USABLE Tools

Peru: Tila

Wed, 01 Mar 2023 00:19:41 +0400

Background

Tila is a journalist who has worked for 10 years in print journalism. She has worked in large cities such as Peru’s capital, Lima. After covering some recent protests, there was a change in her devices. They were not working properly; she had friend requests from trolls across her social media accounts and she kept receiving strange calls. She noticed she wasn’t the only one with the same problems, so she teamed up with several journalists to investigate the issue. Together, they learned that they were being watched by someone through accounts that has been hacked.

Technology use

Tila is active across several social media platforms and blogs. She has a personal Mac computer which she uses for design and audiovisual production. Tila also has a work laptop with Windows. Given the nature of her work, Tila often connects to public Wifi networks and shares devices with colleagues to pass material. She stores sensitive information on her devices without encryption. She uses Google Drive extensions to store information, sends files via Facebook.

Goals

Learn and achieve safer digital habits.

Identify digital risks that go unnoticed.

Learn new strategies and tools for safeguarding information.

Threats

Sexist threats for being a woman journalist.

Adversaries have better technological capabilities to attack.

Threats and intimidation to interrupt/stop journalist investigations from being carried out.

Difficulties accessing media accounts and identity theft.

Strengths

She has a network of journalists with whom she meets to discuss digital security issues and plan joint actions to strengthen digital security.

Seek out communities and organizations that can advise you on digital security issues

She is technologically savvy and has good internet connection.

Questions

How can I back up the sensitive information and make sure it is protected?

What is a safe platform can use to conduct interviews on sensitive topics?

How can I identify attacks on my digital accounts? How can I protect against attacks?

Peru: Oscar

Wed, 01 Mar 2023 00:17:24 +0400

Background

Oscar is a journalist who works daily covering and reporting on important political, social and economic developments. During the height of the Covid-19 pandemic, he has visited hospitals, medical centers, and other crowded spaces to observe and share their Covid-19 reponses. Being at the forefront of events such as this, he has had to implement protective measures for his health and safety.

Technology use

Oscar uses different forms of social media such as Facebook, Twitter, Instagram, etc. to share information. He also has a website which he administers through Wordpress. He is experienced using audio and video editing software. Oscar has some security measures in place, he has updated his operating system and has a good antivirus. He uses similar passwords for his services but makes but uses slightly different combinations. He connects to public wifi networks, where there is no coverage to use mobile data.

Goals

Provide accurate, current and insightful coverage.

Be informed on the concerns of the national (and international) community in order to address informational gaps.

Disseminate information that clarifies doubts about myths and eliminates misinformation.

Threats

Loss of information by hacking the cloud storage.

Email vulnerability by hacking, unauthorized intrusion, phishing attempts

Password theft

Strengths

He has some digital security protection measures in place.

He has devices specifically dedicated for his work.

He understands nothing can be completely protected and wants learn more about digital security strategies.

Questions

How can I tell if a link or website might be malicious?

How can I protect myself when using public wifi networks? Are there alternative ways I can connect?

How do I know if my Operating System issecure?

Venezuela: "María"

Wed, 01 Mar 2023 00:14:07 +0400

Background

María is a middle-aged woman, teacher and psychologist by profession. She was born in a small town in the state of Mérida and as a child she was the victim of various types of abuse by some of her relatives. Growing up, she decided to dedicate her life to helping other women who have gone through situations similar to the ones she went through as a child. María founded an NGO that provides psychological and legal support to women who are victims of rape and gender based violence.

Technology use

María uses instant messaging apps, video conferencing and email platforms to communicate with victims and her co-workers. She saves the files of all the cases they receive in a cloud storage platform.

Goals

Support the fight to end sexism and gender based violence in the country.

Work to reduce the gender gap in the workplace.

Advocate to the State for guaranteed equal rights for men and women.

Threats

Repression by state security agencies.

Gender-motivated violence.

High crime rates in the country.

Strengths

Strong ties and relations with other human rights organizations.

Training in nonviolent resistance.

Knowledge of the national legal framework.

Questions

What safety recommendations can we give to young girls when using the Internet?

How can we publicly denounce bullying and abuse while protecting and respecting victims?

Venezuela: "Antonio"

Wed, 01 Mar 2023 00:10:48 +0400

Background

Antonio, is a 21-year-old gay man who has struggled to find safe spaces for self expression on social media. He experiences constant harassment and mistreatment on the Internet. Antonio is an active member of an NGO that works to educate young people on human rights, with particular focus on the LGBTIQ+ community. He is tired of seeing members of the LGBTIQ+ community harassed and threatened for being themselves.

Technology use

He has a smartphone with an emergency function that he can use to call for help and allows a trusted person to locate him. He uses Facebook and Telegram groups to spread information about how to protect oneself and off the Internet.

Goals

To advocate for equal rights.

To combat discrimination and hate.

To advocate for legal protection of people with sexual and gender diversity.

Threats

Harassment- both physical and on social media.

Targeting of LGBTIQ+ individuals via dating apps.

Lack of support and resources in a country/culture with conservative values.

Strengths

Knowledge of laws and rights.

Network of allies that support his fight.

Commitment to defending the rights of the LGBTIQ+ community.

Questions

How can we safely reach more people so they know how to protect themselves?

What are some tools that can help improve our security?

Venezuela: "Valeria"

Wed, 01 Mar 2023 00:07:37 +0400

Background

Valeria is a young independent journalist who collaborates with different national and international digital media and in her free time she collaborates in investigations with some NGOs, especially those that work on issues of feminism, LGBTIQ+ rights and freedom of expression. She has been injured during coverage of popular demonstrations and threatened by armed groups in her community, who are close to the regime and seek to intimidate dissidents in order to silence them.

Technology use

Instant messaging apps for communicating with her loved ones and coworkers, video calling platforms for work, and email for professional and personal use. Due to the heavy censorship in the country, she must use a VPN to access various web pages.

Goals

Report what is happening in the country.

Overcome censorship and attempts to limit access to information.

Fight against the disinformation and propaganda of the regime.

Threats

Repressive context for freedom of expression (freedom of expression has been criminalized).

High crime rates in the areas she frequents.

Gender-based violence.

Strengths

Alliances with other journalists and organizations.

Advanced communication skills.

Social capital and influence in social media.

Questions

How can we increase the security of our social media accounts?

What are some more secure means of messaging that I can use to maintain contact with collaborators, colleagues, and family?

What security tools can we use in spaces with low connectivity?

Venezuela: "Emilio"

Wed, 01 Mar 2023 00:04:27 +0400

Background

Emilio grew up and currently lives in one of the most dangerous neighborhoods in Caracas. At a very young age he became interested in public affairs and chose to become involved with different NGOs. He leads the chapter of of the National Student Movement at his university. He is also currently part of an NGO that works to provide support to the poorest communities throughout the city.

Technology use

He uses WhatsApp to communicate with allies throughout the communities and his work team. He also uses Zoom to participate in conferences and workshops. Emilio uses and social media platforms to communicate his work and connect to people with people interested in the project.

Goals

Help people living in extreme poverty.

Empower community members.

Create support and solidarity networks in poor communities.

Threats

Armed political groups living in the communities.

Kidnappers looking to extort money.

Political persecution for his social activism.

Strengths

Community support for the work he does.

Legal advice of other human rights organizations.

Alliances with other organizations to denounce attacks.

Questions

What security measures can we take when violent groups come to sabotage activities?

Is it safe to coordinate activities through SMS when we don’t have Internet access?

Ecuador: Yanhya

Wed, 01 Mar 2023 00:02:46 +0400

Background

Yanhya is a human rights and environmental activist. She works with community radios to denounce environmental injustice as well as violence against women. She lives in a community that has suffered the effects of water contamination, oil exploitation, logging, and illegal mining. Access to electricity and internet is poor in her community, she must leave her territory whenever she needs to access more reliable internet.

Technology use

Yanhya uses Facebook and WhatsApp to communicate information/work done by herself or others, to view the news, and search for information. She uses her computer for radio to edit her programs. Yanhya uses her cell phone to collect testimonials for her activism work. She is currently learning to use some design and video editing

Goals

To find other effective ways to disseminate information about women and culture/ find more spaces to tell women’s stories.

To connect with other members of the environmental rights and human rights communities.

Threats

Physical threats to her and her family.

Identity theft and impersonation to discredit her work/spread disinformation.

Attempted hacking of social media and email accounts.

Strengths

Some friends and individuals she coordinates with have started using Signal for more secure communication.

Yanhya is aware of digital threats and is interested in learning more about digital security.

She understands the basics of the Internet and is able to use it as a tool to gather information.

Questions

If my devices are stolen, is there a way to protect the information they contain?

How can I know if my social networks have been tapped?

Where do I backup sensitive information so that it is secure?

Is there a way for me to keep my content from being removed from social networks?

Mexico: Nahua

Tue, 28 Feb 2023 23:55:17 +0400

Background

Nahua is a radio communicator, he belongs to the Tucta community, in the municipality of Nacajuca. Nahua has worked to document the harm and contamination of oil, mining and hydroelectric companies in indigenous territories. He conducts interviews to spread the word about the environmental impact on these communities as well as the discrimination and threats that they face.

Technology use

They have started using Free Software to setup a radio station. And they have also organized with communities to use other organizations’ free community storage infrastructure to strengthen their information security. They have received workshops on VPN use. They have also created their webpage.

Goals

Transparency in the actions of mining companies.

Create spaces for alternative voices.

Generate alternative communication products.

Create intercultural communication that exposes the realities of the communities.

Threats

Mining companies are threatening those who produce and disseminate information criticizing and/or exposing them.

Threats by drug traffickers to journalists.

Cell phone spying and wiretapping.

Strengths

Nahua has basic knowledge of technology.

He has discovered and learned to use Free Software that allows him to securely store and backup information.

He is aware of threats to digital security and wants to learn how to better protect against them.

Questions

How can we be monitored through our cell phone?

Is there a mechanism to protect our privacy when navigating social networks?

What kind of tools can I use to further protect my security?

Ecuador: Michi

Tue, 28 Feb 2023 23:51:19 +0400

Background

Michi is a journalist who works to promote women and feminist rights using radio to tell stories/share information. In the past she has been persecuted for disseminating information on sexual and reproductive rights and presenting reports critisizing and exposing violence and machismo.

Technology use

Michi is an experienced communicator and has been working in radio and radio production for many years. Her knowledge of technology is basic. She uses her smartphone to share information about her work and sensitive issues via Facebook and email. She also uses these platforms to connect with other feminists and feminist groups On her phone she also installs game applications for her children.

Goals

Connect with feminist networks while maintaining personal safety

Use digital networks to support in building alternative discourses to disseminate credible facts to counter misogynistic/sexist beliefs and perceptions, combat violence against women.

Threats

Michi regularly receives threats online from trolls and individuals with conservative/traditional cultural perceptions. She fears for her safety and that of her family in the event that any personal information such as her home location were to be discovered or revealed. She also fears cyber threats such as hacking of personal accounts by malicious actors looking to shut her down or discredit her.

Strengths

Michi maintains contact with a couple of cyberfeminist organizations working in digital security. They have been able to recommend security tips to her.

Michi recently learned about the Signal app which offers encrypted instant messaging. She has begun to use it for any sensitive communications.

Questions

How can can I better protect the data on my cell phone?

How can I better protect my location and other personal data?

Are my email communications secure/is there a way to ensure this?

Uganda: Lakony James

Tue, 28 Feb 2023 23:43:08 +0400

Background

Married 35 year old HR lawyer & activist who works with civil society to advocate for the property ownership rights of women in Northern Uganda. He lives in a post armed conflict region. He speaks & writes fluently in English

Technology use

Social Media platforms, Facebook, twitter, Instagram to create awareness.

Communicates via email, SMS, social media apps, uses a myriad of email list serves (Gmail, yahoo, Hotmail to network), Accesses internet from any location (hotels, public WIFI).

Goals

To conceal his digital trail from surveillance.

Wishes to keep his communication platforms secure

Needs secure open source cloud platforms for backups

Needs to securely stay connected during Internet shutdowns/ censorship

Threats

Intimidation, arbitrary arrest and detention

Some of the software he uses is not licensed.

Government surveillance.

Fear of losing his practicing certificate.

Betrayal from fellow colleagues

Strengths

Understands the prevailing legal framework that supports his work

Has a large online following that supports his online activism

Adopts fairly to new tech applications

Ability to use technology to circumvent censorship & also seek help from his IT peers.

Questions

What will happen to my family incase I’m taken under hostage.

How can I safely communicate to my people who are not using any of the security tools named?

How can I navigate the internet safely when I need to use public internet?

Venezuela: Daniel Suárez

Tue, 28 Feb 2023 23:31:34 +0400

Background

Daniel is a journalist who lives in Caracas. He works as a reporter for digital media. Most of the time he is on the street documenting the news from various sectors of the city and at the end of the day he returns to the office for the coordination meeting that he holds with the rest of his co-workers.

Relevant recent events: A few months ago, government offcials raided the office for no apparent reason, Daniel feels that he must be very vigilant about protecting the information on his phone and on the office computer.

Technology use

Daniel has had digital security training in the past on behalf of the media he represents, so he uses strong passwords and in some cases activates double factor authentication. Most of his teammates have not received training.

Goals

Overcome the censorship imposed by the national government.

Inform communities with little or no access to independent media.

Make the general crisis in the country visible.

Threats

Physical and digital attacks by state security forces.

Website and social media blocking.

Arbitrary detentions.

Strengths

Interest and motivation to learn new ways on how to protect himself and others around him.

International cooperation resources to acquire new equipment.

The organization as a whole has an interest in promoting organizational security policies.

Questions

What communication channels can and can’t the government intervene and how can I protect myself?

What is the safest place to store documents?

What special security measures must be taken into consideration while investigating sensitive topics such as corruption schemes?

Venezuela: Carolina Prieto

Mon, 27 Feb 2023 21:19:53 +0400

Background

Carolina is a journalist who lives in Los Andes region and is a correspondent for several digital media, some with their headquarters in Caracas. Most of the news that she covers is related to the humanitarian emergency: food shortages, failures in public services and health system.

Relevant recent events: Like most people who live outside of the capital city Caracas, most of the time she does not have an internet connection due to ISP failures or the frequent and prolonged power outages.

Technology use

Due to constant power failures and the cost of alternative ISPs, Carolina relies almost entirely on her cell phone to get her work done. She receives most of her inputs on WhatsApp and she writes the news on her computer using data shared from her cell phone.

Goals

Overcome the censorship imposed by the national government.

Inform communities with little or no access to independent media.

Bring useful information to the masses so that they can be informed.

Threats

Lack of infrastructure / equipment to get the job done.

Arbitrary detentions.

Physical and digital attacks by state security forces or irregular armed groups.

Strengths

Reliable coworkers that support each other to overcome deficiencies.

International cooperation resources to acquire new equipment.

Interest and motivation to learn.

Questions

How can I implement the recommendations if I don’t have electricity or internet?

Can communication apps like WhatsApp or Telegram be hacked?

How can I safely document human rights violations?

Ecuador: Joshefin

Mon, 27 Feb 2023 20:44:18 +0400

Background

Joshefin is a journalist, feminist, and trans activist covering issues of gender, diversity, and gender based violence. Through her work, Joshefin promotes sexual and reproductive rights. Joshefin is the Community Manager of a feminist journal. She and other members of her community have organized trainings for journalists on reporting with a gender perspective. She is also alert about cases of femicide to give support to the families, also to trans people who are discriminated against.

Technology use

She uses different social media platforms such as Facebook, Instagram,Telegram, and Twitter to share her work, She has a space/site dedicated to sharing her reports.

She worries about her communications being tapped, especially when working on sensitive topics, and implements some digital safety measures. She uses a VPN sometimes and uses Signal to communicate.

Goals

Share information with a gender and diversity focus.

Denounce threats against the diverse community and women.

Promote communication with a gender perspective.

Threats

Troll attacks on shared content.

Attempted hacking of Web pages, mail and social media accounts.

Phishing attempts.

Reporting of published content to be removed.

Strengths

She is aware of the need for digital security measures.

She implements certain tools to protect her digital security.

She implements strong passwords and uses two-factor authentication for her social media accounts.

Questions

How do I protect my mobile device?

How do I deal with troll attacks?

How do I protect myself from attacks to my accounts?

Announcing the 2022 UXForum: Connect, Create & Shape Tech!

Tue, 08 Feb 2022 09:50:48 -0700

The UXForum is back, April 25-29, 2022!!

A virtual convening to explore human-rights centered design in the open source privacy and security community

Join human rights defenders, digital security trainers, auditors, software developers and designers for a multi-day, online event that will provide space for skill-building, networking, sharing best practices, and exploring opportunities for collaboration.

Help us shape the agenda by submitting a session proposal! The call for proposals will remain open until March 18th, 2022 and we will notify applicants of selection no later than March 25, 2022.

We encourage you to put in a session regardless of your experience leading sessions in other circumstances. Likewise, if you’ve got a great idea but still need to work on the details, we encourage you to submit a session and join us for our open information session Friday, February 25, 2022 at 8:00 am EST or 11:00 am EST to ask questions, discuss your idea, and receive feedback. Links to the sessions will be provided once you sign up here.

In the meantime, don’t forget to register for the forum (registration closes on April 15, 2022) and follow us on Twitter @USABLE_tools for the latest updates.

The event will be guided by the USABLE code of conduct.

16 Tips for Maintaining Trust During Feedback Collection

Fri, 21 May 2021 09:00:00 +0000

Trust is always a prerequisite for working with at-risk communities, but it becomes increasingly important when you are gathering feedback. If trust has been established, users are more likely to participate in the feedback process and provide honest responses without fear of judgment or risk.

This resource is designed for organizational security auditors, digital security trainers, and other practitioners who have already built and established trust with an at-risk community and are planning to collect feedback on privacy and security tools from the community.

Tips for Maintaining Trust During Engagements & Feedback Collection

Though trust can be established prior to an audit, training, or user engagement, the facilitator must take action to maintain and uphold that trust throughout the event. Below are suggestions to help ensure that participants feel safe and supported throughout the entire feedback collection process.

