Helping Johnny 2.0 to encrypt his Facebook conversations

Several billion Facebook messages are sent every day. While there are many solutions to email security whose usability has been extensively studied, little work has been done in the area of message security for Facebook and even less on the usability aspects in this area. To evaluate the need for such a mechanism, we conducted a screening study with 514 participants, which showed a clear desire to protect private messages on Facebook. We therefore proceeded to analyse the usability of existing approaches and extracted key design decisions for further evaluation. Based on this analysis, we conducted a laboratory study with 96 participants to analyse different usability aspects and requirements of a Facebook message encryption mechanism. Two key findings of our study are that automatic key management and key recovery capabilities are important features for such a mechanism. Following on from these studies, we designed and implemented a usable service-based encryption mechanism for Facebook conversations. In a final study with 15 participants, we analysed the usability of our solution. All participants were capable of successfully encrypting their Facebook conversations without error when using our service, and the mechanism was perceived as usable and useful. The results of our work suggest that in the context of the social web, new security/usability trade-offs can be explored to protect users more effectively.
