All right, so we finally fixed everything. Have fun with the talk "Encrypted Email from Planet Earth" with Harry, Meskio, Gus and Rabble. Give them a warm hand of applause.

So, the moment you've all been waiting for: the ugliest slide of your entire camp. And the ugly slide is about an ugly reality, which is that 25 years after the deployment of OpenPGP on the internet, we don't have virtually any messages encrypted end-to-end, and this is a massive failure of our community. And basically this talk is going to try to understand how such a large failure happened and what's the sort of different angles about how we can fix it. So I'm going to cover the history of how we got to this somewhat fucked up place, Meskio is going to cover the technical aspects, Gus Andrews from Simply Secure is going to cover the usability aspects, and Evan Henshaw-Plath will cover the growth aspects.

And effectively, you know, we don't want to say that it's been a total failure. Since the Snowden revelations, there are so many great projects. I hope some of you are in the room, you know. Of course, everyone, actually the only thing that works today really is Enigmail and GPG. But we also have the LEAP Encryption Access Project trying to simplify key management. We have Mailpile, which is now at a good state of beta. We have Pixelated. We have the experimental Pond, and of course the most usable, although post-email, is Signal and TextSecure. So we have a lot of good end-to-end products. But I think the real question we're facing is: why weren't all these messages encrypted end-to-end by default? And, you know, people sort of say that the internet was broken by design. Actually, it's a sort of artifact of history, right?
So if you just look at the dates, the fact of the matter is public key crypto sort of rolled out right after, and was under research and development when the core protocols of the internet were under development. So you have TCP/IP published 1973, public key crypto by Diffie-Hellman in 1976, RSA shortly thereafter, SMTP shortly thereafter, and OpenPGP more than a decade after. And of course, you know, it is possible, and Vint Cerf in this quote sort of leans to this possibility, that there were attempts by the NSA and other folks working on sort of end-to-end crypto. You know, of course NSA had something like Diffie-Hellman before Diffie put it in public, before the internet sort of hit the public, and that there is... But the fact of the matter is, regardless, what we've had to do is we've basically had to bolt on the crypto after we've already had massive deployment. And a lot of people are trying to do this now, post-Snowden. But the fact of the matter is we've done it before. As you can see, virtually every major protocol had some form of crypto kind of slapped on it in a roughshod manner, often after it was more fully developed, in the mid 90s.

But the problem which we're now suffering from is that designing protocols is hard, and the fact of the matter is in the mid 90s we really didn't know how to design protocols very well. The assumptions, of course, that people made around the amount of computational power that can be in the hands of average people or government agencies was vastly underrated.
Well, we didn't have any good notions of provable security. We didn't have any notions of state machines when we're building protocols. Algorithm agility has been, of course, a mixed bag at best. While we do have it, it essentially allows a lot of downgrade attacks, and we have a lot of legacy algorithms, RSA 1.15, whatnot, still in the wild, and right now the standards community is in the process of trying to upgrade all these algorithms. We're trying to get off of RSA into elliptic curve crypto. I'm sure you've all seen Daniel Bernstein's great talk on that. But the fact of the matter is we still need some algorithm agility, because, you know, it's 10 to 15, maybe 20 years, 20 years being sort of "we don't really know what the fuck we're talking about", but 10 years being a clear and present danger. We do of course have quantum computation coming up, so we have to start even thinking about getting post-quantum algorithms into our core protocols.

But it doesn't matter what algorithms you put into your core protocols if your actual state machine and your actual ability to prove the security of your protocol is flawed from the beginning. So this is, of course, the triple handshake attack on TLS client authentication. You can sort of see it's a sort of miracle that TLS worked as well as it did. But when you really get down to it, when you bolt this crypto on after the protocols are released in the wild, you of course will open yourselves, by sheer virtue of complexity, to all sorts of attacks. And while we at this point, you know, in the 21st century, understand how to develop cryptographic protocols, what we don't understand at all is designing privacy-preserving protocols.
So typically, if you look at the older protocol stacks in the internet, we were just sort of throwing identifiers around willy-nilly, and we're seeing more and more breaks in this. And even a new piece of software, for example, you know, TextSecure has probably the best post-email sort of protocols, we're revealing, for example, people's phone numbers in multi-user chats. And the fact of the matter is, all the move towards post-email... the thing that all the insecure protocols got right is that they were decentralized, that you could actually run your own, and they were run through a standards body, and we had some core agreement on them. Right now, of course, in the post-email world, where we actually have some chances of getting all the end-to-end security right, decentralization is not being taken account of. So you're basically in secure silos where you can't communicate with each other.

