Publisher Council on Foreign Relations Press
Release Date February 2016
Protecting the privacy of user data from unauthorized access is essential for business executives, policymakers, and users themselves. The pace of targeted attacks and massive data breaches is only increasing. Each new incident hurts organizations' bottom lines, undermines users' trust in the products they use every day, and can have dire consequences for public safety.
The problem is multifaceted. Technologists are rushing to fix software vulnerabilities. Regulators are trying to keep pace with the realities of a complex ecosystem. Market-based approaches, such as cybersecurity insurance, remain immature. In addition, consumers are still learning what options they have, and what options they should be asking for.
Currently, end users can use software that provides strong privacy protection with a high degree of certainty. Unfortunately, adoption rates for such software are low, largely because of how hard it is for nonexperts to use. This does not have to be the case. Software developers in the open-source community—who are generally the first to build encryption and privacy tools—need to improve the design of their tools to make them more user-friendly and useful. In turn, corporate and government purchasers should begin promoting the value of open-source software, particularly as it offers best-in-class security. These steps would go a long way toward improving privacy online.
Background: Cryptography and User Experience
Tools that provide strong privacy guarantees have historically been niche products, requiring a special understanding of the underlying security mechanisms in order to operate them. However, many of the basic concepts are straightforward. For example, encryption allows the contents of a message to be scrambled so that third parties cannot read it. Users apply an encryption key—similar to a long, complex password—to scramble data, and a decryption key to unscramble it. If the encryption of messages passing between users Alice and Bob occurs on their respective computers, and the decryption keys are under their sole control, it is called end-to-end encryption. This form of encryption is the gold standard in privacy preservation, because it prevents would-be eavesdroppers from intercepting the conversation.
Software tools for end-to-end encryption have been available to users since the early 1990s, when Phil Zimmerman created a program called Pretty Good Privacy (PGP) and released it to the public free of charge. However, nonexpert users have faced a number of challenges with these tools from the beginning. In a 1998 paper, "Why Johnny Can't Encrypt," Alma Whitten and J. D. Tygar documented problems facing users of PGP. The authors found that participants had difficulty performing even basic tasks like encrypting and decrypting messages. Further studies have replicated these results with a variety of software programs.
The integration of software into daily life—from workplace desks to phones tucked in pockets—has led to tremendous professionalization of user-experience (UX) design. From big firms to small app developers, many software companies live and die on the quality of their UX and employ a host of designers and researchers to improve it. Not surprisingly, end-to-end encryption tools are derided when they are hard to use, whether these tools are for playing games or talking confidentially about sensitive material. Given this industry focus on UX design, it may seem odd that privacy tools still have a reputation for being hard to understand and use. Several factors contribute to these apparent shortcomings, which limit the development and adoption of user-friendly privacy tools.
One fundamental challenge to both the usability and adoption of privacy-preserving tools is that privacy is considered a secondary task, as demonstrated through user-experience research. A secondary task is always subservient in users' minds to the primary task, which is whatever core activity the software is meant to enable: sending emails in an email client, exchanging instant messages in a chat program, or collaborating on documents in a file-sharing application. Many security features have this second-class status: users describe talking to their friend not as "secure messaging" but simply "messaging," with the need for security as an ancillary requirement. This is problematic for software designers because users will readily abandon success on the secondary task if it becomes too onerous, or if they perceive it to be in conflict with the primary task.
Privacy-preserving tools seeking mass appeal face another significant challenge: nonexpert users have a hard time distinguishing strong security properties from their snake-oil alternatives. It is easy to call a tool "secure," but it is hard to communicate the nuances without going into overwhelming details in an app-store listing. There have been efforts over the years to create a third-party seal of approval for secure tools, but these attempts have either foundered in obscurity or lacked credibility by allowing developers to purchase approval after a cursory self-evaluation.
Creating well-designed privacy-preserving tools with mass appeal also faces a variety of ecosystem hurdles. First, most tools in this space are developed as open-source products, which means that the authors publish the source code for anyone to read. This is good for security because the transparency of the open-source development model makes it possible to conduct independent reviews of the software (reducing the probability of critical vulnerabilities). It is bad for sustainability because few open-source projects are profitable, and many derive their funding from unsteady sources of income such as donations or grants.
