[messaging] Let's run a usability study (was Useability of public-key fingerprints)

Bernard Tyers - ei8fdb ei8fdb at ei8fdb.org
Sun Mar 30 15:44:54 PDT 2014

Hi there,

I recently sub’ed to the list. A friend mentioned this thread, and I’d like to pitch in.

I’m a user research/interaction designer. I did my Msc thesis on non-technical user adoption of OTR in instant messaging, specifically on their mental models (how someone thinks something works based on a) previous experience and/or b) second-hand correct/incorrect knowledge).

I looked specifically at The Guardian Projects Gibberbot (now Chatsecure for Android) and iOS Chatsecure client by Chris Ballinger.

I focused on journos, and human rights defenders.

IMO, IM, e-mail is essentially human interactions, supported by computer.

I’d argue cryptography is just computers interacting, a computer exchanging messages which are validated somehow by the other computer. They are highly formulated conversations.

Humans understand conversations, once they are explained in a way thats familiar to them.

I can totally agree with the comment made about the Cryptocat blog post where the user said the word fingerprint terrified them.

Two of my participants (both journos who worked in “tricky” situations and not “digital security literate”) found the word scary - one said “can my iPhone read my fingerprint? (this was before the faux fingerprint reader), while the other said “fingerprint? What the hell does that mean?”.

When I interviewed the participants of my study, there was a mixture of good structural mental models and bad functional mental models, and vice-versa.

Two other participants were involved in scenarios where they had to validate humans identities, sometimes remotely (one situation: different parties in London, Syria, Bahrain).

When I questioned them more they explained their human procedures for validating the identities of the other parties. I mapped their procedure in a flow diagram” and it closely mirrored that of OTR, however they had third parties (I defned them as proxies) who they trusted implicitly.

While most had heard of OTR in some shape or form, they varying depths of mental models, some correct, and some totally incorrect.

The maority of them did not instinctively compare the fingerprints when the software gave them the opportunity. 

Some found the OTR SMP an accessible option as it was a model they understood - “secret answer to a question”.

Others thought the fingerprint was “more secure” (I didn’t get a chance to probe further).

One conclusion I made was that non-technical people CAN understand OTR - the issue is OTR is implemented in user software in ways they CANNOT understand (or find difficult) - jargon, cryptogtaphic terms, overly complicated language.

If you are looking for a user research/usability tester to be involved in the test I’d like to offer my time.

If anyone would like some more information on my thesis, I am trying to write up some short papers/discussions about what I found.

All the best,

Bernard / bluboxthief / ei8fdb

If you’d like to get in touch, please do: http://me.ei8fdb.org/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 881 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140330/178cf3c2/attachment.sig>

More information about the Messaging mailing list