So what I'd like to ask for people to do, before we go on to the actual sort of hardcore problems: if you're interested in these, we really need you to get involved, because the community, to be honest, has sort of fucked this one up. Everyone's producing their own protocols, people aren't cooperating properly. We'll go into this in much more detail. But effectively there are some places where you can really make a difference and standardize things: Modern Crypto, where most of the good post-email discussions are happening; if you're interested in actually getting PGP working, the IETF OpenPGP working group, chaired by the wonderful DKG, has finally reopened at the IETF; the W3C is trying to look at how we could actually make JavaScript not such a nightmare, in the Web Security IG. And of course there's a huge policy debate, and you can sort of say that this is just solutionism, that we're trying to solve mass surveillance by just throwing out protocols which are secure and encrypted and privacy-preserving. But, you know, if you want to try to solve the laws on this, good fucking luck.

So next, Meskio.

Can I get... okay, great.
So let's get back a bit to talk about email. As he said, it's been already almost 25 years since PGP was invented, and still no one... sure, probably in this room almost everybody uses it, but we are a tiny minority of the world, and most of the communication, of messaging, is actually unencrypted. We won the crypto wars. It looks like we already got really far with crypto, but at the end we didn't reach how to make it available to everybody.

Many people are saying that there are many problems in OpenPGP. I completely agree. Like, we have huge metadata leakage. We are learning from Snowden that metadata actually matters a lot. As the NSA says, we kill based on metadata. So for example, we have this thing that we call the web of trust, that to certify keys we sign the keys of each other, and that leaks a lot on our network of friends or contacts. We have headers on emails, as in SMTP, that actually put all the emails in clear, all the metadata. We have many other problems, like forward secrecy. Now it looks like it's really important that we have protocols that preserve your privacy in the future, and it looks like OpenPGP is not doing it. We have many problems with key management, like people are not understanding how to use keys, and it is actually a hardcore mental problem to understand how this public and private key works and how to sign them. Learning your... so everybody's saying that email is screwed, that we cannot fix it.
I do agree email is screwed. But I... oops. I'm still concerned how much is actually all these problems that I show problems of OpenPGP, or not just the implementations that we have right now on email. So I love... sorry for my voice. I love all these projects that are coming out, like Pond, with persistence, or... yeah, sorry. Yeah, so, sure, I love all these projects that are trying to reinvent messaging. It's amazing that people are experimenting with that; we need it. But the reality is that people right now use email, and if we come out with another email solution we will have one more in the stack, and it's going to be a problem to get actually mass adoption of it. So I think we're gonna still improve email. Probably we cannot fix it, but there is a lot of effort right now on many projects trying to improve it, and it might be worth it.

I want to mention some of the problems that I think are there and that I think can be improved, like key management. Gus will show more things on that. I think there are many problems on key management that are actually usability problems on the clients. So actually we are used to implementing crypto software in a way that we expose the users to all the tech details of the crypto. So for me, actually most of the problems that we have with key management in email are actually usability problems.

We have some problems of availability that... all these problems are actually common to all the messaging platforms, I think. And availability, to have many devices connected to the same thing: most of all the new protocols are having problems to solve the issue, and email too. We have problems: how do we deal with keys to have actually several devices that have them, that want to access our email, or how do we rescue our email if we lose the device?
Asynchronous communication is a basic thing on messaging, and forward secrecy and asynchronous communication have many issues to deal with together, and it's a fairly hard problem to solve. Metadata, as Harry said: even we persist, and that is amazing, things have some issues with that. Group communication: like, public crypto is actually meant for one-to-one communication. All the crypto protocols that we have are meant for one-to-one, and it's really hard to find a solution to make protocols that actually work well in groups.

So it's true that we have many issues that are really hard. I don't think that this is specific to email. I think they are general for messaging platforms, and many projects are working on trying to improve that. And there's a really interesting project called Memory Hole that is working on hiding headers on emails and signing headers, so basically moving parts of the headers to the body of emails when you sign them. There's the URL there. Oh, I don't think you can see it.
But anyway, Google for Memory Hole. It is in the process of trying to standardize, and the nice thing of the project is that it's joining the forces of many different clients, like Mailpile or Enigmail or LEAP, which are working together on this project.

There is CONIKS. CONIKS is a research project on trying to get the authentication of keys done by certifying keys from providers, and by having a proper verifiable way of checking that the providers are not giving certifications of keys, different certifications for different people. And I think this is going to be probably an interesting future on how to simplify the user experience on how to get the right keys for certain people.

Okay. And there are many people implementing secure email, like LEAP, where I work, or Mailpile. Mailpile exposes you to crypto, but they're thinking a lot on how to make it really easy to use. Whiteout is also there doing really nice things. They do a plug-in for the browser, and they have interesting protocols on how to synchronize keys between multiple devices. And yeah, I think I can pass the voice to Gus, who will talk about usability.

