I: If we can get started, the first thing I want to do is get a sense for your background: can I ask what you studied in school or what your area of employment is?
I’m currently in marketing and sales.
I: Marketing and sales you said?
Right.
I: Did you study anything in college?
I didn’t go to college.
I: The next question is: how comfortable and familiar are you around computers?
Very. From a user standpoint anyway. I don’t know very much about programming but I’ve been using computers for over twenty years.
I: In your daily life, what kinds of things do you do on the computer?
I do everything from word processing to graphics editing to watching videos to doing surveys to messing around on social media.
I: So, as a user, you feel pretty comfortable.
Oh, sure, yeah.
I: What kind of devices do you have? Smartphone, tablet, laptop… what do you use?
I’ve got a smartphone.
I: Do you have a computer?
I do, yeah, I’ve got a desktop. Just a desktop and a smartphone.
I: The last question in this area: when you run into problems with your computer or your phone, what is your approach to solving them? How do you handle troubleshooting?
If it’s something I’m not familiar with, I Google for help and find something somewhere to show me how to fix it. I’ll usually just type in exactly what the problem is.
I: So let’s say you Google the problem and either you couldn’t find a solution, or you did but it didn’t work, what would you usually do then? Who would you turn to for help?
I have a friend who knows more about computers than I do; she’s a programmer. I would call her and see what knows.
Right.
I: So with that, why don’t we move on to the topic for today’s interview. My first question is: what comes to mind when I say the word ‘encryption’?
Encryption? Disguising text or other media or material so that it can’t be viewed by unauthorized persons.
I: What kind of imagery comes to mind when hear the word?
*laughs* The only imagery that comes to mind is a string of gobbledy-gook ones and zeros; that whole sort of thing.
I: Okay, yeah, that’s pretty common. Do you have any idea where these impressions of encryption have come from? Have you read about in the news? Have you seen it on TV? Have you heard about it from friends?
I missed the first part of that question?
I: I was asking what were the sources where you’ve seen or heard encryption. Is it the news, is it TV, is it friends—where are you encountering it?
Occasionally on the news or TV. Mostly on the Net and various news and informative sites and articles mention encryption fairly often.
I: Do you feel like you make an effort to inform yourself on computer news? Or is this stuff that you run into when it’s so big that it’s all over the news?
You know, I kind of keep up on that sort of thing. It’s not something I’m looking for every day, but whenever I come across something that sounds interesting in the news and in my news feed that’s tech-related, I’ll read it.
I: You’ve mentioned that you’ve kind of heard encryption in numerous places. Is it something that you’ve ever made an effort to try and understand?
Nope. I don’t really have any need for encryption and [unintelligible].
I: Okay. Alright then, so why don’t we move on to the next thing. In my email to you, I’d asked if you could have a pencil and paper next to you, do you have those?
Yes, I do.
I: Great. So the next part is the diagramming exercise. Like I said in the email, the point of this isn’t to test your artistic ability or anything like that; it’s just to help me get a sense for how you visualize these things. I’m going to ask you to engage in some diagramming, don’t worry if your drawing is very simple. The important thing is to help me understand.
Okay.
I: If you have that piece of paper ready, can you do me a favor and write the sentence, “This is a message to be encrypted.” Okay. And then can you draw for me what you imagine happens when that message is encrypted? I’ll give you an example. Earlier, when I asked what imagery you had, you mentioned some sort of “gobbledy-gook”. If you could show me 1) what you think that gobbledy-gook looks like and 2) how you come from the sentence you just wrote to the gobbledy-gook, like what’s happening to it. Is that clear?
It is.
I: Great. Go ahead and do that and let me know when you’re done.
[Long pause for drawing] Okay, I’m done.
I: Now, on that same piece of paper or, if you need to, a different piece of paper, can you draw a really simple picture? It could be like a cloud, a tree, a stick figure, anything like that. And then do the same thing, show what happens if you’re going to encrypt that picture. Is that clear?
Mm-hmm.
I: Okay, great. Let’s start with the part at the top where you’re encrypting the message. Can you explain what that second line is to me? You have something on the left and an equals sign and then something on the right and it says one trillion or some very big number. Can you explain that to me?
