In a study, the SNS research group at the Institute for Information Systems (iisys) looked at what is by now an older communication medium: email. The aim was to find out how user-friendly certain apps for email encryption are on smartphones and where the hurdles to secure encryption lie. We talked to Katharina Schiller, research assistant at iisys, about this.
Ms. Schiller, your study “Work in Progress: Can Johnny Encrypt Emails on Smartphones” has an original name, but a serious background. What prompted the study?
Especially in companies, e-mail is still the standard for communication. But it is not as secure as one might think. Unlike modern messenger services (e.g. WhatsApp), it does not have end-to-end encryption by default. You can think of it like a postcard: With a letter, you have an envelope and only the sender and recipient are visible, but with a postcard, the contents are visible as well. Therefore, theoretically, anyone on the transmission path could read or even change the content.
What ways are there to make data transmission more secure?
There are two well-known technical ways to encrypt emails – S/MIME and PGP. But these have to be set up manually. And that’s where the problem lies. As early as the 1990s, there was initial research that found that this was too complicated for “normal” e-mail users. So the systems work, but they are not at all user-friendly and are therefore hardly ever used. To this day, there have been new studies on this again and again, but no real success has been achieved.
If that’s the case, what exactly were you trying to find out?
In recent years, the use of smartphones has increased significantly. Accordingly, many e-mails are also received on these devices. There are studies that say that almost half of all e-mails are read on mobile devices. Our goal was to find out whether users find it easier to encrypt emails on smartphones than on desktop devices.
Until now, there was no study that looked at the usability of email encryption apps on smartphones. We wanted to change that. The participants in our study were each asked to send an encrypted e-mail on an iPhone and an Android smartphone and to decrypt a received e-mail in order to read it.
How did you go about the study and how many participants were there?
There were eleven participants in total. First, we checked and tested various encryption apps ourselves. Even here, most of the apps had to be ruled out due to errors. In the end, the standard mail app for iOS (with S/MIME) and for Android the app “FlowCrypt” (OpenPGP) were selected. All participants received an email address and password, so no personal data had to be used.
…and then?
First, general questions about the use of smartphones and e-mails had to be answered. The participants then had to take on the role of “John Doe” and perform three tasks each with both apps – namely, send an encrypted email, receive and decrypt an encrypted email, and show how they could tell whether an email was encrypted or not. In the process, they were asked to “think out loud.” After that, the app was changed. Finally, they were asked to answer two standardized questionnaires on usability and user experience (“System Usability Scale” and “User Experience Questionnaire Short Version”). At the end, the participants were interviewed about their understanding, possible suggestions for improvement, and whether they could imagine using the app.
And so to the all-important question: what was the result?
The results are indeed poor – similar to previous studies. Although many of the participants even work in the IT sector and attach great importance to data security, the majority had difficulties in performing the tasks or made critical mistakes in the process. Similar to desktop devices, email encryption on smartphones is not user-friendly enough for the masses. Activating the necessary settings was complicated for many participants and they felt they could not do it on their own. Many participants unintentionally sent an unencrypted e-mail during the test and did not heed the app’s warning message. Also, the fact that there are multiple keys and the public key can be easily sent was confusing and not understandable for some participants.
This is quite sobering. Where is the path of technical development leading on this issue?
Quite clearly: the existing problems with the lack of user-friendliness must be remedied. On the one hand, tutorials and wizards are needed to explain the full functionality to users. In particular, key management – requesting keys and exchanging keys – should be simplified or possibly automated. Of course, however, these aspects themselves must first be tested for security.
In your view, which method of communication is both secure and manageably complex?
The results should not mean that no one should write e-mails anymore. But especially with confidential information, one should be aware that an e-mail is not encrypted by default. Various messenger services use end-to-end encryption – e.g. Threema or Signal; even industry leader WhatsApp does so.
Thank you for the interview!