The Operator Foundation is a non-profit based in Austin, Texas that makes usable tools to help people around the world with security, privacy, and resistance to censorship. Our purpose is to promote Internet freedom, open communication, and global Internet security through technology development, deployment, and education.

The Mission

In 2015, the Operator Foundation sent a team to Mexico City to conduct one part of a research study on Internet censorship in various countries. During this trip, we were introduced to the Mexico City contingent of the research team, including Internet freedom activists Jesús Robles Maloof and Luis Garcia. Through these contacts we were introduced to a variety of journalists living and working in Mexico City.

We took this opportunity to talk to the journalists about their security needs. What we found is that these journalists wanted to be able to send and receive emails to their sources and to other journalists in a safe, secure way. We saw that this might be a good opportunity to promote the use of email encryption, and so we attempted to help them set up PGP on their laptops. It quickly became clear that this solution was not able to address their needs due to the high barrier to entry and required technical knowledge. While we did succeed in getting some journalists set up with PGP, they said that they were unlikely to ever use it or encourage others to use it as it seemed far too difficult to use. Our interview with these users led us to realize that they needed a secure and encrypted email client that required minimal setup with a journalist-friendly user experience. After meeting with and talking to these users we developed the following two personas to help guide our product process:

With these personas in mind, we set to work creating the first version of Postcard, the Operator Foundation’s end-to-end encrypted email client with a usable, friendly interface. Operator felt it was important to distinguish Postcard from other encrypted email clients by implementing the following characteristics:

• All messages sent with the application are encrypted and signed. There is no way to accidentally turn off encryption or signing.
• Only messages which have been properly encrypted and signed will be shown when reading mail in the application.
• Key management is automatic and largely transparent.
• Postcard verifies that the public key associated with an email account was actually sent by that email account.
• We use simple, modern cryptography functions and file formats.

Increasing Usability

After creating the first version of Postcard it was time to follow up with our users. We wanted to increase the user friendliness of our application and were fortunate to receive a grant from the USABLE project in 2016. USABLE is an initiative to connect communities world-wide with leading UX experts and digital security tool developers to solve real problems, build better tools, and create lasting, re-usable user personas for others to incorporate. Through the USABLE grant, the Operator Foundation sent two Postcard developers, Dr. Brandon Wiley and Adelita Schule, to Mexico City to engage in further user research. The team conducted interviews with journalists and security trainers. We showed the prototype to the community of intended users, gathered feedback, and discussed key management UX design tradeoffs.

Our research revealed that our users were concerned primarily about whether email encryption would affect their workflow as journalists. They wanted to know about features such as lost key recovery and accessing encrypted messages across multiple devices.

Implementing User Feedback

We took our users’ feedback to heart. We implemented multi-device syncing and lost key recovery using Apple’s iCloud Keychain technology. We also developed the following threat model based on user feedback from our particular user community:

• Online account hacking
• Theft of devices
• File stealing malware

Based on this threat model, we refined our security practices to defend against these attacks. All emails are encrypted end-to-end, protecting users against unauthorized access to email contents through online account hacking. Emails are also encrypted at rest on the device, protecting users against unauthorized access to email content through device hacking or file stealing malware. We also included a “lockdown” mode for situations in which users are worried that they are in imminent threat from device theft or file stealing malware. When lockdown mode is initiated, all unencrypted email contents, as well as the private key necessary to decrypt emails, are immediately removed from memory. Users can trigger this behavior either through clicking a button in the user interface, or by simply putting their computer to sleep. On laptops, for instance, the user can initiate this behavior simply by closing the lid.

Next Steps

Our user research has also revealed that journalists in Mexico City primarily use Mac laptops for email, as well as iPhones. Use of Windows computers and Android phones was not common among our users. They also predominantly use Gmail as their mail provider, with Hotmail being the second most used email provider. Even journalists with company-provided email accounts use Gmail as their organizations use the G Suite applications, which utilize Gmail as a backend for organizational email.

There are also some areas that we discovered where we are not currently meeting user needs. Journalists in Mexico use their phones for emailing extensively and desire an email solution that allows them to switch between their laptops and phones. They also expressed a need to have a secure place to store documents, including those received via email attachment. Operator is currently seeking funding for the next stages of this project, which includes porting the macOS application to iOS devices as well as adding options for encrypted document storage at rest for mobile and desktop.

How You Can Help

If you would like to help Operator Foundation, we accept public and private funding via grants and donations. You can make a donation today on our website. Operator is also available for design and development contracts. We work with organizations all over the world to help enhance the privacy, security, and censorship resistance of their existing applications, as well as developing new applications for our global user community.

Designing an End-to-End Encrypted Email Client was originally published in Operator Foundation on Medium, where people are continuing the conversation by highlighting and responding to this story.