This work reports on preliminary research where we questioned how users understand security indicators|either used independently, or alongside text labels, or with explanations|that are shown in an email application that o ers end-to-end encryption1.

Security indicators are graphical clues or icons that, in secure email apps, are reserved to tell users about two speci c concepts: con dentiality of a message, meaning that an email is or has been encrypted, and authenticity and integrity, meaning that the message is coming from a trusted party, that is, from a party whose public key we hold and trust. Di erent choices exist to express those concepts either in their positive and in their negative variants (e.g. violation of con dentiality, untruthfulness of a party, and lack of any knowledge on the matter), but there is no uniformity in how di erent apps should graphically convey those messages.

We investigate the question in the context of \Pretty Easy Privacy"2(p p), a relatively new secure email app that attempts to deploy a tra c-light semantic as a clear and easily understandable presentation of the di erent privacy states that messages and communication peers can have[ 16 ]. The design choices regarding the indicators within p p diverge from those of other applications, and how this re ects on users has not been studied before. Furthermore, other secure email apps also di er from one another. Overlooking that Lausch et al. [ 15 ] discuss that an \envelope" in various conditions (e.g. broken, closed, open) is a better metaphor than a \padlock" in its various forms (e.g. open or closed, and red or green-coloured), applications opt for their own security icons and metaphors|for instance, the popular open-source Enigmail3 for Thunderbird uses padlocks for con dentiality and sealed envelopes for authentication and integrity (see Figure 1). The reasoning underpinning choices is often not explicitly stated. 1.1

p p is an opportunistic peer-to-peer end-to-end encryption software which tries to unburden users from managing their encryption keys. p p automatically generates user keys, appends the public key to each outgoing message, and extracts and stores keys from incoming messages. Messages are automatically encrypted and decrypted. Peers can be veri ed to be authentic by a second-channel out-of-bound communication, e.g. a phone call where the peers verify a humanfriendly version of their ngerprint; this version is a sequence of easily readable words, called trustwords, taken from a dictionary according to an index that depends on the combination of the two peers' ngerprints.

Depending on several factors, each communication channel to di erent peers may have a di erent privacy status. For example, the system can independently and automatically categorise a particular message as reliable whenever it can be encrypted or decrypted with su cient cryptographic parameters. However, the system cannot independently categorise the message as trusted unless the user carries out a p p handshake and con rms to trust the sender in the p p interface.

Internally, p p distinguishes among 13 situations which are surjectively mapped into colour codes

(chosen according to a tra c light semantics), privacy rating labels, as well as corresponding privacy rating explanations [ 16 ]. Table 1 provides an overview of the di erent internal ratings, codes and labels. Table 2 provides an overview of how these ratings are currently displayed in the user interface of p p for Thunderbird.

For instance, the p p rating \mistrust" is assigned the colour code \red", the user interface label \Mistrusted", and explanation \This message has a communication partner that has previously been marked as mistrusted".

In addition, p p uses privacy indicators which are icons from an icon set made up of four coloured shapes (e.g. see Figure 2 and Figure 3) corresponding to the colour code assigned to each situation. \Under Attack", \Broken", and \Mistrusted" are the situations represented by a red square, for instance. The rating codes from 0 to 5 are not assigned any colour label, however, in the user interface, these codes are represented by a gray circle. Reliable communication (i.e. Rating Code -3 -2 -1 0 1 2 3 4 5 6 7 8 9

Rating Label under attack broken mistrust unde ned cannot decrypt have no key unencrypted unencrypted for some unreliable reliable trusted trusted and anonymized fully anonymous rating code 6 ) is represented using a yellow shape, and trusted communication (i.e. colour code 7 ) is represented with a green shape.

The design choice of p p's privacy icons is justi ed by arguments, but not by evidence. While discussing with the p p developers, we were told that the shapes are meant to be easily understood by colour-blind persons, and were suggested after consultation with experts. The colour choices are meant to re ect the universally-deployed tra c light semantic.

There are many interesting questions that could be investigated, such as, how to draw user attention to these indicators; where to display those icons in the user interface; what situations do such shapes suggest to users; are shapes better than conventional icons (e.g. envelopes), etc.

Nevertheless, here we conduct an enquiry into the most basic question of \how would prospective or rst-time p p users understand the p p privacy indicators". Formally stated, we intend to shed light on the following research questions: 1. Which of the 4 visual icons do users associate with the di erent p p privacy ratings? 2. Which of the 4 visual icons do users associate with the di erent p p privacy rating explanations? 3

We conducted three online studies to assess how people would interpret the various privacy rating indicators o ered by the p p email encryption system. Table 3 provides an overview of the user test sessions, the number of participants per session as well as the focus of investigation.

Session 1 Session 2

Session 3 Total evaluations

Understanding why there is a dichotomy between what the developers wanted to convey with the di erent privacy indicators in p p and how prospective users would interpret them, or which privacy indicators could be better in narrowing this chasm, is not in the scope of this investigation. Nevertheless, we hypothesize that the following elements potentially play a role: the shapes of the indicators the colours of the indicators the tra c light metaphor used for the indicators the choice of words in the statements and explanations the perception of risk associated with the shapes, colours, metaphor and wordings of the indicators the clustering of risks the understandability of the indicators the awareness and concern about di erent scenarios and privacy ratings (For each item, the match strength refers to the percentage of participants that associated an icon to a statement or explanation in the same fashion as it is currently implemented by p p.)

