"Please select what kind of key you want" ~~ suggestion to developers

Robert J. Hansen rjh at sixdemonbag.org
Mon Feb 23 21:56:56 CET 2009


> Robert, yes, literacy is important, too.  Your counter proposition  
> also has validity.

You missed the point.  Refer to my last three sentences.  The world  
doesn't need another "easy to use GnuPG interface."  You're  
essentially saying, "what the world needs is a really good book!"   
What I'm saying is, "the world first needs to learn to read."

With respect to claims of experience, I don't put any stock in them,  
really.  Or, as Rodney Whitaker wrote, "do not fall into the error of  
the artisan who boasts of twenty years experience in his craft while  
in fact he has only one year of experience -- twenty times."

As near as I can see, the principal problems are:

	1.  Gross ignorance
	2.  Fear of social disapproval

With respect to #1... one of the most prestigious crypto conferences  
out there is called Financial Cryptography.  A few years ago some  
enterprising grad students asked each FC attendee to fill out a very  
short questionnaire as part of their sign-in process.  The results  
were astonishing: 60% of FC attendees did not know if their email  
client supported crypto, period -- even fewer knew if it supported  
OpenPGP or S/MIME.  Only 50% were interested in switching to email  
clients with better crypto support.

If only 40% of FC attendees know if their email client supports  
crypto, and only 50% care enough about crypto to consider changing  
their email clients, do you really think the general public will jump  
on board OpenPGP just if we create a snazzy interface with a lot of  
chrome?  That's delusional.

With respect to #2... Ed Felten has a really good sociological paper  
out on the intersection of computer security and the workplace.  He  
and some of his grad students interviewed people at a politically-active
nongovernmental organization (NGO) with an awful lot of  
enemies.  Many (most) of the employees had been trained with PGP and  
found it reasonably easy to use.  Despite that, they still didn't use  
it for email.  Felten and his grad students wanted to find out why.

It turns out that social disapproval played a very heavy role.  There  
were a couple of people in the NGO who were privacy enthusiasts and  
active PGP users, and they were considered "paranoids" by the other  
workers in the office.  Employees said things to the effect of "yeah,  
I know email is dangerous, but I don't want to turn into, you know,  
one of _those_ guys."



... the general public does not know what email crypto is, does not  
want to know what email crypto is, does not want to care about email  
crypto.  They just want to send email.  Making GnuPG "easier to use"  
is a fine goal and worth pursuing in its own right, but it's not going  
to substantially improve GnuPG's adoption in the world.

Saying "the world needs a good book, that's why book sales are down!"  
may be a true statement, and may be worth pursuing in its own right.   
However, the real problem is "first we need to learn to read."

"GnuPG needs a good interface, that'll improve its usage numbers!" may  
be a true statement, and may be worth pursuing in its own right.  (In  
fact, I think it is.)  But the real problem is that people don't know,  
don't want to know, and to the extent they do know they really don't  
care.