Communicate transparently with partners about what you will be doing together and outline the overall plan. Be sure to manage expectations about time and involvement. Explain how the feedback you are collecting will be used and what impact it may have long-term.
Collaboratively establish rules or protocols for the gathering to ensure people feel safe (i.e. no photos, no social media posts, Chatham house rules, etc.). Confirming confidentiality at the beginning (and maintaining that confidentiality) can also help participants open up.
Where possible, conduct feedback collection in the local language. Participants will likely be able to more easily share challenges, frustrations, or features that they appreciate in the language they are most comfortable with.
Follow through on your commitments and be communicative throughout the process.
Identify and highlight something positive that you hear or learn from participants in order to help them build their confidence. It can be useful to begin a training or audit by collecting best practices. This will demonstrate to participants that they already take certain actions or use certain tools and reassure them prior to beginning.
Encourage participants to share challenges or mistakes from the perspective of someone else (perhaps a persona), so they do not feel shame in sharing.
Explain technical concepts in accessible language so that people can understand how technical tools work and do not feel overwhelmed by complex terms and concepts.
Remind participants that you are not testing them as users, but rather you are testing the tool.
Ensure that your team of facilitators is diverse and representative of the community or organization with which you are working so participants feel comfortable. You can also provide opportunities for participants to be co-facilitators. Cascading or transferring information to a trusted member of the organization or community can be an effective way to communicate a message.
Encourage questions throughout the session and provide different ways for people to engage (verbally, written, etc.). It is critical that you listen to participants. Continuously check-in with each participant and follow-up afterwards via phone or email.
You should plan for the engagement to be interactive and immersive, but you should also be adaptable and adjust as needed.
Location can also play a large role in making sure participants feel safe to fully engage, without fear or distraction. If funding permits, host events in a neutral location.
Give honest and straightforward answers, and respond as quickly as possible to requests for support. You should always be clear and specific about the functionalities of tools so organizations and communities can choose the tool that best fits their threat model.
Ask open-ended questions, and create space for storytelling and exploring emotions.
Include short movement activities, which allow for linking body and content (i.e. finger ladders, shoulder rotation, etc.).
Utilize privacy-preserving measures when collecting feedback from at-risk users. This may require you to use aliases, assign numbers, etc. to ensure that you are not linking results or feedback to specific individuals.

Whether you are just getting started building trust with a new organization or community or you are eager to begin collecting feedback from existing partners, these tips and suggestions will help ensure you are centering the wellbeing of your participants while effectively collecting critical feedback from at-risk users.

AXIS: A Global Feedback Exchange for Trainers, Auditors, Developers, and Designers

Wed, 18 Nov 2020 09:00:00 +0000

Internews, with support from Okthanks and Simply Secure, hosted a month-long virtual event entitled AXIS: A Global feedback Exchange for Trainers, Auditors, Designers, and Developers. This event brought together key communities to map privacy and security tools being used by at-risk organizations and to identify concrete ways that we can support improvements to those tools.

66 participants across the globe attended throughout the month including:

41 Digital Security Trainers and Organizational Security Auditors
9 Designers and UX Experts
4 Tool Developers
12 People Representing Other Communities (journalists, activists, etc.)

In order to maximize flexibility for participants, program content was made available in a variety of formats including podcasts, live sessions, and blog posts. Since AXIS was originally planned as an in-person event, one of our top priorities when making it virtual was to facilitate community building and trust among participants, particularly for those who are new to the digital security and Internet Freedom communities. While building community and trust can come naturally during in-person events, virtual gatherings require strategic facilitation to create opportunities for those connections to be made.

Here are a few of the ways we facilitated collaboration and communication throughout the month:

Welcome Calls. Prior to the start of AXIS, we hosted two “Welcome Calls” where participants could introduce themselves and get to know one another in an informal setting.
AXIS Community Slack. Throughout the month, participants were able to communicate with each other or the hosts via the AXIS Community Slack. The Slack served as a space for participants to make introductions, exchange resources, submit homework assignments, and even share music recommendations and pictures of their pets! Having this informal space for participants to communicate throughout the month (and afterwards) greatly contributed to the overall success of the event.
Community-led Skill Shares. As part of AXIS programming, participants were invited and encouraged to share their own skills and expertise through live sessions, blog posts, and/or podcasts. 12 participants contributed to these skill-shares covering topics such as web accessibility, threat modeling, user research, and more.
Breakout Groups and Shared Notes. During live sessions, hosts used BigBlueButton’s breakout feature and shared collaborative notes on Riseup Pads to create smaller groups and allow participants to engage in the format they are most comfortable with, whether that be speaking or typing into the shared document.

AXIS Outputs and resources

As part of select AXIS sessions, participants contributed to the development of new resources, and provided feedback on existing resources. Content developed during the event, ranging from best practices for feedback collection to templates for archetypes, will be edited, designed, and integrated into the UX Feedback Collection Guidebook.

Building on User Personas, or fictional profiles of individuals created based on the real needs of users, the archetype templates developed during AXIS will expand the resources available to help trainers, auditors, designers, and developers analyze threat models and understand risks. AXIS participants contributed to the development of templates for the following resources:

Organizational Archetypes will provide a snapshot of at-risk organizations who rely on privacy and security tools. These archetypes will highlight threats they face, tools they use, the size of the organization, and more.
Adversary Archetypes will provide a direct contrast to the organizational archetypes, as they will provide a snapshot of common threat actors, including some of their tactics, known targets, and more.

Templates for these resources will be shared with trainers and auditors so that they can contribute to a growing library of personas and archetypes.

AXIS Tracker and Feedback Collection Certification

Each AXIS participant collected a virtual “stamp” for attending a session, reading a blog post, or listening to a podcast. Each stamp represented a different theme or topic, and an editable Progress Tracker allowed participants to track their progress throughout the event. Upon completion of the program, participants were eligible to receive an AXIS Feedback Collection Certificate*. A total of 42 participants received a Feedback Collection Certificate.

What’s Next?

Following the event, AXIS participants were invited to apply for the Feedback Collection Funding Pool, a small grants pool for individuals or organizations who would like to implement feedback collection from at-risk users during their trainings or audits. Many AXIS participants have expressed interest in collaborating with another trainer or auditor to implement these activities, demonstrating an increase in the amount of collaboration happening within the auditor and trainer community, particularly with regards to usability work. This feedback collection, combined with the UXFund, aims to improve the usability of open source security and privacy tools used by at-risk communities around the globe. Check back here for updates as we launch this work!

Logo, Progress Tracker, Icons, and all other design assets for AXIS were created by Juan Pablo Trujillo Romo.

RightsCon 2020: Ensuring Users Have a Voice: Collecting and Integrating User Feedback

Thu, 15 Oct 2020 09:00:00 +0000

RightsCon, the world’s leading event on human rights in the digital age, was held online this year during the month of July 2020. Internews’ Ashley Fowler led a session entitled, “Ensuring users have a voice: collecting and integrating user feedback.” Since 2015, Internews has partnered with digital security trainers, design experts, and open source tool teams to improve the usability and accessibility of open source privacy and security tools. Valuable user feedback collected from across the globe has ensured that users have a voice in the design and development of the tools they rely on. This panel was composed of digital security trainers and accessibility experts who have experience collecting feedback from at-risk users as well as designers working with open source tool teams who have implemented usability and accessibility improvements based on user feedback. Below you can find highlights from the panelists, who shared lessons learned, best practices, and responded to questions about collecting and integrating user feedback.

Moderator: Ashley Fowler, Technical Program Officer at Internews

Panel:
- Nancy Reyes, Trainer and Accessibility Consultant at Accessibility Lab
- Mario Felaco, Security Auditor at Conexo
- Carrie Winfrey, Founder and Design Lead at Okthanks
- Helen Nyinakiiza, Digital Security Trainer in Kampala, Uganda

Why is it important to involve users in the design and development of open source tools? How do we sustain feedback loops between at-risk users and open source tool teams?

Panelists highlighted that many open source tools are developed in North America or Europe, far from the communities that heavily rely on these tools for their physical and digital security. Tool teams that do not have direct access to end users struggle to understand the specific needs and threats they face, sometimes resulting in tools that are difficult to use or neglect to account for people outside of North America and Europe. Involving users and creating sustainable feedback loops is critical to the success of any privacy or security tool.

Feedback should not only be collected towards the end of the development cycle, but rather gathered throughout the entire process. Developers must ensure they have structured the process to power continuous feedback loops. For open source donors and funders, it is important to ask how the projects you’re supporting are incorporating feedback from at-risk or marginalized populations. Not only is it important to ask, but also demand that it is included and fund the work.

Nancy noted that it is imperative to also include people with disabilities in the design process of the tool, and seek their feedback early on in the process, in order to build more accessible tools.

Web Accessibility Guidelines exist and can support the inclusion of people with disabilities. Learn more at https://w3.org/TR/WCAG21/.

Are there simple ways to integrate feedback collection into existing training or engagements with end users?

There are lots of lightweight and fun ways to collect feedback! Panelists shared several methods they have used, emphasizing that you can even collect feedback over dinner or coffee. In fact, making it a no pressure, lightweight social event helps people feel more comfortable and results in more accurate, real feedback. If you are conducting a more formal digital security training, you can wander around and observe how people are interacting with the tool and identify where they are facing hurdles. Collect those insights and pain points as feedback you can later send to the tool developer. It can be particularly useful to identify a co-trainer or “observer” whose sole responsibility during a training is to watch and document user behavior, capturing specific feedback that can inform tool teams.

Listening groups, surveys, and trainings are all different channels for collecting feedback. Check out the UX Feedback Collection Guidebook and the Okthanks Exploratorium for more activities! There are also initiatives like USABLE and the OTF Usability Lab that can fund user engagements or design and accessibility support for open source tool teams.

What role does trust play when collecting user feedback?

Empathy is an important factor when collecting feedback. We feel closer to things when we feel connected to the humans who designed them. When you can connect a tool developer directly with users, it helps to build trust and understanding, which in turn improves feedback and the tool! Users will be more likely to engage if they know that developers are interested and their feedback will be heard. Even if you are not able to connect users directly to developers, make sure to let users know that their perspectives matter!

It is also important to stay in touch with the users so that you can follow-up as they continue to use the tool. You can reach out to them to share any development or feature updates as they happen, capture any pain points that may have emerged as they become more familiar with the tool, and get feedback on any changes that have been made.

What prevents users from providing feedback to developers?

It is hard to make sure that development teams are listening. Collecting and sharing feedback requires your time and resources. If you feel like your time and expertise are going into a void, what’s the point? Additionally, connectivity continues to be a huge challenge - both internet connectivity and human connectivity. Digital security trainers, or others skilled at connecting with a particular community, can play a huge role in bridging that gap.

Developers face obstacles as well. Time, access, and resources are obvious challenges. Oftentimes, small tool teams simply may not have the bandwidth to review and act on all of the feedback coming in from users. Internews’ USABLE project has worked to mitigate some of these obstacles. Through the USABLE project, Internews offered financial support to digital security trainers to compensate them for the additional work of collecting and packaging feedback in ways that are easier for developers to receive and act on. For developers, Internews provided funding support for tool teams that were willing and able to implement some of the changes requested through direct user feedback. This approach has been helpful in making sure feedback is not only shared with developers, but also put into practice.

How can I get involved?

Whether you are a digital security trainer, a SAFETAG auditor, or a designer who wants to collect user feedback to help improve open source privacy and security tools, please reach out! We also encourage open source tool teams wishing to integrate user feedback into their design and development processes to connect with us. We have a robust network of community members eager to make tools more usable for those who need them most. Email us at connect@usable.tools today!

Announcing the 2020-2021 UXFund

Thu, 01 Oct 2020 09:00:00 +0000

We are excited to announce the launch of the latest round of the UXFund, a targeted pool of funding dedicated to improving the usability of open source security and privacy tools used by at-risk communities around the globe.

Developers, maintainers, and other representatives of open source tool teams are invited to apply on behalf of an open source privacy and security tool. Winning applications must demonstrate a commitment to high-impact usability solutions, and incorporate human-centered design principles, including user testing, engagement with end-users, as well as a willingness to work directly with digital security trainers and auditors around the globe. The goal of this funding is to support stronger feedback loops among tool teams and their target user base, and ultimately make tools more usable for those who need them most.

The majority of the UXFund will support work addressing the needs of at-risk persons and/or vulnerable populations (e.g. ethnic minorities, LGBTQI communities, people with disabilities, and women), but there are limited funds available for deeper tool re-architecture, if clear usability-enhancing outputs are presented.

This round of the UXFund will also prioritize tools or platforms that apply to address unique challenges that are faced at the organization or community level, such as shared password management or encrypted collaboration tools.

The amount of funding provided will vary based on the specific needs of the tool, but will likely range from $5,000 to $50,000 USD. The funding period will likely span from November 2020 through June 2021.

DEADLINE TO APPLY

All applications should be submitted before November 15, 2020.

WHAT WILL WE FUND?

User-testing/user-engagements designed to collect feedback from at-risk users
Design sprints
UX, design, or accessibility consultants/support
Staff time for the design/development of usability and accessibility improvements (new features, documentation, etc.)
Experts/consultants to support with reviewing and prioritizing user feedback, documentation, etc.
And more!

HOW WILL APPLICATIONS BE SCORED?

All applications are required to include the following:

Must include user testing or feedback collection from target at-risk users (Internews will connect tool teams with communities as needed)
Must work with users and/or training or auditing community
Must use standard usability and accessibility guidelines where appropriate

Please see below for our judging criteria and funding requirements.

Applications will be reviewed by a three-person technical committee based on the criteria provided below.

1. Quality of Program Idea and Associated Activities: 30 Points

Address a need which would improve the usability for one or more user persona developed under the USABLE project (https://usable.tools/personas/)
Improve accessibility and internationalization
Incorporate human-centered design principles and user testing
Tool is open source and has good development practices
Tool already exists (we are not able to fund the development of new tools)

2. Program Planning/Ability to Achieve Objectives: 15 Points

Provide a detailed work plan for tool development and testing phases
Demonstrate how this work is crucial to promoting high-impact usability solutions

3. Institution’s Record and Capacity: 25 Points

Demonstrate legal registration
Be in good standing in performance and reporting under any previous subgrants, from Internews or any other organization, where applicable
Be able to meet all reporting requirements and deadlines

4. Cost Effectiveness (including Cost Share): 20 Points

Be able and willing to demonstrate the tool’s commitment to continuing proposed activities after the subgrant period ends

5. Program Monitoring and Evaluation: 10 Points

Provide a detailed plan to effectively monitor and evaluate grant progress and deliverables

This funding will be administered in accordance with The Department of Human Rights and Labor/Department of State standard terms and conditions.

In addition, regulations and provisions, at minimum, of 2CFR200 and 2CFR600 Uniform Administrative Requirements, Cost Principles, and Audit Requirements for Federal Awards, will apply to subawards issued as a result of this request for applications.

Proposal budgets will be reviewed in accordance with, and selected subrecipients’ costs will be subject to the cost principles that apply to them to assure reasonableness, allocability, and allowability as per 2CFR200 Subpart E, Cost Principles.

HOW TO APPLY?

We’re afraid that applications are now closed

SAFETAG Community Feedback

Thu, 24 Sep 2020 09:00:00 +0000

Over the last few months, we have been working with Tafka, a Mexico-based design firm, to develop a new visual identity for the SAFETAG framework. As part of these efforts, we hosted 3 community feedback calls to gather feedback. Additionally, we shared an open survey for those who were unable to join the calls. In total, we received feedback from over 25 SAFETAG users around the globe.

We have highlighted some of the feedback we received below.

SAFETAG could be described as:

“Complex, yet comprehensive”
“Your really smart friend that you like a lot, but gives very detailed answers to very simple questions”
“Flexible and adaptive”

What makes SAFETAG and its community unique?

We take the time to get to know, listen, and engage with the organization before starting hands-on work during the audit
We are driven by the opportunity to support organizations advocating for civil and human rights, allowing them to do their work more safely and effectively
We strive to provide holistic support to organizations, taking into consideration digital, physical, and psycho-social components of their security
We enable organizations to make informed decisions regarding their digital security, and contribute to building a more resilient and sustainable foundation

SAFETAG users believe the framework’s visual identity should be:

Building blocks, or individual pieces that come together to form something larger and more comprehensive
Colorful and approachable
Casual, yet professional

What challenges do users face when navigating the framework?

It is big. As a new auditor, it is difficult to understand the “big picture”
The document is overwhelming, and it is hard to decide which parts are relevant
No clear hierarchy or organization
The information architecture is not intuitive, and it is difficult to search for content that will be relevant for a specific organization, community, or context

What changes or features would make it easier to navigate?

The ability to hide activities so that you can see a smaller version of the framework
Less words, more visuals. A clear naming structure and hierarchy
A search feature, and a way to select specific activities that are relevant for a particular scenario
Using metadata (such as size of organization, theme of activity, etc.) to sort the activities
Videos, tutorials, and lessons learned for activities
Having a clear “table of contents” so it is easy to locate a specific section or activity

What challenges do users face when contributing new content to the framework?

Many users do not feel comfortable contributing content through GitHub
Others reported that contributing content currently takes too long; there are limited options for smaller, less time-consuming contributions
The process of contributing content is difficult

Thank you to all who joined the feedback calls or responded to the survey! The insights you shared have directly informed the design and development of the new visual identity and web interface. We hope that the new visual assets and interface will make SAFETAG easier to use and more accessible for both new and experienced auditors. We are in the final stages of work and look forward to sharing the final products soon. Stay tuned for updates!

A very short story about digital security for young women

Tue, 22 Sep 2020 09:00:00 +0000

So, why has it become more important for young women to get to know about digital security? Because more and more, they’re using and living in the internet world, either for education, to earn some money, or simply to have fun. The exposure of young women to the digital world brings another effect – online harassment – which also has implication on their offline life. In recent research, Web Foundation mentioned several threats online for women and girls in the internet world.

I won’t write about the material or technical components of digital security training, since every organization has their own module. Instead, I’ll discuss how to set up a training to become more appealing and friendly for a group of young women and less intimidating, without lessening the importance of the training.

Go to a laid back and discreet place

To create a laid back and fun situation, first we need to decide the theme and place. A small home with an open garden could be a good option, or if you have enough budget, we can organize a training in a resort, far away from bustling city life. Try to find a place that is discreet and quiet. To protect peoples’ security, the training will minimize the involvement of social media – no mentions, no tagging, and minimize publications. A lesson that they also will learn in the training is that when it’s necessary, they can completely disconnect from the online world.

Create a fun ambience

While the term “training” could feel intimidating, we can choose a different format that is more fun for participants. Borrowing the format of a book club perhaps could help. When it comes to the session organizing, the participants could divide into a small groups, with 1-2 facilitators. Like a book club, the session is about sharing experiences from participants and the facilitator, covering what they need to know about digital security. It’s possible that ice-breaking activities would be needed to create closeness and gain trust among the participants and the facilitator. The more relaxed the discussion is, the more sharing of knowledge that will take place among participants and facilitators.

Setup the mind

Digital security training material is available widely on the internet. What we need is to raise the awareness and the implementation of these recommendations. Participants can start to become more aware of what platforms they use, and how to be more safe when using them. An introduction to open source platforms could also be a good place to start, as an alternative to closed source platforms that are relatively widely used. All they need to know to start is to be aware that digital harm could attack anybody.

And, what’s next?

There are several ways to create activities after training, as a follow up. Create online groups or some meet ups after the training, if possible. You could create a catchy ‘digital security tips and tricks’ guide, both in online and offline form, as a tool to use when we need to distribute information to people who don’t have sufficient access to the internet.

10 Tips for Collecting Quality User Feedback from Grassroots HRDs, Activists, and Security Tool Users

Fri, 28 Aug 2020 09:00:00 +0000

Security tools are vital to ensure at-risk users like human rights defenders and activists stay safe while doing their valuable work of activism and defending human rights. However, the usefulness of these tools depends on how usable they are to this at-risk community. Many feedback collection activities have been done to provide security tool developers with quality user feedback to ensure they develop these tools with the at-risk users in mind. Through USABLE, feedback is constantly being collected from at-risk communities around the security tools they use to stay safe. Feedback has been collected on security tools like Signal, VeraCrypt, KeepassXC, BitLocker, Tor Browser, and many others. Through conducting different digital security training and tool feedback sessions in East Africa since 2018, I have been able to interact with many grassroots communities and collect their feedback on key tools that they use. Grassroots communities in East Africa are particularly unique in that they face several challenges like poor internet connectivity, lack of electricity, and limited resources and equipment. These factors can greatly limit the adoption of certain security tools. Below, I share my 10 tips for collecting quality user feedback from at-risk grassroots communities.

