Where It Goes Is More Important Than How It Gets There
User perceptions of sensitive data in transit versus at rest.
Many users seem to care much more about what happens to sensitive information once it arrives in the hands of the recipients than what happens to it while it is in transit.
Every day, people transmit all kinds of data — files, videos, voice messages, and everything in between — across computer networks. Some of this data can be pretty sensitive, such as transferring medical records to a new doctor, exchanging financial records with an accountant, or submitting birth certificates and property tax information to enroll a child in school. Security researchers have spent significant effort to improve secure communications infrastructure, making it easy for millions of people to send encrypted messages with strong privacy guarantees. Less is known, however, about how people exchange sensitive documents: are they sending these documents securely? If not, is that because they don’t know how, because the tools for doing so are too hard to use, or simply because they don’t consider the documents they send to be at much risk?
Our team at UMD investigated how people currently exchange (or plan to exchange) sensitive documents. We found that users' biggest concern may in fact be what happens to their data once it arrives at its destination, rather than what happens to it in transit. This reveals an important mismatch between secure communications tools, many of which focus on risks in transit, and users' threat models.
To investigate how people send (or plan to send) sensitive documents, we designed a short survey and administered it to crowdworkers. Each participant was asked about three different scenarios (among nine possible options) involving transfer of sensitive data; examples include hiring a CPA, registering a child for school, and transmitting a password for a shared resource. We asked each participant how they have handled similar scenarios in the past, how they would transfer the sensitive data now, and whether they had any concerns about privacy or security. Most questions were open-ended, allowing the participants to explain their thinking rather than choosing from a list of predefined options.
Not unexpectedly, participants commonly transferred their documents in insecure ways, such as via standard, unencrypted email attachments. Many participants assuaged security concerns by delivering documents by hand. We saw almost no instances of participants using communications tools designed for secure transfer of documents. These results may reflect the fact that participants’ threat models primarily focused on risks after delivery of documents, rather than in transit. For example, participants worried that the recipient might use the documents inappropriately: “A facility or institution misplacing, losing, or selling my information to a 3rd party can be worrisome.” Others expressed concern the recipient might not properly protect the documents from a breach: “A security breach of the company’s information may put my information at risk.” In particular, participants worried about identity theft and breaches of privacy due to their information becoming publicly available at some point after the recipient got the documents.
Our results have interesting implications for the design and deployment of secure communications tools. If people are largely unaware of risks in transit, designers must focus either on increasing this awareness, on making secure transmission automatic and transparent, or both. At the same time, our results reveal a gap: more work is needed to address concerns about how data is handled after transmission. Perhaps tools designed for transience, so that documents do not persist with the recipient indefinitely, could help. We hope our work sparks further conversation about extending secure communications to encompass documents as well as messages.