“Users’ goal to communicate with others overrides everything else, including security,” a group of researchers has concluded after interviewing sixty individuals about their experience with different communication tools and their perceptions of the tools’ security properties.
Adoption of secure communication tools hinges on many things
It has long been thought that usability issues are the main thing preventing users from adopting secure communication tools, but the results of their research show that it’s not the primary obstacle.
Instead, fragmented (small) users bases and a lack of interoperability is what drives most users to abandon many of these tools.
“50 out of 60 participants explicitly mentioned that the tools they use most frequently are those that most of their contacts use,” the researchers noted.
“Even iMessage, which is available on any device running iOS (or Mac OS X), is not used as frequently as WhatsApp because not all of our participants’ contacts own such a device, and iMessage is not interoperable (i.e., does not work with non-iOS devices).”
“The same applies to FaceTime. Because WhatsApp works across different platforms, it is the tool of choice; many participants who have an iOS device use What- sApp to communicate with contacts who also have an iOS device, instead of using iMessage (or FaceTime). Although they perceive iMessage as more secure, they see the overhead of using two communication tools as not worth the better security offered by iMessage,” they added.
Other barriers to adoption are:
- Low quality of service (which also creates doubts about how reliable and secure the tool is)
- Incorrect mental models of how secure communications work (users don’t understand how encryption works, don’t undestand tools’ security properties, have wrong perceptions of how secure a tool is), and
- The belief that secure tools cannot offer protection against powerful or knowledgeable adversaries.
Advice for developers
The results of this research have spurred the researchers to “encourage the security community to prioritize securing the communication tools that have already been adopted by mainstream users over improving the usability of different secure tools,” as well as to emphasise the need for good quality of service.
Finally, they note, security developers must make sure they have a clear idea of users’ goals and preferences.
“The technical security community must develop a deeper understanding of what is important (and not important) to users. Security properties and threats should be framed in terms that users can understand.”