Okay, I want to thank you all for coming. It's becoming increasingly clear there are many things to do at CCC, so it's very exciting to have so many people in the room. I'm Gus Andrews. I am currently the secure usability, or sorry, a security... secure usability senior fellow at Simply Secure, but I should say... hello. No, no, no, no, how are we doing this? Down or space? There we go. Okay, one at a time. That's good.
Okay. So I should say I'm not speaking for Simply Secure. I wear many hats, one of which is an organizer at HOPE, Hackers on Planet Earth, one of which is the producer of a digital literacy show called The Media Show. So here I'm mostly speaking from my experience working with a number of tool developers in this field, and that also included my earlier work at OpenITP, the Open Internet Tools Project. Also, I should say I'm from Southern California, and I tend to talk really fast. So if you see me talking really fast, say "slow down". Just give me the little "slow down". I will try to do what I can, try to not speed.

So I'm assuming that many of you are in the room because you want to help people encrypt. How many people here want to help other people encrypt? Yes, of course. How many people here would actually like to build or work on an encryption tool? Fewer. That's okay. That's good. It's nice to see some people in the room. Don't. What I really want to say here is: don't make a brand new tool. One of the things that we have too much of in this space, and in open-source tools for security, is too many tiny, tiny teams with people working one by one. Don't be a cowboy. We don't really need more of that in the space. Find existing projects, hook up with them.

Also, a caveat: if you happen to be here, you probably have figured this out by now, if you're here because you want to encrypt your stuff, this is probably not the talk for it. You may want to go find a different talk or a hands-on workshop. Just in case there's anybody still hanging out going "what's going on here?"

I want to say, after sort of talking with a number of tool builders in this field and working with them for a while, it seems like there are a number of trade-offs that developers have to make decisions about, and these impact how usable these tools are. Frequently what we see, and I hate this phrase because I'm a perfectionist, but we see that the perfect ends up being the enemy of the good, right?
So you end up striving for perfection and then sort of not ending up with something good. And these are the trade-offs that sort of do that.

There are a number of tools in the field that are struggling with whether they should support experts who already know how to encrypt or whether they should support newcomers. I'm not going to call out the names of most of the tools that I'm talking about here, except if they're doing super awesome things. This is an interface from a tool which had been saying "we're going to provide an alternative to Dropbox within the next year", and this is the interface they're offering people. They're not working on a graphic interface beyond this right now. So you'll notice that this actually requires the user to go into a config file, highlight a word and change it. So that means they need to know what to change it to, and need to not accidentally paste in the entire contents of, like, you know, the Book of Kells or whatever they have on their clipboard into this accidentally and screw the entire config file up. That's an awful lot to ask, frankly, because users... you know, generally what you want to do is err on the side of not letting users make too many mistakes. And this URL... not only does this config file contain much of what they need to do, but they also demand that the user jump between this config file and a web browser at undefined moments. So a lot of people find this super counterintuitive.

So this would be more supportive to experts who want to go in and say, oh, you know, I want to change how long it is till timeout, or how many different servers I'm sharing these files with. The average user isn't going to need that. The better solution here for making it usable for everybody is to hide a lot of the settings deep in a menu someplace.
They can still be there. Just don't make this the number one thing that people have to interact with.

Similarly, along similar lines, we are sort of struggling in this field to strike a balance between educating people and just making it bloody work for a change, right? So there are a number of really great training curriculums in the field. Tactical Tech is here. Go find their Security in a Box thing. It's great. The EFF has security self-defense. LevelUp has been doing a really great job with training us how to train other people, and they are pretty great. CryptoParties also. I'm a little bit concerned that CryptoParties are sort of using, you know... I don't know that we have demonstration that they encourage people to use encryption in an ongoing way. So I'm sort of looking to see them, you know, improve their methods, spread their methods to other people.

Any of this education is up against the thing that people use on a regular basis. For many people, it's the iPhone. There, it has one button and you poke it. That's all that happens. In this day and age, most users are not usually used to going to an entire training course to learn how a piece of technology works. So we're asking people to make a massive trade-off, right? We're asking them to learn a great deal to use these tools, and that once again makes it less likely that those tools will be adopted.

Let me see. Yes. One thing that you developers can do here is consider using graphics to explain things, rather than just doing a whole lot of, like, writing out text. One of the developers in our field said, when I was talking to them at one point: "More options is never the answer. Every single word we add to the screen is a new chance to overwhelm and confuse the user." That's every single word.
We're not talking about every button, but every time you feel like you need to write something out, every word can conceivably confuse people. So writing and editing matter, and that's not something that necessarily everybody's thinking about.

Education also: the more you have to train people, the harder it's going to be for them to adopt things for permanent. Right, so once again, some tools are erring on the easier side than others. Cryptocat: like, when I had a journalist come to me the other day saying "help me encrypt my sheets", I took them straight to Cryptocat first, just to make sure that we had a secure channel that probably nobody would be looking at, and so we went there. By contrast, here's another app that shall go unnamed that is asking... This is the wizard that every user, I believe, has to go through in order to set up a separate connection on this. And that is really, really complicated.

