27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University

Publikation: Beitrag in Buch/Bericht/Sammelwerk/KonferenzbandAufsatz in KonferenzbandForschungPeer-Review

Autoren

  • Christian Stransky
  • Oliver Wiese
  • Volker Roth
  • Yasemin Acar
  • Sascha Fahl

Organisationseinheiten

Externe Organisationen

  • Freie Universität Berlin (FU Berlin)
  • Helmholtz-Zentrum für Informationssicherheit (CISPA)
  • Max-Planck-Institut für Sicherheit und Privatsphäre
Forschungs-netzwerk anzeigen

Details

OriginalspracheEnglisch
Titel des SammelwerksProceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
Herausgeber (Verlag)Institute of Electrical and Electronics Engineers Inc.
Seiten860-875
Seitenumfang16
ISBN (elektronisch)9781665413169
ISBN (Print)978-1-6654-1317-6
PublikationsstatusVeröffentlicht - 2022
Veranstaltung43rd IEEE Symposium on Security and Privacy, SP 2022 - San Francisco, USA / Vereinigte Staaten
Dauer: 23 Mai 202226 Mai 2022

Publikationsreihe

NameProceedings - IEEE Symposium on Security and Privacy
Band2022-May
ISSN (Print)1081-6011
ISSN (elektronisch)2375-1207

Abstract

Email is one of the main communication tools and has seen significant adoption in the past decades. However, emails are sent in plain text by default and allow attackers easy access. Users can protect their emails by end-to-end encrypting them using tools such as S/MIME or PGP.Although PGP had already been introduced in 1991, it is a commonly held belief that email encryption is a niche tool that has not seen widespread adoption to date. Previous user studies identified ample usability issues with email encryption such as key management and user interface challenges, which likely contribute to the limited success of email encryption.However, so far ground truth based on longitudinal field data is missing in the literature. Towards filling this gap, we measure the use of email encryption based on 27 years of data for 37,089 users at a large university. While attending to ethical and data privacy concerns, we were able to analyze the use of S/MIME and PGP in 81,612,595 emails.We found that only 5.46% of all users ever used S/MIME or PGP. This led to 0.06% encrypted and 2.8% signed emails. Users were more likely to use S/MIME than PGP by a factor of six. We saw that using multiple email clients had a negative impact on signing as well as encrypting emails and that only 3.36% of all emails between S/MIME users who had previously exchanged certificates were encrypted on average.Our results imply that the adoption of email encryption is indeed very low and that key management challenges negatively impact even users who have set up S/MIME or PGP previously.

ASJC Scopus Sachgebiete

Zitieren

27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. / Stransky, Christian; Wiese, Oliver; Roth, Volker et al.
Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc., 2022. S. 860-875 (Proceedings - IEEE Symposium on Security and Privacy; Band 2022-May).

Publikation: Beitrag in Buch/Bericht/Sammelwerk/KonferenzbandAufsatz in KonferenzbandForschungPeer-Review

Stransky, C, Wiese, O, Roth, V, Acar, Y & Fahl, S 2022, 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. in Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Proceedings - IEEE Symposium on Security and Privacy, Bd. 2022-May, Institute of Electrical and Electronics Engineers Inc., S. 860-875, 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, USA / Vereinigte Staaten, 23 Mai 2022. https://doi.org/10.1109/SP46214.2022.9833755
Stransky, C., Wiese, O., Roth, V., Acar, Y., & Fahl, S. (2022). 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. In Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022 (S. 860-875). (Proceedings - IEEE Symposium on Security and Privacy; Band 2022-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP46214.2022.9833755
Stransky C, Wiese O, Roth V, Acar Y, Fahl S. 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. in Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc. 2022. S. 860-875. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP46214.2022.9833755
Stransky, Christian ; Wiese, Oliver ; Roth, Volker et al. / 27 Years and 81 Million Opportunities Later : Investigating the Use of Email Encryption for an Entire University. Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc., 2022. S. 860-875 (Proceedings - IEEE Symposium on Security and Privacy).
Download
@inproceedings{218dc56bb961444cbb95c0af246498fb,
title = "27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University",
abstract = "Email is one of the main communication tools and has seen significant adoption in the past decades. However, emails are sent in plain text by default and allow attackers easy access. Users can protect their emails by end-to-end encrypting them using tools such as S/MIME or PGP.Although PGP had already been introduced in 1991, it is a commonly held belief that email encryption is a niche tool that has not seen widespread adoption to date. Previous user studies identified ample usability issues with email encryption such as key management and user interface challenges, which likely contribute to the limited success of email encryption.However, so far ground truth based on longitudinal field data is missing in the literature. Towards filling this gap, we measure the use of email encryption based on 27 years of data for 37,089 users at a large university. While attending to ethical and data privacy concerns, we were able to analyze the use of S/MIME and PGP in 81,612,595 emails.We found that only 5.46% of all users ever used S/MIME or PGP. This led to 0.06% encrypted and 2.8% signed emails. Users were more likely to use S/MIME than PGP by a factor of six. We saw that using multiple email clients had a negative impact on signing as well as encrypting emails and that only 3.36% of all emails between S/MIME users who had previously exchanged certificates were encrypted on average.Our results imply that the adoption of email encryption is indeed very low and that key management challenges negatively impact even users who have set up S/MIME or PGP previously.",
keywords = "email, email-encryption, encryption, pgp, s/mime, smime",
author = "Christian Stransky and Oliver Wiese and Volker Roth and Yasemin Acar and Sascha Fahl",
note = "Funding information: The authors would like to thank the staff at the Leibniz University IT Services at Leibniz University Hannover.; 43rd IEEE Symposium on Security and Privacy, SP 2022 ; Conference date: 23-05-2022 Through 26-05-2022",
year = "2022",
doi = "10.1109/SP46214.2022.9833755",
language = "English",
isbn = "978-1-6654-1317-6",
series = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "860--875",
booktitle = "Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022",
address = "United States",

