Okay, if PGP and OTR* are the best we’ve got for encrypting our work—I’ve got a question.
Can we (well, you, developers) build a wizard—a page by page set up assistant—that helps new users, step by step, set up PGP or establish an OTR-encrypted connection—a wizard that launches every time we open PGP, Pidgin, or Adium?
Could you make a special link taking new people to the wizardized version of these programs? If the goal is to get activists and journalists to use strong encryption, to save their lives and keep them free (free as in Syria, Iraq, Bangladesh, Rio, London, and where you live) this would help a lot.
It’s true—you yourselves would never use this. And it’s true—encryption doesn’t solve every surveillance problem. But it could save the life of an activist under threat who otherwise can’t get PGP to work correctly in, say, the space of a week or two. Because when activists most need encryption, they may be least able to seek help.
A wizard, updated as the software evolves, would solve the problem of overly general, outdated (and therefore confusing) info on how to set up encryption. Yes, a wizard is a workaround. But it would sit atop existing, strong encryption. It would be a lot easier to update a wizard than to build a new encryption algorithm.
A big problem for nontechnical people is that—even after they—okay, we (okay, me, at the moment)—figure out how to use PGP or OTR—there’s no network effect. We may know only one or two people who use encryption (the person we urgently need to talk to with encryption, and the person who taught us to use the encryption software—whom we’ve guiltily dragged into our problem). Unlike software developers, we aren’t surrounded by people to ask technical questions. Very likely, the one thing that’s been drummed into us is not to ask sensitive questions online without encryption software.
You see the problem.
Even now, not a lot of activists and fewer reporters use encryption. With no one to talk to (with encryption), new users may only use it every few months. And between times, we forget how to use it and forget our long, obscure, rigorously safe passwords.
This isn’t rocket science. It’s user experience.
At high-tech startups, if the customer doesn’t understand your product the first time—you’re toast. So there are usually crystal-clear (term of art = “dead simple”) tutorials to show them how to use it. There’s money to be made getting a user to understand, say, MailChimp for the first time.
“Dude, suckin’ at something is the first step to being sorta good at something.”
There is no money to be made in getting someone to use PGP the first time. But we have the technology. There are thousands of people who know how to explain and tweak the user experience so that complete idiots or brilliant activists can use the software. Startups use A/B testing, poll their users and do focus groups using real users from their target customer base (not other software developers)—all tools that can advance the field of encryption software.
Being forced to watch an important activist dismiss your tool in real time, in person, as impossible to use might be instructive. I’ve seen it—I wish you could, too.
So what would be in the wizard? A series of unambiguous slides, tested on real activists, in their home language (start with English, then Arabic, then Chinese?) geared at about the 6th grade level—as many slides as it takes, with screen shots and links. It’s a lot easier for an activist to click through 20 slides and achieve encryption than 5 poorly planned ones that lead to confusion and failure. Which is where we are right now. I say from experience. Right now.
And then a list of vetted people who have agreed to chat with the activists using this encryption software. Until they get the hang of it.
This would take the place of:
An outdated YouTube video (if activists are able to access YouTube—not available in China—and if accessing a YouTube video about PGP seems like a good idea given our threat model).
Badgering a list of well-meaning cryptographers who don’t understand us or our problem (if we have access to such a list and if asking PGP questions on a publicly-indexed list seems smart).
Being walked through the system by a good-hearted social-justice-oriented cryptographer or hacktivist who really needs to be spending his time on something other than being a help desk.
Most common: A long struggle, followed by Nothing. (Followed immediately by an insecure communication and a sick feeling.)
So, what do you say? Not a glamorous solution, but it’s only kludgy if it doesn’t work, right? And the usability data will be glorious.
Know how to build a wizard and want to help? Contact me at katiePHR@gmail.com.
*PGP = Pretty Good Privacy (GPGTools.org); OTR = Off the Record, the encryption protocol used by chat clients.