
Can an NSA-Proof Chat Be as Easy As Using Facebook?

BY Sam Roudman | Friday, August 2 2013

Photo: zzpza / Flickr

As it turns out, the government really can watch quite a lot of what you do online — maybe even to a greater degree than lawmakers meant to allow. That's sparking a sudden surge of interest in tools to help people preserve their privacy.

Encryption tools like the venerable Pretty Good Privacy, or PGP, and its open source counterpart, GPG, are well known to privacy advocates. But there's one problem: they're hard to use. Forced to choose between spending hours learning the ins and outs of public-key encryption and risking their privacy, most people seem to fire up Facebook without a second thought. After revelations that the National Security Agency and other federal agencies are capturing and sharing information about what Americans say and do online, and even more information about people abroad, privacy tool-makers say that's starting to change. Responding to those changing needs, some developers are at least trying to make privacy software more user-friendly as interest in their field grows and vague privacy fears become more concrete.

“It’s on the developers," says Francisco Ruiz, an associate professor of mechanical, materials, and aerospace engineering at the Illinois Institute of Technology. "Maybe they need to make [instructions] in red, with arrows pointing.”

Ruiz is trying to practice what he preaches. He developed the message encryption tool PassLok with the idea that it would be easy to use. As opposed to more complex cryptography programs like PGP, PassLok is supposed to be relatively simple. A user types a password in one text box, types or pastes the message to be encrypted in a second box, then clicks "lock." The message is encrypted into a stream of gibberish. Another PassLok user can then type the same password (the "combination") into the first box, paste that encrypted gibberish into the second box, click "unlock," and voilà: the gibberish turns back into the message.
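To make the lock/unlock workflow above concrete, here is an added example of a password-locked message in Python. It is not PassLok's own code or construction (PassLok's actual cryptography is not described on this page); it only illustrates what a two-box "lock" has to do behind the scenes: stretch the password into keys with a salted key derivation function, encrypt under a fresh nonce, and attach an authentication tag so that a wrong password or a tampered blob is rejected rather than decrypted into garbage. The function names `lock` and `unlock`, the iteration count, and the HMAC-in-counter-mode keystream are all choices made for this example; the keystream is a standard-library stand-in for a real cipher such as AES-GCM.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added illustration of a password-based lock/unlock scheme. This is NOT
# PassLok's actual algorithm. It uses only the Python standard library; in
# production, replace the keystream below with a vetted AEAD (AES-GCM or
# ChaCha20-Poly1305) and keep the salt, nonce and KDF structure.

PBKDF2_ITERATIONS = 100_000   # assumed work factor for password stretching
SALT_LEN = 16                 # per-message salt for the KDF
NONCE_LEN = 16                # per-message nonce for the keystream
TAG_LEN = 32                  # HMAC-SHA256 tag length


def _derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the password into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock(password: str, message: str) -> str:
    """Encrypt-then-MAC the message and return it as pasteable text."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = message.encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = salt + nonce
    # The tag covers salt and nonce too, so they cannot be swapped unnoticed.
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(header + ciphertext + tag).decode("ascii")


def unlock(password: str, locked: str) -> Optional[str]:
    """Return the message, or None if the password is wrong or the blob was altered."""
    try:
        blob = base64.urlsafe_b64decode(locked.encode("ascii"))
    except ValueError:
        return None
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; check the tag BEFORE touching the ciphertext.
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    try:
        return plaintext.decode("utf-8")
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed sample input for a stand-alone run.
    sealed = lock("correct horse battery staple", "meet at noon")
    print(sealed)
    print(unlock("correct horse battery staple", sealed))
    print(unlock("wrong password", sealed))
```

The point a user never sees in the two-box interface is the `None` path: a wrong password or a single changed character in the pasted gibberish must fail closed, with no partial or garbled plaintext shown, because the tag check happens before any decryption.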

But even for a fellow academic, that process can be a bit much. He says he asked a colleague to give PassLok a shot and wound up having to explain how to use it in a series of emails.

Ruiz is not alone in his difficulties. Although revelations of the NSA’s snooping capacity underscore the importance of protecting electronic communication, those making privacy tools are still figuring out how to design them for the general public.

But they are finding a broader audience.

Cryptocat, an app for encrypted chats in the browser that a third party can't read, added 5,000 new users and saw its server use increase 80 percent in the week following the first stories about the NSA. Open Whisper Systems, which makes apps for encrypted text and voice communication, also reported a surge in users, and the Open Internet Tools Project (OpenITP) has seen twice as many requests in recent days for training in secure communications.

No encryption software is perfect, and neither Cryptocat nor PassLok is an exception. On an email list devoted to technology for privacy and free expression, several developers and analysts have chimed in to explain potential security holes in both pieces of software.

Software has to work well enough and to spread to enough users in order to be effective, but that's not all — those users have to make encryption a regular part of their day. And they don't, says James Vasile, director of OpenITP.

“An awful lot of people have encrypted email capability, but only use it sporadically,” Vasile says. For those who have slaved over code to create tools that make emails, texts, chats and calls secure, the lack of commitment from users can be disheartening.

“We spend a lot of time creating robust infrastructure,” says Nathan Freitas, founder of the Guardian Project, which makes a variety of open source privacy apps. “We get really frustrated when users don’t appreciate how awesome it is.”

Freitas has worked on wireless mobile security since 1998, back when the Internet was largely confined to desktops. He says privacy software then was so difficult to develop or even find that there was “a huge lack of interest in usability.”

One challenge of this old regime — access — has been solved by the rise of secure, dependable app stores. To solve some of the others, Freitas says he's adopting a more consumer-focused strategy.

“We’re listening to users, common problems, misconceptions,” says Freitas. They’re streamlining the setup process for installing some of their apps and providing automatic reminders that you need to install a proxy browser to run them (disclosure: I had a Guardian Project app languishing on my phone without connection to a proxy browser for over a year). They’re rebranding their secure chat program Gibberbot as ChatSecure, and generally focusing on simplifying their apps’ designs.

“The burden’s on us right now to get a few iterations to make this easier,” says Freitas.

To get more people actually using privacy software, OpenITP is looking to attract more user experience and user interface experts into its fold. To facilitate this, OpenITP’s Circumvention Tech Summit this fall is providing travel stipends to user experience experts — experts in designing software to be more user-friendly and easier to understand.

“That’s one thing that our community needs desperately more of,” says Vasile.

In the meantime it’s up to people like Ruiz to make their projects easier to use, and after soliciting some feedback from colleagues via email, that's what he spent his weekend doing. His recent additions to PassLok include a Learn Mode, which every time a button is pressed displays a confirmation message describing what is about to happen and offers to cancel it, and a revamped meter for gauging the strength of your key or combination.

PassLok is easier for non-techies to use now, but Ruiz can't yet be sure it will be enough. “Wherever [people] go they just have to remember the password, and then they think that everything is that way,” says Ruiz, “so when you give them a security interface that is different, I think that confuses them.”