Communicating Securely
Slides
Mentioned in class
- The video Edward Snowden made to teach journalists email encryption, and a news article explaining the video.
Handouts
Required Reading
- Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0 by Whitten and Tygar
Not required, but a good, more recent study of encryption usability in the same vein:
- Felix Reichmann, Annalina Buckmann, Konstantin Fischer, M. Angela Sasse, and Alena Naiakshina. 2025. Bridging the Gap Between Usable Security Research and Open-Source Practice - Lessons From a Long-Term Engagement With VeraCrypt. In Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems (CHI ‘25). Association for Computing Machinery, New York, NY, USA, Article 911, 1–21. https://doi.org/10.1145/3706598.3713983
Learning Outcomes
Topics
- Public/Private key cryptography
- Encrypting modern communication
- Cognitive walkthrough
- Usability heuristics
- Think aloud
Understand
- Why Johnny Can’t Encrypt is so famous.
- Encryption is only helpful if its security assumptions are met AND the properties it provides meet users’ needs.
- Research often requires several rounds of study, and the early rounds can be informal.
- What a hard problem looks like in Usable Security and Privacy, and what makes it so hard to solve.
- How USEC relates to general security research.
- HCI methodologies: think aloud, cognitive walkthrough.
- Public/private key encryption.
Apply
- Think about a security or privacy technology that you often use and claims to be encrypted. How might you run a study like the Johnny paper on that technology and how would you expect the results to be the same or different?
- Compare Telegram and Signal in terms of communication security.
Lecture Notes
Why Johnny Can’t Encrypt is one of the most famous studies in Usable Privacy and Security. It showed that even PhD students at Carnegie Mellon University could not accurately send and receive encrypted email messages without making very serious errors.
Additional Resources
- Ranking Digital Rights - Ranks digital and telecom companies on their privacy and consumer rights.
- Many studies that all start with “Why Johnny still can’t encrypt” and a few entitled “Johnny can finally encrypt” that look at E2E encryption in IM.
- Telegram security and usability: http://dx.doi.org/10.14722/eurousec.2017.23006
- Norman Group Think Aloud video: https://www.nngroup.com/videos/think-aloud/
- McDonald, Aleecia M., and Lorrie Faith Cranor. “Americans’ attitudes about internet behavioral advertising practices.” Proceedings of the 9th annual ACM workshop on Privacy in the electronic society. 2010.
- Micah Lee. Ed Snowden Taught Me To Smuggle Secrets Past Incredible Danger. Now I Teach You.