
Friday, 23 August 2013

Usable Privacy - did you install the seat belt in your car?

In a recent chat with the journalist Eva Wolfangel we discussed why digital security and privacy are so hard to use and why many computer scientists seem not to understand the problem. Reading several newspaper articles I got really annoyed by many of my CS colleagues who:
(1) blame the user for not taking enough care of their data and for making little effort to install the encryption modules in their email programs, and
(2) focus on new technologies, better encryption and better algorithms to improve security, without considering the entire system, including the human user.

Eva wrote an interesting and comprehensive article on usable security in Spektrum der Wissenschaft (it is in German and the full version is online at her website). In the following I am sharing some of these thoughts.

@1: Mount the Seatbelts Yourself 
Technically I agree that encryption is not really complicated to install and that most people using computers could learn how to keep their data safe and how to communicate using encryption. From my experience in the real world I see that they choose not to learn it, and I completely disagree that this is the user's fault. Making the end user responsible for security and privacy is in my view entirely and utterly wrong.

Photo by Wikipedia/Michiel1972
Consider this (obviously fictional) example that applies "user responsibility for safety" to another widely used product and shows how strange the idea is:
When you get a new car there are already fixtures and holes prepared where you can attach the seat belts. In order to get the seat belts, which you can then mount in your car, you just have to fill in a post-card (which you get with the car) and send it to the manufacturer of your favorite seat belts. The safety belts are then mailed to your home, free of charge, together with a 2-page manual on how to fit them in the car. The only things you need are a screwdriver and a wrench. It is so easy that really everyone can make their car safe within 30 minutes.

It is very clear, and hardly surprising to anyone, that this is not how we do it with cars. We have agreed that the car company is responsible for the safety of the car. Economically the above example would make it cheaper for the manufacturer: probably not all people would claim their seat belt, and the company would save the effort of mounting it. Nevertheless car companies still have to provide you with a built-in seat belt if they want to sell their car in Germany.

@2: Live in a Bunker 
Again, from a technical perspective it is of great importance that the algorithms are secure and the encryption is strong. Nevertheless this is in my view not the key problem. Take the following example. Which is better: a password of 20 random characters or a 4-digit PIN? From a technical perspective this is clear. However, most people will be able to remember a 4-digit PIN (without writing it down), but not many will be able to remember a string of 20 random characters. Hence the overall system with the PIN, if well designed, may be "better" than the apparently safe password-based solution (as people will write the password down or email it to themselves).

In the physical world we are used to complex (social) systems that allow us to live in a secure environment. In Germany people generally live in houses and flats where a determined person can break in (e.g. using a sledgehammer on the door, a stone from the front yard on the window, or more subtle methods). Even though people could fortify their house, most people I know value their windows and easy access to their house and do not live in a bunker or add seven additional locks to their front doors; they balance risk and comfort. In traditional environments we rely on the whole system: we expect that neighbors will keep an eye open, that forced entry will leave traces, that the police will try to find a burglar and that they will be punished, and that for most people the risk of committing a crime is not worth the potential benefit.

From a societal perspective we similarly balance risk and freedom. If a purse is stolen in a small town the police will not seal off the area, check each person and search each house. Traditionally this is not possible due to the effort involved, but also due to our understanding that the actions taken by law enforcement have to follow the proportionality principle. In Germany we do not consider imposing a curfew, even though one could imagine that this would reduce the crime rate even further.

I think we should take the physical and social world as an example and inspiration to create usable and secure systems that offer privacy to the end user.

Overall I think security and privacy in digital systems is much more a human computer interaction problem than most people (especially from the security community) think! If you read German you may want to look at the article Eva Wolfangel wrote on the topic.

Thursday, 20 October 2011

ESSPRITS 2011 workshop, keynote

I was invited to present a keynote at the joint German-Canadian workshop on embedded systems, signal processing, and IT security (ESSPRITS 2011). The workshop is interdisciplinary and technically focused on embedded systems.


My talk was entitled “Challenges in a World of Ubiquitous Computing” and it looked at how the world changed over the last 20 years as ubiquitous computing has become reality. Computing technologies have become an integral part of our life and they shape more and more how we perceive the world and how we interact with each other. The talk highlights some technology trends that enable a new generation of computing systems. It presents a new vision suggesting new forms of perception and interaction without temporal and spatial boundaries.

During the lectures it was great to get a feel for what research is happening at the signal processing level. With regard to security I got the feeling that in the future we need closer cooperation between people doing cryptography and those doing user interfaces. It seems we are currently still at the stage where HCI people understand little about the algorithms, methods and concerns in IT security, and people in security optimize for security that can be proved, but that may not fit humans (and may not really increase security in the real world).