Yeah, it’s converted to those various symbols to the power I’ve put it in.
I: And when you say “to the power”, what do you mean, what are you describing?
The conversions are that many times or roughly that many times. There should be a key in there somewhere; I thought I put a key in that.
I: So you’re saying it takes the original message and somehow converts it, and then it keeps converting it over and over and over many and many times. After that number of times, what you get is that
gobbledy-gook at the end.
Pretty much.
I: Now you mentioned, there should be “a key in there somewhere”, can you tell me about that?
Sure, a key is so that the user or the receiver can decode the gobbledy-gook and unravel it to get the original thing.
I: Can you describe for me what you think a key is? I’m not quite getting that.
A mathematical formula attached that equates to the mathematical formula used in the original encryption.
I: Okay.
Kind of like “3 = -3” cancel out there.
I: Okay, interesting. Can I ask why do you think encryption is a mathematical process?
Well, it’s… I mean I suppose you could some word process, but at some point it’s going to come back to math or how else are you going to unencrypt it?
I: Is that something that you’ve heard or, if you were going to create encryption, this is how you would do it?
I’m sure it’s just whatever I’ve picked up over the past twenty years.
I: Interesting. When you talk about this key or transformation process being mapped, what do you think the advantages or disadvantages of doing it with math would be?
It would be uniform, it would follow certain specific laws, it would be rational.
Right.
I: Very interesting. My next question is: let’s say you’re encrypting a message, or a friend encrypted a message for you. As a receiver, you just the gobbledy-gook at the end. What would you need to get the original message back?
You would need that key that we just talked about.
I: If you had a key, what would you do with that key in order to get back the original message?
I don’t know; I suppose there’s encryption and decryption software you would enter the key into.
I: Basically, the software would know what to do as long as you had the key. So you would give the software the key and the message, and it would know what to do to get you the original back?
Right.
I: Okay. This key is clearly important; how do you think you would get the key to your friend if you needed to?
That’s a good question because if I was that worried about privacy, I wouldn’t want to just send it over. I could give it them to physically, obviously. Instead of using the Internet.
I: That makes sense. Let’s say you’re a bad guy, and imagine for a second that you’re an attacker, and you’ve stolen this message that’s been encrypted, but you don’t have the key that’s needed. How hard do you think it is for someone like that to get back the original message?
Well, it would depend on the encryption software. As I understand it, some of it’s relatively easy and some of it’s not.
I: Let me describe it this way. Imagine you’ve encrypted a simple message for your friend, and then NSA has it and wants to read it, but they don’t have the key. Do you think that would be something they could do? Get back the original message? Or would that be too—
Oh, yeah, sure. I imagine they could do it somewhere within a few minutes, or a week or two at worst.
I: Okay, so it would be hard for a normal person, but like a government or something, it wouldn’t be that bad.
And depending on the sophistication of the encryption software, your teenager in a basement might be able to crack it relatively easily depending on how much computing power they had, how much they mind, and what they’re doing with it.
I: Okay. Let’s say me, I’m encrypting a message for you. If I encrypt that exact same message several times, do you think the output is different? For example, here you wrote this sentence, “This is a message to be encrypted,” and then at the end, there’s gobbledy-gook.
The output should be tricky, otherwise it wouldn’t be very useful if it wasn’t.
I: Can you explain to me what’s going on with your stick figure down below?
The same thing. I mean, just converting it into digits and then making it into digital [unintelligible].
I: So you’re just converting it into binary first, and then doing the exact same thing?
Right, it would be the binary but it’s encrypted. To answer your earlier question, if I had to pass an encryption key to someone who was not physically close, I could set up some innocuous way to communicate the message like a bulletin board some way. Depends on what form the key would take but I don’t see why you couldn’t do that. You don’t want anyone to look and it was innocuous enough to not draw any attention.
I: Okay, yeah. I’m done talking about what encryption looks like or how it works. Now, I’d like to talk more about how encryption might be used. My first question is: do you think encryption plays any role in your daily life?
Well, sure, inasmuch as sensitive data that belongs to me has to be protected and encrypted in some form.