1. Understand the community using a particular security tool.

It is important to understand the community you intend to collect feedback for. Not only does it enable you to plan accordingly, but it also gives you a clear picture of the needs of that community. This also makes it easy for you to focus on collecting feedback for specific tools used by that community based on their threat models.

2. Know which security tool is used most by grassroots communities and focus on collecting feedback for that tool.

Knowing the tool used by particular communities gives you the ability to make necessary arrangements on collecting feedback on specific features of that tool that is commonly used by the community. Tools like Tor Browser or VeraCrypt have many features and there may be some features that are more frequently used by particular communities. Once you know which tool and its specific features are used by grassroots communities, feedback collection for that tool becomes a little easier than going into a feedback collection activity without knowing which tool or feature is mostly used by that community.

3. Know which method of feedback collection works best for that community.

Due to different factors and working conditions of grassroots communities, not all methods of feedback collection work for them. Grassroots communities, in particular, have many challenging factors which limit you from using certain methods of collecting feedback. For example, using virtual feedback collection methods like sending questionnaires or using surveys to collect feedback from grassroots communities is not a very practical method due to factors like limited access to the internet or low bandwidth.

4. Understand the schedule and availability of the community to provide user feedback.

A lot of grassroots human rights defenders are constantly in the field working and doing a lot of travelling within their communities. If you intend to conduct tool feedback collection outside digital security training, you will need to make sure your schedule matches theirs to ensure the tool feedback collection activity is not getting in the way of their important work. Therefore, know which local events, training, or workshops bring these communities together and use it as an opportunity to organize a tool feedback collection. Liaise with event organizers to publicize your tool feedback collection activity and find a suitable location and time for you to collect the tool feedback during the event.

5. Understand the barriers which exist and have the potential to hinder the community from using a particular security tool.

Before introducing grassroots communities to a new tool for which you want to collect feedback, know which barriers exist and have the potential to hinder its adoption by them. This will save you from wasting a lot of valuable time collecting feedback for a tool which the community has no interest in adopting simply because it’s not useful to them – no matter how useful or usable that particular tool is to another community. Barriers like lack of proper devices and equipment (like good laptops or smartphones) play a big role in the adoption of certain tools because certain tools work best on particular devices with specific system requirements. Also, certain tools like VeraCrypt are a little bit technical and need a certain level of expertise which many grassroots communities do not have.

6. Understand the context in which grassroots communities work.

Different communities work under different contexts and knowing this beforehand enables the feedback collector to prepare in advance on what tools they will collect feedback for from that community. Likewise, grassroots communities also work in different contexts and it is particularly challenging to collect feedback if the feedback collector does not know their working context.

7. Prepare a checklist to act as a benchmark when collecting the user feedback.

The type of feedback that you will collect from grassroots communities during a feedback collection activity will vary from inferior to superior. Having a checklist will enable you to quickly rank feedback for particular features of a security tool and will ensure that you evaluate the feedback collection activity before and after the activity.

8. Categorize feedback collected and rank them by quality. Remember, even inferior feedback can be useful to tool developers.

Collecting feedback from grassroots communities is challenging in terms of the quality of feedback you will receive. This is because people from grassroots communities are new to the idea of tool feedback collection, often get excited, and end up providing all the feedback they have. Collect all this feedback and categorize them according to the quality but submit all to the developers because all that feedback could potentially be useful to tool developers.

9. If possible, have a virtual call with a tool developer during the feedback collection activity with grassroots participants.

Having a video call with a tool developer during a feedback collection activity makes a great difference and can be very motivating for grassroots participants and puts them in the mood to provide feedback for that tool. Many participants of tool feedback collection activities often are in disbelief that the feedback they provide will lead to improvement of the tool, but once they actually get to see and talk with the developer of that tool, they instantly get excited to provide the feedback because they know it will create an impact.

10. Virtually stay in touch with grassroots participants even after initial physical feedback collection activity.

Sometimes collecting feedback from grassroots communities needs constant connection with participants. This is because more valuable feedback can be collected even after the initial activity. Following up with participants through a phone call or WhatsApp chat gives you the opportunity to understand the challenges they have been facing while using the security tool. This method of virtual feedback collection is very efficient, fast, and easy and helps you to reach out to participants without interrupting much of their schedule.

In conclusion, collecting user feedback from grassroots communities is very interesting despite the challenges that come with it but as a feedback collector, you have to always be accommodative and dynamic, ready to make changes as you go about collecting the feedback. One thing you have to keep in mind at all times is that tool feedback collection is a new and constantly evolving activity and it gets easier every time.

Synthesizing and Prioritizing Feedback

Fri, 14 Aug 2020 09:00:00 +0000

Collecting feedback from at-risk users is a critical first step, but it is not the final step in the process. To maximize the impact of the feedback loop between end-users and developers, trainers, auditors, and other facilitators should ensure that the feedback shared is of high quality, relevant, and consistent. This requires time spent reviewing, synthesizing, and prioritizing which pieces of feedback should be shared with the developer. The questions below will help guide trainers, auditors, and facilitators through this process.

What are the common areas of confusion or frustration?

It is important to focus on feedback that is common among multiple users. If multiple people are experiencing similar frustrations, this demonstrates that it is a shared challenge and not a one-off “user” error or misunderstanding. Understanding the scale of the issue will also help the developer prioritize the improvement.

What are the common features or processes that users appreciate or are able to navigate easily?

While it is easy to focus on areas of a tool that users struggle with, it can also be helpful to highlight features or processes that users appreciate or depend on day-to-day. This information will ensure that developers do not change or remove these features in the future.

How frequently does the user need to complete the task?

Consider the frequency of the task, as well as how important the task may be to the overall function of the tool. For example, if the user is struggling with a particular task within the tool, but it is not a task they will need to complete regularly (such as configuring settings), this may not be a priority for the developer. However, if it is a task that the user will need to complete on a regular basis that is causing frustration, this likely will be a priority for the developer. Alternatively, if a task does not need to be completed often, but is essential to the functioning of the tool, this can also be a major barrier that should be prioritized by the developer. For example, if a user struggles to install the program properly or setup the program to run, this may prevent them from properly using the tool, even though it may only need to be completed once.

Is this piece of feedback relevant and actionable?

The facilitator, trainer, or auditor is also uniquely positioned to ensure that the feedback is relevant and useful. Not all users will have technical knowledge, which will influence the type of feedback that they are able to provide. For example, a user who does not understand how attackers could “spoof” a trusted contact even in a secure communication tool may not understand the importance of verifying contacts by comparing what is often presented as a very long code of letters and numbers, and therefore, never do it. While the specific complaint about the usability could be “this is too difficult / the code is too long;” a facilitator or trainer would be able to identify the root cause and help provide more actionable feedback to the developer. A request to “shorten” the code would likely be met with resistance from a cryptographic / security standpoint, but the trainer can suggest better ways to present critical information to the user (e.g., has the code changed?) and help identify more user-friendly but still cryptographically sound ways to present the information.

What concrete suggestions can I make based on the feedback collected?

Beyond simply highlighting areas of confusion or frustration, the facilitator, trainer, or auditor is also a valuable voice when it comes to concrete suggestions for improvements. For example, if the language used on a specific button or configuration is confusing, suggest another word that may make the function of the button clearer to users. Similarly, instead of only highlighting that a specific word or phrase was not translated accurately, offer an alternative translation. These specific recommendations are very useful for the developer and give them concrete actions that they can take to improve the usability or accessibility of the tool or application.

How can I streamline the feedback process and maintain this feedback loop with the developer?

Most developers receive ad-hoc feedback from passionate users, who typically have some level of technical knowledge, but do not usually represent the average user of the tool or application. Trainers, auditors, and facilitators are positioned to capture feedback from real users, prioritize it based on relevance and quality, and share it in a streamlined format. By formalizing this process, trainers and facilitators will be able to share feedback more regularly.

Resources/additional information:

Approachability of KeePassXC: Can anyone use it? Blog post by Okthanks after a usability study of KeePassXC
Simply Secure’s Guide to Gathering Feedback
Simply Secure’s User Testing & Feedback with Tails Blog Post

Stamp for this activity:

From Usability to Threat Modeling

Tue, 11 Aug 2020 09:00:00 +0000

Across our portfolio of technology, training, and advocacy to support a free and open Internet that protects and advances human rights, we are assembling a wide array of foundational resources (all released under Creative Commons licenses!).

Threat Modeling in Internet Freedom Projects

It's important to underline that this is not a new concept -- certainly there are many security tools which already carefully consider threat models during development; there is much written on using use cases and "misuse cases" to expose the security and usability requirements for tools -- this paper provides a good overview, and EFF's Security Education Companion coverage of Threat Models introduces the concept for use in training.

These include user personas with community-built lists of needs, and information about the threats or adversaries they face. This collection of different resources is not coincidental – it builds a space in the middle to create detailed threat models around specific tools and practices and paves the way to more expansive and cohesive long term digital safety strategies for resilient communities.

What we have

At-Risk User Personas	Contextual Digital Risk Assessments
Our USABLE.tools project has a user persona library with 30+ user personas from around the world, representing LGBTQI activists, persons with disabilities, human rights defenders in closed states, and many more. These are not simply idealized stereotypes, however - they are created by the at-risk users themselves to provide authentic insight into the lived experiences, needs, and threats of these communities without putting any specific members of their community at risk. These personas provide critical insights into the needs and threats real people face in challenging environments. Tools for these communities need to be resilient against a wide variety of technical, physical, and legal attacks while also being easy to use, with little or no training.	Risk Assessments are a core of Internews' internal risk management process, and we also strongly encourage auditors using the SAFETAG framework to leverage a similar approach to research the technical and social context that they are working in when assessing an organization's security. The framework provides a guide to research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to also look at focal areas and trends.

At-Risk User Personas

Contextual Digital Risk Assessments

Our USABLE.tools project has a user persona library with 30+ user personas from around the world, representing LGBTQI activists, persons with disabilities, human rights defenders in closed states, and many more. These are not simply idealized stereotypes, however - they are created by the at-risk users themselves to provide authentic insight into the lived experiences, needs, and threats of these communities without putting any specific members of their community at risk. These personas provide critical insights into the needs and threats real people face in challenging environments. Tools for these communities need to be resilient against a wide variety of technical, physical, and legal attacks while also being easy to use, with little or no training.

Risk Assessments are a core of Internews' internal risk management process, and we also strongly encourage auditors using the SAFETAG framework to leverage a similar approach to research the technical and social context that they are working in when assessing an organization's security. The framework provides a guide to research the technical capacity of potential threat actors, including both historical attack data and any indicators of changes to their capacity. Auditors are encouraged to also look at focal areas and trends.

What we’re building

Under the next phase of USABLE’s work, we will be building two new resources - “personas” which represent the needs of organizations and communities and “personas” which capture the capabilities and motivations of realistic but generalized adversaries.

Organizational Archetypes	Adversary Personas
Organizational Archetypes capture the complex needs of organizations and communities, spanning from grassroots communities all the way up to donors in the space facing state-level adversaries. What are the more complex needs and different threats faced when collaborating? Secure messaging, calls, and document collaboration are all significantly more complex when you have multiple people or organizations involved, and tools which are relatively easy to swap in and out at a personal level become incredibly more complex if an entire organization depends upon them as a core part of their workflow.	Adversary Personas will contain realistic details of generalized adversaries’ capacities and what issues these actors are willing to expend resources and build capacity to undermine. Organizations will be able to use these resources to anticipate potential threats and malicious actions and proactively develop practices and responses to realistic situations. This will enable developers, trainers, policymakers, funders, and others to contextualize their work against a wider variety of threat actors without having to rely on any one specific nation-state as a “bogeyman.” I specifically hope this enables richer conversation around actual threats while removing cultural stereotypes and prejudices.

Organizational Archetypes

Adversary Personas

Organizational Archetypes capture the complex needs of organizations and communities, spanning from grassroots communities all the way up to donors in the space facing state-level adversaries.

What are the more complex needs and different threats faced when collaborating? Secure messaging, calls, and document collaboration are all significantly more complex when you have multiple people or organizations involved, and tools which are relatively easy to swap in and out at a personal level become incredibly more complex if an entire organization depends upon them as a core part of their workflow.

Adversary Personas will contain realistic details of generalized adversaries’ capacities and what issues these actors are willing to expend resources and build capacity to undermine.

Organizations will be able to use these resources to anticipate potential threats and malicious actions and proactively develop practices and responses to realistic situations. This will enable developers, trainers, policymakers, funders, and others to contextualize their work against a wider variety of threat actors without having to rely on any one specific nation-state as a “bogeyman.” I specifically hope this enables richer conversation around actual threats while removing cultural stereotypes and prejudices.

From Resources to Practice

These are collectively designed to enable unbiased discussions and strategy development around the serious challenges and threats users, organizations, and entire communities face, the tools we use to help, and tools, practices, or policies we wish we had.

Responses focused on threats, not just threat actors Threat actors change and evolve, and often have more capacity than is publicly confirmed (but perhaps less than is presumed through rumor). By extracting and de-personalizing aspects of this, we can have clearer discussions. Further, specifying current existing actors, especially in open source tools, can overly complicate the public profile of the tool as well as those using it. If a tool is clearly built to combat a specific actor, then users of that tool can be seen as inherently being aligned against that actor. This has resulted already in excessive targeting and jailing of activists based on their tool choice.
Identification of common, cross-regional threats What attacks, specific techniques, and even malicious tools are being used and re-used globally? Are there patterns we can detect and build proactive defenses against?
Gap identification What gaps remain when we look at this data mapped out? Is anyone working to address them? What solutions (tools, training, policy changes) could be used? How do we sustainably build these resources?
More dynamic responses, more resilient communities By tackling the inputs into this process separately, we can update our models more agilely and plan against a wider variety of attacks to build tools and guidance that are more resilient to more types of threat actors as well as changes in any specific actor.
Future-looking strategies With these fictional personas and archetypes, we do not have to be as limited to current actors and their capacities. We can (within reason) consider possible future threats that activists may face by remixing and extrapolating from current threats. Anticipating these risks will allow us to build tools to mitigate sooner, rather than later. Dystopian cyberpunk scenarios welcome!
These resources can be used to develop tabletop scenarios to explore current and emerging threats and build creative responses to them. These scenarios are useful in advanced trainings, tool development, and strategy building exercises. Fictional but realistic adversaries and personas can get into detail around specific threats and mitigations without being as personal, risking bias, and helping reduce potential of trauma involved in these discussions.

We are just getting started and would love to hear from you on what data you hope to find in these resources, how you would use and adapt them, and more! You can reach us at connect@usable.tools.

Overview of Feedback Collection Activities

Fri, 07 Aug 2020 09:00:00 +0000

Internews

UX Feedback Collection Guidebook

Many of the most at-risk communities around the globe rely on open source privacy and security tools. However, these tools are often designed, developed, and maintained by individuals or small teams who have little to no access to their target audience — journalists, activists, human rights defenders, and other high-risk groups. This often results in tools that poorly fit the threats, challenges, and/or accessibility or usability requirements of end-users.

To further facilitate feedback loops between tool developers and the at-risk communities using those tools, Internews worked with trainers, designers, and developers from around the globe to create the UX Feedback Collection Guidebook a compilation of activities and resources designed to integrate feedback collection into existing digital security training frameworks. These activities and resources allow trainers, auditors, and facilitators to collect relevant and useful feedback from high-risk users that are typically underrepresented in the design and development of open source privacy and security tools.

The Guidebook equips digital security trainers and other trusted facilitators with the skills and resources they need to:

Safely gather information around end-users’ needs, practices, and operating environments
Collect tool-specific feedback from at-risk users
Synthesize, prioritize, and structure information or feedback
Share information or feedback with relevant developers or tool teams

This resource will help practitioners understand the value and process of capturing feedback where possible and how to share it with developers. When done effectively, this process can transform the design and development of the most commonly used privacy and security tools for at-risk users.

Okthanks

In our work, we rely on our trusted local partners to help us understand the needs and desires of communities. Activities and frameworks serve as a guide, so that our partners know which questions to ask and what information is needed to inform the design of a tool. The Exploratorium contains many of the methods and activities we use in our practice when conducting user research, engaging communities in the design process, and measuring impact.

THE EXPLORATORIUM

The Exploratorium is a collection of activities that seeks to inspire participant engagement and foster relationships built on trust, inclusivity, and freedom, so all voices are heard and represented. They can be used as part of a user research plan or for gathering feedback. These activities aim to cultivate honest input, and generate meaningful and actionable insights. Use them in a group setting, at an event, or in a virtual focus group.

Keeping individuals safe and implementing privacy-preserving measures when engaging is very important. ‘Our Research Principles’ outline some of the questions we discuss as a team and with our partners when planning an engagement. Before deploying an activity, please consider how you are protecting the safety and privacy of participants.

You can find all the activities on the Exploratorium page of our website: https://okthanks.com/exploratorium.

A facilitator guide accompanies every activity, outlining everything you need to know to deploy the activity, along with ideas for remote or virtual deployment! We understand how important it is to localize activities and currently have a few options localized, but would love to work together to do more!

To learn more about ways to utilize an Exploratorium activity within your program visit our blog post entitled, “10 Activities to Engage Communities and Gather Feedback.”

We would love this collection to grow, so if you have activities you love, feedback on these activities, or ideas for activities you’d like to see, contact us on Signal or WhatsApp @ +1 209.396.5087 or through email at hello@okthanks.com.

Simply Secure

Gathering feedback can feel overwhelming! We’ve developed a number of resources — lightweight guides and templates — to try to make it easier to add into your regular engagements with people in your communities, at trainings, or convenings depending on the type of feedback you are interested to collect. As we’re frequently working with high-risk participants, we also prioritize safety and security as part of our feedback gathering practice.

If you are new to gathering feedback, it might be best to start with the beginners section of our Knowledge Base or with our UX Starter Pack. Interviews and surveys are great methods for getting in-depth, qualitative and open-ended feedback, but we’ve also found it can be helpful to invite people to draw and annotate feedback on paper. We’ve shared an example exercise like this in our App Feedback Gathering Guide and our Design Spot: Quick Tool Feedback video. These tools and methods can be useful to developers, designers, trainers and auditors and are intended to help bring to light challenges that people have using different tools.

Selecting a Tool and Identifying Developers During the Feedback Collection Process

Fri, 07 Aug 2020 09:00:00 +0000

Trainers and auditors should have the ability and framework to do quick research on tools before beginning the feedback collection process. This quick checklist helps trainers, auditors, and trusted facilitators determine whether or not they should choose to spend time collecting feedback on a particular tool.

Prior to beginning feedback collection on any specific tool, it is important to consider the following:

Is the project active? Is the project sustainable?

