27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University

Research output: Chapter in book/report/conference proceeding; Conference contribution; Research; peer review

Authors

  • Christian Stransky
  • Oliver Wiese
  • Volker Roth
  • Yasemin Acar
  • Sascha Fahl

Research Organisations

External Research Organisations

  • Freie Universität Berlin (FU Berlin)
  • CISPA Helmholtz Center for Information Security
  • Max Planck Institute for Security and Privacy

Details

Original language: English
Title of host publication: Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 860-875
Number of pages: 16
ISBN (electronic): 9781665413169
ISBN (print): 978-1-6654-1317-6
Publication status: Published - 2022
Event: 43rd IEEE Symposium on Security and Privacy, SP 2022 - San Francisco, United States
Duration: 23 May 2022 - 26 May 2022

Publication series

Name: Proceedings - IEEE Symposium on Security and Privacy
Volume: 2022-May
ISSN (Print): 1081-6011
ISSN (electronic): 2375-1207

Abstract

Email is one of the main communication tools and has seen significant adoption in the past decades. However, emails are sent in plain text by default and allow attackers easy access. Users can protect their emails by end-to-end encrypting them using tools such as S/MIME or PGP.

Although PGP had already been introduced in 1991, it is a commonly held belief that email encryption is a niche tool that has not seen widespread adoption to date. Previous user studies identified ample usability issues with email encryption such as key management and user interface challenges, which likely contribute to the limited success of email encryption.

However, so far ground truth based on longitudinal field data is missing in the literature. Towards filling this gap, we measure the use of email encryption based on 27 years of data for 37,089 users at a large university. While attending to ethical and data privacy concerns, we were able to analyze the use of S/MIME and PGP in 81,612,595 emails.

We found that only 5.46% of all users ever used S/MIME or PGP. This led to 0.06% encrypted and 2.8% signed emails. Users were more likely to use S/MIME than PGP by a factor of six. We saw that using multiple email clients had a negative impact on signing as well as encrypting emails and that only 3.36% of all emails between S/MIME users who had previously exchanged certificates were encrypted on average.

Our results imply that the adoption of email encryption is indeed very low and that key management challenges negatively impact even users who have set up S/MIME or PGP previously.

Keywords

    email, email-encryption, encryption, pgp, s/mime, smime

Cite this

27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. / Stransky, Christian; Wiese, Oliver; Roth, Volker et al.
Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc., 2022. p. 860-875 (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2022-May).

Stransky, C, Wiese, O, Roth, V, Acar, Y & Fahl, S 2022, 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. in Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Proceedings - IEEE Symposium on Security and Privacy, vol. 2022-May, Institute of Electrical and Electronics Engineers Inc., pp. 860-875, 43rd IEEE Symposium on Security and Privacy, SP 2022, San Francisco, United States, 23 May 2022. https://doi.org/10.1109/SP46214.2022.9833755
Stransky, C., Wiese, O., Roth, V., Acar, Y., & Fahl, S. (2022). 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. In Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022 (pp. 860-875). (Proceedings - IEEE Symposium on Security and Privacy; Vol. 2022-May). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/SP46214.2022.9833755
Stransky C, Wiese O, Roth V, Acar Y, Fahl S. 27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University. In Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc. 2022. p. 860-875. (Proceedings - IEEE Symposium on Security and Privacy). doi: 10.1109/SP46214.2022.9833755
Stransky, Christian ; Wiese, Oliver ; Roth, Volker et al. / 27 Years and 81 Million Opportunities Later : Investigating the Use of Email Encryption for an Entire University. Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022. Institute of Electrical and Electronics Engineers Inc., 2022. pp. 860-875 (Proceedings - IEEE Symposium on Security and Privacy).
@inproceedings{218dc56bb961444cbb95c0af246498fb,
title = "27 Years and 81 Million Opportunities Later: Investigating the Use of Email Encryption for an Entire University",
keywords = "email, email-encryption, encryption, pgp, s/mime, smime",
author = "Christian Stransky and Oliver Wiese and Volker Roth and Yasemin Acar and Sascha Fahl",
note = "Funding information: The authors would like to thank the staff at the Leibniz University IT Services at Leibniz University Hannover.; 43rd IEEE Symposium on Security and Privacy, SP 2022 ; Conference date: 23-05-2022 Through 26-05-2022",
year = "2022",
doi = "10.1109/SP46214.2022.9833755",
language = "English",
isbn = "978-1-6654-1317-6",
series = "Proceedings - IEEE Symposium on Security and Privacy",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
pages = "860--875",
booktitle = "Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022",
address = "United States",

}

TY - GEN

T1 - 27 Years and 81 Million Opportunities Later

T2 - 43rd IEEE Symposium on Security and Privacy, SP 2022

AU - Stransky, Christian

AU - Wiese, Oliver

AU - Roth, Volker

AU - Acar, Yasemin

AU - Fahl, Sascha

N1 - Funding information: The authors would like to thank the staff at the Leibniz University IT Services at Leibniz University Hannover.

PY - 2022

Y1 - 2022

KW - email

KW - email-encryption

KW - encryption

KW - pgp

KW - s/mime

KW - smime

UR - http://www.scopus.com/inward/record.url?scp=85118999773&partnerID=8YFLogxK

U2 - 10.1109/SP46214.2022.9833755

DO - 10.1109/SP46214.2022.9833755

M3 - Conference contribution

AN - SCOPUS:85118999773

SN - 978-1-6654-1317-6

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 860

EP - 875

BT - Proceedings - 43rd IEEE Symposium on Security and Privacy, SP 2022

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 23 May 2022 through 26 May 2022

ER -