Ideal security versus ease of use: many of us are planning for attacks that people may not ever... You know, like James Mickens said, you have a couple of threat models: either you're facing Mossad or you're not facing Mossad, right? Like, so yes, there's some stuff in between, but you're either facing a really, really serious actor or, you know, there's much more simple things you can do to fix things. One of the programs in our space was like, "Oh, we're really worried about the attack where the attacker can look at the phone and see where you press the keys and, like, look at the wear on those." So they scrambled the keyboard. The sheer amount of cognitive work it takes a person just to type in a simple thing like a password, which is already very confusing for them, is significantly harder, and it's more likely for them to give up when they see a keyboard that's been scrambled like this. I've also, you know, had people ask me, you know, "Oh, let's make sure that the users can see the certificates for a VPN." And when I did an
interview with a bunch of VPN users, and then also people who ran VPNs, even the people who ran VPNs said, "I never look at the certificates on my VPN. Like, it's just good to know that they're there." But, you know, so a lot of the times users are just not where we are in terms of thinking about how complicated and taxing... Once again, putting settings further down the menu can help make that easier.

Gathering metrics versus protecting privacy is another huge trade-off in our field. My first day working at the Open Internet Tools Project I was like, okay, let's find out what users are actually doing and where they're having problems. So let's look at some metrics. And I was told: no, you'll never have metrics. You may not have them. It is not safe for our users. You'll never protect their privacy that way. But then as I got to know tools more and learned what they were doing, I learned that, like ChatSecure in the images that you see here, you know, if they're in an app store, if they're in the Google app store, if they're in an Apple app store, there is some data being collected. You can see here that I've got the data from Turkey, Ukraine and Belarus, and I was trying to match this data to figure out whether particular events were spurring downloading and installing of this. You notice that in Turkey, you're looking at the blue, which is sort of in the background behind the orange, it does look like the protests in Turkey actually saw an uptick in the number of people downloading ChatSecure. By contrast, the protests in Ukraine, which is the middle line there: no perceivable impact as far as I can tell. There's just been steady growth in use in the Ukraine. And I included Belarus there to say, yeah, they're collecting this data, and we actually kind of learned some things. I think it'd be interesting to go in and go, why Turkey? Like, why did Turkey pick up these apps and Ukraine didn't? But you'll also notice that the numbers are so small in Belarus that it is still possible that you could disambiguate and find
out who a particular user was, and that might be conceivably an issue. But it's worth also talking to users about how they think about these things too. I had some users that I was talking to, I'm trying to remember whether they were journalists or activists or who they were, but they said, "Oh, we thought you were gathering data to find out how the tool was working. So we're actually surprised that you're not doing it." So... And then we heard also... SecondMuse, we'll talk a little bit more about later, did this wonderful project researching with bloggers and journalists in Vietnam who are faced with jail for speaking out against the regime there, and the journalists and the bloggers said to them, "Yeah, we give Facebook all of our correct information about who we are and where we are, because why wouldn't we? Like, we aren't supposed to trust Facebook? Like, we're working with Facebook. They need this from us, right?" So talk to users before you make assumptions about what their privacy concerns are. I think we need to ask a little bit more and think about what we could be collecting, and Evan will talk a little bit more about metrics later on.

So looking at these tools, what are the things associated with projects, tools, that are more usable? Do they have big teams? Not necessarily. I had one team, I was giving them a sort of "you should be fixing this with your usability, you should be fixing that with your interface", and they said, we're not Google.
You're not being fair And I said well no actually I was comparing you to mail pile like mail pile as a team of three people shout out to mail pile I can see you in the room Mail pile was a team of three people And their interface looked very new and up-to-date and I actually had people confuse it with Google So it was nice and clean and simple to use So it's not about How big your team is how many people you're working with but it's where you choose to allocate your efforts the team That was whining about not being Google had 11 people on their team They've been around for 10 11 years and yet they're still not creating usable interface because they don't have anybody who's dedicated They haven't found somebody they haven't prioritized giving their resources to a person who is actually going to build a better interface That's what really matters if you have somebody who is who has a dedicated UX person you tend to see a more usable interface That said still having a team of one to two people is not optimal I had another team say to me we are only going to have two developers working on this project because If we had any more than that you when you know when you add more developers The number of bugs goes up exponentially and I'm not sure I buy that because their tea tool is just still not usable And I think they're still having trouble stomping other bugs This is sort of the most important thing and I think Evan's gonna talk about this as well Good projects usable projects observe their users and they listen to their users They do it early and they do it often the what you're seeing here is Storymaker which is sort of a tool peripheral to this space has printed out all of their interfaces and They've invited a bunch of potential users in to put a bunch of post-it notes up and go Well, why don't you just put these two on the same screen or this looks confusing to me? Or what if we had a button for this right? 
So that's one way to begin to get feedback from users, which is, you know, pretty low impact. You know, like, people don't necessarily have to say who they are when they're putting these things up there. And, you know, it's very easy for people to actually comment on what's actually going on. There's a lot of tools out there, you can ask me for more of them, for doing this as well.

