Encryption for the masses? An analysis of PGP key usage

Sven Braun, Anne-Marie Oostveen

Abstract


Despite the rise of alternatives, email remains integral to technology-mediated communication. To protect email privacy, the encryption software Pretty Good Privacy (PGP) has been considered the first choice for individuals since 1991. However, there is little scholarly insight into the characteristics and motivations of the people using PGP. We seek to shed light on social aspects of PGP: who is using PGP for encrypted email communication, how and why? By understanding those using the technology, questions on the motivations, usability, and the political dimension of communication encryption can be contextualized and cautiously generalized to provide input for the design of privacy-enhancing technologies. We have greatly extended the scale and scope of existing research by conducting a PGP key analysis on 4.27 million PGP public keys complemented by a survey filled out by former and current PGP users (N = 3,727). We show that a relatively small homogeneous population of mainly western, technically skilled, and moderately politically active males is using PGP for privacy self-management. Additionally, findings from existing research identifying poor usability and a lack of understanding of the underlying mechanisms of PGP can be confirmed.


Keywords


Email communication, Pretty Good Privacy, Privacy Enhancing Technologies, privacy self-management, encryption, usability






DOI: http://dx.doi.org/10.17951/ms.2018.2.69-84
Date of publication: 2019-06-26 08:58:25
Date of submission: 2018-04-15 16:27:14



Copyright (c) 2019 Sven Braun

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.