[liberationtech] 15 years later, why can't Johnny still not encrypt?

Steve Weis steveweis at gmail.com
Wed Jan 15 10:37:42 PST 2014

As one anecdote, when I TAed the MIT Network and Computer security
course, we assigned "Why Johnny Can't Encrypt" as the first reading.
We asked the students to send us a PGP encrypted & signed message and
tell us how long it took.

If I recall correctly, it took an average of 30 minutes for
non-existing users to figure out how to use PGP. Think about that.
These were graduate & upperclass undergraduate computer science
students enrolled in a network security course. Everyone had accounts
on the same university system and were mostly using standalone email

Best of all, someone decided it would be funny to generate a fake key
for me and post it to pgp.mit.edu. Several students fell for the
trick, didn't verify the key, and encrypted their homework with the
wrong key. It was a great way to drive home the lesson, but we asked
the jokers to kindly revoke their key, which they did.

Long story short, PGP was still hard to figure out for an experienced
cohort of users, who didn't have the issues of webmail and
proliferation of mobile platforms we have today. I don't think
anything has improved to make it viable for a wider audience.

On Wed, Jan 15, 2014 at 2:23 AM, Anders Thoresson <anders at thoresson.net> wrote:
> Hi all!
> When doing research on email encryption and why it's still not widely used, I've read Alma Whitten's "Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0" [1] from '99. I wonder if anyone knows of similar but more recent usability studies on encryption software?
> Comparing the findings made by Whitten to the software available today, not much seems to have happened. But does the conclusion still hold, that a lack of mass-adoption of email encryption is due to problematic UX – or are there other reasons that today are seen as more important?
> [1] – https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten.ps
> Best regards,
> Anders Thoresson
> Freelance reporter
> anders at thoresson.net
> http://anders.thoresson.se
> http://www.dn.se/blogg/teknikbloggen
> http://twitter.com/thoresson
