This talk will revisit joint work with Harry Halpin and Ksenia Ermoshina, conducted in the frame of the H2020 European project NEXTLEAP (2016-2018, nextleap.eu). Due to the increased and varied deployment of secure messaging protocols, differences between what developers “believe” are the needs of their users and their actual needs can have very tangible and potentially problematic consequences. Based on 90 interviews with both high and low-risk users, as well as with several developers, of popular secure messaging applications, we mapped the design choices made by developers to threat models of both high-risk and low-risk users. Our research revealed interesting and sometimes surprising results, among which: high-risk users often consider client device seizures to be more dangerous than compromised servers; key verification is important to high-risk users, but they often do not engage in cryptographic key verification, instead using other “out of band” means; high-risk users, unlike low-risk users, often need pseudonyms and are heavily concerned over metadata collection. Developers tend to value open standards, open-source, and decentralization, but high-risk users often find these aspects less urgent given their more pressing concerns; and while, for developers, avoiding trusted third parties is an important concern, several high-risk users are in fact happy to rely on trusted third parties ‘protected’ by specific geo-political situations. We conclude by suggesting that work still needs to be done for secure messaging protocols to be aligned with real user needs, including high-risk, and with real-world threat models.
Francesca Musiani (PhD, socio-economics of innovation, MINES ParisTech, 2012), is associate research professor at the French National Center for Scientific Research (CNRS) since 2014. She is Deputy Director of the Center for Internet and Society of CNRS, which she co-founded with Mélanie Dulong de Rosnay in 2019. She is also an associate researcher at the Center for the sociology of innovation (i3/MINES ParisTech) and a Global Fellow at the Internet Governance Lab, American University in Washington, DC. Since 2006, Francesca’s research work focuses on Internet governance, in an interdisciplinary perspective merging information and communication sciences, science and technology studies (STS) and international law. Her most recent research explores, or has explored, the development and use of encryption technologies in secure messaging (H2020 European project NEXTLEAP, 2016-2018), “digital resistances” to censorship and surveillance in the Russian Internet (ANR project ResisTIC, 2018-2021), and the governance of Web archives (ANR project Web90, 2014-2017 and CNRS Attentats-Recherche project ASAP, 2016). Francesca’s theoretical work explores STS approaches to Internet governance, with particular attention paid to socio-technical controversies and to governance “by architecture” and “by infrastructure”. Francesca is the author of several journal articles and books, including Nains sans géants. Architecture décentralisée et services Internet (Dwarfs Without Giants: Decentralized Architecture and Internet Services, Presses des Mines [2015], recipient of the French Privacy and Data Protection Commission’s Prix Informatique et Libertés 2013).