[liberationtech] [messaging] Informing the user they have the wrong key
L Jean Camp
ljcamp at indiana.edu
Sun Oct 5 15:53:52 PDT 2014
> 2) How do you express what's happening to the user in such a way that
> they will actually take action on it and not just click-through dismiss it?
We approach this by providing information on order-of-magnitude risk. If someone
is MITMing you while you are in an airport looking at the Washington Post, you probably
do not care. When you log in to work or some other system, then the risk
you are looking at, combined with your individual risk posture and
momentary context, determines if this is acceptable.
This echoes Elinor's call for understanding the risk domain when working
with activists. Since we cannot predict which tools will be used in which
domain, one way to approach that is to try to communicate the risks which
will and will not be mitigated by tool use. The risks that will be
*created* by tool use are also important. Loss of deniability was discussed
here; others are more mundane: block all scripts, and you cannot watch videos;
block Flash, and badly implemented sites are not functional; use Tor, and you must
learn patience. Block all MITM, and good luck establishing a network connection
at many airports or hotels.
Speeding in the rain is inherently, obviously risky. Accepting all scripts
is risky, but not obviously. Having just read about Hong Kong demonstrators
being targeted by malware *which required that they voluntarily download said
malware*, to me this indicates a very serious structural communications
problem. No one should be downloading high-risk software without knowing
they are taking a risk.
So how wrong is the key? This is a probability of an event, a risk
distribution to which the person has to bring awareness of the possible harm.
And if we tell people incorrectly, or tell them too often, or fail to
distinguish order of magnitude, they will reasonably ignore us. Alas, it is
not as if that probability distribution is easy to calculate either: is it
the hotel demanding payment or the NSA voraciously feeding its demand for
pointless surveillance? I guess which is more risky depends on whether you are
broke or worried.
Prof. L. Jean Camp
http://www.ljean.com
Human-Centered Security
http://usablesecurity.net/
Economics of Security
http://www.infosecon.net/
Congressional Fellow
http://www.ieeeusa.org/policy/govfel/congfel.asp