It is often the case that visual input tends to dominate other modalities when it comes to our perceptual and memorial judgements [ 18 ]. Colour is one of the characteristics of human visual perception that can carry important meaning and can have an important impact on peoples a ect, cognition, and behaviour [ 6 ]. According to Elliot & Maier's colour-in-context theory [ 5 ], some colour meanings and e ects are biologically-based, while others are posited to stem from the repeated pairing of colour and particular concepts, messages, and experiences. They state that observing colour-meaning associations over time and cultures can contribute to reinforcing and extending the applicability of those links to objects in the broader environment, such as signs and signals. We did not have the opportunity to perform this investigation with existing p p users. We would be interested in comparing such results with the current ndings and looking at the role of experience with the system on the interpretation of the privacy ratings and indicators.

Disregarding some regional variations, tra c signs and tra c lights are now found all over the world, and their meaning is internationally recognizable. The corresponding tra c light rating system (red, amber, green) is something we have repurposed in many di erent domains, from nutrition labels for pre-packed products [ 22 ] to energy consumption labeling [ 9 ] and project management status reporting [ 7 ], to name a few. In that respect, the provision of the tra c light colour codes can serve to communicate more accurate, relevant, and comparable information to users, as well as to transmit certain levels of risk or allow for a quick recognition of potential hazards.

Nevertheless, while signs and pictograms have been standardized in speci c areas, in many di erent contexts harmonized communication or a shared understanding of the risk communicated by signs, symbols, or colours cannot be taken for granted [ 21 ]. The reasons can range from cross-cultural di erences [ 14 ] to varying levels of technical expertise within a speci c domain. Research on human aspects in the context of end-to-end email encryption suggests that non-expert users have incomplete threat models and a general absence of understanding of the email architecture [ 19 ]. As expressed in Section 1, the number of di erent situations that arise in secure email is not so small. Deciding which ones and how many to represent graphically, as well as, which metaphor to use, is not an easy choice. There is probably not a straightforward answer and there is de nitely not a unique one. There are di ering views about how transparent should systems for end-to-end email encryption be [ 1 ], [ 20 ]. In the case of Item 9, it is evident that p p attempts to nd the balance between these two approaches: on the one hand they would like to instill a sense of security provided by the automatic end-to-end encryption akin to other secure messaging and emailing systems, but on the other hand, they would still like to warn the user of potential threats such as a man-in-the-middle attack that they could be susceptible to if they do not verify the corresponding party via a second secure channel (e.g. by comparing the trustwords in person or over the phone).

While over time, we are likely going to recognize more consistency in the symbols used by security and privacy-critical systems, widely-available UI kits or even standardized icon sets, in the immediate term, developers of such systems should devote an equal amount of attention and resources to understanding their (target) users and the di erent dimensions and requirements of their socio-technical proposition. As a starting point, developers, and especially teams without user research/UX pro les, should inform themselves of the general paradigms and design principles that align security and usability [ 23, 13 ], followed by more recent lessons learnt in this highly-challenging domain that brings together the usable security, HCI and UX disciplines. Fine-grained inspiration could perhaps be drawn from the vast body of work on browser security indicators and warnings (e.g. [ 11 ]), in particular, the incremental user-centred approach where proposed designs and changes were validated with thousands of users. Caplin's book [ 2 ] could potentially be a useful reference to some developers in the speci c context of icons in computer interface design, however, as pointed out by Felt et al. "Millions of Internet users have recently come online via smartphones without learning 'standard' iconography from desktop browsers" [ 11 ], thus it is important to acknowledge that the expectations of users in terms of interfaces are not necessarily associated with desktop computing and, in many cases, obsolete metaphors. 6

We reported on a 42-participant study of users' perceptions of email privacy ratings in the context of pretty Easy privacy. Although our preliminary study has an evident limitation mainly due to the limited sample size, the outcome suggests that prospective or rst-time p p users would have a di culty understanding the privacy information communicated by p p.

The ndings call for a broader and deeper investigation that would seek to assert which design choices in terms of the privacy rating statement, explanation and visual icon (shape, colour, metaphor etc.) would need to be reconsidered if p p would like to accurately communicate the degree of protection that it o ers to its users as they send and receive email through its system bearing in mind their experience, awareness and concerns. Our work has triggered a deeper discussion at p p on the existing icon design choices and a potential overhaul of the privacy indicators is being deliberated.

From a broader perspective we believe that further and more holistic analyses of the di erent secure communication systems would be needed in order to identify the di erent types and degrees of security information communicated by those systems, the e ectiveness of the deployed security and privacy indicators as well as their suitability for target audiences with di erent characteristics and levels of expertise.

We are of the opinion that despite looking trivial, this interaction experience should not be in the way of users adopting systems for end-to-end email encryption, let alone a source of confusion or frustration that could result in unsecure behavior or unwanted leakage of con dential information. This is particularly relevant within an organizational setting, where policy and culture may also contribute towards the way users go about employing end-to-end email encryption. 7

Authors are supported by the Luxembourg National Research Fund through grant PRIDE15/ 10621687/SPsquared, and the project pEp Security SA / SnT Protocols for Privacy Security Analysis. We would like to thank the p p team for their collaboration, input and feedback in this project, as well as, the participants of the Human-centered cybersecurity workshop at CHItaly 2019 for the fruitful discussions. Last but not least, we would like to thank the anonymous reviewers at ITASEC 2020 for their comments and suggestions for improvement.