Don't use mailing lists. Oh, I just... I don't even know why. When some developers, when they're saying "yes, we listen to users", they say, "Oh, yeah, we have a mailing list." You're asking people to constantly be in their mailbox all the time, frequently with also your developers there, or your more technical users. You're going to have your developer in there who is constantly yammering about how he wants to take this build and make it work on his Raspberry Pi with his custom brew hackety, you know, version of your software. Don't listen to that guy. That guy is gonna overwhelm your mailing list and drown out all the people who have very quiet... their very quiet concerns that they aren't necessarily even sure they can speak up about, you know, things that they think are their fault. I was talking with some trainers earlier, and we were sort of saying a lot of the time users think things are their fault. So they're not even going to speak up, and if the discourse is all about, like, you know, perfect forward secrecy, people are gonna start to drop out and you're never gonna hear from them.

Going back to the idea of talking to your users: only a quarter of the developers I talked to actually say they talk to users before they start developing their software. How do you know what people actually need? Maybe people don't actually need encryption. Maybe they need more help with their Facebook settings.
Maybe they need some way to protect their mobile device better. Maybe they don't actually need to encrypt their email. You need to listen before you develop a tool. And then also, still, once again, only a quarter of developers actually talk to users afterwards too. So this is something that our open source developers really need to improve on: talking with a number of people. I'll talk more about how to do that in a bit. Other people working on your code base don't count as users. Don't count those. Also, don't only hear from people on GitHub, because once again you're pre-selecting for people who are highly technical, and you're not gonna find the real pain points for average users.

Thank you. Thank you. Thank you. Also, yes, I appreciate that.

So, yeah, another thing we don't see enough of in this field is reliance on standard patterns. I went looking for this one particular tool that once again will not be named. This is the interface, the image in the background is the interface. I'm not sure why it's so stretched out and weird-looking. But these sort of weird swoopy bits, the fact that it's asked for "number or address" at the top... This is a SIP client, once again. When you ask for "number or address" it gets very confusing. And I was doing user tests on voice tools last year, and a number of these tools, because they also supported regular phone calls, were leading people down calling on a POTS line, a plain old telephone number, and those calls would be insecure. But because you give people a phone keyboard, they're gonna click those, and then they're gonna make an insecure call. So people are introducing things into their interfaces that are actually causing people to be insecure.

Don't roll your own interface. There are patterns out there from OS X, from Android, from, you know, probably from Google as well, that will say, you know, when you're designing, please do this, use these colors, give this much space to such and such a thing.
Those are free. You don't have to pay for them. Go out and find them. There's one URL from there, and I think I've got more in the links for this talk as well.

The other thing about this interface that I was... oh, you can't quite see it there. You can see it on that one. There's a weird little orange button at the bottom. What do you think that button does? Anybody? Yes? Pulls up the keyboard, right? I don't think it did. It did something else entirely. It was this weird little orange basketball button, and it did a totally counter-intuitive thing. What you're looking for when you're using a standard design pattern is for somebody else to have made all the mistakes for you first, right? And then go and find out what they've already learned about how to not make interface mistakes. There's a lot of knowledge out there about interfaces.

Okay, what else should you do in order to help people get encrypted? What you should do is you should build a new tool and roll your own encryption. Have we learned nothing? Okay, no, don't do that. No, because you wouldn't... you wouldn't build a left... what? Yes, I know. Sorry, you wouldn't... I'm just getting riled up. That's all. You wouldn't put this shit in a computer in a pizza box. So don't build your own. Go out and find people, first of all, other people who are developing tools. Don't be a cowboy. Go find other people. Then go find users to speak to who are not like you. Observe them. I'll be talking a little bit more in a second about why "observe" is more important than "ask questions". But listen to them and don't interrupt. The key thing is to look for places where users get confused and/or stop. And especially if you're the developer of the tool, the instinct is to go, "Oh, no, no, no, what you should actually do is..." Don't do that. I have put Meskio on the spot. I've looped him in on user tests for Bitmask earlier, and he was utterly stoic about this.
It was great. We put him on a video conference so he could see what the user was doing on the desktop, and I muted him so he couldn't actually speak up and go, "Oh, no, no." And so he had to suffer through the users going, "I just can't make this work, I can't." And it hurts and it sucks, but get used to it. It's just the way that this is going to go.

Right, when I say observe people: don't use focus groups. Focus groups are probably the reason, if you think the soft sciences are soft and creepy and squishy and weird, and it's just people's opinions and a bunch of stories, that's because you've probably heard from people using focus groups. And focus groups have a very deep bias towards people responding to other people in the room and doing what they think they should be doing or saying what they think they should be saying. So that's one tool to avoid in general. What you learn when you do social science research is that self-report data is unreliable. When you're just asking people what they do, they will tell you what they think you want to hear. It is better, whenever you can, to observe them actually doing a thing, and you find so many wonderful, amazing mistakes. You just ask people, "Why did you do that?", and then they can clarify, you know, their understanding. For more about why you should use certain methods, I did a talk at HOPE last year. I'm sorry, not 2014... yes, last year was 2014. Time goes quickly. Okay.

