[liberationtech] What I've learned from Cryptocat

Wed Aug 8 10:22:21 PDT 2012

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/08/12 06:19, frank at journalistsecurity.net wrote:
> How many people on this list have spent time asking
> non-technologists and other users who have tried, but have since
> given up even trying to use tools like PGP? Or have examined how
> new users interact with such tools? I have a great deal of respect
> for this community. But to be honest it seems to me that neither
> the technologists nor the donors have spent much time asking such
> questions.

Hi Frank,

I'd just like to make an anecdotal point here. A few months ago I
spent an interesting afternoon talking to some activists in the UK
about what communication tools they use for what tasks.

None of them regularly used PGP, Tor, or disk encryption software, but
the reasons they gave had nothing to do with usability. They were
aware of the tools and knew how to use them, but they didn't believe
that doing so provided any practical security benefits. They believed
that encryption software probably contained backdoors and could be
defeated by keyloggers. They'd seen evidence trails from computers and
phones produced in court, and rather than relying on technology to
solve technology's problems, some of them preferred to avoid
electronic communication altogether for secret work.

It's tempting to say they were right and leave it at that. Keep your
secrets away from your gadgets and your gadgets away from your
secrets. But that wasn't what they were actually doing. They all
carried phones, even though they knew they were being tracked and
possibly bugged. They all had email accounts, and some of them used
mailing lists and forums for planning, even though they knew that if a
keylogger could get their encryption passwords it could get everything
else they typed. Why the apparent inconsistency?

One possible interpretation is that they were assessing encryption
tools with a typical information security mindset: if there's any weak
point, the adversary will exploit it, so the strong points are
irrelevant. But they were assessing other techniques with a more
balanced mindset: weigh up the risks and potential benefits, compare
the available alternatives, and choose the best (or the least bad).

That's only speculation on my part, of course. But if it's right, it
raises a difficult question: how do we maintain rigorous standards of
critique within the information security community, without giving
potential users of our tools the counterproductive impression that
nothing works and you might as well give up?

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJQIqBNAAoJEBEET9GfxSfMRLEH/04+ESJyNH9S6NYEwno1BvKe
J8kMLCmR6OpolJ15nu3K7GkE4wQnhTmZVIrHApjWGz+8TACGiIQg7rOBl19r4MvA
o/7tANsoUEgLRAO2hHQzA5tg+ZRtS+9oDe6LBVE3arHTCt9dYMW711ToOkgQwdoD
ekNWbC4Ba2aKm3t8JmSUF+goDiadF+nSP0HByvNhKHCjzP/2SLBxDOQqeOMF/kpK
Zej+0BZPCUGLaN6XaqoWw7DxgYfa9uUgx3E2ljwYnZZqcXr41kJp2uHQTZlExyxN
TfiI+2P4bQfJtkK7KcOZtp/QWCAz3whmqV6F5y3tjfcHiEywzByInnKFr3tT5D0=
=mHhw
-----END PGP SIGNATURE-----