Second, the majority of nonexpert users are unlikely to transfer their digital lives to niche security tools, and prefer to prioritize their primary tasks by choosing the convenience of popular cloud platforms. End-to-end encryption is in direct conflict with the business model most platforms have adopted, because it prevents the data mining and ad targeting that these services have monetized. A service provider such as Google cannot serve targeted ads if it cannot read the contents of an email.
Finally, a recent resurgence of a decades-old debate around the propriety of encryption technologies—particularly as they relate to law-enforcement efforts to thwart terrorism or investigate crimes—is creating tremendous uncertainty for software developers. Apple and Google have both made upgrades to support user-controlled encryption by default in strategic products (iMessage's encrypted chat, Android's encrypted file system). However, these nascent investments are unlikely to be followed by large-scale integration of privacy-preserving technologies, given that a multitude of conflicting requirements around cryptography loom on the horizon in different jurisdictions. For the United States, it is especially unfortunate that this debate emerges at a time when confidence in technology companies' ability to protect user data is still suffering from the fallout of the Edward Snowden revelations.
First and most urgent, the current debate over the use of encryption undermines the promotion of privacy tools. The U.S. government proposed a technological backdoor with the Clipper Chip in the early 1990s, using the same arguments heard today. It failed spectacularly. Although technology has evolved since, the fundamentals of encryption have not. Policymakers in the United States and other countries should recognize that anything less than intact cryptography puts all users at risk. Developers cannot build software that allows law enforcement to access encrypted communications but prevents malicious actors from exploiting that access. Cryptography cannot distinguish good people from bad, so a backdoor for one is a backdoor for all. Undermining the encryption used by U.S. companies would place the average consumer at risk of attack by malicious third parties, and merely motivate criminals and terrorists to use one of many alternative options. Powerful cryptography tools can easily be built outside the United States; as the self-declared Islamic State's use of German messaging service Telegram demonstrates, software rarely respects borders.
In addition, technology decision-makers, including chief information security officers and others with purchasing power, need to promote the value of open-source tools throughout their organizations. This can be done by authorizing in-house engineers to contribute to open-source projects during work hours and explicitly seeking technology consultants experienced in the open-source world. Open-source development can span geopolitical barriers to create technologies that offer best-in-class security, but all too often such projects are viewed as half-baked or risky by decision-makers. The volunteer authorship of many projects contributes to this reputation, but the lack of polish in the user experience design does greater damage. Changing a company's culture from one of client ("software is an expense, what do I get for my money?") to one of community ("software is an investment, how can we contribute strategically for long-term benefit?") can help organizations and projects find innovative, secure, and affordable solutions.
Open-source developers, in turn, need to prioritize user-experience research and design, as well as to optimize their tools for large organizations. The focus of too many projects has long been on users who resemble the developers themselves. It is time to professionalize the practice of open-source development, recruit designers and usability researchers to the cause, and take a human-centered approach to software design. In particular, project leaders should make the development process more accessible to new participants by including explicit instructions to user-experience experts in their documentation. Although this change in focus will require a cultural shift within the open-source community, it will allow projects to attract more users and more donations, and ultimately result in more useful tools.
To support these efforts, technology-focused foundations and software companies' research and development wings should shift funding priorities toward more applied research on crafting and communicating about security-related features. Much of the work in this area examines the reasons a tool is hard to use—not ways to improve it—or focuses on toy refinements (e.g., "this custom interface is better than the standard"). As an example of such research, WhatsApp recently incorporated end-to-end encryption into its mobile messaging platform, without changing the user experience of its product. However, it accomplished this by hiding all privacy-specific features and tasks from its users, which in turn introduces vulnerability to certain kinds of attacks. Instead, researchers should work to identify factors that make privacy features successful across tools, and examine how such features might be added to popular products without harming user satisfaction.
Taken together, these recommendations would both incentivize and facilitate organizations and individuals in their efforts to adopt stronger protections of user data from unauthorized access. Easier-to-use privacy tools and greater consumer confidence, in turn, will support continued growth, innovation, and financial stability in the digital era.