Right, but where, though? Where do I find these people I should talk to? Librarians are your privacy allies, in the United States in particular.
They are obligated to help protect their users from, you know, governments' mandates to go in and look at people's records. So they are interested in the things that we're interested in. Also, they work with their digital skills teachers. They work with populations of people who are interested in learning more about computers but, no, that don't know that much. Non-governmental organizations, absolutely. Human rights organizations, LGBT organizations, absolutely go talk with them. They have people who want to learn about these things too, and you, it's, they have easy cases to explain to them why. Formerly incarcerated people as well, people on welfare. Coffee houses: I know the Whisper Systems team just goes out to coffee houses and asks people, and that is a very brave thing. That minutes... oh gosh, I'm super running late. Journalists, also totally our allies. Ask people, like, if you've already interviewed one person or worked with one person, say to them... I'm sorry. Go back. Oh, now we're totally gone. What happens? It knew I was going... there we go. Okay. Okay. Okay.
Don't ask your family and friends. There's this thing called biasing of network effects. You're gonna end up hearing things, you're not gonna hear from as a range of people if you ask your family and friends. Watch what questions you ask. If you ask, "How often do you encounter blocked websites?", what you hear back, what you're expecting, is that people know that things are being blocked, right? So don't do that. Ask, "Do you think you're being blocked?" Don't ask, "Do you encrypt?" People may not know what that means. Ask, "How do you protect your privacy?" Don't ask, "How do you face censorship?" if you're talking to people in China especially. I had somebody get up and walk across the room without even talking to me anymore. Yeah, he couldn't even be seen with somebody who was talking about censorship.
So yeah, that's pro tip: don't talk to people in China about censorship. Move from general questions to more specific questions, and this will work for you, I promise.
This great anecdote that we have from a circumvention tech festival in Valencia is that, you know, Nick mail came in. They had only been hearing from people on their mailing list. Look at that mailing list and how dense the amount of information is that they need you, the user, to read and that they have you, you have to give to people. And he came in and he was talking with a number of people who trained journalists and activists, and the people were coming up to him and saying, "Thank you so much. You've saved my friends. You've saved my family. Your tool is just central to what I'm using." And he came away saying, "I have learned more in the past five days of talking to people than I have in the past five years on our mailing list." He also said, "And people were hugging me and I felt really bad because they had all these serious problems, and yet I, you know, I'm just this guy who codes things, and I felt really awkward," he said. And then he's like, "But that was really good. I know I should feel really awkward." So it was this total come-to-Jesus moment. We promise you, if you talk to people, it would be great.
We've developed some personas if you can't go talk to people. These are some idealized situations with particular kinds of people: LGBT activists, human rights activists, journalists in Vietnam. Check out this particular page. Those are open source previews. Like I said, SecondMuse has done some wonderful reviews of what the Tibetan exile communities and what Vietnam's digital activists need. Check those out as well.
To-do list. I'm just gonna go this really quick and then I'll let Evan talk. Is that feedback, by the way, that I'm hearing? Whoosh. I think that's something else nearby.
Okay. Um, before you build tools, ask people what they need. Don't build anything that they don't need. Test early with people, test often. You may not have a working prototype to give them, but you can always print out your interface. You can even sketch out an interface and say, "Where do you think you would go if you were going to, in this interface, if you're going to encrypt your, or make your emails safe?" Right? Find other people to work with. If you have an idea for a project, don't work alone. Go find designers to work with. In particular Dribbble, D-R-I-triple-B-L-E, and then also Modern Crypto project are great places to go find designers who are interested in helping. Take settings, put them in a menu. Trainers I hear from say that they want the help for a given app in the document, not on the web. Try using graphics to give instructions. That's really helpful. Evan will talk a little bit more about metrics, and, yeah, and if you can't come, if you get to use a research yourself, come talk to Simply Secure. We actually have a mandate to help people who are working on tools in the space, and we'd love to help you out.
So we're not moving. Yeah, so... Yeah.
Okay, so I want to, in the last five minutes, talk a little bit about why, why open source and free software that we've been writing hasn't been getting mass adoption, in particular secure communication software, and why people are using startups' or corporations' communication software and why they're not using our stuff. And in particular,
I want to encourage us to steal ideas and techniques from, from the capitalists in the startup community, because they have ways of making software work that, that are needed. These are sort of startup techniques, and so some of these techniques may seem sketchy, and they certainly are different than the way community-developed software has been created, but I think they're the reason we're losing. Because if you have two kinds of software that are being developed, and one is just going in and you're, you're thinking about what you should develop, and you only have programmers contributing and you build it; you have another kind of software which is concerned a lot with how it gets adopted and used. Even if that other software is not so good, they're gonna be really good at getting people to use their stuff. And so we get people using Gmail because it's, it's really good at getting you to use it. And those techniques are things we can use as, as developers when we want non-developers to use our software.
