27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University
conference contribution
posted on 2023-11-29, 18:20 authored by Christian Stransky, Oliver Wiese, Volker Roth, Yasemin Acar, Sascha Fahl
Email is one of the main communication tools and has seen significant adoption in the past decades. However, emails are sent in plain text by default and allow attackers easy access. Users can protect their emails by end-to-end encrypting them using tools such as S/MIME or PGP. Although PGP had already been introduced in 1991, it is a commonly held belief that email encryption is a niche tool that has not seen widespread adoption to date.
Previous user studies identified ample usability issues with email encryption such as key management and user interface challenges, which likely contribute to the limited success of email encryption. However, so far ground truth based on longitudinal field data is missing in the literature.
Towards filling this gap, we measure the use of email encryption based on 27 years of data for 37,089 users at a large university. While attending to ethical and data privacy concerns, we were able to analyze the use of S/MIME and PGP in 81,612,595 emails.
We found that only 5.46% of all users ever used S/MIME or PGP. This led to 0.06% encrypted and 2.8% signed emails. Users were more likely to use S/MIME than PGP by a factor of six. We saw that using multiple email clients had a negative impact on signing as well as encrypting emails and that only 3.36% of all emails between S/MIME users who had previously exchanged certificates were encrypted on average.
Our results imply that the adoption of email encryption is indeed very low and that key management challenges negatively impact even users who have set up S/MIME or PGP previously.
History
Preferred Citation
Christian Stransky, Oliver Wiese, Volker Roth, Yasemin Acar and Sascha Fahl. 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. In: IEEE Symposium on Security and Privacy (S&P). 2022.
Primary Research Area
Empirical and Behavioral Security
Name of Conference
IEEE Symposium on Security and Privacy (S&P)
Legacy Posted Date
2022-04-05
Open Access Type
Gold
BibTeX
@inproceedings{cispa_all_3601,
title = "27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University",
author = "Stransky, Christian and Wiese, Oliver and Roth, Volker and Acar, Yasemin and Fahl, Sascha",
booktitle="{IEEE Symposium on Security and Privacy (S\&P)}",
year="2022",
}