Two new Pew Research Center studies shed light on the American public’s perception of privacy, security, and surveillance. While both reports are worth a read, there are two contradictory statements that really stand out:
The surveys find that Americans feel privacy is important in their daily lives in a number of essential ways. Yet, few have adopted advanced privacy-enhancing measures.
Why is that? How could we be fully aware (thank you Edward Snowden!) and afraid of government and corporate surveillance, and yet take so few steps to protect ourselves? At a recent Technology Salon on Design, a good friend of mine made a great point that I believe answers this question:
Cyber security lacks user-centered design.
One of the best and most popular ways to encrypt email is PGP, or Pretty Good Privacy. However, all the different flavors of PGP, from OpenPGP to PGP to GPG, have a central failing: they are hard to use.
Check out the self-titled “best PGP tutorial for the Mac ever” and you’ll quickly click away in horror at how hard it actually is to send encrypted email. This allows lazy journalists who probably never encrypt anything to write that, “Almost half of Americans have no interest in email encryption,” when the Pew study found that people really did care, but we are put off by 27-step processes.
Why should you care about what Americans think of email privacy? We work in developing countries, right?
Design matters in everything we do.
Well, here are tech-savvy people who are fully aware of government and corporate tracking and who want to be protected from unreasonable searches, and yet who do not enact basic encryption protocols because they are not easy or simple to use.
This should be a stark lesson as we try to get tech-illiterate constituents to change their behavior and include ICT in what was previously an analog experience. Our technology tools, in fact our whole intervention, had better be well designed if we hope to have any user acceptance, much less adoption of our solutions.
So do all of us a favor. Check out the Tech Salon posts on Design for Development, read the Design Salon Resource Document’s 7 pages of links, and most of all, the Design with the User Digital Development Principle so we can all celebrate better design in ICT4D.
#2 reason: Absolute assurance that doing so invites attention from the security apparatus.
The ISC Project has a lot of easy-to-implement tools for data security. Better yet, bring them in for a presentation: https://iscproject.org/tools/
I use ProtonMail. Takes the hassle out of e-mail security. There’s a free plan, and they’re based in Switzerland (like Threema, the secure instant messenger).
Thanks for the recommendation. I just signed up but it looks like they’re not accepting new accounts at the moment. Hopefully soon!
There definitely are some horror stories out there in usability land for security tools, but there have been historically good reasons for that – if you have limited, often volunteered-time-only resources to work on a security project, and that project has substantially well-funded, global-level adversaries, then you have a hard time justifying any effort not spent on the security side. Combine that with a challenge where digital security broadly is so complex that you already need to be well-versed in it to even need to be leveraging such tools, the demand for ease of use has also been lacking.
That’s changing; security and privacy are more and more important to wider types of users, from environmental activists to election monitors to average normal people in the post-Snowden-revelations world. Tools are catching up (and a lot of profit-minded snake-oil is also seeping into the space).
Some projects have really led the charge and have been using user-centered design for security for quite a while – https://guardianproject.info/ is a fantastic example, as is https://getlantern.org/. Even Tor, a super powerful anonymity tool, is incorporating user observation and feedback into its design and tool development approaches. https://www.mailpile.is/ has dramatically re-engineered how a user interfaces with PGP and has an early beta out now. Heck, even GPG/enigmail, the common “whipping boy” of security/usability, has developers deeply committed to improving the utility of email encryption.
But these groups need help – funding is always nice, but also user input from activists around the world facing real, tangible threats and facing bugs, confusing interfaces, and other problems stifling wider adoption.
It’s also time for those of us who have an afternoon or two to spare to play with these tools ourselves, learn them through research, the many existing guides out there, and support others in getting onboard. Or at least to stop complaining that they suck, and instead file a bug report on the problem.
/soapbox