Häring, Maximilian: Users' Assumptions and Trust in Software vs. The Technical Reality : A Study on Contact Tracing and Secure Messaging User Experiences. - Bonn, 2024. - Dissertation, Rheinische Friedrich-Wilhelms-Universität Bonn.
Online edition in bonndoc: https://nbn-resolving.org/urn:nbn:de:hbz:5-78917
@phdthesis{handle:20.500.11811/12435,
urn = {https://nbn-resolving.org/urn:nbn:de:hbz:5-78917},
author = {{Maximilian Häring}},
title = {Users' Assumptions and Trust in Software vs. The Technical Reality : A Study on Contact Tracing and Secure Messaging User Experiences},
school = {Rheinische Friedrich-Wilhelms-Universität Bonn},
year = 2024,
note = {Most of what increases software security and protects privacy, be it implementation or configuration, falls under the domain of security experts. But sometimes, those mechanisms need to be exposed to users who are not experts. In order to take meaningful action here, users must then be able to resolve the situation in line with their objectives. To build software that can accomplish that, it is helpful to understand how users perceive and interact with those features as well as why they do so.
Contributing to this, I studied two cases of software and researched the participants' interaction with it. I did so in three online studies with a total of 1933 participants and two lab studies with a total of 27 participants. Both apps I investigated are popular and exemplary from a technical standpoint, being open-source and focusing on privacy and security, making them best-case objects of observation to study what users currently understand and to observe their behavior.
The first software was the Corona-Warn-App (CWA), the official German digital contact tracing app. To study the CWA, I conducted three online surveys. The first survey was conducted right before the app was released, and the second was conducted shortly after the release. This allowed me to measure the intention-behavior gap and observe the participants' shift of reasoning, knowledge, and perception. Both surveys and contemporary related work showed that the participants had many misconceptions about how digital contact tracing worked. To investigate this further, I surveyed German participants for the third time. I found that users knew more than non-users. However, the difference was not as large as I had expected. With those surveys, I contributed to the discussion about what influenced decisions to install the CWA and what role the architecture and technical features had.
The second software I studied was the Signal app, an instant messaging application. I developed an interface for a new authentication ceremony protocol called SOAP. SOAP was developed by colleagues at ETH Zurich as part of a joint project, the "Centre for Cyber Trust" of the Werner Siemens-Stiftung. Our task at the University of Bonn was to test and improve SOAP's usability. The protocol allows users to verify that they are communicating with the intended person by letting the contact prove the possession of a social media account. The hope for SOAP was that its concept of social authentication would more closely align with the users' already existing concepts for authentication. I conducted two lab studies investigating the interface's effectiveness in preventing insecure communications and its relation to user understanding in a whistleblower scenario. Throughout the studies, I could improve the interface so that only one in 18 failed based on SOAP. With the study, I was able to show the pitfalls of common authentication ceremonies and discuss where SOAP can improve the situation.},

url = {https://hdl.handle.net/20.500.11811/12435}
}

The following license files are associated with this item:

InCopyright