Peeking into the black box: Towards understanding user understanding of E2EE

Abstract

End-to-end encryption (E2EE) has become available to end users, but they need to understand the nature and limitations of the protection it offers to benefit in terms of protection. Attempts to explain cryptography in general, and E2EE in particular, to non-specialists have had limited success - in part because they tried to convey detailed expert knowledge. Metaphors are a way to communicate the benefits and limitations more compactly, and support the construction of functional mental models. Previous research that attempted to do this for E2EE reported mixed results, but offered no detailed insight into how participants constructed their understanding and which aspects of particular metaphors helped or hindered their functional understanding. We repeated the previous experiment in form of a qualitative interview study with 12 participants (all users of messaging apps) and used detailed questions to better understand why the participants rated the security properties of E2EE correctly or incorrectly, and how the metaphors had been interpreted and applied. Therefore, we are able to describe to what extent, and how, the metaphors for E2EE changed participants' understanding of the security properties. We found that participants inferred the security properties of E2EE partly from the metaphors, but also from existing beliefs, for instance about the trustworthiness of providers. While the metaphors improved the assessment about confidentiality, they did not correct misconceptions about authenticity. Based on our findings we recommend the development and testing of interventions aimed at the process of changing mental models and correcting persistent misconceptions.