Before doing anything else, ensure the project is currently active. This means developers are currently working to update and make improvements on the product. With many open source projects, development may fluctuate due to lack of funding, volunteers, or time. Please refer to the checklist below to ensure the tool is actively maintained.

Begin with a Google search.
Explore the project’s website to find where they host their code. This is often GitHub, but could also be GitLab, SourceForge or a custom site for larger projects.
Check for information on OpenHub.net. OpenHub is a platform that gives you immediate data about current open source projects hosted on GitHub. Simply type the name of a tool in the search function and the output is a status report of the project.
Reference the criteria used by the Open Integrity Index by iilab.
Additional considerations may also be taken depending on your context or concerns within the high-risk community you’re working with - e.g., has the tool been audited or peer-reviewed?

It can also be helpful to check if the project seems to be stable. Does the project have funding? Is it part of an organization? This is often harder to determine, but can save a lot of wasted effort.

Is there a way to submit feedback? Is there a preferred method of feedback submission (specifically for user-feedback)?

To maximize the impact of the feedback you are able to collect, look up the tool developers and how to contact them in advance. It can be frustrating to collect valuable feedback, but have no one to share it with. You may be able to identify specific developers via the tool’s website, GitHub, or the tool’s social media platform.

You may not always be able to know which method of feedback is preferred. If you do and you are comfortable or familiar with this method, contact the developers through this channel. If not, submit the feedback via the method with which you feel most comfortable. Submitting feedback via a less common channel is better than submitting no feedback.

To make things a bit easier, USABLE has put together a quick list of products that have been vocal about wanting feedback from their users. This list of tools can be found here.

Stamp for this activity:

Feedback Collection Certification

Fri, 31 Jul 2020 09:00:00 +0000

We are excited to offer a new AXIS Feedback Collection Certification. As part of our 2020 event, Axis: A Global Feedback Exchange for Trainers, Auditors, Designers, and Developers, we are bringing together key communities to map privacy and security tools being used by at-risk organizations and to identify concrete ways that we can support improvements to those tools.

During the convenings, participants will explore and provide feedback on existing feedback collection resources such as The UX Feedback Collection Guidebook, the Exploratorium, and more. They will map tools being used in at-risk communities, develop organizational archetypes and adversary personas, practice feedback collection activities, learn how to synthesize and prioritize feedback, how to share that information with tool developers, and more.

Each week of the convening offers participants a chance to collect stamps toward the Feedback Collection Certification by engaging and interacting with fundamental concepts important to understanding and implementing feedback within their communities.

Following the convenings, participants will be able to integrate feedback collection into their existing audits and/or trainings, resulting in actionable feedback that will be shared directly with tool teams and developers. Additionally, participants will have the option to apply for funding to put these skills into practice.

Individuals who receive this certification have the following qualifications:

Knowledge of Open Source Tools: Knowledge of open source privacy and security tools being developed and maintained, as well as an awareness of which at-risk communities are relying on these tools
Building Trust With At-risk Communities: Ability to connect and build trust with at-risk communities/users
Understanding User Experience & Human Centered Design: Understanding of human-centered design and user-experience
Tool-Specific Feedback Collection: Ability to collect tool-specific feedback during digital security trainings and/or organizational security audits (utilizing editable templates and activities for feedback collection)
Understanding the User: Ability to understand and capture user needs and challenges at the individual, organization, and/or community levels (and present in the form of personas, archetypes, user stories, etc.)
Understanding Adversaries: Knowledge of common adversary tactics and strategies
Synthesizing, Prioritizing, and Formatting Feedback: Ability to synthesize, prioritize, and format tool-specific user feedback
Communicating User Feedback to Developers: Ability to communicate feedback effectively to developers and/or tool teams
Virtual Engagements with Users: Understanding of how to facilitate feedback collection activities virtually
Networking: Access to a global network of digital security trainers, auditors, UX designers and accessibility experts, and developers

Human-Centered Design and User-Experience

Fri, 31 Jul 2020 09:00:00 +0000

Human-centered design is a principle that intentionally places humans, their needs, their concerns, and their experiences front and center when building a system. This system could be a piece of software or a product, but it could also be a process like conducting a security assessment or creating a resource for your community. Co-creation is an integral part of human-centered design, products and software that are collaboratively developed are more likely to meet the needs of a broader user base. Components of human-centered design include:

Building empathy with the users
Identifying needs based on observations, interactions, and user feedback
Creative ideation to solve challenges users experience
Prototyping without technical implementation
Testing to validate decisions made
Implementing based on findings during the testing phase
Observing and collecting more user feedback

User-experience, or UX, is a holistic way someone may experience the service, the product, or the system from all aspects - usability to information architecture and layout to things like likelihood of making a mistake or being able to recover from said mistake.

How are these two concepts related? If we are able to understand our users, or more importantly, empathize with them using human-centered design principles, we are often left with better results. Our products, services, processes, or overarching system will be more resilient and more effective in achieving their goals.

A key feature to both human-centered design principles and good user-experience is communicating with the user in the form of feedback. In the software development world, it is important to collect feedback early and often to avoid problems later on in the development lifecycle, For example, spending hours engineering a product without inputting user feedback into the process can result in a product that no one will use. Not only is it likely to be difficult for your users, but changes will be more costly if made at the end of the cycle rather than the beginning, when very little to any code is written.

By involving trainers in the feedback process through the activities in the UX Feedback Collection Guidebook, USABLE provides a space for tool developers to learn about specific threats faced by their users, the risks they take, and challenges they face, in addition to tool-specific feedback to improve the design for high-risk users. Likewise, it gives trainers and high-risk users a platform to share their feedback and lived experiences, while impacting security and privacy products their communities need.

To learn more, we recommend checking out:

Nielsen Norman Group https://www.nngroup.com/articles/design-thinking/ and https://www.nngroup.com/articles/definition-user-experience/
Ideo http://www.designkit.org/human-centered-design
Stanford University https://dschool.stanford.edu/resources/design-thinking-bootleg
SimplySecure https://simplysecure.org/knowledge-base/

Stamp for this activity:

Understanding Development Ecosystems & The Role of Trainers and Auditors

Fri, 31 Jul 2020 09:00:00 +0000

Though business models vary case by case, there are significant differences between the development ecosystems of closed source tools (many of which are private and commercial) and open source tools. By understanding the humans and processes behind the tool, we can tailor our feedback and maximize the impact of our usability and accessibility recommendations. This blog explores tool team structures, providing insight into the design and development processes they implement.

Understanding the Closed Source Ecosystem

Many of the most popular private sector tools are closed source and well resourced. Most of these tools have well-established business models (including paid services and advertisements) that provide significant funding streams. They often have large teams of people working on the tool, specializing in particular areas such as design, user-experience, or marketing. In addition to large teams of developers or engineers who are focused on back-end development, many private sector tools will also have entire teams devoted to user testing or providing support to end users.

In this ecosystem, end users are rarely engaging directly with developers. Feedback from users is filtered through multiple team members (user support, UX experts, designers, etc.) and is vetted at multiple levels before eventually being converted into specific edits or changes to the tool.

Additionally, these well-resourced tools often have offices located around the globe and can afford to conduct targeted user-testing if they are seeking input from a particular user group.

A few examples of Closed Source Ecosystems include:

Facebook
Google
Microsoft

Understanding the Open Source Ecosystem

Alternatively, many of the most-used and most-critical open source digital security tools are maintained and updated by “tool teams” rather than businesses or organizations. These ad-hoc groups have little if any institutional capacity, are often under-resourced, and have limited insight into the specific needs of at-risk users.

The survival of many of these tools is dependent on the dedication of volunteers, often working in their free time simply because they are passionate about the project. Some tools are developed and maintained by only one core individual. Additionally, these small teams seldom include specific UX, user-research, or design experts.

While USABLE has experienced great results with tool teams that have the capacity to address identified usability barriers, many tool teams simply lack the necessary personnel or organizational structures that would allow them to respond directly or even receive funding to support a response. This traps tool teams – and by extension, the community of high-risk tool users – in a vicious cycle of only being able to focus on the most immediate and urgent needs without being able to prioritize long-term usability or scalability improvements.

A few examples of Open Source Ecosystems include:

The Guardian Project
Mailvelope
KeePassXC

The Role of Trainers/Auditors

Given these ecosystems, relevant and synthesized feedback from at-risk users via proper channels is incredibly valuable, particularly for open source tool teams with limited capacity. Trainers, auditors, and other facilitators who engage regularly with at-risk users are uniquely positioned to serve as trusted intermediaries between end users and tool teams. Based on their in-depth knowledge of user needs and challenges, as well as their understanding of privacy and security tools, trainers and auditors are able to synthesize and prioritize feedback. By ensuring that tool teams receive high-quality feedback reduces the burden for development teams, particularly those that may have limited bandwidth and resources, and increases the likelihood of tool teams implementing meaningful usability and accessibility enhancements within the tools at-risk communities rely on.

Though resources and structures may vary, the important role that users play in each of these ecosystems is undeniable. It is critical that we continue to connect, build trust, and close the feedback loop between tool creators and end users. In the end, we are all part of the same ecosystem working towards a more usable and secure future.

Introducing ADOPTABLE

Tue, 07 Jul 2020 09:00:00 +0000

Introducing ADOPTABLE: Equipping at-risk organizations with localized expertise, resources, and tools to mitigate digital attacks

Human rights organizations around the globe continue to face ongoing and increasing digital security threats from state and non-state actors. ADOPTABLE (Adaptable Digital and Organizational Protections by Transforming and Building Long-term Ecosystems) is an Internews project designed to help these at-risk organizations access relevant resources (human, financial, and technical tools) that will allow them to continue to operate safely. Without access to local organizational security experts, usable security and privacy tools, buy-in from decision-makers, and support from funders to adopt stronger safety practices, the organizations and their beneficiaries remain at risk, as does their crucial work.

The project consists of four core components:

1. Expanding the capacity of regional and local partners to address organizational security risks

Internews will support experienced partners in Latin America, Sub-Saharan Africa, and Eastern Europe to become regionally recognized centers of expertise on organizational security and build out local and regional ecosystems of organizational security auditors. Partners will conduct Trainings of Auditors (ToA’s) to train and/or upskill local security auditors in their regions on the SAFETAG framework. These newly trained auditors will work with experienced auditors to gain first-hand experience in conducting audits, while also collecting feedback on organizational security tools being used by at-risk organizations. To improve the scalability of this localization of expertise, Internews is also working to improve the SAFETAG onboarding and training process and make the framework more accessible by developing a new interface. More on that process here.

2. Improving the adoption of organizational security practices within at-risk organizations

Internews will fund at least 5 audits or engagements in each of the three target regions. At-risk organizations will undergo a full security audit and receive a detailed Risk Reduction Plan (RRP), which outlines tangible steps they can take to mitigate their risks. Even after a security audit, Internews has found that many organizations lack the resources needed to implement the recommendations provided by an expert. Without the ability to implement these changes, organizations are no more secure than they were before an audit. Internews will ensure that these organizations are able to implement the recommended changes by providing direct financial support after the audits. A variety of mitigation efforts may be eligible for support, including trainings for organization staff, facilitation of a security service by a third party, or the purchase of software and hardware.

3. Developing and enhancing feedback collection mechanisms to ensure at-risk users have a voice in the design and development of open source privacy and security tools

As part of the USABLE approach, Internews created feedback loops between at-risk users, digital security trainers, and open source tool developers. Internews will continue to collect feedback from at-risk individual users, while also expanding to capture organization-wide feedback on security and privacy tools. Most notably, the USABLE approach will be integrated into the SAFETAG framework, allowing SAFETAG auditors to identify gaps and usability issues with privacy tools being used at the organizational level. Through virtual Cross-Regional Convenings, Internews will work with partners to update the activities in the UX Feedback Collection Guidebook, develop organizational archetypes to further build out our library of user personas, and map the current landscape of open source tools being used by at-risk communities around the globe. Following the virtual convenings, Internews will launch a pool of funding for trainers and auditors to integrate feedback collection activities into their digital security trainings or organizational audits. The high-quality feedback collected during these engagements will be shared with developers through their preferred channels. Key communities will convene once more at the end of the project for the third UXForum to continue devising ways to scale and sustain feedback loops.

4. Enhancing the usability and accessibility of open source privacy and security tools

Internews will launch the third round of the UX Fund. This funding pool will provide support to privacy and security tool teams, enabling them to work with UX and accessibility experts to implement human-centered, usability-focused tool improvements. These changes will ultimately strengthen the tools, making them more secure for the at-risk individuals and organizations who need them the most.

Ultimately, we believe that with more localized tools and stronger local support, at-risk organizations will be better equipped to withstand the digital attacks and surveillance they currently face.

IFF OrgSec Village: Day Five

Mon, 15 Jun 2020 09:00:00 +0000

IFF OrgSec Village

Internews is hosting the virtual Internet Freedom Festival (IFF) Organizational Security Village throughout this week (June 8-12)! The event is bringing together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

Day 4

Sessions on Day 5 focused on funding OrgSec work and Monitoring & Evaluation. Highlights from Day 5 of the OrgSec village included:

A discussion around how small, local digital support initiatives can fund digital security assistance for nonprofits through strategic networking.
A brainstorm around ways to better support digital security programs through informing and coordinating with donors.
An open dialogue on evaluating audit success from an auditor’s perspective.
A presentation of frameworks to measure the impact of organizational security work.

Key Takeaways

Key takeaways from the discussions included:

Securing funding is a challenge for OrgSec practitioners. Organizations need to better incorporate digital and organizational security into their budgets and marketing and communications plans. More broadly, there is a need for coordination within the local and international OrgSec community to promote knowledge sharing and establish partnerships in order to educate and coordinate with donors more effectively. Donors also need to adopt digital security practices that allow them to engage with organizations and support their work safely.
Community members debated the value of establishing certifications or skills qualifications for work in the space in order to reduce the reliance on trust networks. This could reduce barriers to funding and opportunities for work for new practitioners who may be less known to both funders and at-risk organizations seeking support. However, establishing community-wide agreed upon standards and mitigating the substantial additional barriers to entry (e.g. cost, training opportunities and locations, personal and unfunded time) caused by any such certification system pose a formidable challenge.
Measuring the impact of OrgSec programs is important in order to evaluate and improve approaches and communicate success to donors. While it is easy to focus on measuring purely digital risk, is it important to bear in mind that effective OrgSec should take a holistic approach also incorporating psychosocial support and physical aspects.
Whether to evaluate OrgSec interventions using shared community standards or by measuring change within an organization and against its own threat model continued to inspire debate among community members. The Engine Room shared a Monitoring and Evaluation Framework for Organizational Security - which takes the latter approach - for practitioners to adapt for their own M&E practices.

Thank you for participating in the OrgSec Village! If you;d like to continue the conversation, head to https://orgsec.community/display/OS. We will be posting shared notes from the event on the wiki!!

IFF OrgSec Village: Day Four

Thu, 11 Jun 2020 09:00:00 +0000

IFF OrgSec Village

Day 4

Sessions on Day 4 focused on responding to advanced threats. Highlights from Day 4 of the OrgSec village included:

A conversation on community insights to improve automated threat modeling, gathering inputs from a diverse range of individuals and groups regarding the threats they face.
A session demonstrating how to build a threat lab with your bare hands . . . and a laptop.
An overview of digital threat information sharing for human rights.

Key Takeaways

Key takeaways from the discussions included:

Threat detection isn’t only about fancy technology! A lot of endpoint detection is process and practice-oriented. Impressing the importance of antivirus and software updates, teaching partners what abnormal activity looks like, or making sure they know the process for calling first responders takes training, process development, and awareness raising.
Trust is a key component of threat information sharing. Knowing who and where to share information about threats requires personal connections and existing trust relationships, which can feel like a barrier to entering the space. But community networks like the Computer Incident Response Center for Civil Society (CiviCERT) and information sharing standards such as the Traffic Light Protocol (TLP) can lower barriers and facilitate sharing through established community standards.
Getting started in threat analysis requires trust, skills, and time. Though you will eventually need computers powerful enough to run virtual machines, more advanced skills, and connections to other researchers and communities like CiviCERT, don’t be intimidated by the technical jargon! All it takes to get started is a willingness to learn.
Human rights advocates are facing attacks such as phishing and publication of their identifying details by government or state-sponsored adversaries that are based on online open source intelligence (OSINT) gathering. When threat modeling, it is important to identify the types of public data that makes you vulnerable and that adversaries may try to exploit.

Join us for the final sessions this Friday, with a focus on assessing impact and funding organizational security!

IFF OrgSec Village: Day Three

Thu, 11 Jun 2020 09:00:00 +0000

IFF OrgSec Village

Day 3

Sessions on Day 3 continued to explore examples of OrgSec in Practice. Highlights from Day 3 of the OrgSec village included:

A collective discussion around what we mean as a community when we say OrgSec Crisis Response, and how we can provide comprehensive crisis response support.
An informal session sharing practitioners’ experiences conducting Remote Organizational Assessments, Remote Tech Assistance, and other remote interventions.
A case study of one organization’s experience launching a Website with Digital Security Instructions and the unexpected ways audiences used it.
A presentation on the RAWRR (Risk Assessment Workflow Recommendation Roadmap) tool for documenting security assessments, risk modelling, recommendation development and implementation monitoring.
A review of Security Governance in CSOs exploring ways to scale policy development approaches to different sizes, capacities, and complexities of organizations and communities.

Key Takeaways

Key takeaways from the discussions included:

Remote interventions do work, but require more time and preparation than face-to-face support. Remote interventions can save time and money spent on travel, and can be the right format for rapid response or consultations (especially when trust is already established) as well as for facilitated online learning. However, they require significant time investment, and present numerous additional challenges. For example, remote trust building is tricky, and many people are uncomfortable enabling remote device access. Technical barriers like poor internet connectivity or lack of tech skills among staff may emerge. Finally, it is impossible to provide full technical support if something goes wrong that can’t be fixed remotely.
Web-based digital security guides are not dead (but keep them simple)! Websites with complicated interactive guides addressing specific threat models don’t get sustained engagement and are difficult and expensive to maintain long-term. In contrast, sites with a set of searchable, specific, and updated instructions for different tools and cases can be a useful resource for post-audit and training communications and remote support and incident response. In addition, they are easier to keep up-to-date.
It’s crucial to tailor security audit reports to the audience in mind. Whether the report is for management or IT staff with technical know-how will dictate the specificity and structure of the report. There was community consensus that risk should be the focus of audit reports. Shorter reports focusing on action steps may be useful for organizations with limited bandwidth and interest in holistic security; in-depth reports detailing the process and connecting recommendations to risk are a more useful resource for organizations wishing to replicate the process down the line or build their own internal digital security expertise.
When developing organizational security policies, don’t start from scratch! There are many existing policy frameworks for practitioners to draw upon when assisting civil society organizations. Start with SOAP, SDA, and resources from Access Now and the OrgSec Wiki.

It’s not too late to register!

It’s not too late to register! Join us for more sessions throughout the week on OrgSec in Practice, Advanced Threats, Funding Models, and more! Register here!

