Recommendations for handling (multiple) user IDs - personal and company ones
Robert J. Hansen
rjh at sixdemonbag.org
Mon Jun 10 05:52:32 CEST 2013
On 6/9/2013 11:14 PM, Hauke Laging wrote:
> The reason hardly anybody uses crypto is not that its usage was
> complicated (I know, I a minute Rob will post his usability study
> link and ask for my sources...).
Yes, I will repeat my mantra: unless you're looking at peer-reviewed
usability studies you don't really know anything -- you're going off
your accumulated anecdotal experience. That's not to say you're wrong:
you might be completely correct. It just means I can't take the claim
seriously.
For what it's worth, the usability study I keep going back to agrees
with you. The number one factor inhibiting adoption of encrypted email
is fear of public scorn, whether being seen as one of "those paranoid
people" or "I don't want people to wonder what I have to hide" or
what-have-you. Inconvenience runs a close second.
That's why I'm so skeptical of all claims that if we just fix the UI
we'll solve the adoption problem. The problem isn't UI.
> The reason that most people do not use crypto is the most trivial
> one: They don't think they need it.
This is not supported by the studies. Many people who do not use crypto
openly acknowledge that maybe they "should", in a vague "I really should
eat more salads and less meat" sense. However, they see the risks to
themselves as diffuse and distant, and the consequences mild. If you're
a political campaign worker and you send an unencrypted email of your
contact list, and it gets intercepted by the other side, your screw-up
has done enormous damage to your candidate... but you, yourself, will
likely never face any real punishment for it.
Bruce Schneier has gone on the record as saying something to the effect
of, "Whenever I hear a business exec tell me they have mandatory
security training, I ask how many people they fired in the last year for
violating security policies. If it's zero then they don't have
training, they have an hourlong all-hands meeting that no one will pay
attention to. And really, why should they?" (I'm paraphrasing him
quite loosely: I'm certain I've got the gist and spirit right, but I'm
certain the words are horribly wrong.)
More information about the Gnupg-users
mailing list