We need to stop thinking about scratching our own itches. For the, the ultimate free software is, you know, every developer out there, everyone will be a programmer, we'll all just scratch our own itches and we'll build stuff. And it's great for software aimed at other geeks and developers. But for privacy software, for encrypted email and encrypted communications, we need, we need a broad spectrum of society using it to provide security for everyone. And so we need to not be just providing tools that a small group of people can use. So we need, we need to build things that, that people will use. We need to build things that people want to use, build things that people love. And you do that not by having a great vision like Steve Jobs has of, oh, the light bulb appeared over his head, but you use a set of techniques and use a little set of experiments.
And so I think, even though you look at the sort of lean startup, customer development, you know, ideas of product-market fit, and it sounds very alien to this community, but the idea of launching things quickly, getting feedback, learning and iterating based on use is something that needs to be done in this community, rather than just saying, "Oh well, we know about these hard problems, we're gonna go off and spend a bunch of years developing." You know, LEAP is doing really interesting work in terms of development, but they, they wrote down all their hard problems and then they sat in front of their computers for a few years and worked on solving them, and hopefully they built the right things. But they really should have learned whether or not they were going down the right path and everything else before they started writing code, not a couple years later.
And the startup world, because it's dependent on money and people are running out of money, they're very focused on learning quickly as possible, and, and we need to be doing that. You know, there's a, a term called growth hacking, which is basically figuring out how to get people to use your software and how
to get them to keep using your software. And the normal hacker community that's building all these tools doesn't think about growth hacking. We launch the software and it will be good, and we do some about pages, and then people will sign up and use our software because it's great. And that's not the way it works. Or more to the point, if you have one set of tools which are closed source and not secure, but they're really good at getting people to sign up, and you have another set of tools which might be great technology but don't figure out all the tricks to get people to sign up and stay using it, that software will never get adopted. Like, it doesn't matter if we solve the security communications problem if we can't get people using it. If we can't have them discovering the software or signing up for the software, using it, promoting it to friends, coming back and using it again, the security aspect of it almost doesn't matter if we can't, if we can't grow the user base.
Um, we need to learn quickly. We need to figure out ways in which, when you're developing software, when we're launching this stuff, you learn within hours and not months. You know, when the startup world launches software, they don't write the software first. They launch the page that describes the software, and then they have the, the sign-up button. Dropbox: everyone's talking about a secure alternative to Dropbox. The first version of Dropbox was a video that was put on YouTube. The software didn't exist. It didn't work. What he did was he put up a video of what he thought the software would be and got tens of thousands of people to sign up for it, and then everyone who signed up for it, said, "Join the beta program. Oh, I'm sorry, the beta program is full." It didn't exist. He got the users.
He sold the software first and then he wrote it. And the secure communications community spends tons of time writing the software and never figures out how to get anyone to use it. So we need to learn how to learn quickly and not learn very slowly. The, the, the game of getting software adopted is how to make it around this loop as quickly as possible, from ideas to building it, to launching a product, to measuring the data, and then learning again. Now, if you take a year to do that cycle, you're gonna lose to someone who is taking a day to do it. So we need to figure out how all of these tools can learn really quickly.
We need to be testing everything. We need to be testing every aspect of our software. Every feature you write should be written in such a way that it's an A/B test, that you have a set of data and cohorts so that you know changing the login interface or making all the buttons purple made your software better or worse. Right now, we don't know whether or not everything we launch makes things better or worse. We don't know if we're improving things. We don't know if, not releasing a new version, you'd get the same level uptick. You know, Facebook has no idea where they're taking their platform, because each engineer just launches little experiments to small percentages of the users. So they don't know where they're gonna do it. They don't know what to improve it, but they knew they want, they know they want you to keep, you using the site and keep that engagement. And so as long as they are playing the game of "let's do 10 million tests a day to see how to make our software more addictive" and we outside that space aren't playing that game, we're not going to make addictive software that people use as their primary communications medium. And so as long as we don't play the game of how do we make this software better in everything we do, how do we collect data on its use, our software...
We'll get, we'll get, you know, it might be great software, but it just won't get adopted. And making secure email and communication protocols, it needs to get adopted. Otherwise there's no point in doing it.
The last thing I want to talk about is something that's very popular within the startup community. It's something called pirate metrics. It's a, it's a very simple idea of how you acquire users. And it has, this is it simplified down, but basically it says for anyone using your software, you need to acquire the user, as in get them to go to your website. You need to activate it, which means get them to, to sign up and create an account or download the software. You need to keep them there. You need to make money on them, because this is a startup world, so they're doing that, but we can change that, so you just need to keep people using the software on a real basis. And then you need them to refer other people. And you can track the growth message, message sort of metrics of programs by this. So every single project that you work on where you want mass adoption, you have to be tracking these numbers. You have to know what percentage of users go on to the next stage and what percentage of people refer to others, because that's how you get viral growth. And, and we're not going to get that growth just at, you know, hacker meetings where we're signing each other's keys.