IFF OrgSec Village: Day Two

Wed, 10 Jun 2020 09:00:00 +0000

IFF OrgSec Village

Day 2

Sessions on Day 2 explored examples of OrgSec in Practice. Highlights from Day 2 of the OrgSec village included:

A collaborative survey of the OrgSec Community’s Response to Emerging Crises.
A presentation of work carried out with the Mechanism for the Integral Protection of Human Rights Defenders and Journalists in Mexico City, including a typology and workflow for the diagnosis of digital incidents.
A discussion around Non-technical Due Diligence when choosing security tools and services, exploring questions on jurisdiction, open sourcing, and reputation.
An exploration of alliances as a support mechanism to guarantee the Digital Security of Human Rights Defenders Working in Civic and Internet Repressive Environments.
A step-by-step playbook of the OrgSec Audit Process in different contexts.
A hard look at how Digital Security Trainings Can Do More Harm than Good.

Key Takeaways

Key takeaways from the discussions included:

Cross-sector partnerships can expand OrgSec support. At times, it can be advantageous for organizations providing digital security support to at-risk communities to coordinate with government agencies offering similar support mechanisms. Traditional training methods combined with local and federal protection mechanisms allow for maximum protection for those communities who are most at-risk.
Approaches to OrgSec must be adapted to the local context or threat model. What may be a serious threat to one organization, may not be to another. When working with an organization, it is important to understand the threats that are relative to their work and/or location. What are the risks that they face? What has been happening to similar organizations in the region? It is not a one-size-fits-all approach, but rather needs to be tailored to the needs and capacity of each organization.
Empower organizations with the knowledge and guidance to understand and mitigate their risks. Security can be overwhelming, particularly for less-technical users. It is critical for an auditor or trainer to focus on the how and why and not just the end result. The more organizations understand, the more confident they will be. This will better equip them to replicate the process in the future. Accessible language and easy to navigate guides and checklists can facilitate this sharing of knowledge.
Know when your support does more harm than good. Digital security trainings are helpful – except for when they’re not. As an auditor or trainer, it is often difficult to find the time needed to properly onboard organizations to the security practices they need. Behavior change takes time and cannot be accomplished in a two-hour training session. There is no guarantee that the organization will continue to properly use (or use at all) a tool or software installed or downloaded during the training. OrgSec practitioners must be aware of these limitations, as insufficient training or support may lead to a false sense of security and can ultimately put the organization at a greater risk than they were to begin with.
SAFETAG is meant to be a general framework. The SAFETAG framework serves as a toolbox, or collection of relevant tools and activities that can be used to conduct an organizational security audit. When planning for an audit, the auditor must select which tools and activities are most relevant based on the local context, size of the organization, and resources available. Some activities may be too complicated or irrelevant. You do not need to complete every activity in the SAFETAG framework!

It’s not too late to register!

It’s not too late to register! Join us for more sessions throughout the week on OrgSec in Practice, Advanced Threats, Funding Models, and more! Register here!

IFF OrgSec Village: Day One

Tue, 09 Jun 2020 09:00:00 +0000

IFF OrgSec Village

Day 1

Sessions on Day 1 centered around diverse approaches to OrgSec adopted by practitioners in the community. Highlights from Day 1 of the OrgSec village included:

A co-creation session on making Organizational Security Community Spaces more Useful, Inclusive, and Resilient.
A discussion on ways to Scale Organizational Security Assistance.
A session on Strategies to Avoid Dependency and Deliver Lasting Change through OrgSec interventions.
A conversation around the Importance of Long Term Support and Engagement beyond digital security assessments in delivering organizational change.

Key Takeaways

Key takeaways from the discussions included:

The goal of OrgSec work is to make itself obsolete! While it is easy to focus on tangible outputs like audits or reports, most auditors and trainers prioritize increased internal organizational security expertise and decreased dependence on external security help. Effective strategies include finding digital security champions within organizations and building capacity in the surrounding community. Building the confidence and ability of those in the organizations to put digital security into practice is just as important as hardening their digital security.
Organizational Security assistance is not being made available to those who need it the most. In the US and globally marginalized communities facing the greatest threats are also those with least access to critical digital security resources (both human and financial). It is imperative to address this fact when designing programs and change the language we are using to be more inclusive of these communities.
A security audit or assessment is just the beginning! Most organizations need long-term support to make an effective change in their practices and harden their defenses against digital security attacks. Despite this, funding structures supporting current OrgSec work are not conducive to long-term engagement. Practitioners need to consider how to bake sustainability and long-term support into program design.

It’s not too late to register!

It’s not too late to register! Join us for more sessions throughout the week on OrgSec in Practice, Advanced Threats, Funding Models, and more! Register here!

Join us for the IFF Organizational Security Village!

Tue, 26 May 2020 09:00:00 +0000

IFF OrgSec Village

Internews is excited to announce that we will be hosting a virtual Internet Freedom Festival (IFF) Organizational Security Village from June 8-12. This event will bring together security auditors, digital security trainers, and other experts and practitioners for a five-day program of over 20 community-led sessions exploring five major themes in organizational security.

Virtual Village Format

Based on feedback from the community, we have decided to host live sessions during the week, with each day of programming beginning around 12:30 UTC, and ending no later than 20:00 UTC. Each session will last approximately 50 minutes, with a short break in between sessions. We will be sharing a schedule and additional information on each session prior to the event. You are invited to join as many or as few sessions as you would like!

We recognize that some folks may not be able to join due to timing or prior engagements. To ensure that everyone has the opportunity to contribute in some way, non-attributed, editable notes from each session will be made available. We will also use the IFF Mattermost for asynchronous collaboration and networking. If you do not have an IFF Mattermost account, please email team@internetfreedomfestival.org.

Registration and CoC

Please let us know you will be attending by registering here: https://docs.google.com/forms/d/e/1FAIpQLSd_vzeIABKyYt1pMiq4_Ka-Ffk8kcjGmHnJQw9-n2UCfjAbig/viewform.

We ask that you register even if you are only able to attend a few days or sessions. Event access details will only be shared with registered participants. Please also complete the registration form if you are not able to join the live sessions but would like to review notes or contribute asynchronously.

This event will follow the IFF Code of Conduct.

Community Call for Feedback!!

Wed, 13 May 2020 09:00:00 +0000

Last month, we shared that we would be updating the visual identity of SAFETAG, including the development of a new logo, color-scheme, and iconography. We are excited to share that we will be working with Tafka, a design collective based in Mexico, and are officially starting the re-design process!

Why re-design SAFETAG?

We have decided to re-design SAFETAG to provide a more cohesive and recognizable brand. The new digital assets will be used across the website, interface (more details below), and all other SAFETAG documentation. Our hope is that this new design will make content more accessible for users, particularly new auditors that may have previously struggled with navigating through the framework.

New Interface (coming soon)

In addition to the re-design, we are working with a development team to build a new SAFETAG interface that is easier to use and more accessible for both new and experienced auditors. The new interface will allow auditors to generate “playlists,” or collections of audit activities, tailored to a specific type of organization or risk environment. These customized and shareable playlists can be stored for future reference or shared with other auditors working in similar contexts. We are expecting to launch the new interface during the late summer or early fall of 2020.

We need you!

In order to make sure that the new design reflects the needs of the SAFETAG community, we would like to invite all SAFETAG users, both new and experienced, to share feedback with us. We will be holding two open community calls on May 19, 2020 at 10:30 am ET and another on May 21 at 9:00 am ET. Please let us know you will be attending one of the calls by registering here. We will be sharing details for joining the call directly via email with those who RSVP.

In addition to the community feedback calls, we would also like to invite community members to complete a short survey. This 20-question survey will allow us to collect any ideas and feedback you may have and provide space for those who may not be able to join one of the community feedback calls to share thoughts asynchronously. We look forward to hearing from you and incorporating your thoughts and feedback into this design process!

Apply to Participate in Upcoming Cross-Regional Convenings!!

Fri, 03 Apr 2020 09:00:00 +0000

This year, Internews will be hosting two Cross-Regional Convenings to bring together digital security trainers, SAFETAG auditors, usability and accessibility experts, and tool developers to map privacy and security tools being used by at-risk organizations and to identify concrete ways that we can support improvements to those tools.

Over the past few years, we have worked with the Internet freedom community to develop a variety of activities for trainers to deploy during digital security trainings to collect tool-specific feedback and critical information about at-risk users. We have also compiled useful information on how to identify open source tools interested in feedback, connect with tool developers, and format and prioritize recommendations. All of these activities and resources can be found in the UX Feedback Collection Guidebook. Internews partner Okthanks also developed a set of activities to facilitate a participatory design and development process. Those activities can be found in the Exploratorium. These activities are for the community and any feedback or additions to the collection (or Exploratorium) are highly appreciated. The Cross-Regional Convenings will build on this work, expanding the number of individuals trained in feedback collection and increasing the number of tool teams implementing usability and accessibility improvements.

During the convenings, attendees will:

Review and provide feedback on the UX Feedback Collection Guidebook, the Exploratorium, and other existing activities and resources;
Develop new content and resources focused on capturing feedback at the organizational level;
Map the various tools that at-risk communities and organizations are using and their reasons for doing so;
Document the specific challenges that organizations face, such as sharing passwords or using tools for collaboratively editing documents; and
Make meaningful connections with individuals across sectors.

Following these convenings, Internews will open a small pool of funding to support digital security trainers and SAFETAG auditors wishing to collect feedback within their communities, with an emphasis on trainers or auditors working long-term with at-risk organizations and communities. With funding support through this mechanism, trainings and audits will incorporate creative and effective feedback collection methods to obtain actionable feedback about the privacy and security tools being used in the field.

Simultaneously, Internews will work with trainers and auditors to identify relevant open source privacy and security tools to receive funding to implement the specific usability and accessibility improvements requested by the at-risk communities.

At this time, we are planning to hold certain sessions of the Cross-Regional Convenings virtually over the summer (June-July 2020). If it is safe to do so, we hope to facilitate the remaining sessions at two in-person engagements, hosted between August-October 2020. Participants will only be expected to attend one of the in-person convenings and all associated costs will be covered by Internews. We will continue to provide updates and potential dates and locations for the convenings as we have them.

How to Apply

If you are interested in participating in these convenings, please apply here!

Any and all skill-levels and backgrounds are invited to apply. Whether you have previously participated in a UX event hosted by Internews or you are new to the human-centered design space, there will be relevant programming for everyone.

Please also note our Code of Conduct.

Please submit applications by May 15, 2020.

Bridge Usability and Organizational Security at the Internet Freedom Festival's first-ever Organizational Security Village!

Mon, 20 Jan 2020 09:00:00 +0000

Internews is pleased to host the Organizational Security Village at the Internet Freedom Festival this year. This two-day event (April 23 and 24) will bring together digital security trainers, security auditors, and other experts and practitioners for lightning talks, interactive workshops, collaborative discussions, and relevant hands-on labs and skill-shares.

Add Usability to the Agenda!

In addition to some more traditional “OrgSec” ideas for this village; we are seeking specific user feedback on both the SAFETAG framework (how it works, how the content is presented, etc.) and are also looking to identify critical usability gaps in organization-level security tools - what is needed and how are organizations currently managing secure collaboration needs?

Please complete this application to propose sessions or topics that you would like to explore further. Deadline for submission is February 28, 2020. All selected submissions will be notified by March 20, 2020.

We look forward to seeing you there!

From the Guidebook: GitHub for Non-developers

Fri, 04 Oct 2019 13:50:48 +0000

GitHub is a powerful tool developers use for version control and storing their code in an open and transparent way. However, this platform is complex with many different features that can be daunting for the non-developer. The USABLE team has worked with partners to try to break down several GitHub features in a way that makes the most sense for non-developers, reviewing only what is needed to investigate a tool and to provide critical user feedback.

Note that many of these approaches also work fot GitLab and many other code management platforms!

There are three key ways that non-developers can use GitHub:

To check if a project is active
To investigate who is contributing to the code
To directly share feedback with developers

Before collecting feedback, it is essential that you make sure the project is still active and that someone is actively maintaining or updating the code. A quick search for a tool on GitHub can lead you to the project’s repository. From there, the “Insights” tab provides additional information about the authors contributing to the code, the date of the last release or update, as well as any outstanding issues.

Developers that have previously worked or are currently working on the project are identified as “Contributors.” The profiles of these developers can be found under the “Contributors” tab, which is under the larger “Insights” tab. Each profile captures the contributors work on the project over time, and any other projects or repositories that they work on. Additionally, some developers will include contact information on their profiles, such as their email address or Twitter handle.

GitHub can also be used by non-technical users to submit feedback directly to developers via issues.

An issue is a term GitHub uses primarily as a “bug tracker”, meaning if you encounter a problem with the software, you can submit an issue and the developers (who are in theory monitoring the issues in the queue) will address them according to their internal process and priority level. All issues are public, so this can also be a space to see what challenges or requests other users are submitting. More on GitHub issues can be found here: https://guides.github.com/features/issues

Learn more! Download the UX Feedback Collection Guidebook: Integrating Feedback Collection from High-risk Users into Existing Training Practices

From the Guidebook: Communication Channels for Sharing Feedback

Fri, 04 Oct 2019 10:50:48 +0000

After collecting or documenting user feedback, it is important to select the proper channel of communication for sharing it with the developer(s). Each tool team has a preferred channel for communication. Researching these channels in advance allows you to ensure that you are communicating with the developer or tool team in the most effective way possible. The USABLE team has compiled some of the main channels tool teams prefer to receive feedback or connect directly with users below.

In-app/In-tool: Some tools also offer avenues to provide in-app or in-tool feedback. There may be a chat feature, quick survey, or entire page dedicated to collecting user feedback within the tool.
Via the tool’s website: Some tools have specific instructions or contact preferences that they list on their website. Do your best to follow these instructions when you can; but also keep in mind that many of these instructions or forms presume that you are reporting a specific “bug” in the tool about something going wrong, as opposed to suggestions to improve the usability or request a new feature. They may not all be applicable or even possible to follow - and that is OK, but it is important to try to provide the data they request when they specify it or explain why you cannot.

Learn more about using GitHub at https://usable.tools/blog/2019-10-04-guidebook-github/

GitHub and other issue or ticket tracking systems: Many tool teams store their code on GitHub (https://github.com). The platform can be used to identify which individuals are contributing to the code and to share feedback directly through the submission of “issues.” Other tools use other platforms to help them track, prioritize, and discuss issues and feature development (Tor, for example, has a very active issue system at https://trac.torproject.org/projects/tor/query, and enigmail uses SourceForge for its system: https:// sourceforge.net/p/enigmail/bugs/).
Email: Tool teams typically have a general email account for the tool or project. Some also post the PGP key associated with the account so users can send encrypted emails. Individual developers may also post their personal email accounts.
Social Media: Several tools have social media accounts, such as Twitter or Facebook, where they post updates and engage with users. Look on the tool’s website or in their profile on GitHub, but be respectful of developers who keep their personal social media accounts separate from their tool development work.

Learn more! Download the UX Feedback Collection Guidebook: Integrating Feedback Collection from High-risk Users into Existing Training Practices

From the Guidebook: Tips for Communicating with Developers

Fri, 04 Oct 2019 09:50:48 +0000

Given that many non-technical people do not have experience communicating with developers, the USABLE team worked with partners to compile this list of give quick tips for engaging. Note, it is not mandatory to follow each item step-by-step. The list is meant to give a quick and overarching view of tried and true methods when communicating with the open source developer community.

"USABLE conferences are the biggest opportunities we've had to get usability feedback directly from impacted users, trainers, and communities."
-- Rob Hansen of Enigmail and GnuPG

Check to ensure someone is actively updating the project. If a project has not been worked on for several months, or even years, this should indicate the project is no longer active or the developers may be less receptive to feedback.
Always be respectful and highlight features that you appreciate or value, as well as improvements that could be made.
Establish a personal connection with the developer.
Use a story or scenario to illustrate why your request/feedback is important.
Explain how the design change will impact real end-users, or how the current feature has endangered end-users.
Find the proper channel to communicate with the developer. This may be via email, GitHub issues, or some other channel.
Some tools have guides on what specific feedback they are looking for and what format they prefer. Research and try to follow these recommendations.
Document the steps you took that led to the issue. This is important for developers, as they will try to repeat the problem. * Take screenshots or gifs of the problem. Write out a detailed description. Prepare a user story for the specific issue. Keep logs of how often the issue occurs or the number of people impacted.
If you know how to use GitHub, see if your issue or concern has already been documented. Offer specific suggestions around how the tool could be improved.
Advocate for more secure and user-friendly tools. Enlist other users to help make your case to the developer.
Follow-up with the developer. This can be a quick thank you or a general check-in on progress.

Learn more! Download the UX Feedback Collection Guidebook: Integrating Feedback Collection from High-risk Users into Existing Training Practices

VLog Q&A with the OKThanks team

Thu, 03 Oct 2019 17:00:00 +0000

This month, we are taking some time to catch up with our UXFund grantees, and learn a little more about their organization.

Q&A with OKThanks

OKThanks is an organization that focuses on user experience and human-centered design. The USABLE team is thrilled to have worked with them over the last year. As part of our Q&A series, we are excited to share with you a little bit more about their team and organization. Listen to the interview below!

You can download the MP3 interview

Transcription coming soon!

Launch of the UX Feedback Collection Guidebook

Thu, 03 Oct 2019 16:50:00 +0000

Today, we are excited to release a compilation of these activities and resources, the UX Feedback Collection Guidebook: Integrating Feedback Collection from High-risk Users into Existing Training Practices.

The USABLE project aims to close this gap by establishing feedback loops between the communities who make the tools and the communities who use them.

Since 2015, USABLE has worked with over 50 trainers from around the globe, 11 designers and UX experts, and 7 open source tool teams who build products that focus on privacy and security for high-risk communities to develop and test feedback collection activities. The goal was to identify straightforward and time-efficient activities and resources that would allow digital security trainers to integrate feedback collection into their existing training frameworks. When done effectively, the process of capturing and sharing feedback can transform the design and development of the most commonly used privacy and security tools for high-risk users.

The guidebook is broken down into four thematic sections:

Part I: Collecting Feedback to Better Understand the User
Part II: Collecting Tool-specific Feedback During Trainings
Part III: Collecting Feedback Outside of Trainings
Part IV: Communicating with Developers and Tool Teams

From background information to facilitation guides to editable templates, the guidebook provides trainers and facilitators with the resources required to effectively collect, synthesize, and share valuable feedback from high-risk users with tool developers.

Further details and the full guidebook can be found at https://usable.tools/guidebook

This content is available as a CC-BY 4.0 International license.

Q&A with Accessibility Lab

Wed, 02 Oct 2019 14:00:00 +0000

This month, we are taking some time to catch up with our UXFund grantees, and learn a little more about their organization.

Q&A with Accessibility Lab

Q: How did you become involved with this project? What are your motivations for this work?

A: I became involved when I saw the challenges and barriers that my friends with disabilities had using the internet. My motivation is to increase awareness about digital divide and inclusion of people with disabilities, so they can have equal access to Information and Communication Technologies and better opportunities in education and employment.

Q: How large is your team? Who else is working on the project (full-time, part-time, etc)? How often do you connect and via what channels?

