
3 Problem Formulation


Academic year: 2021


Abstract

Mobile instant messaging (IM) applications are now ubiquitous and predominant in most person-to-person communications, especially intimate and sensitive conversations. This growing popularity of instant messaging is linked directly to the speed, immediacy and convenience of IM, which strongly appeal to anyone who wants to communicate and collaborate in real time with others. However, it is these features, including presence awareness (the ability for IM users to know who is online and available), group chats, the sharing of media and links, and content streaming as well as text and voice messages, that expose IM apps to privacy and security concerns. This essay aims to study the behavior of higher education students towards privacy and security as it concerns the use of instant messaging applications when communicating informally and formally.

To gather the desired data, a quantitative survey was created and distributed electronically at the University of Skövde in Sweden. Through the statistical analysis, this study presents the attitude of the participants towards the security and privacy of mobile IM applications. In conclusion, this report showed that the behavior of Swedish students towards digital security and privacy and the use of mobile IM applications were of low concern but not alarming. The analyzed results give a fair picture of the reasons for the choice of IM apps, the uses of the apps and the participants' knowledge about security and privacy. While there was some level of concern about who else could read messages sent via these IM devices between intended parties, the decision of which IM app participants had a preference for was not driven by privacy or security concerns. Furthermore, the majority of the participants believed that communicating with the IM app could be used for purposes other than informal messaging.

This is significant because the student population will become part of the workforce soon and will handle sensitive, proprietary, and confidential information.

Keywords: encryption, privacy, security, instant messaging, IM


Table of Contents

1 Introduction

2 Background

2.1 Smartphone Environment

2.2 Security properties for mobile instant messaging

2.3 Security Best Practices

2.4 Messaging Protocols

2.5 Network-Level Anonymity

2.6 Transport Layer Security

2.7 Instant messaging Applications

2.7.1 WeChat

2.7.2 Facebook Messenger

2.7.3 WhatsApp

2.7.4 Signal

2.7.5 Viber

2.8 Security Aspects

2.8.1 Encryption for message transfer

2.8.2 Authentication in IM

2.9 Related Works

3 Problem Formulation

3.1 Motivation

3.2 Objectives

3.2.1 Focus of the Study

3.2.2 Research Variables

3.2.3 Steps in the Research

3.2.4 Limitations of the Study

3.3 Demarcation

4 Methodology

4.1 Methodology Overview

4.2 Survey Methods

4.2.1 Standardization

4.2.2 Choosing Between Close- and Open-ended Questions

4.2.3 Wording of Questions

4.2.4 Likert Scale

4.3 Sample Size

4.4 Instrumentation

4.5 Ethics

4.6 Societal Aspects

4.7 Validity Threats

4.8 Methodology Preview

4.9 Data Analysis and Interpretation

5 Results

5.1 Socio-demographic Characteristics of respondents

5.2 Instant messaging application most frequently used

5.2.1 Summary of answers to postulated variable 1

5.3 Concerned about privacy/security and reasons for the choice of an IM App

5.3.1 Summary of answers to postulated variables 2 & 3

5.4 Influence of “Age, Academic program and most used IM App” on “concerns about digital security”

5.4.1 Summary of answer to postulated variable 5

5.5 Participants knowledge about Encryption

5.5.1 Summary of Research Questions 4

6 Discussion

6.1 Handling of Validity Threat

6.2 Construction of Questionnaire

6.3 Reflections on General Changes and Improvements

7 Conclusion

8 Future Work

References

Appendix A – Questionnaire


1 Introduction

The instant messaging (IM) application has become a requisite communication tool with the rapid adoption of smartphones. Everything instant is the predominant lifestyle for almost every human today (Sinarta & Buhalis, 2017). Even in communication, the traditional methods, each designed to suit the specific kind of information being passed (such as whether it is urgent, private, sensitive, one-on-one, or mass), have given way to instant messaging. IM applications are now ubiquitous and predominant in most person-to-person communications, especially intimate and sensitive conversations (Ling & Lai, 2016).

IMs all offer tempting and attractive features that make it difficult for smartphone users to resist them. There are millions of mobile phones, and the ability to install different applications on these ‘super minicomputers’ lets them perform many tasks, including messaging. Broadband and Wi-Fi networks have also increased tremendously in the last few years. The availability of fast and portable internet mixed with the proliferation of smartphones has led to a new era in communication. Instant messaging apps are immensely popular among users (Smutny & Schreiberova, 2020). IMs have evolved from just sending text to sending voice messages, and can now be used seamlessly for video and audio calls. They can also be used to share multimedia files and documents and to hold group chats. It is suggested that IM is now a cheaper alternative for communicating.

More individuals see IMs as the preferred mode of communication, and even some organizations now allow employees to use IM to some extent, or the staff just use it regardless (Cerulus, 2020). This situation is a significant issue for these organizations because the system administrators are already under much pressure, which causes the risks of data leakage that come with IM to be overlooked. In the past, for the individual, issues of security and privacy were the least of their concerns when all they required was a convenient method to stay in touch (De Luca et al., 2016). This growing popularity of instant messaging (IM) is linked directly to the speed, immediacy and convenience of IM, which strongly appeal to anyone who wants to communicate and collaborate in real time with others (Wang, Ma, Luo & Gao, 2018). However, it is these features, including presence awareness (the ability for IM users to know who is online and available), group chats, the sharing of media and links, and content streaming as well as text and voice messages, that expose IM apps to privacy and security concerns. For instance, the very act of sharing certain data (files) could be a breach of the GDPR. There can be man-in-the-middle (MitM) attacks, eavesdropping, issues with service providers (selling private information, leaks, password mishandling and storing personal data outside of users’ geographical residence and jurisdiction) and malware attacks on the IM applications (Wang, Ma, Luo & Gao, 2018).

Consequently, this has led to the rise of so-called secure messaging apps, also known as encrypted messengers. The demand for secured or end-to-end encryption grew tremendously following the Snowden revelations in 2013 (Patsakis, Charemis, Papageorgiou, Mermigas & Pirounias, 2018). Demand for privacy, and concerns over law enforcement agencies, intelligence, snooping from ISPs, state-sponsored espionage, and mass surveillance programs by governments are responsible for fueling such demands.


2 Background

There has been continuous growth in the global smartphone industry over the years. As of February 2019, 48% of web page views around the world came from mobile devices, and most of these views were from mobile-first markets like Africa and Asia (Clement, 2019). The country with the highest number of web views from mobile devices was Nigeria, while India, Ghana, and Kenya were ranked second, third and fourth, respectively. The Americas have the highest penetration rate of mobile broadband subscription at 97.1%, followed by Europe with 93.6%. In another report, it is suggested that by 2025, about 72.6% of internet users would access the internet using their mobile devices (Handley, 2020). A fundamental reason for this fast growth is the declining cost of smartphones. This feeds the positive demand and supply curve. This section of the report provides the reader with the information needed to understand the problem that the report addresses.

2.1 Smartphone Environment

The proliferation of smartphones has led users to consciously choose between the two dominant operating systems – Android and iOS. Smartphones attract users through application stores, which house millions of apps. According to a report (Covert, Steinhagen, Francis & Streff, 2020), WhatsApp followed by Messenger (Facebook IM) were the two most dominant apps on the Google Play Store in Q2, 2019. In general, IMs are apps that are used online and compete for users. They do this by continuous improvement with better user interfaces, promises of privacy and security, and many other attractive features (Covert, Steinhagen, Francis & Streff, 2020).

2.2 Security properties for mobile instant messaging

According to Alsmadi (2020), information security is usually evaluated from the CIA Triad viewpoint of confidentiality, integrity, and availability. Confidentiality guarantees that information sent and received is only accessed by the parties for whom it is intended, while integrity refers to the concept that sent information can only be modified by intended and authorized parties. Availability means that information is accessible to authorized parties at authorized times (Statista, 2017).

2.3 Security Best Practices

Implementing cryptography correctly is far from trivial, and a single mistake may compromise the whole system (Stallings, 2016). Overall, in defining data-in-transit security aspects, the IM app should ensure that only the intended recipient of the message gets the message and that the message is not tampered with (Sehgal, Bhatt & Acken, 2019).

Confidentiality, integrity, and availability can be achieved by –

• Specifying requirements, like encryption standards, to protect data in transit, especially through data classification of the IM app use case and its legal and compliance requirements. It is a best practice to authenticate and encrypt all data in transit while ensuring that the standards and ciphers are enforced.

• Implementing secure key and certificate management. This can be achieved by ensuring that encryption certificates and keys are securely stored and rotated with strong access control.

• Enforcing defined encryption requirements for the IM app, in line with best practices and the latest standards, while securing user data.

• Automating data leak identification by using a mechanism or tool that automatically detects attempts to send data outside the defined boundaries.

• Verifying the identity of communicating parties through the use of protocols such as IPsec or TLS (Transport Layer Security), so as to minimize the risk of losing or tampering with data.

2.4 Messaging Protocols

Presently, end-to-end encrypted messaging has become quite prominent, driven by its adoption in large proprietary applications including WhatsApp and Facebook Messenger, and by the awareness of the need to secure communication privacy that followed the disclosures of Edward Snowden. When end-to-end encrypted messaging is implemented, data in transit and messages on the server cannot be read even if they are intercepted by malicious third parties, because they are encrypted. The “end” refers to the client device rather than the server.

Several technologies combine to make up the Extensible Messaging and Presence Protocol (XMPP). These include open technologies that can be used for instant messaging and for voice and video calls. XMPP was developed in the Jabber open-source community with the aim of providing an alternative to proprietary messaging applications. XMPP is desirable because, unlike the closed alternatives, it is an open standard, free, tested and proven (xmpp.org, 2020).

The Signal messaging protocol, “a ratcheting forward secrecy protocol that works in synchronous and asynchronous messaging environments”, is the most remarkable recent development in the IM space, though several other end-to-end encryption efforts have also been carried out in this area (Cohn-Gordon et al., 2017). At its core it uses the concept of “double ratcheting,” where every message is encrypted and authenticated using a new symmetric key; it has many attractive properties, such as forward security, post-compromise security, and “immediate (no-delay) decryption,” which had never been accomplished in combination by preceding messaging protocols (Alwen, Coretti & Dodis, 2019).
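The following added example (not from the thesis or from Signal's code base) sketches the symmetric-key half of the ratchet described above: each message gets a fresh key from a one-way KDF chain, used keys are discarded, and keys for skipped messages are cached so out-of-order packets decrypt immediately. The chain constants follow the HMAC construction suggested in the published Double Ratchet specification; the HMAC-based keystream is a standard-library stand-in for a real AEAD cipher, the class and function names are hypothetical, and the Diffie-Hellman ratchet that provides post-compromise security is left out.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def kdf_chain_step(chain_key: bytes):
    """One ratchet step: returns (next_chain_key, message_key).
    HMAC is one-way, so a later chain key does not reveal earlier keys."""
    return prf(chain_key, b"\x02"), prf(chain_key, b"\x01")


def keystream(key: bytes, length: int) -> bytes:
    # Stand-in stream cipher (assumption for this example, not a vetted AEAD).
    out, counter = b"", 0
    while len(out) < length:
        out += prf(key, b"stream" + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]


def seal(message_key: bytes, index: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under keys derived from a single-use message key."""
    enc_key, mac_key = prf(message_key, b"enc"), prf(message_key, b"mac")
    header = index.to_bytes(4, "big")
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, len(plaintext))))
    return header + ct + prf(mac_key, header + ct)


def unseal(message_key: bytes, packet: bytes) -> bytes:
    header, ct, tag = packet[:4], packet[4:-32], packet[-32:]
    enc_key, mac_key = prf(message_key, b"enc"), prf(message_key, b"mac")
    if not hmac.compare_digest(tag, prf(mac_key, header + ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, len(ct))))


class Sender:
    def __init__(self, chain_key: bytes):
        self.chain_key, self.index = chain_key, 0

    def send(self, plaintext: bytes) -> bytes:
        # Advance the chain first; the old chain key is overwritten.
        self.chain_key, message_key = kdf_chain_step(self.chain_key)
        packet = seal(message_key, self.index, plaintext)
        self.index += 1
        return packet


class Receiver:
    MAX_SKIP = 50  # bound on cached keys, so a bogus index cannot exhaust memory

    def __init__(self, chain_key: bytes):
        self.chain_key, self.next_index, self.skipped = chain_key, 0, {}

    def receive(self, packet: bytes) -> bytes:
        if len(packet) < 36:
            raise ValueError("packet too short")
        index = int.from_bytes(packet[:4], "big")
        if index < self.next_index:
            # Late message: only readable if its key was cached and not yet used.
            if index not in self.skipped:
                raise ValueError("message key already used or unknown")
            plaintext = unseal(self.skipped[index], packet)
            del self.skipped[index]  # single use: a replay now fails
            return plaintext
        if index - self.next_index > self.MAX_SKIP:
            raise ValueError("too many skipped messages")
        # Ratchet on copies so a forged packet cannot advance the real state.
        ck, idx, pending = self.chain_key, self.next_index, {}
        while idx < index:
            ck, pending[idx] = kdf_chain_step(ck)
            idx += 1
        ck, message_key = kdf_chain_step(ck)
        plaintext = unseal(message_key, packet)  # raises before any state change
        self.chain_key, self.next_index = ck, index + 1
        self.skipped.update(pending)
        return plaintext


if __name__ == "__main__":
    # Constructed shared secret; in the real protocol it comes from a key agreement.
    root = hashlib.sha256(b"constructed shared secret for the example").digest()
    alice, bob = Sender(root), Receiver(root)
    first, second = alice.send(b"hello"), alice.send(b"see you at 10")
    print(bob.receive(second), bob.receive(first))  # delivered out of order
```
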

Due to the increased awareness of the security and privacy limitations of IM applications, there has been an increase in the release of other end-to-end protocols for encrypted conversations (Johansen, Mujaj, Noll & Arshad, 2018). New end-to-end messaging protocols have been implemented following the wide acceptance of the old private protocol.

2.5 Network-Level Anonymity

Although this report is more focused on security and privacy at the application level, application-level security and privacy via encryption have limitations, as data can still be collected at the network level. For example, in end-to-end encryption, the identities of both parties, activity logs, IP address, phone number etc., are available to the service providers (including the app developer and the telecommunication service provider) and any interested government agency or regulator, because the metadata relating to the chat session is collected. This collection of metadata can be avoided at the network level to ensure security and privacy. This issue is not particular to instant messaging alone; email and other forms of communication are also affected by the challenge of service providers having access to user metadata.

Peer-to-peer (P2P) may be an option to improve privacy and security at the network level, but the data stream of a peer may be compromised by a fellow peer that is assisting in the data transmission process (Li, 2007; Gheorghe, Lo & Montresor, 2011).

Another method to ensure network-level security is the use of remailers/proxies. According to Haraty, Assi & Rahal (2017), remailers raise questions about the reliability and security of the hosts. Hosts are usually workstations and personal computers located at homes, labs and work, thus making the issue of establishing initial trust important. Additionally, a host on the remailer network is vulnerable as a single point of failure.

Tor is an example of an anonymity service which hides metadata such as IP addresses. It is a low-latency anonymity service, which makes it suitable for IM use, but according to Fabian et al. (2011) it still increases network overheads. Tor provides network-level security by passing encrypted user traffic through several different servers (relays). Traffic is passed through the Tor network along unpredictable routes, making it difficult to observe. Any relay where the traffic leaves the Tor network is called an exit node, and this is the apparent point of origin seen by an external service provider. Harborth, Pape and Rannenberg (2020) observed in their paper that exit nodes on the Tor network might be malicious, belonging to intelligence agencies of government (Braghin & Cremonini, 2017), or might collect unencrypted data.

2.6 Transport Layer Security

This refers to a cryptographic protocol created to protect the information transmitted between a server and a client. Transport Layer Security (TLS) is independent of the application protocol; thus, higher-level protocols can be layered on top of it (Rescorla, 2018).

Basically, TLS is used to secure the communication channel between two peers interacting with each other when the transport provides a reliable, in-order stream. In a TLS channel the server side is always authenticated, and authentication of the client side is optional. Asymmetric cryptography such as RSA or ECDSA (Elliptic Curve Digital Signature Algorithm), or a symmetric PSK (pre-shared key), are common ways by which encryption can be implemented. Another merit of TLS is confidentiality: data is only visible at both endpoints and at no other point on the network. However, the length of the transmitted data is not masked by TLS, although the endpoints can pad TLS records to protect the data from network analysis techniques. Additionally, once a connection has been established, it is impossible to modify the data transmitted over the network without being detected.

TLS is made up of the handshake and record protocol components. In the handshake protocol, the communicating parties are authenticated, cryptographic methods and parameters are negotiated, and shared keys are established. The TLS handshake protocol is designed so that active attacks are resisted and the peers cannot be forced to negotiate different parameters. The record protocol, in turn, uses the parameters established by the handshake protocol to protect traffic going from one communicating peer to another; the traffic is divided into a series of records that are protected with traffic keys.

2.7 Instant messaging Applications

There are many instant messaging or mobile apps in the app stores, and in recent times, there has been the emergence of so-called “secure chat applications”. It is usual for this category of IM apps to claim that security and privacy are available by default. Although most of the IMs use different kinds of encryption, it is essential to note that the IM app developers own the servers that issue the keys or that they have access to the message keys. Thus, they can decrypt the messages. Besides, the lack of access to source code, or of an independent review thereof, makes it hard to confirm whether security claims are correct and whether the implementation is as claimed.

The results of the experiment by Johansen et al. (2018) suggest that the applications have varying usability and security properties, all of which are prone to error. In previous research, Zhang, Ji and Yu (2017) analyzed the security of popular instant messaging applications – WeChat, WhatsApp, and Telegram – focusing on the communication metadata belonging to the participants that is collected by these apps.

Furthermore, Aggarwal, Grover and Ahuja (2018) selected WeChat, Facebook Messenger, WhatsApp, Wickr and Viber based on their popularity, business orientation and self-acclaimed security features to study the security aspect in IM applications. A 2019 study by Hemmings, Srinivasan and Swire discussed the privacy implications of the Clarifying Lawful Overseas Use of Data Act (Cloud Act, 2018), which was passed to deal with the widespread requirement for members of law enforcement to acquire identified evidence that is stored in jurisdictions outside the United States. This so-called CLOUD Act gave the government of the US powers to request evidence from service providers in the US even if such evidence is not located in the US.

This overreaching act can undermine the personal privacy of IM app users, since there is a lack of control over what constitutes possession, custody, or control of electronic evidence.

Users are also turning to open-source secure instant messaging applications (such as Signal and Telegram) and self-hosted alternatives (Jabber/XMPP, Troop Messenger, Rocket chat) because of the growing mistrust for the closed options and especially in light of the WhatsApp, Facebook and Instagram merger (Shelat, Patel & Bhatt, 2016; Zhang, Ji, & Yu, 2017).

In a bid to investigate how users perceive and understand end-to-end encrypted IM apps, a survey was conducted by Rikardsen and Mjølsnes (2017) on three apps, including Crypho, Signal Private Messenger, and Facebook Messenger. The practices and awareness of the students who had used at least one of the apps were explored in the survey. According to a Statista report (Clement, 2019), the most popular messaging apps for 2019 based on the number of monthly active users were WhatsApp, Facebook Messenger, WeChat, QQ Mobile, Snapchat and Telegram, respectively (Briskman, 2020). Based on popularity, business orientation, and self-claimed security-providing services, literature was studied on the following five IM chat applications. In addition, the methods employed to analyze the data in this research were inspired by the research of Rikardsen and Mjølsnes (2017), which was conducted on students of the NTNU Gløshaugen Campus, Norway, under similar conditions and with similar statistical tools and methods.

2.7.1 WeChat

WeChat was launched in 2011, and by the year 2017, it was one of the largest standalone messaging applications used for social messaging by very many users. A number of tasks can be performed using this single application, including hailing a taxi, splitting the bill in a restaurant, purchasing a cinema ticket, investing in financial products, money transfer and online shopping (WeChat Developers, 2020). WeChat is quite popular in China.

WeChat is available on both the Google Play Store and iOS App Store. There is no promise of end-to-end encryption, but it uses asymmetric cryptography. It does this by encrypting the message sent between the server and the device, to secure it from a foreign party waiting to intercept the message.

2.7.2 Facebook Messenger

This is both an instant messaging service. Originally developed as Facebook Chat, it can be used for the exchange of text messages, pictures, audio or video, document files, stickers between users. Additionally, users are also provided with the ability to make voice and video calls (Facebook, 2020). Multiple user accounts can log into the same application instance.

Facebook Messenger makes use of end-to-end encryption to provide user security. Facebook Messenger has over 1.2 billion active users across the globe.

2.7.3 WhatsApp

This is arguably the most commonly used messaging application across the world, with 1.6 billion users accessing the app monthly as of late 2019 (Clement, 2019). Users can make voice calls, video calls and group video calls, hold group chats, and send text messages, images, GIFs, contacts, and documents in several file formats using the internet. WhatsApp can also be used as a social media tool through a special feature known as status, which allows users to upload photos and short video clips that can be viewed by the user's contacts for 24 hours. Interestingly, WhatsApp uses end-to-end encryption for all these features and has more than 1.3 billion active users (Church and R. deOliveira, 2013).

While making efforts to allow users of Instagram, Messenger and WhatsApp to communicate with one another without changing IM, Facebook, in 2019, confirmed its plan of strengthening the security of all its messaging services. Currently, only WhatsApp uses end-to-end encryption, unlike Facebook Messenger and Instagram messages. The goal is for the three separate apps, now owned by Facebook, to be brought together under a single messaging platform or protocol (Wong, 2020).


2.7.4 Signal

With the help of a nonprofit foundation supported by Brian Acton, the founder of WhatsApp, Signal was created by privacy advocates in 2013. The Signal website reads: "We cannot read your messages or see your calls, and no one else can either." The European Commission recently advised its staff to begin using Signal for secure communications (Cerulus, 2020).

The technology of WhatsApp is based on the protocol made by Signal called Open Whisper Signal security architecture. However, Signal is open-source while WhatsApp is not (Cohn-Gordon et al., 2017).

2.7.5 Viber

Viber is another popular free chat application with millions of users around the globe. Sudozai et al. (2017) demonstrated that it was possible to identify Viber traffic over a network and classify its audio and video calls. Viber does not support end-to-end encryption (Viber.com, 2020).

2.8 Security Aspects

Most of the popular IM applications are closed source, hence the inability to verify the claims of end-to-end security and other privacy features. The following security aspects for IM are discussed.

2.8.1 Encryption for message transfer

Encryption of a message in cryptography refers to encoding a message so that it can only be retrieved by the intended parties. It denies illegal access; it does not by itself prevent interference. Plain text is encrypted to become an encrypted message, then decrypted back to plain text to be consumed (Pourbabak, Chen & Su, 2019).

2.8.2 Authentication in IM

Authentication refers to the process of confirming the alleged identity of a system entity. In the context of instant messaging, a system entity could be represented by a user.

IM applications are supposed to provide a security mechanism to authenticate users when using IM clients to access servers. The authentication process is achieved usually with username and password that are chosen by a user when registering for the first time.

Another mechanism used for authentication is Single Sign-On (SSO), a process where the user authenticates himself/herself only once and is automatically logged into Service Providers (IM server) as necessary without requiring further manual interaction.

A known authentication method used in IM apps is SASL (Simple Authentication and Security Layer). It is a generalized technique for providing connection-based protocols with authentication support and is published by IETF. SASL is supported by XMPP for authentication. Consequently, it is important to provide confidentiality for instant messages since IM is happening over public and untrusted networks such as the Internet. The security of transmitted messages on the Internet is managed through the use of the TLS (Transport Layer Security) protocol.


Table 1. General Features and Security Aspects of Instant Messaging Chat Applications

| IM App | Monthly Active Users | E2EE | Encryption | Encrypted by Default | Encryption Cipher | Legal Origin | Handling of Metadata | Source Code Availability | Weakness / Vulnerabilities |
|---|---|---|---|---|---|---|---|---|---|
| WeChat | 1.1 Billion | No | Client-to-server and server-to-client | - | - | China | Data is stored for 3 months commencing from the date of log in before it is deleted permanently. | Closed | No E2EE, Messages remain perpetually on server |
| Facebook Messenger | 1.3 Billion | Not by default but possible | Encrypted with AES CBC | No | Symmetric, Asymmetric ECC | USA | Metadata is retained server side | Open | No encryption by default |
| WhatsApp | 1.6 Billion | Yes | Signal protocol, Calls-SRTP | Yes | Symmetric, Asymmetric ECC | USA | Metadata is retained server side | Closed | Retaining of user metadata |
| Signal | Unknown | Yes | Signal protocol | No | Double Ratchet Symmetric Algorithm | USA | All communications protected by TLS; Sealed Sender feature encrypts sender's information client side. | Open | Must register valid phone number to use app |
| Viber | 260 Million | Yes | Concepts of "Double Ratchet", 128-bit symmetric | Yes | Asymmetric ECC | Israel, Cyprus, Japan | Metadata is retained server side | Closed | Sent attachments are unencrypted |

2.9 Related Works

Flanagin (2005) asserted that mobile instant messaging was gradually displacing other methods of communication like email among the most dominant age group demographic – students, who are the ones using it the most. The study also demonstrated that the respondents had enhanced multitasking abilities and that these users need to be studied because, over time, they will exit the academic environment into the workplace. A related article by Yin (2016), which studied the attitude of students towards using WhatsApp in institutions of higher learning, concluded that age and gender did not pose any significant need for change to existing security or other features of the IM application. The study also concluded that the study level and computer competence of the student had positive but non-significant effects on the attitude towards the use of WhatsApp IM for academic-related work, which means that there is no need to adjust the features of WhatsApp. The use of mobile instant messaging applications in educational environments was systematically reviewed in a related study by Tang and Hew (2017). The results revealed that most students felt that these apps present them with multi-modality, cost-reducing, ergonomic and temporal features. It also revealed how students had adapted their use in their educational pursuits, especially with respect to assessment, helpline, communicating with peers in real time, transmissivity, dialogue, and journaling. This study surmised that IM usage by students had challenges, including privacy and security concerns.

Another study that evaluated how students of tertiary institutions utilized mobile instant messaging applications for learning was conducted by So (2016). In this study, the participants used WhatsApp for academic communications, and it was concluded that the use of IM (WhatsApp) for academic communication was perceived and accepted positively by the students. Similar studies buttressed the fact that students benefited more academically while using tools provided by IM (Gronseth & Herbet, 2018), and nursing students found that WhatsApp brought them closer to other students and nurses and was useful for placements because of its ease of use and perceived usefulness (Pimmer et al., 2018).

However, when it came to understanding the attitudes of IT experts and non-experts towards secure IMs, it was discovered that security and privacy features did not play a role in the choice of IM that either the experts or the non-experts made. Instead, the choice of IM for users was driven simply by peer influence (De Luca et al., 2016).

Consequently, the work by Aggarwal, Grover, and Ahuja (2018) demonstrated that the many iterations of IMs are built and continuously updated with many features to attract users, but the developers neglect security features most times. The study concluded that the developers should focus more on security features, which translate directly to the overall quality of the IM mobile application.


3 Problem Formulation

This essay aims to study the behavior of higher education students towards privacy and security as it concerns the use of instant messaging applications when communicating informally and formally. The rapidly changing instant messaging application market has made previous studies redundant or partially outdated, thereby creating the need to supplement them with new data.

The widespread adoption of instant messaging applications in all aspects of student users' daily lives calls for an investigation into their patterns of use and how this can be adopted when they graduate into the work environment. It is generally assumed that these students will continue to use these IM apps with the same behavior towards security and privacy. Organizations have different policies concerning privacy and security because of compliance requirements, trade secrets, proprietary and intellectual property, and personal and corporate data. Therefore, an understanding of these student behaviors will help to ensure the organizations' preparedness for this new workforce.

To achieve the aim of the study, the following research question will be examined – What is the attitude of Swedish students towards privacy and security in the context of instant messaging?

It is assumed that by answering this research question there will be enough data that will represent real life scenarios.

3.1 Motivation

The designers of IMs continually improve these applications to provide optimal satisfaction and usability, resulting in widespread adoption by billions of users. This situation has created a privacy and security challenge firstly among the users and secondly for the organizations they are associated with. Security and privacy are essential requirements desired by every user to ensure that information being shared gets to only the intended recipient, is not tampered with, and is available when it is required.

Instant messaging is used by students in varying degrees and forms. For instance, students use WhatsApp in their private and personal spaces as well as for daily social interactions (Gasaymeh, 2017); the use of mobile instant messaging for educational purposes keeps increasing, even as some used it for collaborative learning (Tang, Hew & Chen, 2017). The adoption of WhatsApp improved the learning achievement of the students (So, 2016), and students increasingly use it routinely for sharing private and sensitive information (Gasaymeh, 2017).

In the workplace, communication enhances the relationship between employees, and it defines the quality of the relationship between teammates. In carrying out certain tasks, e-mails are replaced or complemented with communication mediated by information systems like IM (Instant Messaging) (Richtell, 2010). Aside from being used in social settings, in schools and at home, IM is now being integrated into the workplace (Hönlinger, 2018). In a previous study by Rajendran, Baharin and Mohmad Kamal (2019), a review was conducted to show the influence of IM and the way it helps people in the workplace to enhance their relationships and communication in areas like business, health care, education, and others. It was revealed in the study that IM applications could improve the quality of communication among workers when used in workplaces.

According to York (2020), the benefits of IM apps are evident in the workplace, and researchers have noted how instant messaging helped to reduce constant back-and-forth phone calls and lessen errors in communications. An instant message has an advantage over an email by offering an immediate and more evident resolution to business concerns that may have lingered unnoticed in inboxes. Students may transition from school to the workplace with their IM user behaviors. These behaviors, mixed with the promise of an easy way to communicate, can lead to distraction and informality, so that IM becomes a default conduit for sharing non-work-related information such as inappropriate details of staff members' personal lives. When students bring IM behaviors developed at school into the workplace, vulnerabilities which can be exploited may be introduced. However, the network or system administrator may be consulted in the decision-making process on the right IM apps that employees can use to share corporate information. Studying the current behavior of students (future employees) is a start towards mapping the best choice for acceptable IM use in the workplace and the acceptance of alternatives based on best practices.

In recent years, concerns about privacy and security, including integrity and especially surveillance, have made it relevant to protect communications passed through instant messaging end-user mobile applications. Man-in-the-Middle (MitM) attacks and other forms of data-in-transit attacks are used to monitor and intercept data sent via these applications, thus requiring end-to-end encryption (Foster et al., 2015). End-to-end encryption was adopted by popular IM apps like WhatsApp with the promise of protection against MitM attacks. Today, a major privacy issue in modern-day civilization is the unrestricted nature of the surveillance capacity of digital communications. With so-called E2E (end-to-end) encryption, it is believed that mobile instant messaging applications can secure users’ confidentiality and protect their communication from eavesdroppers, including eagle-eyed telecom operators and the government. Even when the main messages are encrypted, metadata such as sender/receiver identity, time/date and message size remains unencrypted and is valuable for surveillance purposes. It is not necessary for IM users to trust any third party or network provider.

Compared to preceding generations, typical student users, who will enter the workplace soon after graduation, are more technology-oriented and are more likely to utilize messaging applications throughout their lifetime. This constitutes a problem because of the lack of demarcation between private and official communication when the students become employees in the future (Tsai & Men, 2018; Mohsin et al., 2019). Thus, the motivation of this study is to understand the behavioral patterns regarding security and privacy while using IM applications. The results will add to the scientific body of knowledge on how this generation already makes use of this technology as students and suggest how it should be adopted by employers for formal and informal communications in order to ensure privacy and security.

By providing scientific knowledge about the use of IM applications among Swedish students and their security awareness, this research will provide useful information in the area of study to show that students' use of IM in all areas of their lives needs to be researched further because of the security and privacy implications of the information that is being transmitted through these applications, especially data classified as confidential, proprietary, trade secrets, personally identifiable information, private, etc.

3.2 Objectives

This research essay has the following objectives presented in a chronological order.

3.2.1 Focus of the Study

The study is focused on understanding the use of instant messaging applications among Swedish students and their level of privacy and security awareness.

3.2.2 Research Variables

The independent research variables are age group, academic programme, and gender, while the dependent variables are choice of IM app used, frequency of use and security knowledge.

The independent variables are fixed and cannot be changed. They are required in this study to show whether differences in certain variables affect the attitude of the student concerning instant messaging application use and security awareness.

The dependent variables are based on choice and decisions that provide an indication of the degree of security awareness.

3.2.3 Steps in the Research

The steps involved in this research are as follows:

3.2.3.1 Creating and testing online questionnaire.

An online questionnaire will be created. The choice to use a questionnaire allows the collection of information that may have statistical implications on a population. It is also suitable for cases where there is a need to define the behavior of a group of people. This is in addition to the relative ease of analysis of the data collected using this tool. A questionnaire is a cheap tool that can be used to collect data quickly from a large sample size. Because the primary data for this report is sourced from online questionnaires, it is paramount that validity threats are handled when identified during the research.

The developed survey will be tested by the researcher for a period of 1 week in order to properly calibrate it and fix errors that were either missed or not apparent while the questionnaire was created and before distribution.

3.2.3.2 Collecting data

The authorities of the university where the research will be conducted will be contacted and a copy of the survey provided so that it can be approved before distribution to willing participants.

3.2.3.3 Analyze

The collected data will be compiled and analyzed so that it can be properly presented and understood.

3.2.3.4 Expected results

It is expected that the result of this study will show the attitudes and behaviors of the students towards security and privacy while using IM apps for regular communication. The expected outcome of this study may show that students, in general, may select certain IMs for use just for social relevance and not because they provide security and/or privacy. It is also expected that there will be lower awareness among students with less technical backgrounds than among technical students.

These results will benefit the average student user by increasing their awareness of privacy and security in deciding which IM application to choose. Furthermore, the corporate community may benefit from the results because the observed behavioral patterns can be used as a basis for policies on the use of IM applications for work-related communication. The employers will also need to raise awareness about the security risks associated with the use of IM, particularly in occupations with less technical knowledge, e.g. within healthcare.

Therefore, the postulated variables are as follows –

• What are the main uses of IM apps by the students?

• What drives the students’ choice of the IM app that they use?

• What is the student perception of using mobile IM apps for transmitting information that can be classified as sensitive?

• What is the level of security awareness as it pertains to mobile IM apps by the users?

The survey questionnaire will be distributed to 600 students with an expected completion and return rate of more than 70%.

3.2.4 Limitations of the Study

In conducting this research, some limitations could be experienced. Firstly, although the online questionnaire method using Google Forms is free and easy to distribute, it lacks the personal or human element. This element is necessary to provide a personal introduction or ‘put a face to the name’ of the researcher by providing clarification of grey areas or help in sorting out objections. This factor, coupled with the short time used for the survey, may result in low participation. The distribution method via email can also be an issue because some emails go unattended and others have anti-spam protection, which may send the survey mail into the recipient’s junk mail when the sender (researcher) is not on their contact list. Furthermore, Google Forms cannot be used offline; the internet is required to complete the questionnaire. Another limitation to the study is the willingness of the intended respondents to participate in the study and peer influence.

3.3 Demarcation

Swedish university students in Skövde were considered for this study because this population subset is representative of the Swedish student population based on distribution by age, academic programme and gender (Ugeo.urbistat.com, 2020). Also, the students are the future workforce, who are likely to engage in behavioral patterns similar to those exhibited as students in the organizations that they eventually become employees of. Student groups from a non-technical discipline (Nursing) and a technical discipline (Information Technology) were contacted for this study. This is to provide a representation of the future workplace, where technical and non-technical employees exist.

The results are not dependent on the participants belonging to a certain gender, age, or academic programme of study, and all students will get the opportunity to participate. The study cannot depend on one group of students because it would then not represent all students in general.

In addition, this study aims to provide relevant information for IM app developers, system administrators and policymakers. For example, what are common trends in mobile IM use for Swedish students? However, the study will not attempt to explain why these differences in perception might exist because it does not fall within the scope of the network and system administration program.


4 Methodology

In this section of the research essay, all the methods used to achieve the objectives of the research effort will be discussed. The process used in creating the questionnaire, including question construction, sample size, and the method of administration is discussed. The validity threats are also discussed in this section and a full list placed in the appendix for reference purposes.

4.1 Methodology Overview

Proper planning was undertaken to ensure that viable and untainted data was sourced and analyzed. The two main methods to accomplish this are the quantitative and the qualitative method. The choice between quantitative and qualitative hinges on the aim of the study and the research questions.

The quantitative method of research is best used when differences are being compared, leading to statistical analysis before presentation. The quantitative method is best for “how” questions such as “How many times a day do you use an IM app?”, while the qualitative method is better applied to “why” questions such as “Why do you prefer this IM app?” (Mikkonen & Kyngäs, 2019).

Once it has been decided what kind of data is to be collected, it is necessary to determine the best method to collect the chosen data type. This can be carried out through interviews or questionnaires. Mikkonen and Kyngäs (2019) explain that a survey can be used to collect data about the attitudes and behavior of people. Questionnaires are a very good tool for this data type (Wholin, 2012). This makes the questionnaire the best tool for the collection of data in this study because the research is aimed at understanding the perception of the Swedish student of security and encryption as it relates to instant messaging applications.

The quantitative methodology is chosen and implemented in this study because it aims to provide an insight into the perception rather than explaining why the students display those attitudes. Besides, a quantitative approach is desirable in quantifying results by descriptive statistics to be presented in the results (Mikkonen & Kyngäs, 2019). The questionnaire is administered online because of the nature of the study.

4.2 Survey Methods

The following are all the aspects that must be considered in creating a research questionnaire.

4.2.1 Standardization

Driscoll et al. (2017) describe standardization as a crucial element in conducting online surveys using the questionnaire method. For the purpose of this survey, standardization is the process of putting together questions so that they can be uniformly interpreted by every survey participant. High standardization means that every research participant reads and understands the questions in the same way. It is important for the standardization of the survey to be high because low standardization equates to a varied understanding of the questionnaire by the participants, which reduces the comparability of the results.

The researcher is not physically present to clarify grey areas in an online administered survey. Therefore, it is important to test for standardization before the survey is administered.

4.2.2 Choosing Between Close- and Open-ended Questions

Open-ended questions refer to those questions that do not provide ready-made answer alternatives. When they are used, the user must formulate their answers themselves (Mikkonen & Kyngäs, 2019). In contrast, in close-ended questions, the respondents are provided with a choice of possible answers to select from (Mikkonen & Kyngäs, 2019).

Driscoll et al. (2017) reported some issues regarding the use of open-ended questions. Open-ended questionnaires have a known issue, which is the time load required for review, analysis and comparison. Factors contributing to this may be the fact that some people give long and detailed answers and others write in code or jargon, which must first be interpreted by the researcher. Open-ended questions can also make it difficult for participants to understand the questions and cause them to doubt their responses.

When reply alternatives are provided the participants find it easier to comprehend and respond to questions in the survey. In addition, there are people who are uncomfortable with writing due to literacy levels (Driscoll et al., 2017).

Conversely, close-ended questions are those questions that have reply alternatives. The disadvantage of using close-ended questions includes the limitation on the number of reply alternatives (Mikkonen & Kyngäs, 2019). Take, for instance, a hypothetical question such as “How often do you send messages to a friend that you consider to be sensitive?”. If the reply alternatives are 1-3, 4-5 and 6-7, then a user who sends sensitive messages between 3-4 times will have difficulty responding to this close-ended question. Inclusion of an “other” option usually helps survey participants to still have a response should none of the alternatives turn out to be appropriate (Mikkonen & Kyngäs, 2019).

This study’s primary goal is to explore the perception of the students as it regards security and encryption as they make use of mobile instant messaging applications. For this reason, all questions will be close ended to ensure that there is no need for further interpretation of answers received from the questionnaire.

4.2.3 Wording of Questions

Surveys conducted using a questionnaire must be carefully designed to give the most appropriate questions. This ensures that every respondent can understand the questions. It will also lead to an increase in the number of people that are willing to respond to the survey. The validity threats of skewed answers will be avoided in the process too.

There are other key factors that have been identified by Elson (2017), which include maintaining simple and short questions and not creating questions that are leading. An example of a leading question is “Will you say that WhatsApp protects your information better than…”. Leading questions such as this can have a potential influence on the respondent. Another common error is contradictions in questions; these can create confusion and make it difficult for the participant to understand and know what exactly to respond to. Another common error is the double-barreled question. These kinds of questions ask two things at the same time – “Is your instant messenger secure and private?”. The issue with such a question is that the respondent might have a private mobile device that only they can use, or have access to the IM app password-protected, but the messages transmitted are insecure, and vice versa.

Furthermore, the survey should not be too lengthy, with too many questions that require too much time to complete. Any questionnaire that is constructed in this way will be time consuming for the volunteer and is likely to lead to a negative outcome such as the respondent abandoning the survey along the way (Mikkonen & Kyngäs, 2019). Another good method reported by Driscoll et al. (2017) is for the start of the survey to contain some warm-up questions that will make the participant committed to completing the survey.

4.2.4 Likert Scale

A Likert scale is usually used for the administering of a questionnaire aimed at studying the attitude of research subjects. A Likert scale is designed such that the options used for replying are presented in a simple horizontal scale. Both extremes of possible options are presented to the survey participants to investigate their attitudes. A classic example is a question regarding the degree of satisfaction from using an instant messaging app. The corresponding alternatives will then range from “Strongly disagree” to “Strongly agree”. However, aside from the options in between, a neutral reply alternative is usually provided in some variations of Likert scales (Chyung, Roberts, Swanson & Hankinson, 2017).

A Likert scale has the advantage of gauging the various levels of attitudes when it is difficult to do so with a simple yes or no question. Unlike open-ended questions, a Likert scale makes it easier for a researcher because the need for interpretation is eliminated. It is always useful to provide adequate choices to the respondents when using a Likert scale on a survey to avoid confusion. Nevertheless, the options in the Likert scale should not be too many because this too can lead to confusion when there is little difference in meaning between the options. As a rule, the recommended number of options on a Likert scale is a minimum of 3 and a maximum of 9.

This study has set out to explore perception in attitude towards security and encryption in IM thereby making the Likert scale a good method to implement for those questions.

4.3 Sample Size

This study is limited to the students at the University of Skövde. This is a relatively large sample size that requires a quantitative approach in gathering data. This university is chosen, and the research limited to allow for adequate time to collect and analyze data thoroughly. Additionally, a non-probability sampling method would be used as is common in small-scale surveys conducted in defined spaces such as workplaces and schools (Etikan, 2017).

When data is gathered, arriving at a good conclusion is dependent on using a large sample size, from which a better, more inclusive result can be obtained. When there is a large sample size, the risk of accidental sampling is avoided. An example of accidental sampling in this study would be if the study only ended up including participants using just the Signal IM app (Etikan, 2017).

In this research, the data was gathered by having students voluntarily accept to complete the survey when it was electronically sent to them.

4.4 Instrumentation

Google Forms is a free service available from Google. Creating surveys with Google Forms is easy and simple, and it provides an intuitive experience for the respondents. Also, since Google Forms has no trial period, it can be used for collecting data over a long period. It also works with MS Excel and presents the collected results in a graphic format.

4.5 Ethics

Whenever scientific research involves humans, there are important ethical factors worth considering. Informed consent by every respondent is compulsory, based on the consideration of all provided basis of the study (Etikan, 2017). All participants who opted to complete the survey were informed that it was part of a research essay for a final year project at the University of Skövde. The purpose of the study was clearly stated at the beginning of the questionnaire. The statement also clearly stated that participation was voluntary and that responses would remain anonymous (Etikan, 2017). To preserve the identity of the respondents, no personal data was collected or formed part of the study. Even the general questions such as gender and the program of study were completely anonymized.

The researcher's contact information was made available to the participants for further enquiries. Maintaining an ethical study required that no invasive questions that erode the privacy of participants or reveal their security protocols were asked. Nothing that could be used to identify the study participants was utilized.

4.6 Societal Aspects

In a student community, social development affects the behavior and attitude of the student. It is common to find students dressing, communing, and congregating in certain ways that form the culture of the community. This is also applicable to the kind of IM apps that they use in communicating and how the students perceive the security and privacy of these IM apps. Thus, participants of the survey may demonstrate a similar trend in their responses to the questionnaire because of the social aspects of the campus community.

4.7 Validity Threats

When a study is performed, the degree of reliability of the results is referred to as the validity of the study (Newton & Burgess, 2016). A high validity is obtainable when the threats to the study are identified during the planning phase and are effectively handled. When this research was performed, the validity threats to the results included the possibility for the respondents to have difficulties in understanding the survey questions, poorly worded questions and a low statistical power. Validity threats can be classified into internal, construct, reliability and external validity. In managing validity threats, usually a compromise must be made. When drawing participants from a pool of university students for instance, threats like heterogeneity and low statistical power are reduced. So, even though a high
