Encryption software and internships have one thing in common: They have ridiculous high demands.
When applying for a straight forward office internship, one needs to have fluent demand of at least three languages, being able to fly a Boeing 747 while stewarding the plane and willing to fetch coffee, do the laundry and clean, preferrably for free but otherwise a small stipend will be provided.
Encryption software depend on you to have at knowledge of the command line in your operating system, two programming languages (HTML is markup language so that doesn’t count), to be able to read thoughts of the programmer who made it, and being extremely good at solving puzzles Indiana Jones style, when you’re just trying to read your damned email.
Just as one simply does not just walk into Mordor, one does not just use TOR, PGP, Pond or whatever the newest trend is. It is probably more difficult to use this software than to get a paid internship at the UN. It is simply not for beginners to figure out how to configure TOR bridges, install Tails or understand that the Seahorse program is connected to your encryption keys.
And yet everybody says:
“Use Tor!”
“You have to use PGP – blah the most recent Snowden revelations!”
“We just have to teach users good internet hygiene!”
“Free and open operating systems are morally superior than those of the big corporate giants!”
As much as I agree with this, those arguments fall like a house of cards when thoroughly examined. One big point has not been taken seriously by the free and open source software community developing a substantial part of these tools.
User interface
Communicating how the software is to be used is a far more necessity than to brainwash people into believing that encryption is the way to go. The brainwashing part is easy, but as it is today, I don’t have much to show when people ask me for advice on secure communication tools. There is simply nothing there with an acceptable user interface I can recommend to people.
The current state is more or less useless, because, it cannot be used by normal human beings.
It is important that the developers of tools enabling more security on the Internet realize that if they fail to communicate how the software is to be used, set up, or function it is a bug. It’s not a bug in the code, but a bug in the wider sense of the function of the code or the system – It is a Human Relation Bug and involves the step which actually makes the software work: By being used. Software not used is failed software and the responsibility is not on the user’s end to learn abstract techology, but on the developer’s end to communicate their intentions to humans.
The problem which result in Human Relation Bugs can be classified into three main problems:
a) Communication
b) Assumption of different startpoints when starting to explain what you’re supposed to do
c) It is simply not expected that a non-technical user is using the software.
Communication
In most cases the problem is the communication from the software developer to the user is lacking. This can sometimes just be fixed by updating the text on the webpage with additional information, or clarify in the program what a certain action actually means.
What does a ‘signature’ mean? For most people it means what you have on the bottom of your email, not that you have done a proper key exchange of electronic signatures via a third party program. What is a bridge? What was the name of that program again where I can look up keys? What’s a certificate?
Different expectations
Sometimes it is different expectations of the start point. It is not logical, just as the linux downloading instructions for Tor, that you’ve to enter the downloads folder via terminal for doing the demand line to start it up. Neither is what the LANG means in the instructions. If I am trying to connect to the Internet through the Tor Browser, the instructions of the more advanced settings are ambiguous.
They assume that you already have secure enough access to the Internet to be able to mail them should you need any help to configure for example, Tor bridges. This is a single point of failure which could easily be mended by adding, let’s say, a free phone number which can be called in emergencies. Access Now is currently running an emergency service like that, but that information is not included anywhere on the Tor Webpage nor when you’re actually in a critical situation trying to connect to the Internet via the Tor browser.
Non-techies not Welcome
Other times, it’s just assumed that the technology is not used by non technical people. The instructions are based on documentation of the code, it is assumed that you can do whatever the coder was doing and have good command on the highly specialized language, including various abbreviations.
It is simply not assumed that a non-technical person is using Linux to download Tor. This can be concluded when comparing the instructions on downloading tor for Windows, OSx and Linux. The Windows and OSx do have graphical installers, quite straight forward. The Linux version, however, relies on command lines. In addition to the abstractness of using command lines, they don’t include that you’ve to do something like ‘cd Downloads/Tor-Browser-Bundle’ and then press enter and then follow the instructions. The Tor Browser Bundle for does not come with an icon either, so I actually have to Google “How to start Tor on Linux” to restart it.
If it is to be used – Make it usable
If the software should be used it has to be usable to the general public. That means the graphics, the text, the communication and analyzing how people think and understand computers is essential. It is essential to make it actually work – as in being used on a normal human being’s laptop, you know, the kind that thinks Google and Facebook is the Internet.
Until then, all I can do is to pray for encryption. That’s how bad the user interface status of the current encryption technology is.
Accidentally... 