A: Normally we are 6 people:


Nancy Reyes Trainer and Accessibility consultant	Gabriel Fernández Developer	Alberto Arellano Manager	Cris Bori Public Relations	Pedro Bori Head of Training and Designer	María Martínez Trainer and Usability consultant

The developer and I are full time and the rest of the team is part time, depending of the budget and projects we have. Sometimes we have more people on the team, for example, more designers, more developers and more people with disabilities (visual and motor disability). We connect every day. Almost all is online, by mail, by phone, whatsapp, Jitsi Meet, etc. Sometimes we meet physically but not always is necessary.

Q: Why do you think it’s valuable to engage with users?

A: Because from the accessibility perspective, users with disabilities will offer the best feedback to understand their experience in the usability and accessibility of any digital content. A designer or developer will understand the importance of their work and see the difference between being able to use it or not at all independently.

Q: What is the best way for users/trainers/tool teams to connect with your team?

USERS: testing and sharing feedback about the webpage, app or tool.
TRAINERS: being updated about international standard and new technological solutions.
TOOL [Developers]: we can work with any tool to see if it is accessible or not, from a technical and non-technical perspective.

Q: What role do trainers play in the feedback loop? How do you view trainers?

A: Trainers have a very important play because they share knowledge about international standard, best practices, solutions and other relevant information so more people can develop accessible websites and apps.

It is not just about increasing awareness about the digital right of web accessibility, but to offer solutions, tools and knowledge to improve web accessibility and create accessible websites and apps in the future.

Q: Has your team ever used personas to inform design or development?

A: We always use personas to test accessible websites or make audits and offer feedback. Our personas are most commonly blind people and people with motor disability.

Q: Where can people look to learn more about accessibility?

Q: What are the top five things to consider when designing a site or tool with accessibility in mind?

Provide text alternatives for any non-text content.
Provide alternatives for time-based media, like transcripts, captions, audio-descriptions and sign language.
Make all functionality available from a keyboard.
The visual presentation of text, images of text and user interface components must have enough color contrast.
Make forms with accessible structure and labels relationships for users with assistive technology.

Q: What are the future plans for your team?

Continue with our consultant services and trainings for private sector, government and universities.
Free or very low-cost trainings for final users.
Evaluate the accessibility of websites and apps considering the experience of users with disabilities as an awareness campaign.
Create a digital accessibility observatory.
Start providing digital accessibility certification:
To companies and government websites (through a civil organization)
To individuals like designers and developers (through IAAP)
Continue with networking sessions inviting people and companies that want to collaborate.
Create an alliance with the federal office that reviews the implementation of accessible web content with the purpose to certify each government office with the law requirements of web accessibility.
Create video interviews and infomercials with the testimonies of people who have had the benefits of the web accessibility.
Obtain the certification from the International Association of Accessibility Professionals (IAAP) for all their team members:
Certified Professional in Accessibility Core Competency (CPACC) for administrative staff and,
Web Accessibility Specialist (WAS) for technical personnel
Start providing information and content for other countries around the world.
Organize the first “Global Festival of Universal Design and Digital Inclusion”.
Finish our online course about Web Accessibility in Spanish.

Q&A with the KeePassXC team

Wed, 02 Oct 2019 11:00:00 +0000

This month, we are taking some time to catch up with our UXFund grantees, and learn a little more about their organization.

Q&A with KeePassXC

Q: What is your tool? And what is your role?

Screenshot from KeePassXC

A: KeePassXC is an open source, offline password management tool that is available for Windows, Linux, and macOS. Our key features include the most secure encryption available on the market, Auto-Type technology, randomized password and passphrase generation, browser integration, and full compatibility with other KeePass-based tools. We also support several operating system integrations and advanced features for our more technical users.

Since forking from KeePassX in October 2016, we have released four major and fifteen minor versions that have introduced significant capability, usability, and security enhancements. Full source code, issue and feature tracking, and integration reviews are handled openly on GitHub. I co-lead the project development and direction along with Janek Bevendorff (phoerious).

Q: Why should people use a password manager? How can users use KPXC to make their lives easier/be more secure?

A: A password manager is necessary to ensure you have randomized and unique passwords for every service you log into. This is important because you don’t want a breach of one service to also compromise your security elsewhere. It is impossible to remember unique logins that are complex enough to be resistant to hacks. KeePassXC not only stores this information for you, in a secure way, but it also fills in that information for each site you use automatically.

Q: How did you become involved with this project? What are your motivations for this work?

A: I had originally just wanted to bring the browser integration feature to the latest version of KeePassX since I was using it daily. However, it became clear that the original maintainer did not have the time to focus on the application and it was aging quickly. I made the decision to branch from that project, incorporate my work, and bring over all the pending bug fixes and features that the community had contributed over the years, but were never incorporated.

This created an outpouring of support and recognition from the large number of users who were excited to see their favorite tool get even better. I was deeply motivated by the energy and enthusiasm of the community, which has grown every year since we first launched. I am inspired by the diverse groups that use KeePassXC daily to keep their lives secure.

Q: How large is your team? Who else is working on the project (full-time, part-time, etc)? How often do you connect and via what channels?

A: Our core team consists of six individuals who live all over the world; we are all volunteers and work on this project in our free time. Janek and I lead the project by curating our release roadmap and rigorously reviewing code submissions prior to acceptance.

We have four feature maintainers who are largely responsible for their major contribution to the project. These include the browser extension, command line interface, and SSH agent. We also have a large community of beta testers and deployment specialists who help us roll out releases on a regular basis. It truly takes a small army to keep the project rolling due to our security-centric nature and wide distribution channels.

Q: Why do you think it’s valuable to engage with users?

A: Our application was specifically setup to incorporate user feedback and best practices. The ‘C’ in KeePassXC stands for Community. Users provide us issue reports and feature requests daily. These directly inform development decisions and benefit everyone.

A: Users should register a GitHub account, it is free, and submit an issue through our project page. If they do not want to do that we will accept feedback through our email at team@keepassxc.org.

Q: How has feedback previously been incorporated into development?

A: We have over 2,000 closed issues and 900 merged pull requests. These range from simple bug fixes to major new features. The vast majority have been submitted by our user base in both written and code formats.

Q: Has your team ever used personas to inform design or development?

A: We have not specifically used personas, but we do consider the end user when implementing features. This is something we will investigate doing in the future as part of our pull request process for major features.

Q: What are the future plans for the project?

A: Our next major release is version 2.5.0 which incorporates several user interface and accessibility fixes. This release also includes significant improvements to the command line interface and browser integration plugin. The next major release will focus on user interface workflow and styling.

UXFund: SecureDrop

Tue, 01 Oct 2019 14:30:00 +0000

SecureDrop is an open source software platform that allows secure sharing and communication between journalists and their sources. Under the UXFund, Internews contracted an individual UX designer to work with the SecureDrop team to support the creation of a user-friendly, integrated SecureDrop workstation.

After ongoing iterative testing of prototypes, the designer provided experience recommendations with many focused on accessibility such as updating the color palette and typography to improve contrast and legibility, making the header text more intuitive, and enabling keyboard navigation. Additional recommendations can be seen at https://github.com/freedomofpress/securedrop-ux/issues/42.

The designer also met with the project team via video conference to present the workstation client visual design, including explorations for how to carry newly resolved branding into web user interfacess for the Source and Journalist experiences. A screenshot of the client prototype can be seen below.

UXFund: Mailvelope

Tue, 01 Oct 2019 14:00:00 +0000

Mailvelope is a free software for end-to-end encryption of email traffic which is integrated within browsers as an extension. Through this round of the UXFund, Mailvelope was able to release the latest version of the tool with user-experience (UX) and user-interface (UI) changes that were recommended by a team of UX designers as well as accessibility updates that were recommended by Accessibility Lab.

Some of the maintenance updates they made through this grant include the ability for the user to:

Upload and delete keys to the Mailvelope key server within the keyring UI,
Change the key password,
Create revocation certificates and upload to key server,
Change user ID, name, and email, and
Set a new expiration date for the key.

f209, a team of UX designers, provided Mailvelope with design proposals for the application and website, ultimately leading them to not just optimize certain parts of Mailvelope, but instead rebrand completely to provide one consistent and improved user experience. Taking these recommendations, along with those from Accessibility Lab’s audit reports, Mailvelope redesigned some of their major interfaces, including: the Mailvelope editor integration in Gmail with improved attachment handling, the file encryption UI, the Mailvelope website, and the extended key maintenance features.

Additionally, Mailvelope was able to reimplement the layer that is used to integrate with the mail provider website. For the users of mail providers such as Gmail, this has the following benefits:

Better performance: Mailvelope requires less resources to scan the mail provider page for PGP messages. The detection is also much faster. Instead of an up to 2 seconds delay required to detect a message in the previous version, there is now an instant detection.
Better compatibility: More mail providers are supported, and several message detection corner cases have been fixed.
Instant decryption: Mailvelope will now instantly decrypt messages without additional user action, since the user’s private key is in the password cache.
Improved usability: The editor button now has an animation and the words “Write secure email”, helping the user understand the functions of the button.

The file encryption user interface in the Mailvelope app has also been redesigned, providing a separate section for encryption and decryption in the top-level navigation. Text and file encryption have now been integrated into one UI, with the signing of data supported across all encryption processes.

Using last quarters accessibility recommendations from Accessibility Lab, the Mailvelope team has also applied recommendations, improving accessibility and design of the Mailvelope website:

UXFund: The Guardian Project

Tue, 01 Oct 2019 11:00:00 +0000

The Guardian Project is a global collective of software developers, designers, advocates, activists, and trainers who develop open source mobile security software and operating system enhancements. Orbot is a free software Proxy server project which allows Android users anonymity on the Internet. Orbot uses Tor to encrypt internet traffic and empowers other apps to use the internet more securely.

Through their UXFund grant, the Guardian project focused on improving the core efficiency and reliability of Tor running as a service within the Orbot app. Since receiving feedback and learning about the confusion existing users were experiencing on the “VPN” feature of Orbot, they worked to redesign the setup, configuration, and text used to introduce and describe the feature.

The Guardian Project worked with Okthanks to complete user stories and host listening groups with end-users via encrypted conference calls. The Orbot listening groups were created to provide a space for users to connect with designers and developers and inform them of their needs and concerns as users. The Guardian team selected users in countries where censorship or surveillance are a reality to participate in these calls and will be using the feedback to adapt Orbot to be more useful to these groups.These listening groups, along with Guardian’s market research, have helped inform the user stories.

Based on the listening group findings, the design team created a new, “mini,” redesign of the Orbot app. After creating an interactive prototype, the team released the beta version of the orbotmini app, which is currently only 4.77 MB (eventually will be 3MB).

*Screenshots of the orbotmini beta app.*

Working with Accessibility Lab, Guardian received a full accessibility audit of the Orbot app and website and have launched their new website using a static Hugo framework. You can view their new website at https://guardianproject.info, which uses a clean web template, enabling them to better implement and support accessibility requirements.

UXFund: KeePassXC

Tue, 01 Oct 2019 10:30:00 +0000

KeePassXC (KPXC), a recipient of one of the UXFund subgrants, is an open source password manager that is maintained by a small group of volunteer developers. Through this grant, the team partnered with Accessibility Lab and Okthanks to include a significant number of usability and accessibility improvements in their two latest releases, KeePassXC 2.4.0 and 2.5.0.

In the first few months of the grant, Okthanks conducted a new-user impression study, collecting feedback from new users of the KeePassXC tool. This study led to recommendations for user-experience (UX) and user-interface (UI) improvements to make it easier for users to get started with KPXC. Accessibility Lab also evaluated and provided accessibility recommendations for the KPXC tool, website, and browser extension. With their 2.4.0 release in March 2019 and 2.5.0 release in July 2019, KPXC implemented several of these recommendations, along with community recommended UX improvements, such as improving the database creation process.

Updates and improvements made throughout the course of this grant included:

KeePassXC-Browser Extension was improved to support screen readers, keyboard-only interaction, and scalability.
KPXC contracted a developer to perform software development and testing of the KeePassXC-Browser extension, with a focus on implementing the accessibility improvements identified by Accessibility Lab.
KPXC finalized and released the “Getting Started” guide, with the focus of helping users without any experience understand how to use the application.
KPXC finalized and released the “User Guide,” which deep dives into the major features of KPXC and ensure users can discover and use critical privacy and collaborative features of the application.
Three maintenance updates to KeePassXC were released, including 6 GitHub pull requests for user experience updates and 7 * GitHub pull requests for user interface updates. These improvements were a direct result of community feedback and incorporating enhanced workflows suggested by the Okthanks team. Community feedback received also led to the KeePassXC-Browser * Extension update which improved user experience and baseline functionality. The “Getting Started” guide and “User Manual,” developed by the documentation writer contracted under the grant, were incorporated directly into the KeePassXC application.

Q&A with Simply Secure

Thu, 26 Sep 2019 11:00:00 +0000

What is your organization? And what is your role?

Simply Secure is a design nonprofit based in New York and Berlin. Our work focuses on building technology that centers the needs of vulnerable populations. We work with practitioners to expand their skill set around human-centered design while focusing on user safety and privacy. We share our tools and resources openly for the community to learn from and continue to adapt. I am our Program Manager, which means that I help with program operations and management, but also work with our projects and partners on their usability and design challenges.
How large is your team? Who else is working on the project (full-time, part-time, etc.)? How often do you connect and via what channels?

Our core team consists of four people, and we have a network of people helping us with various aspects of our work shout-out to the amazing Sans Souci Group for providing on-demand ops support!). My colleagues Georgia, Molly and Ame all have a background in design and many years of experience in both the non-profit and corporate sector, as well as in academia. We are a remote team with an office in Berlin, where three of us show up most days. We connect daily either via Slack or video chat, and we really value our collaborative and yet independent style of working together!
Why do you think it’s valuable to engage with users?

Tools that don’t work for their users don’t work. Engaging with users is a crucial part of user research, which is the first step to building tools that work for people.
What is the best way for users/trainers/tool teams to connect with your team?

We can always be reached at contact@simplysecure.org, but the best way to connect with us is to join our community of over 400 people interested in the intersection between design, security, open source, and human rights. Join our Slack.
How has your team previously worked to incorporate feedback into the design or development process?

We think feedback can be incorporated in a variety of ways, from having a designated user researcher on the team to systematically writing up UX bug reports. The biggest challenge is to ensure that there are existing structures to incorporate feedback gathered from trainings and elsewhere. We have seen many teams, especially teams working in FOSS (Free and Open-Source Software), where there is no pipeline for user feedback. Moreover, many structures only allow for passive feedback gathering (in the form of issue trackers and incoming mail); very few teams implement active feedback gathering (user interviews, observation, testing), which often leads to more insights and better recommendations.
What role do trainers play in the feedback loop? How do you view trainers?

Trainers are in the rare position of being close to users in high-risk contexts, in a way that tool developers often are not. More than that, they frequently witness first-time use of a tool, and can provide first-hand information on usability. This makes their insights extremely valuable! What I also really appreciate is that trainers are leaders in awareness- and capacity-building, and teach people skills rather than workflows. This has the potential to empower people in unknown and unsafe situations, where they can’t necessarily rely on a tool and have to take a more holistic approach. Needless to say: it’s a really hard but important job, and I’m humbled to know so many awesome and dedicated people working as trainers in our field!
Has your team ever created or used personas to inform design or development?

Oh yes! We love personas, and have written about them here and here. We think they are a crucial part of understanding who you are building your technology for. And we put them up everywhere to remind ourselves of why we are doing our work.
What are the future plans for your team?

We are thinking hard about scaling our impact and increasing the sustainability of our space overall. One thing we want to do is experiment with different formats to share our work. As a start, we are making educational videos and hosting monthly community calls about topics in our Knowledge Base. We are also working with funders to make sure usability work is an integral part of the funding process.

UXFund: Accessibility Lab

Wed, 25 Sep 2019 11:00:00 +0000

Accessibility Lab, based in Mexico, is an organization that works with public and private companies as well as Civil Society Organizations to ensure the inclusion of people with disabilities in the digital world. They specialize in accessibility audits, assessing websites, tools, and resources to make sure they can be accessed by persons with disabilities. Through the UXFund, Internews aimed to expand their capacity to work directly with open source tool teams, providing guidance and specific recommendations to improve the accessibility of tools and websites.

Completed Audits

Through the UXFund grant, Accessibility Lab completed audits and provided recommendations for:

KeePassXC’s website, desktop tool, and browser extension. Prioritized recommendations were applied and released in KPXC’s most recent update.
Mailvelope’s website and browser extension. Prioritized recommendations were applied and released with their new website in July 2019.
Guardian Project’s Orbot tool website and Android application. Prioritized recommendations will be applied with their next website release.
SecureDrop’s website and Source & Journalist Experience. Recommendations are expected to be applied in an upcoming release.

Additionally, the Accessibility Lab project lead, Nancy Reyes, attended RightsCon Tunis, and was able to participate in the UX Help Desk alongside the USABLE team and organizations such as Simply Secure, EFF, and Access Now. At RightsCon, Nancy was able to connect with new organizations and explore future collaborations, such as one with Least Authority, which has plans to work with Accessibility Lab on a website audit.

What’s next for Accessibility Lab?

Accessibility Lab has begun collaborations with organizations such as the “Inclusion con Equidad” alliance, and “Fundacion Taiyari” alliance. They have also been working with the “Federal Institute of Telecommunications” to provide training focused on creating accessible web content.

They plan to continue their consultant services and trainings for the private sector, government, and universities, as well as providing digital accessibility certifications to companies and government websites, designers, and developers. They hope to provide information and content for other countries around the world, and organize the first “Global Festival of Universal Design and Digital Inclusion”.

UXFund: Okthanks

Tue, 24 Sep 2019 11:00:00 +0000

Okthanks, an organization focused on user experience and human-centered design, received a 9 month grant from the USABLE project to expand their capacity working with open-source privacy and security tool teams and digital security trainers around the globe. With this grant, Okthanks worked with tool teams to provide direct support in organizing user engagements, collect feedback from at-risk users, and guide future development of the tools.

Over the last 9 months, Okthanks has worked with other UXFund grantees such as KeePassXC and the Guardian Project to achieve these goals.

KeePassXC (KPXC): The Okthanks team hosted an in-person study, bringing together 12 participants for a “First Use” activity of KeePassXC. The goal behind the feedback session was to find how easy it was to use the tool and any barriers users faced when trying the tool for the first time. Feedback from this activity informed the KPXC team of necessary changes and led to the creation of the Quickstart Guide, a resource designed to help first time users navigate the tool.

Guardian Project: A long-time partner of the Guardian Project, Okthanks worked with the team to create individual activities (translated into Spanish) for three tools they would be introducing in digital security trainings in Colombia- ProofMode, Haven, and Circulo. The theme of the trainings, which were hosted in the capital city as well as two rural communities, was focused on “creative ways to use your phone to keep yourself, your community, and your territory safe.” Once the trainings were complete, Okthanks created insight reports for each tool to share back with the Guardian Project and their respective partner organizations, Witness and Article 19.

Additional Engagements

With funding from this grant, the Okthanks team was able to attend the Internet Freedom Festival in Valencia, Spain, where they co-facilitated a session with the USABLE project team, entitled “The Power of Personas.” During this session, the Persona Builder activity was piloted and the Okthanks team was able to receive feedback on other activities shared at the event, ultimately guiding activity updates and improvements for their new exploratorium.