}

Download

TY - GEN

T1 - 27 Years and 81 Million Opportunities Later

T2 - 43rd IEEE Symposium on Security and Privacy, SP 2022

AU - Stransky, Christian

AU - Wiese, Oliver

AU - Roth, Volker

AU - Acar, Yasemin

AU - Fahl, Sascha

N1 - Funding information: The authors would like to thank the staff at the Leibniz University IT Services at Leibniz University Hannover.

PY - 2022

Y1 - 2022

N2 - Email is one of the main communication tools and has seen significant adoption in the past decades. However, emails are sent in plain text by default and allow attackers easy access. Users can protect their emails by end-to-end encrypting them using tools such as S/MIME or PGP.Although PGP had already been introduced in 1991, it is a commonly held belief that email encryption is a niche tool that has not seen widespread adoption to date. Previous user studies identified ample usability issues with email encryption such as key management and user interface challenges, which likely contribute to the limited success of email encryption.However, so far ground truth based on longitudinal field data is missing in the literature. Towards filling this gap, we measure the use of email encryption based on 27 years of data for 37,089 users at a large university. While attending to ethical and data privacy concerns, we were able to analyze the use of S/MIME and PGP in 81,612,595 emails.We found that only 5.46% of all users ever used S/MIME or PGP. This led to 0.06% encrypted and 2.8% signed emails. Users were more likely to use S/MIME than PGP by a factor of six. We saw that using multiple email clients had a negative impact on signing as well as encrypting emails and that only 3.36% of all emails between S/MIME users who had previously exchanged certificates were encrypted on average.Our results imply that the adoption of email encryption is indeed very low and that key management challenges negatively impact even users who have set up S/MIME or PGP previously.

AB - Email is one of the main communication tools and has seen significant adoption in the past decades. However, emails are sent in plain text by default and allow attackers easy access. Users can protect their emails by end-to-end encrypting them using tools such as S/MIME or PGP.Although PGP had already been introduced in 1991, it is a commonly held belief that email encryption is a niche tool that has not seen widespread adoption to date. Previous user studies identified ample usability issues with email encryption such as key management and user interface challenges, which likely contribute to the limited success of email encryption.However, so far ground truth based on longitudinal field data is missing in the literature. Towards filling this gap, we measure the use of email encryption based on 27 years of data for 37,089 users at a large university. While attending to ethical and data privacy concerns, we were able to analyze the use of S/MIME and PGP in 81,612,595 emails.We found that only 5.46% of all users ever used S/MIME or PGP. This led to 0.06% encrypted and 2.8% signed emails. Users were more likely to use S/MIME than PGP by a factor of six. We saw that using multiple email clients had a negative impact on signing as well as encrypting emails and that only 3.36% of all emails between S/MIME users who had previously exchanged certificates were encrypted on average.Our results imply that the adoption of email encryption is indeed very low and that key management challenges negatively impact even users who have set up S/MIME or PGP previously.

KW - email

KW - email-encryption

KW - encryption

KW - pgp

KW - s/mime

KW - smime

UR - http://www.scopus.com/inward/record.url?scp=85118999773&partnerID=8YFLogxK

U2 - 10.1109/SP46214.2022.9833755

DO - 10.1109/SP46214.2022.9833755

M3 - Conference contribution

AN - SCOPUS:85118999773

SN - 978-1-6654-1317-6

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 860

EP - 875

BT - Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 23 May 2022 through 26 May 2022

ER -