"Please select what kind of key you want" ~~ suggestion to developers
Robert J. Hansen
rjh at sixdemonbag.org
Mon Feb 23 22:24:51 CET 2009
Required reading:

Garfinkel, S. L., Margrave, D., Schiller, J. I.,
Nordlander, E., and Miller, R. C. 2005. How to make secure
email easier to use. In _Proceedings of the SIGCHI Conference
on Human Factors in Computing Systems_ (Portland, Oregon, USA,
April 02 - 07, 2005). CHI '05. ACM, New York, NY, 701-710.
DOI= http://doi.acm.org/10.1145/1054972.1055069

Some results from this paper were presented at FC2005, but it is not the
survey I mentioned in my previous message. That said, the results are
substantially similar.

The following is excerpted from the paper. If possible, though, I
highly recommend you read the entire paper; it's an excellent overview
of why secure email has failed to take off.

Our survey consisted of 40 questions on 5 web pages. Respondents were
recruited through a set of notices placed by Amazon's employees in the
Amazon Seller's Forum. Participation was voluntary and all
respondents were anonymous. ... A total of 1083 respondents
[participated], with 417 of those respondents completing all five pages.

...

Average age of our respondents was 41.5. Respondents were highly
educated, with more than half claiming an advanced or college degree.
Most described themselves as "very sophisticated" (18.0%) or
"comfortable" (63.7%) using computers and the Internet. Roughly half
the correspondents had obtained their first email account in the 1990s.

The majority of respondents (94.4%) used computers running Microsoft
Windows for email. The two other leading platforms were Apple
Macintosh (8.5%) and some kind of mobile computing device such as a
cell phone (5.8%).

... A majority (54%) of respondents understood the difference between
digital signatures and sealing with encryption; that prior receipt of
digitally signed mail significantly increased understanding of that
difference; and that having previously received digitally signed email
from Amazon increased respondents' overall trust in email.

... The majority (59%) didn't know [if their email client supported
encryption], while another 9% chose the answer, "what's encryption?"

... Respondents with S/MIME-capable mail readers were more than twice
as likely to know that their programs were capable of encryption, and
half as likely to select the answer "What's encryption?"

Nevertheless, the majority of [S/MIME-enabled] correspondents (54%)
did not know the cryptographic capabilities of the software they were
using.

Almost half of our respondents (44.9%) indicated that they would be
willing to upgrade their client in order to "get more protection" for
their email...

... Although roughly half of our respondents indicated that they
didn't use cryptography because they didn't know how, the
free-response answers from the more knowledgeable respondents indicated
that they either didn't think that encryption was necessary or else
that the effort, if made, would be wasted.

* "I don't because I don't care."
* "I doubt any of my usual recipients would understand
  the significance of the signature."
* "Never had the need to send these kinds of emails."
* "I don't think it's necessary to encrypt my email &
  frankly it's just another step & something else I
  don't have time for!"