At IFF, Okthanks also deployed activities including:

Witness & Guardian Project, ProofMode: First Use
Greenhost & Free Press Unlimited, Totem: First Impression Cards
Center for Digital Resilience: First Impression Cards and I’m Interested Cards
OpenArchive, Save: 5 minute flyer
Article 19 & Guardian Project, Circulo: My Story (Improved User Story)
IF Community, General understanding: Narrative cards and Persona activity

Following IFF, the Persona Builder activity was shared with the Tor UX designer for their use in creating personas for their team. Okthanks also worked with Greenhost and Free Press Unlimited to generate activity ideas and present ways feedback could be gathered either through physical trainings or within their online tool, Totem.

The Okthanks team was also able to provide resources to Localization Lab for their Thai language sprint, including new activities “One Liners,” “Quick Reactions: What’s your Impression?” and “Emoji’s: Will you use it?”

Website Update and Exploratorium

During the last quarter, the Okthanks team focused on making changes and improvements to the frameworks and preparing content for the website. This included a review of all activities developed so far and updating them with any feedback received. They finalized the webpage layout, access to the individual activities, facilitator guides for every activity with instructions on how to run the activity, and for some provided a “no paper trail,” or digital deployment option!

The Exploratorium is now live and all 12 activities and instructions are ready for download and use. A ‘Guiding Principles’ document was also created, outlining important considerations when conducting user research such as the threat model of a community, which can inform the appropriate way to deploy the activities.

Additional community resources are also linked on their website, and will continue to be updated as more resources become available.

Check out their new Exploratorium!

USABLE at the 2019 Symposium on Usable Privacy and Security (SOUPS)

Thu, 19 Sep 2019 11:00:00 +0000

The USABLE team facilitated a half-day workshop this past August at the 2019 Symposium on Usable Privacy and Security (SOUPS) in Santa Clara, California. The workshop, entitled “Designing for the Extremes of Risk,” was an interactive exploration of what it means to work with at-risk communities, particularly in the context of designing and developing privacy and security tools. The nearly 25 attendees represented a diverse range of professions, from academics to UX researchers to product teams and engineers.

The workshop began with a conversation about “high-risk” individuals and communities. After defining high-risk, the project team provided an overview of the USABLE project and an introduction to the UX Feedback Collection Guidebook (to be publicly released in October 2019). The half-day workshop concluded with four breakout sessions to dive deeper into relevant topics, such as:

Working with High-Risk Communities: Barriers and Solutions,
Trends and Themes Across Demographics of High-Risk Users,
Building a Community of Practice, and
Usable Security for Developers: Integrating UX into the Process.

In addition to organizing and facilitating this half-day workshop, the project team also attended an afternoon session organized by WIPS on Inclusive Privacy and Security. The WIPS team referenced USABLE personas during one of their activities and one breakout group used USABLE persona Marina from Russia as the template for their 3D storyboard creation. See photo below.

The next two days of the conference were focused on technical SOUPS sessions. For a quick summary of relevant papers and presentations, check out this blog post we co-authored with our partners in the usability space: https://simplysecure.org/blog/SOUPS-2019

Below we have highlighted a few main take-aways from our engagements at SOUPS this year.

From a product perspective, it can be difficult to identify at-risk communities, connect with them, and build the level of trust needed to collect accurate feedback. Using trusted intermediaries, such as digital security trainers, can provide tool teams with access to relevant feedback without jeopardizing the safety of at-risk communities.
Tool teams can consider offering incentives (such as small stipends) for individuals who participate in user research. If offering incentives, be sure to research local implications for end users. For example, will accepting a stipend impact any government support that low-income participants may be receiving?
International events and UX convenings are a good entry point for interested parties to meet at-risk users and begin to build trust. It is helpful for people outside the existing Internet Freedom (IF) community to understand what events exist, who attends each one, and what the purpose of these events are.
Always be clear about what will be shared from meetings or gatherings (participant list, notes, attribution, etc.) and set clear ground rules from the beginning to foster a sense of trust among attendees.
Co-design is most effective when it is implemented throughout the entire process. Utilize the co-design process not just for feature or tool development, but also developing the larger feedback collection process.
User personas allow design and development teams to understand users without requiring direct access or communication.
User engagements or any feedback collection activities should always take place in a trusted environment or location.
When designing alerts, it is important to consider the cross-cultural interpretation of the language/design. Images and graphics can be used to send a more universal message or serve users who may be illiterate.
There is no universal catalog for usability security bugs, analogous to the Common Vulnerabilities and Exposures (CVE) catalog for security threats. Are there ways to identify and/or automate the testing of usability failures by referencing “chaos engineering” style approaches (see https://en.wikipedia.org/wiki/Chaos_engineering#10-18_Monkey)?
Reframe “edge cases” as “stress cases.” Account for how people operate under stress, as this is a more universally applicable approach. Though levels of stress can differ, all users face stress at some point. (Credit to 18F staff, who originally shared this reframing.)

Q&A with the SecureDrop Team

Tue, 10 Sep 2019 11:00:00 +0000

This month, we are taking some time to catch up with our UXFund grantees, and learn a little more about their organization.

Q&A with SecureDrop

Q: What is your tool? What is it used for? And what is your role?

A: SecureDrop, which is used by more than 65 media organizations around the world to communicate with sources who wish to remain anonymous (e.g., whistleblowers). I am the project lead.

Q: How did you become involved with this project? What are your motivations for this work?

A: I first became aware of SecureDrop initially as a user: at a Chicago based non-profit I co-founded - Lucy Parsons Labs - we installed SecureDrop in order to provide the most secure channel available for potential whistleblowers to send us information, primarily focused on the police accountability domain.

After that I got more involved with Freedom of the Press Foundation - the organization that currently stewards SecureDrop’s development. I became involved right around the time of the 2016 US presidential election, so it was a time when technologies protecting journalists and whistleblowers were getting significantly more interest.

Knowing how critical these tools can be to prevent journalistic sources from being identified is what keeps me motivated to work on SecureDrop.

Q: How large is your team? Who else is working on the project (full-time, part-time, etc)? How often do you connect and via what channels?

A: Three teams at Freedom of the Press Foundation contribute to SecureDrop:

The core development team (4 people, including myself)
The support team (2 people), which provides installation help and ongoing support for the 65+ media organizations using SecureDrop;
The digital security training team (4 people), which provides in-depth security training and consulting services to news organizations, including for SecureDrop.

In addition, the project is supported by other members of our staff, including our project manager, our CTO, our Security Engineer, and a part-time UX Designer.

Q: Why do you think it’s valuable to engage with users?

A: We need to make sure that we’re addressing our users’ real needs. What challenges do news organizations encounter when communicating with whistleblowers? How can SecureDrop support them in this process? The only way to answer those questions is to ensure that insights from user feedback, training, support, and user research feed back into the development process.

For a security product, it’s especially important that there is no disconnect between theoretical security and operational security practices. For example, SecureDrop uses an air-gapped viewing station for securely reviewing documents. If a journalist then takes a photograph of a document with their phone, that photograph of a sensitive document may be uploaded to a cloud or backup service without their knowledge.

Engaging with users helps us identify these potential disconnects, and think about ways that we can address them through user experience improvements, training, documentation, etc.

A: For news organizations and journalists using SecureDrop, we recommend that they get in touch with us via securedrop@freedom.press (GPG key here) and request an account on our support portal. Because communications about production use of SecureDrop are inherently sensitive, it’s important to use a secure channel by default.

For sensitive security issues, we offer bug bounties via Bugcrowd, or researchers can send us an email at securedrop@freedom.press (GPG key here).

For less sensitive communications, you can find us on Gitter, and we encourage users to open issues on GitHub, including for feature requests.

Q: How has feedback previously been incorporated into development?

A: An example feature that is directly responsive to user feedback is the ability to administer the instance via the local network instead of using Tor which is how administrators access SecureDrop by default. This reduces the amount of time administrators spend working on their SecureDrop when it’s physically co-located in the newsroom.

The feedback loop is often very fast when it comes to documentation changes: if a news organization stumbles over parts of our docs, it’s not uncommon for a fix to be incorporated a day or two later.

Q: What role do trainers play in the feedback loop? How do you view trainers?

A: FPF’s training team is integral to the success of SecureDrop. Given the complexity of the software and the security risks involved, engaging with journalists and administrators directly is the best way to ensure the system is used securely and effectively. The training team routinely shares insights with other SecureDrop team members, including in a debrief after any on-site with a news organization. The team also directly participates in documentation edits and reviews, updates to the threat model, UX discussions, etc.

The FPF training team also creates digital security guides which frequently have relevance to SecureDrop, and which are cross-referenced in the SecureDrop documentation.

Q: Has your team ever used personas to inform design or development?

A: We currently don’t use personas, but are planning to do so in the near future.

Q: What are the future plans for the project?

A: We are working on a new project, the SecureDrop Workstation, based on Qubes OS. The SecureDrop Workstation provides an integrated environment for connecting to SecureDrop and reviewing documents, using Virtual Machines to ensure documents are viewed in a secure, networkless environment that is destroyed after use. This includes the development of a graphical client application. Usable.tools has directly funded the work of one of our contributors, Nina Alter, on the user experience design and research for this effort, which has been instrumental in advancing it.

We are planning to pilot the SecureDrop Workstation with select newsrooms later this year. If the pilot is successful, the SecureDrop Workstation has the potential to become a secure working environment for the most sensitive work journalists are engaged in—perhaps even including other communication tools that are commonly used for tip lines like Signal.

USABLE at RightsCon Tunis

Tue, 27 Aug 2019 11:00:00 +0000

In June 2019, the USABLE team attended RightsCon 2019 in Tunis. In addition to having face to face conversations and meetings with kay UX players in the Internet Freedom community, the team was able to co-facilitate a UX and Human Rights Zero Day event alongside AccessNow, Simply Secure, and the Electronic Frontier Foundation.

The morning of this full day event was focused on individual introductions and a mentoring/paired problem-solving activity, whereas the afternoon held participant-led breakout sessions with topics such as collecting user feedback, funding UX sustainability, queer interfaces & internet, and working in high-stress environments. The full-day event brought together a group of 30-35 designers, UX researchers and practitioners, tool team representatives, and digital security trainers to grow a community that advocates for rights-respecting and consent-based user experiences.

The following day, we co-hosted a UX help desk at RightsCon, where RightsCon attendees were able to learn about UX organizations, receive resources from Okthanks and Accessibility Lab, and connect with individuals from these organizations.

Our program officer, Ashley, also facilitated a meetup session at RightsCon entitled “Creative Ways to Support Diverse Tool Teams,” where tool team representatives and community members met with donors to discuss their limitations and discuss potential solutions. The session was attended by smaller organizations and provided a good starting point for new solutions.

Announcing the Second Round of UXFund Grantees!

Mon, 26 Aug 2019 08:00:00 +0000

The USABLE team is excited to announce the second round of UXFund grantees. These teams will receive small grants for usability and accessibility enhancements, as well as for organizing targeted engagements with at-risk users. After a robust review process, six organizations were selected.

Profiles of this round of UXFund grantees can be found below.

Mailvelope – https://www.mailvelope.com is a free browser plugin for Chrome and Firefox that enables end-to-end encryption integrating directly with your web-based mail provider, whether you are using Gmail, Yahoo! Mail, or Microsoft webmail. Mailvelope is an open-source project currently hosted on github.

KeePassXC (KPXC) – https://keepassxc.org is a password manager that allows users to store passwords safely and auto-type them into everyday websites and applications. KPXC is an actively developed cross-platform port of the original KeePass application. KPXC is an open-source project currently hosted on github.

Okthanks – https://okthanks.com is an organization focused on user experience and human-centered design. They work with tool teams to provide UX/UI support, including organizing user engagements, collecting feedback from at-risk users, and recommending specific changes or enhancements to tools. Under this grant, Okthanks will expand their capacity to work with open source privacy and security tool teams, as well as digital security trainers around the globe.

Accessibility Lab – https://a11ylab.com/en is an organization based in Mexico which specializes in web accessibility audits and trainings. Under this second round of the UXFund, Internews is supporting Accessibility Lab as they expand their capacity to work directly with open source tool teams. In addition to conducting accessibility audits, the Accessibility Lab team will also provide guidance to tool teams and specific recommendations to improve the accessibility of tools and websites.

SecureDrop – https://securedrop.org/overview/ is an open source software platform that allows secure sharing and communication between journalists and their sources. SecureDrop is managed by Freedom of the Press Foundation and is hosted on GitHub.

The Guardian Project’s Orbot – https://guardianproject.info/apps/orbot is a global collective of software developers, designers, advocates, activists, and trainers who develop open source mobile security software and operating system enhancements. Orbot is a free software Proxy server project which allows Android users anonymity on the Internet. Orbot is an open-source project currently hosted on github.

Announcing New USABLE Website!

Sat, 10 Aug 2019 11:00:00 +0000

New USABLE Website

We’re excited to announce the launch of our re-designed USABLE website!

This new site features a clear breakdown of the USABLE project, including descriptions of the various communities we partner with in different capacities. Visitors can easily navigate through user personas, explore USABLE’s involvement at recent events, and find out more about the organizations we work with.

Throughout the month of September, we will be featuring guest blog posts from some of our partners including Okthanks, KeePassXC, SecureDrop, and Accessibility Lab.

To check out the full site, visit https://usable.tools.

A huge thank you to Justin DeBlois for the design of the site, and Squiggy Rubio for development!

USABLE Personas

Tue, 16 Jul 2019 11:00:00 +0000

The USABLE project has harnessed the knowledge of the digital security training community to build personas of high-risk users from around the globe. This has allowed the training community to play a critical role in communicating high-risk groups’ needs and use-cases for products directly to developers.

Too often developers in the open source community are constrained in their understanding of users’ needs, making decisions based on their life experiences, assumptions, and their local environments. However, these all may be dramatically different than the experiences of high-risk groups using their products. Whether they are designing for a human rights activist in China or a journalist reporting on the frontlines in Crimea, for developers to design products that are useful and usable, they must better understand who their users are, their motivations, and their willingness to adopt such important security tools.

Personas allow developers to better understand the threats, risks, and general activities of their ideal user. Personas pull out patterns of real users, and are not based on a single one person’s experience or circumstance. They are used to communicate a profile of characteristics, enabling developers to build a product based on real needs, rather than making assumptions. Personas are valuable in the design process because they allow for tool developers to make informed design decisions during the development process, facilitate the development of scenarios that simulate how an end-user would use the product, and push development teams to allocate resources based on real needs.

The USABLE Response

Fri, 12 Jul 2019 11:00:00 +0000

USABLE aims to create sustainable feedback loops among digital security trainers working with at-risk communities, open source tool developers, and user-experience (UX) and design experts. These successful feedback loops lead to more localized and usable tools, ultimately better equipping at-risk individuals and organizations to respond to existing and emerging digital threats.

Communities of security trainers around the globe are uniquely positioned to bridge high-risk civil society groups and tool developers. Trainers have extensive knowledge surrounding the threats faced by their communities, the risks they take, and the challenges they have with specific tools. Through a series of regional workshops, USABLE enhanced digital security trainers’ ability to integrate feedback collection activities within their existing trainings, while building up their capacity to communicate directly with tool developers about specific usability roadblocks hindering the adoption of important security practices.

Following the regional workshops, trainers put what they learned into practice, implementing Tool Feedback Sessions during their trainings and sharing this feedback with developers. By formalizing and expanding feedback collection, USABLE benefits at-risk users, trainers, and the open source developer community. Developers receive improved, higher-quality, and prioritized feature and tool modification requests, trainers have a direct path to improve the tools they train on, and voices of vulnerable populations are amplified. The result is more security and privacy tools that are easy-to-use for those who need them most.

To date, USABLE has reached more than 400 end-users, jump-starting an important feedback loop that was previously missing.

Number of Trainings	Number of End Users	Pieces of Feedback Collected	User Personas Created
44	432	148	49

In parallel, USABLE provided direct support to open source developer teams through two rounds of the UX Fund support, which offers targeted small grants for user-driven usability and accessibility improvements for open source digital security and privacy tools. As trainers continue to share collected feedback with developers, they not only improve developers’ understanding of their users, but also allow developers to capture and implement tool changes that result in more user-friendly and useful products.

In 2018, the USABLE project hosted its second UXForum, a multi-day event that brought together key communities including human rights groups, trainers, open source and private sector developers, and design experts to continue devising ways to scale and sustain these feedback loops.

Blog

Mon, 20 May 2019 23:50:48 -0700

Blog

Check out the latest updates from the USABLE project and partners!

Events

Mon, 20 May 2019 23:50:48 -0700

Events

Check out the latest updates from the USABLE project and partners!

Personas

Mon, 20 May 2019 23:50:48 -0700

Personas

Personas, or profiles of end users, play an important role in the design process and allow developers to better understand community needs and facilitate the creation of user stories and more concrete use-cases for their products. In some of the most challenging security environments in the world, understanding the users capacity, threats, risks, and strengths can be difficult. The USABLE project has harnessed the knowledge of the digital security training community to build personas of high-risk users from around the globe. Learn more about USABLE Personas here.

USABLE at IFF 2019

Mon, 20 May 2019 23:50:48 -0700

The USABLE team attended the 2019 Internet Freedom Festival in Valencia, Spain. During the week, the team connected with digital security trainers, open source tool teams, and user-experience (UX) experts to discuss past, current, and future USABLE work.

USABLE partnered with Okthanks to co-facilitate a session entitled “The Power of Personas.” The one-hour session provided a general overview of user personas and featured multiple examples, including USABLE personas and Okthanks personas. The remainder of the session focused on the process of creating user personas, demonstrated via a group activity.

The Persona Builder activity was developed by the Okthanks team, and facilitates a step-by-step process to create a user persona. This activity is useful for tool teams and digital security trainers hoping to better understand the needs of their users, and community members seeking to map their risks and behaviors.

USABLE at ILGA World

Mon, 20 May 2019 23:50:48 -0700

The USABLE team attended ILGA World 2019, a bi-annual convening of LGBTQIA advocates and funders from all over the globe. Attending this conference allowed the USABLE team to meet with LGBTQI users, discuss the tools that are currently being used in the field, and better understand the threats that this particular community is facing in different parts of the world. Ultimately, this information shapes the tool teams that the USABLE team works with and expand the network of at-risk users with whom the project team can connect relevant developers.

In partnership with Grindr for Equality, the USABLE team co-organized a session entitled “Protecting Ourselves in a Digital World: The Basics of Digital Security and Online Safety.” The first component was a quick activity designed to capture current practices, threats, and questions of the community members in attendance. Participants were given three different colors of sticky notes and asked to spend 3-5 minutes documenting the following:

What tools or practices are you currently using to protect yourselves online?
What are the current threats facing you or your community?
What questions do you have about digital security?

During the second component of the session, the USABLE team provided attendees with five simple steps they could take immediately to improve their digital hygiene. Azza Sultan, Associate Director at Grindr for Equality, then briefly presented the current security features offered by Grindr, as well as an overview of future features that they hope to develop soon.