I: Can you give me an example?
My bank.
I: When you’re saying that they’re encrypting the sensitive information, when do you think that is happening?
When do I think it’s happening? As soon as any new data is entered.
I: You’re saying you think the information is encrypted on their end?
Right.
I: So banks deal with sensitive information; is there anyone else that you think might use encryption that you deal with?
Maybe Facebook. I don’t know how they’d do it, but I guess any site that takes a password must use some sort of encryption, but I don’t know.
I: So why would you associate encryption with sites that use a password? What is it about a password that makes you think of encryption?
Password can be very sensitive information or it can be almost meaningless. [unintelligible]
I think that people in business settings would use encryption regularly, if they’re handling any kind of data that’s sensitive to the company, I assume. They’d encrypt that. There are lots of other reasons that people in general might want to use encryption. If they’re doing something they’d want to keep private.
I: I want to ask the reverse question now. If encryption is good at protecting sensitive information, why might people not be using encryption? What might stop somebody from using encryption?
I don’t need it. My bank, I’m sure, is doing it for me. I don’t need to keep anything that private.
I: Okay. In your case, it’s because anything that’s actually sensitive, someone else is encrypting it for you already.
Right.
I: That makes sense. I now have a couple examples of places where encryption does get used, potentially, by normal people. I’d like to talk about them now. If you’ve never heard of these, don’t worry about it. The first one is smartphone encryption. If you have Android or iOS, it’s possible to encrypt your smartphone. The question I want to ask is: what do you think that even means, to encrypt your smartphone?
I’m sure if you have a lock set on it, the password to get into it may be encrypted. I guess you could encrypt a lot of the data on it. From your contacts to just about anything else could be encrypted. It’s not something I’ve ever actually bothered to look into.
I: Does that mean you don’t feel there’s any sensitive information on your phone?
Nothing I’m worried about. I can lock it so anybody who finds it if I leave it can go and get into it, but I’m not worried about the NSA coming and taking my phone and finding anything because there’s nothing that interesting on my phone.
I: So you feel like it’s not like your phone is foolproof security-wise, but the lock is enough to keep anyone normal out, and anyone else, there’s not anything on your phone worth looking at?
The only sensitive things on my phone are the passwords that it keeps. That’s it. Banking sites. That’s sensitive.
I: If you have passwords on your phone, to your bank, for example, would you ever consider encrypting your smartphone?
No.
I: Is that because you think the passcode lock is good enough?
I think it’s pretty much good enough. I’m not going to lose my phone anyway and anyone more skilled who could actually get into that thing and dig out that password isn’t going to go to that much trouble and time. I just don’t have that much money in the bank.
I: Okay. In that case, why do you think Apple and Google added this functionality to iOS and Android? Why might someone want to encrypt their phone?
I think a lot of people are very sensitive about privacy and these days, they like the idea of being able to encrypt their phone. They don’t like the idea of all their data floating around throughout the Web. They don’t like the idea of the NSA overreaching its Constitutional authority to spy on anyone it wants. It makes them feel a little bit secure.
I: You would think of it more as a privacy concern than a security concern?
For a lot of people, it is a security concern. There’s a lot of people who handle sensitive data. There’s a lot of people that have data that they want to make damn sure it doesn’t get out. But, most people just aren’t that interesting.
I: Okay. The next example that I want to talk about is HTTPS. Have you ever heard of it?
Say it again?
I: HTTPS. For example, on your browser.
Yeah, yeah, yeah.
I: You might have seen a lock or something like that.
Mm-hmm.
I: Has anyone ever explained to you before what those represent?
No.
I: I can tell you right now, when you go to visit a website, and it uses the HTTPS or you can see the lock icon, what it means is that the data that goes between your browser and the website is being encrypted. My first question about this is: what do you think the encryption is doing for you? Who is it protecting you against?
Anyone trying to spy on what I’m doing on that website.
I: And who might be that? Who do you think might spy?
Hacker trying to get a password. Or someone else.
I: How common do you think that is? Do you think this is something that might actually happen to you, so that you would actually need that protection?