You know, it's, it's a race that we face. It's a race between different applications to get secure communications. We need to win that race, and right now we're, we're not going to win that race. Right now we have all these different projects very bravely and valiantly fighting out there, and we're not learning quickly.
We're just sort of going with the flow, and as long as that happens, we won't build better software and people will still use the insecure alternatives. So if we do this, if we think about it, there's lots of easy wins. There's lots of easy ways to get the software adopted more quickly. We just have to look beyond the normal open-source community. I want to thank you.
Thanks a lot. So we have a few minutes. We have a few minutes for Q&A. If you have any questions, please line up in front of the microphones. If you decide to leave early, please do so quietly. Any questions? And science... What if I make in their way there? Ah, over there, the one with the blue shirt. Sorry. Please.
Hi, I have a question, actually, about usability. Is there going to be anything else going on that you're participating in with the camp to, to do more exercises around this and learn about usability? And then secondly, do you have any references around helping people who want to become more product people to learn this? Because it's a whole different, like, skill set than understanding the technology and the encryption and all of that stuff.
Yes, totally. Absolutely. Thank you for asking. I will pitch that I am, well, this is sort of more a one-on-one thing. I'm actually going to be going around, hopefully, user testing a couple of encrypted email clients. So if you want to come in on that, that can both sort of, like, show you how I do user testing, and then also you can help me out with the testing. I can show you the rig that I use and things like that. In terms of resources, actually, one of the things, Evan used to work at an organization called Neo, and some of the folks at Neo put, produced a book called Lean UX that I'm very fond of. It does a lot of sort of teaching, like, sort of giving you the general shape of, like, how to, just how to sort of iterate quickly. I think that's sort of the main thing that's about, interface-wise.
We also released a book called Talking to Humans.
Yeah. Both of those books, the Lean UX book and the Talking to Humans book, are about how to do this process for developing software, and I recommend that you read them.
Yeah, I think there's also a book... What was the one? I recommend, if people are interested in getting involved in this, Simply Secure has a Slack channel. If you mail me at Gus at simply secure secure.org, I can get you on there. And we will be talking about things there, and periodically people post resources there as well. We've got some really amazing people in there from IDEO, from Nielsen Norman Group, from, like, the gold standard groups in usability, and so it's just been a great discussion there. We highly recommend you join us there.
Right. Thanks. Over to you.
So, this is a race. Don't you think that email by itself will lose the race to other forms of communication, and that we should focus our efforts to improve other forms of communications instead of plain old email?
I mean, I can, yes, that, so, I mean, I'll try to address that really quickly, which is: it is very possible, and part of me really hopes, that in five, four years I come back to the chaos computer camp and everyone is using end-to-end encrypted post-email, Signal or whatever. Unfortunately, people keep using email, and the reason people keep using email is, even though people are slowly being sucked in these silos, you know, Gmail, etc.
Which are nonetheless email, there seems to be something about the fact that you do have a baseline of interoperability, yes, between, in, I can email you, of course, from Google to Yahoo, etc., etc., to Riseup. And we do not have that interoperability right now in post-email and whatever the fuck comes after email. And until we get that, and I work for standards body and we'd love to have you all come to us and sort this out, I highly doubt we're going to get post-email. In fact, what we're likely going to get, rather than a decentralized, secure end-to-end email, is we're much more likely to get everyone on a terribly insecure Facebook Messenger and pray to God that Moxie and Trevor fix WhatsApp, and we'll basically be stuck in centralized post-email silos. That's the current trajectory, because these silos are doing the techniques that Gus and Evan are talking about and we're not. And this is a problem, for me at least.
Couple more data points on trends here. One of them is the reason we are kind of stuck with email is business. Like, business still works with email in a lot of ways, and I think that's going to be sort of a big immovable object. The other large object with a great deal of, of inertia is China, however, and, like, the country of China, where email is just not a thing. So it'll be interesting to see whether that has an influence, whether, you know, increasing business and growth in China somehow moves us away from email in that way.
But do you really want a future where we're all using QQ? I mean, this is terrible.
It's WeChat use, people using, China.
Okay, thanks. We got time for two more questions. So over to you.
Just, just a quick one. Apologies, we missed this at the start, but what's the best way to get in contact with you all?
Oh, let me actually bring that slide back up. I'm sorry. Interfaces, they're just terrible. Yes, I hadn't mentioned: it's not just us, all technology's broken.
So... There we go. All right, so that is... Yeah, that's Andrew's work. So...
Hey, you in the right, in the red t-shirt. Question?
Yeah, just a short one. Basically, are you developing on any open source projects on your own?
The... Didn't I say don't do that?
Basically, the, you said you should talk to users before starting a project, and I think basically that's missing the idea and motivation behind most open source projects. I think most people started just because it is cool. We want to have it on our own.
Yes. So, yeah, my cool project is talking to users for open source tools.
Well, thank you. Thank you very much. Could you give our speakers another round of applause? Thank you very much.