentiality for Social Network Messaging. In Proceedings of the ACM Conference on Hypertext and Hypermedia, 2012. Google ScholarDigital Library
- S. Garfinkel. Email-based Identification and Authentication: An Alternative to PKI? IEEE Security & Privacy, 1(6):20--26, Nov. 2003. Google ScholarDigital Library
- S. L. Garfinkel and R. C. Miller. Johnny 2: A User Test of Key Continuity Management with S/MIME and Outlook Express. In Proceedings of the First Symposium on Usable Privacy and Security. ACM, July 2005. Google ScholarDigital Library
- M. Harbach, S. Fahl, T. Muders, and M. Smith. POSTER: All Our Messages Are Belong to Us: Usable Confidentiality in Social Networks. In Proceedings Companion of the 21st International Conference on World Wide Web, Apr. 2012. Google ScholarDigital Library
- C. Herley and P. Van Oorschot. A Research Agenda Acknowledging the Persistence of Passwords. IEEE Security & Privacy, 10(1):28--36, 2012. Google ScholarDigital Library
- J. King, A. Lampinen, and A. Smolen. Privacy: Is There an App for That? In Proceedings of the Seventh Symposium on Usable Privacy and Security. ACM, July 2011. Google ScholarDigital Library
- A. P. Lambert, S. M. Bezek, and K. G. Karahalios. Waterhouse: Enabling Secure E-mail With Social Networking. In Proceedings of the International Conference On Human Factors In Computing Systems. ACM, Apr. 2009. Google ScholarDigital Library
- J. Lazar, J. H. Feng, and H. Hochheiser. Resarch Methods in Human-Computer Interaction. Wiley, 2010. Google ScholarDigital Library
- M. M. Lucas and N. Borisov. FlyByNight: Mitigating the Privacy Risks of Social Networking. In Proceedings of the 7th ACM Workshop on Privacy in the Electronic Society, pages 1--8, 2008. Google ScholarDigital Library
- M.-E. Maurer, A. De Luca, and S. Kempe. Using Data Type Based Security Alert Dialogs To Raise Online Security Awareness. In Proceedings of the Seventh Symposium on Usable Privacy and Security. ACM, 2011. Google ScholarDigital Library
- National Institute of Standards and Technology (NIST). Advanced Encryption Standard (AES) (FIPS PUB 197), October 2001.Google Scholar
- P. Rogaway and D. Wagner. Comments to NIST concerning AES Modes of Operations: CTR-Mode Encryption. National Institute of Standards and Technologies, 2000.Google Scholar
- S. Sheng, C. Koranda, J. Hyland, and L. Broderick. Why Johnny Still Can't Encrypt: Evaluating the Usability of Email Encryption Software. In Proceedings of the Second Symposium on Usable Privacy and Security, Poster, 2006.Google Scholar
- N. Wang, H. Xu, and J. Grossklags. Third-party Apps on Facebook: Privacy and the Illusion of Control. In Proceedings of the 5th ACM Symposium on Computer Human Interaction for Management of Information Technology, 2011. Google ScholarDigital Library
- A. Whitten and J. Tygar. Why Johnny Can't Encrypt: A Usability Evaluation of PGP 5.0. In Proceedings of the 8th USENIX Security Symposium, 1999. Google ScholarDigital Library
Index Terms
- Helping Johnny 2.0 to encrypt his Facebook conversations
Recommendations
Finally Johnny Can Encrypt: But Does This Make Him Feel More Secure?
ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and SecurityEnd-to-end (E2E) encryption is an effective measure against privacy infringement. In 2016, it was introduced by WhatsApp for all users (of the latest app version) quasi overnight. However, it is unclear how non-expert users perceived this change, ...
Confused Johnny: when automatic encryption leads to confusion and mistakes
SOUPS '13: Proceedings of the Ninth Symposium on Usable Privacy and SecurityA common approach to designing usable security is to hide as many security details as possible from the user to reduce the amount of information and actions a user must encounter. This paper gives an overview of Pwm (Private Webmail), our secure webmail ...
Building social capital with Facebook: Type of network, availability of other media, and social self-efficacy matter#
Highlights- Type of friends affects building social capital via Facebook and traditional media.
AbstractFindings about Facebook's effect on relationships are mixed, possibly due to lack of models that acknowledge differences across users, types of their friends, and use of competing media. To address this, we proposed and tested how ...
Comments