What is "good encryption"? A pragmatic turn from a tool-centered to a user-centered approach
Ksenia Ermoshina, CNRS Francesca Musiani, CNRS Mykola Kostynyan, Digital security trainer and expert,
An important body of work in the field of science and technology studies (STS) in the last forty years has addressed the ‘making of’ systems of classification, categorization and measurement as a crucial component of human interaction and governance processes (e.g. Bowker and Star, 1999) in a variety of fields. Our current research within NEXTLEAP shows that fierce debates – exemplified by the ongoing revisions of the Electronic Frontier Foundation’s Secure Messaging Scorecard – are taking place on what makes a reliable secure messaging application, and what constitutes a ‘good’ measurement system to assess (usable) security and encryption, able to take into account all the ‘relevant’ aspects – not only technical but social and economic.
Drawing on this context, this session of the NEXTLEAP seminar will discuss how actors in the field of secure messaging, from developers to users, define ‘good encryption’ from a pragmatic standpoint. In particular, we will examine how this definition increasingly often uses as a starting point not the tools themselves, but users and their contexts of use: e.g., for a journalist working in conflict zones, WhatsApp will be deemed as insufficiently protective and qualified as ‘bad’ encryption, while for a design firm employee whose first preoccupation is to avoid targeted ads, the very same tool will provide ‘good’ encryption. On its end, the EFF proposes a standard set of requirements constituting the core of good encryption: open-source, end-to-end, and peer-reviewed code, and advise users on what could be the best-adapted tool for their needs, provided that it satisfies these basic requirements. The talks will provide several examples of this ‘pragmatic turn’ in the assessment of the quality of encryption. In presence of and with the help of practitioners, we will discuss this dialectic between standard and ad-hoc configurations, and how standardized tools such as guides can be produced in such an articulate and varied landscape of tools and practices.