I think the chances are pretty low of it happening but it’s conceivable. They might target me randomly sometime.
I: Does it make you feel safer now that I’ve explained to you that the traffic between your browser and the website is encrypted? Does it change how you feel about Internet browsing?
Not really. Any influential site is pretty much already being encrypted anyway.
I: Okay. So even before I pointed this out, you were already assuming they were encrypting sensitive stuff anyway?
Any site dealing with sensitive data, sure.
I: Makes a lot of sense. My last question: do you use any instant messaging apps on your phone? Something like WhatsApp, Facebook Messenger, Signal, Telegram, anything like that?
No, just the text messaging app that came with the phone, that’s the only thing I needed.
I: That’s fine; how frequently do you send text messages? Is it something you use a lot?
It depends. If I’m seeing someone, I end up messaging a lot; otherwise, only occasional.
I: Okay. There are a set of apps, like the ones I just mentioned, that are similar to the text messaging you’re doing, but one of the things they’ll do—like WhatsApp—is they’ll encrypt all the communications you send over the app. My question is: why do you think someone might use something like that? If encryption is protecting us from hackers or from people who are stealing information, well, we’ve been talking about sensitive information, so why would someone want to protect their everyday
communications?
Maybe cheating on their spouse and want to encrypt what’s going on there, or maybe they’re not cheating and just don’t like the idea of their spouse getting in their phone. Maybe someone doesn’t like someone else in their household. I can’t think of another reason offhand if they’re not doing anything illegal. I wouldn’t be ashamed of my messages in my texts anyway.
I: So you feel like when it comes to something like this—daily communication, not talking about bank information, passwords, stuff like that—the only reason you’d want to encrypt that is if you have something you want to hide?
For the most part. That’s all I can really think of offhand. I’m not saying— I mean I believe in privacy and I don’t like the idea of the government being able to get their fingers all up in my electronic
communications, but that’s just the modern world; I’m not going to lose any sleep over it.
I: Unlike the stuff we were talking about earlier, like financial information, where hackers were trying to steal that, just this kind of faceless person over the Internet, are you saying that when it comes to securing these types of messages on these types of apps, you view it as protecting against people around you? Physically nearby?
I’ve never sent or received a text message that would cause me problems if it became public if somebody got a hold of it. But I don’t see any other issue with it offhand. No one likes to be
I: Okay. So one thing you’ve mentioned is the government, and you feel okay if the government is looking at this—
I wouldn’t say I feel “okay” with it, but it is what it is, and I’m not gonna worry about it.
I: So it’s not your preference, but if it’s the reality, you’re okay with it.
No, I’m not “okay” with it. I’m just not gonna lose any sleep over it. It is what it is.
I: Oh, okay.
I would certainly vote for politicians who want to rein in the NSA, because I think they’ve gone way too far. But there’s nothing I can do about what they’re doing and I don’t care so much that I’m going to lose sleep over it.
I: So, you might not lose sleep over it, but would that be enough to get you to start using an app like WhatsApp? No. I: Why not?
They’re not going to find anything on my messaging except the occasional love letter or something to a friend of mine saying “What’s up?” There’s nothing that’s going to interest them in my information.
I: If that’s how you feel about the government, how about other companies? How do you feel, for example, about your telephone provider knowing what you’re texting or somebody like Google or Facebook knowing what you’re communicating?
It’s kind of the same thing. I mean Google has access to Gmail, every email I’ve ever written and sent. In exchange for that, I get Gmail. I get Google Search and Google Chrome. It’s not something that concerns me. The whole big data thing gets kind of scummy and all, but now that they’re gonna do it, I wish they’d get a little bit better with their targeted advertising cuz it misses more often than it hits.
I: What about your telephone provider then? Are you comfortable with them knowing what’s in your text messages?
I’m not... concerned with it. What are they going to do with it? Try to advertise to me?
I: Basically, you feel like they wouldn’t do anything with it that would actually hurt me?
I don’t see anything they could do with it that would hurt me. I could be mistaken. But I mean what are they going to do with all these text messages? They could find out what kind of food I like to eat, who I hang out with, but that’s not really private information anyway.
