DOI: 10.1145/3230833.3230859
research-article

Finally Johnny Can Encrypt: But Does This Make Him Feel More Secure?

Published: 27 August 2018

ABSTRACT

End-to-end (E2E) encryption is an effective measure against privacy infringement. In 2016, WhatsApp introduced it for all users (of the latest app version) virtually overnight. However, it is unclear how non-expert users perceived this change, whether they trust WhatsApp as a provider of E2E encryption, and how their communication behavior changed. We conducted semi-structured interviews with twenty WhatsApp users to answer these questions. We found that about half of the participants perceived that, even with E2E encryption, their messages could still be eavesdropped on, for example by hackers and other criminals, governmental institutions, or WhatsApp's employees and cooperation partners. Many participants correctly identified the sender and recipient as the weakest points after the introduction of E2E encryption, but misconceptions were still present. For instance, users thought that messages were transmitted directly between two devices without being forwarded or stored on a server, or interpreted 'end-to-end' as a temporal end of communication. The majority of users stated that they mistrusted WhatsApp and its E2E encryption and presumed image-related reasons for the cost-free implementation. While most participants did not change their communication behavior, they reported using protection strategies such as sending sensitive content via alternative channels even after the introduction of E2E encryption.


Published in

ARES '18: Proceedings of the 13th International Conference on Availability, Reliability and Security
August 2018
603 pages
ISBN: 9781450364485
DOI: 10.1145/3230833

Copyright © 2018 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Qualifiers

• research-article
• Research
• Refereed limited

Acceptance Rates

• ARES '18 Paper Acceptance Rate: 128 of 260 submissions, 49%
• Overall Acceptance Rate: 228 of 451 submissions, 51%
