University of Chicago SUPERgroup

Usable Security and Privacy
Problem Set 1

Due in class, on paper at 3:00pm on Monday, April 3rd.

Problem 1 (35 points)

In light of the "Why Johnny Can't Encrypt" paper, you will perform an expert evaluation of a current encryption tool. Pick a tool from Wikipedia's list of encryption tools. In particular, consider tools listed at the bottom of that page under the "disk encryption," "email clients," and "OTR" messaging categories. Download and install (or, if applicable, simply enable) the tool you chose. Inspired by the Johnny paper, perform an expert evaluation of the tool.

You should turn in four paragraphs describing:

  • Paragraph 1: State what tool you chose and describe the steps you took in your expert evaluation. Essentially, we want you to explain your methodology.
  • Paragraph 2: What usability flaws identified in the Johnny paper still persist 15 years later in this tool? Describe them.
  • Paragraph 3: What usability flaws does this tool have beyond those previously identified in the Johnny paper? Describe them.
  • Paragraph 4: What usability flaws identified in the Johnny paper have been addressed to your satisfaction? How were they addressed?

If you believe any of those paragraphs is not applicable (e.g., the tool has no usability flaws not described in the Johnny paper), instead briefly explain why you believe it is not applicable.

Problem 2 (15 points)

In class on March 29th, we watched excerpts of the 12-minute video Edward Snowden made for Glenn Greenwald. We laughed; we cried. Can you do better? In three paragraphs or less, try to explain everything a journalist needs to know about using whatever encryption tool you examined in Problem 1. Do your best! In addition to the paragraph you write, write one or two sentences reflecting on this experience. (For example, Have you communicated everything the journalist needs to know? If not, what's missing?)

Problem 3 (35 points)

You should work with either one or two partners (groups of 2-3 people) for this part of the assignment. If you really want to, you are permitted to work alone. With your partners, observe people in a public place using a computerized system. For example, you might observe people using a public transit ticket machine, a parking garage pay station, a hardware store self-checkout machine, a library self-checkout machine, or an airport self-check-in kiosk. Stay long enough to observe both experienced and inexperienced users using the system.

Alternatively, recruit a few people you know and observe them using a computer or computerized device (cell phone, microwave oven, etc.) to complete a task. Try to recruit someone who has used the device before and someone who has not.

What kinds of problems did people have using the system? What aspects of the system appeared to be easy to learn? What aspects of the system appeared to be difficult to learn? What aspects of the system seemed to frustrate experienced users? Most importantly, how might the design of the system be improved?

Write up a short report on your observations and recommendations to turn in. Include an appendix with photographs or sketches of key elements of the user interface you observed. The report should be 2-4 pages, plus the appendix. Remember: turn in one report per group listing all members' names.

Problem 4 (15 points)

With the same partners from Problem 3, create 2-6 powerpoint slides showing photographs or illustrations of the computerized system from Problem 3 in action. Choose photos that make the usability aspects of the system clear. You may duplicate photos from your Problem 3 appendix.

Do not print out your slides. Instead, one member of the team should upload them before class to the Piazza thread we will make for this purpose as a pdf file.

Problem 5 (officially 0 points, but you cannot pass this course unless you do this)

Complete the online Human Subjects Protection Training Requirement by following the instructions at

Note that the training itself is on the website of the CITI Program, and you log into the training using the University of Chicago's Single-Sign-On process. This direct link will take you there.

You must complete the "Social and Behavioral Sciences IRB Human Subjects Protection Training Course" course. You do not need to take the additional courses in responsible conduct of research, animal welfare, or export controls. Note that this training will take a few hours. Please print out and attach your completion certificate to the homework.

(CMSC 33210 only!) Problem 6 (12 points)

Write a 3-7 sentence summary and short "highlight" for the Woodruff et al. reading assigned for April 3rd.