The final component required the attendees to divide into two smaller groups. One group focused on providing tool-specific feedback on Jitsi Meet. Attendees used the task-ranking worksheet developed during the regional UX Workshops to document their thoughts and feedback. The second group focused on providing feedback on Grindr’s security features.

The session was very well attended and everyone repeatedly voiced the need for more conversations around digital security in this space.

Bangladesh: "Habibur Rahman Sujon"

Mon, 20 May 2019 23:15:28 -0700

Overview

Habibur is in his twenties and identifies as a Muslim gay man. He lives in a small town where he must constantly hide his sexuality. Recently, Habibur went to Dhaka, the capital of Bangladesh, to attend a party for gay men. Police raided the party and he and some of his friends were arrested. The police outed them as gay men in front of the media.

Habibur has an “anonymous” Facebook profile that he uses to connect with other gay men. He is an active member of a closed Facebook group for gay Bangladesh men. He often attends events that are posted in this group. Many people do not have access to a smart phone in his remote village, so he relies on Facebook groups to stay connected to other people in the LGBT community.

Goals

Habibur needs to be able to connect with other members of the LGBT community, without fearing for his safety.

He is interested in learning more about how to safely use online dating tools.

Threats

Habibur’s identity was revealed when he was arrested during the raid of a party. Bullying and social harassment increased significantly following this incident, particularly within his university.

LGBT people are extremely vulnerable when using social media or dating applications.

Many of the risk mitigation materials that currently exist are only available in English. Habibur only speaks Bangla and therefore has limited resources available to protect himself.

Strengths

Habibur owns a smart phone and knows how to use mobile applications.

He understands the basics of the Internet and he is able to send and receive emails.

Questions

How can I safely navigate Facebook groups and dating applications for the LGBT community?

Are there risk mitigation materials available in my native language of Bangla?

Bangladesh: "Tabassum"

Mon, 20 May 2019 23:15:28 -0700

Overview

Tabassum identifies as a lesbian and has recently become an active voice for the rights of the LGBT community in Bangladesh. During the day, she works as a clerk at a local bank. She volunteers at an unregistered LGBT rights organization. She also works with other activist groups for local and international advocacy. She is out to a few of her friends, but not to her colleagues or family.

In order to conduct meetings with other LGBT activists and the community, Tabassum needs to rely heavily on messaging applications like Facebook Messenger and WhatsApp. She also uses her personal email regularly to communicate with ally organizations.

Goals

Tabassum wants to advance the LGBT rights movement in Bangladesh by repealing Section 377.

She also wants to raise awareness and implement sensitization programs designed to create an accepting and inclusive society.

Threats

Homosexuality is illegal in Bangladesh and LGBT activists can be arrested by authorities according to Section 377 of the law.

There have been reports that activists are under digital surveillance from both the government and religious militant groups. These activists are being tracked through social media.

Strengths

Tabassum has a strong peer activist network for support.

She knows which communication tools use encryption and which do not.

She always meets other activists in public places or a secure home.

Questions

How do I know if I am under surveillance?

How can I stop information from being leaked to other people?

China: "L. N."

Mon, 20 May 2019 23:15:28 -0700

Overview

L.N. is in her early 20s, and is outgoing and charismatic. She lives in a major metropolitan area in mainland China, and is a recent college graduate with many social connections; fluent in Cantonese and Mandarin, and proficient in English.

L. N. is a key member of an active women’s rights group in China that has gained national and international media attention for some of its activities. She is committed to activism aimed at promoting the social and cultural change necessary to bring about equal rights for women in China.

She has come under pressure to get married. Her resistance to this this pressure found expression in several videos that she co-produced with her group and posted on WeChat. These videos were widely shared and led to a larger conversation throughout social media on the topic of women’s place in Chinese society. This attention has caused L.N., as well as members of the rights group, to come under closer scrutiny by the authorities.

Goals

Ongoing ability to speak freely and advocate for women’s rights

Maintaining social connections with network of fellow activists

Finding secure communication tools that work reliably to share with networks

Threats

Activism brings constant and sophisticated surveillance, and can lead to restrictions on freedom of movement and association, including loss of employment and imprisonment.

Digital devices are often confiscated with sensitive data, media, and private personal networks exposed.

Social isolation and related depression stem from an inability to communicate privately, and a real fear that friends and family will also be targeted.

Strengths

Highly trained on digital security tools and techniques.

Conducts highly sophisticated, thoughtful analysis of threats and choice of tools.

Incredibly savvy on operational security and maintains separate mobile devices for regular activities for secure conversations

Questions

How do I communicate with individuals not already on secure communication channels?

Are there secure tools that do not require VPN to access?

How can I collaborate securely with inner circle?

How can I protect my data - on my phone and my computer - against confiscation?

China: "Z. W."

Mon, 20 May 2019 23:15:28 -0700

Overview

Z.W. is highly educated, and also respected and accomplished professional with many connections. He is reflective, respectful, careful, principled and is in his late 40s with wife and two children. He is fluent in Mandarin, Cantonese, English.

Z. W. recently posted an article perceived as critical of government authorities about a land-grab case occurring on the outskirts of a town in his hometown province. Due to Z.W.’s international connections, previous political statements he has made, his influential position as an academic, and the popularity of the current article he wrote, he was recently visited by government authorities and detained for questioning. Several suspicious activities—including phishing emails, and questions from the authorities directed to him about topics not widely known by others—make him certain he is under active surveillance. He is currently investigating moving his family out of the country to ease pressures and is exploring opportunities.

Goals

Means to communicate securely with family and network both inside and outside of China, both now and if he emigrates.

Ability to make purchases that are not traced back to him (e.g, new devices, travel, etc.).

Ability to lock down his accounts to prevent further surveillance, without raising his profile or drawing attention.

Threats

Accessing and downloading secure tools and applications could be considered a criminal offence due to new NGO and other related laws.

Surveillance of network activity and digital devices confiscated.

Imprisonment, torture, and the mental and physical health issues afterwards.

Strengths

Trained on digital security tools and techniques; will implement techniques and tools if they work reliably, are usable (i.e., meet the basic usability standards offered by tools such as WeChat, OneDrive, etc.)

Comfortable with and regularly uses social media.

Regularly accesses databases and conducts fairly complex data analysis in support of academic research work.

Questions

How can I maintain social connections with my international network without secure communication methods?

How can I convince my personal networks to use recommended secure communication tools (e.g., PGP, ChatSecure, Jitsi, etc) when these tools are considered too onerous to setup or so unreliable in functionality and service?

Cuba: "Yasmany"

Mon, 20 May 2019 23:15:28 -0700

Overview

Yasmany is a married man in his thirties. He is a journalist based in Cuba and a vocal advocate for Afro-Cuban rights. He uses public transportation to reach his sources and often has to pass through security checkpoints.

He uses technology to communicate with his colleagues, family, and friends. He also uses his mobile device to record interviews and take pictures. Yasmany has grown accustomed to habitual harassment from the police.

Goals

Yasmany needs to protect himself and his stories from the government.

He needs to communicate securely with his sources and keep his files safe.

He needs to be able to record interviews on his mobile device.

Threats

Limited internet connectivity and expensive data plans restrict Yasmany’s options when it comes to communication.

Most of the computers he has access to have government spyware that can track and record both online and offline activity.

He is the subject of raids and sometimes his devices are searched at security checkpoints.

Strengths

He is aware of the risks that he faces.

He makes sure he does not disclose sensitive information in calls and text messages.

He always updates the software on his devices.

Questions

Can the government read my communications?

Can I delete the content on my phone before handing it over to the police?

Dominican Republic: "Jackefine"

Mon, 20 May 2019 23:15:28 -0700

Overview

Jackefine is a woman in her mid-twenties living in the capital of the Dominican Republic. She is currently attending university and working as an administrative assistant. In her free time, she supports feminist causes.

Until recently she lived with her family, but she now lives with a friend. Her favorite social network is Facebook, which she uses to confidently publish her daily activities. She has a mobile data plan that allows her to use Facebook and WhatsApp.

Goals

She wants to learn how to use social networks and applications to express herself in safe ways.

She wants to be able to explore her sexuality without facing harassment online.

Threats

Explicit, sexual content of Jackefine was published on social media and other platforms by her ex-boyfriend.

She is now receiving a wave of offensive and sexist messages.

Her phone was also compromised and the photos were sent to all of her contacts.

Strengths

Jackefine owns various devices, including a mobile phone and a tablet.

She has a very strong support network of friends and coworkers.

She is an experienced woman and she knows her rights.

Questions

What do I need to do to express myself safely?

Are there applications that allow you to protect your identity when sending elicit photos?

How can I prevent the spreading of my photos without my consent?

Indonesia: "Ayu"

Mon, 20 May 2019 23:15:28 -0700

Overview

Ayu is in her early twenties and identifies as a Muslim transwoman. She grew up in a small village and is part of a conservative family. After facing violence and harassment, she dropped out of high school and fled to Jakarta.

She currently works as a sex worker and serves as an advocate for the LGBTQI community.

She uses the same social media networks and platforms for her sex work, activism, and to connect with friends and family. So me of these applications are location-based and use her real photo.

Goals

Ayu wants to continue her work and activism without risking her life or endangering the people around her.

She needs to develop cost-effective strategies to keep her work and activism separate from her personal life and to ensure that her information is secure.

Threats

She faces daily online harassment and attacks based on her identity as a transwoman, a sex worker, and an activist.

People, including the government and religious conservatives, can collect information about Ayu from her online accounts and use it to persecute and attack her both online and physically.

She invites clients to her home which poses a physical danger to her.

Strengths

Ayu is tech savvy in terms of using and navigating applications on her Android phone.

She works independently and has the power to choose her clients.

She is very committed to activism and is a strong voice within the community.

Questions

How can I use social media for my work, my activism, and personal life securely?

How can I respond to online attacks?

How can I separate my personal and professional lives?

Indonesia: "Husna"

Mon, 20 May 2019 23:15:28 -0700

Overview

Husna is an Indonesian woman in her mid twenties. She is an advocate for both freedom of expression and religious freedom. For many years, she has worked on issues related to peace building, deradicalization, and journalism that supports the peace process.

She uses social media to spread messages and information to the general public. She also uses social media to coordinate activities for different minority rights groups. The various groups are using Facebook, including Facebook Messenger, to coordinate their activities. The groups use Twitter to gain more public interest and support.

Goals

Husna hopes for a better society.

She hopes that Indonesia will protect pluralism.

She wants to make sure that the government does not pass discriminatory policies against minority religions.

Threats

There are often government agents or intelligence officers physically present at the events Husna helps coordinate.

She is at risk of attacks from paramilitary groups.

State actors use surveillance to track Husna.

Strengths

Husna is a very brave advocate.

She believes strongly in the values of pluralism.

She supports and has access to a large network of people that have different beliefs.

Questions

How can I keep myself safe while using Facebook and other social media sites?

How can I keep myself safe while the government is monitoring me?

What type of chat applications or communication channels are safe for us to use?

Jordan: "Ahmed"

Mon, 20 May 2019 23:15:28 -0700

Overview

Ahmed is a student at a Jordanian university. He is concerned about the state of affairs in his country and he wants to raise awareness about what is happening.

Ahmed always tries to express his concerns securely and anonymously, usually relying on social media networks to do so. He has not yet faced any prosecution or retaliation.

Goals

He wants to oe able to express himself freely and securely.

He wants to communicate securely using WhatsApp and anonymously using faoebook.

Threats

He fears that being vocal about his opinions online will endanger his safety and might lead to arrest.

He fears that expressing opimions that are different will alienate him in his society.

He is worried he may be surveilled or his devices may be confiscated.

Strengths

Ahmed owns a smart phone.

He is familiar with using social media networks for communication.

He can write and understand some English.

Questions

How can I be anonymous on facebook?

How can I protect myself from surveillance?

How can I make sure messages to my friends are only read by the intended recipient?

Kenya: "Alexandria Christian"

Mon, 20 May 2019 23:15:28 -0700

Overview

Alexandria is based in Nairobi, Kenya. She is married and in her late twenties with a young child. She is a lawyer by profession, but is also a champion of women’s rights. She has been very vocal about FGM and has received some backlash for her activism.

As part of her anti-FGM work, Alexandria uses an application that enables volunteers to rescue young girls and relocate them. Alexandria is responsible for coordinating the volunteers.

Goals

I need to be able to track the movement to my volunteers.

I need an application which has an emergency button for when there is no time to communicate.

Threats

Alexandria’s child has been downloading apps on her phone without her knowledge. The downloaded software included malware, which compromised sensitive information stored on her device. The malware is also capable of downloading and installing other apps and can do so without detection. Alexandria does not know how much information has been leaked so far, but the volunteers are vulnerable to attacks since their identities have been revealed.

Strengths

Alexandria makes sure that her software is always updated.

She also makes sure that all volunteer files are encrypted and is able to use the application to spread her message and get more people involved in anti-FGM efforts.

Questions

Can I still safely use my phone after deleting all the apps?

What can I do to avoid such incidents in the future?

Kenya: "Mary"

Mon, 20 May 2019 23:15:28 -0700

Overview

Mary is a digital security trainer, gender policy expert, and a research consultant with many years of experience conducting research for different organizations. She also trains activists and local communities on skills for adopting strategic non-violence and movement building to affect social change. She works as an IT assistant for an organization that promotes environmental rights. Recently, the organization was hit by ransomware and they lost a lot of information.

She uses a laptop for work and trainings and uses bitlocker and Veracrypt to encrypt files and drives. She makes sure to use secure plug-ins in browser to enhance security. She also uses a cellphone daily and occasionally uses social media.

Goals

Mary wants to learn more about ethical hacking in order to help human rights defenders better protect their systems. Since her organization was recently attacked by ransomware, she wants to make sure she has the best antivirus possible to protect their network and data. She would like to strengthen her organization’s IT policies, including back up procedures, to prevent this from happening again.

Threats

Distributed Denial of Service (DDOS) attacks have been happening to other Human Rights Organizations in the region.

Spam and phishing emails and SMS messages are often received by members of her organization.

Physical security is a concern, as office and home break ins are common in the area.

Strengths

Mary is able to train others in digital security, including those in her organization.

She uses file encryption and a password manager to store strong passwords.

She has a strong technical background, and can install and configure different operating systems.

Questions

How can internet of things devices be secured?

How can I stop or minimize spam emails in my gmail inbox?

Kenya: Denis

Mon, 20 May 2019 23:15:28 -0700

Overview

Denis is an IT Officer and project manager in his early 30s. He does work for an organization that works towards the realization of environmental and human rights for the economically marginalized communities around extractive industries and toxic sites.

Denis is married and has one daughter. In his free time, he works on designing a tool that his community can use to report cases on industries that toxify the environment.

He uses his computer and cell phone daily, and uses KeePassXC to manage his passwords and Tresorit to back up the organization’s data.

Goals

Denis wants to become a computer and data security expert in order to help his community learn how to store their data and keep their computers safe. With his knowledge in programming, he wants to develop a tool that can track manufacturing industries in his country.

His other goal is to have a secure communication channel for the organization that can be used for reporting cases and complaints from the community to the office.

Threats

Surveillance of phone calls and the hacking of organization’s online accounts.

His physical security is at risk, as targeted office break-ins are common in his city.

His laptop and phone may be stolen during a break-in or robbery.

Strengths

He can train others to create strong passwords and enable two-factor authentication.

He is able to identify a computer threat and clean it. He can use any computer programming language.

He is known as a trusted technical expert in his community.

Questions

How can I encrypt my phone calls free of cost?

How can I be anonymous online?

What is the best tool to recover deleted data?

Kenya: Peter

Mon, 20 May 2019 23:15:28 -0700

Overview

Peter is a health worker in his community and also works for an environmental and human rights advocacy organization based in Mombasa, Kenya as a researcher. His day to day activities include researching the possible dangers that industrial waste can cause to humans and the environment. He lives with his wife, two sons, and one daughter.

Peter uses a laptop for work daily, and a cellphone to communicate with colleagues as well as his family. He uses dropbox to store findings from the field, and uses Skype often to communicate with colleagues and partners.

Goals

Peter’s biggest concern is the privacy of his patients. He wants to make sure that he is using a secure application that can store the details of patients securely, in order to protect their privacy. He would also like to have an application that can monitor the supply of government drugs in hospitals to ensure that they are adequately stocked.

Threats

As an environmentalist, he is at risk of being targeted and cyber-bullied

If his devices are stolen, all of his research data will be at risk

As a healthcare professional, he is at risk of patients’ data leaking

Strengths

He is aware of the risks that he faces if he does not take steps to protect his accounts.

He uses 2fa on Facebook and Gmail accounts to keep them secure.

He is a great communicator, and can make presentations for those in his community.

Questions

What is the best tool to encrypt my data on my computer?

How can I protect the details of patients from being stolen and leaked?

How can I bypass blocked content on the internet?

Lebanon: "Lara"

Mon, 20 May 2019 23:15:28 -0700

Overview

Lara is a Lebanese woman in her late twenties. She works as a journalist and is also a well-informed activist. She stays up-to-date on all current events and the latest news updates.

As a result of her activism, she has been targeted by the government and other entities.

She uses chat applications like WhatsApp to communicate with her colleagues and connect with sources for her reporting.

Goals

She needs to communicate securely with her contacts and sources.

She wants to better understand how to safely use the applications she is already using.

Threats

She has previously been the target of “man in the middle” attacks.

She could be imprisoned as a result of defamation.

She often receives phishing links.

Strengths

She believes that she has nothing to hide.

She writes bold articles that educate and inspire others.

She knows that unencrypted apps are the most vulnerable in terms of security.

Questions

Is it safe to use WhatsApp?

Is there another application that I should be using for secure communication?

How can I encourage other people to use secure applications?

Mexico: "Maria"

Mon, 20 May 2019 23:15:28 -0700

Overview

Maria is in her mid 30’s and is passionate in advocating for the rights of people with disabilities in Mexico. She has been blind since she was very young and faces a slew of accessibility challenges when using technology in her work and personal life. She must use a screen reader to navigate her laptop and mobile devices, using a free and open-source version for Windows called, NVDA, and the built-in reader for iPhone, called, VoiceOver.

Maria and her colleagues face unique privacy and security concerns both as activists and as persons who are blind because their inability to autonomously handle their most sensitive information makes it impossible to handle such information securely. They are also more susceptible to other forms of digital attacks, as software is not consistently accessible and navigable –- making it hard to pinpoint or identify abnormal activity sometimes on their devices (e.g. pop-ups, advertisements vs malware and viruses).

Goals

Advance accessibility for all persons with disabilities through public advocacy and policy changes in both the public and private sectors and through the promotion of accessibility standards and testing products using the free and open-source screen reader, NVDA and VoiceOver.

Develop a strategy and build the capacity of users with disabilities to prevent misuse of their data and personal rights.

Threats

From digital security tools to normal tasks like checking bank statements, online shopping, or captchas; tools that are inaccessible are not usable. This requires Maria to rely on and share private information with family and colleagues.

Loss of information, fraudulent sites, malware, and webcam activation can happen without accessible alerts informing the user.

When people with disabilities cannot complete tasks online, they must go to a location in-person, which can lead to physical threats due to infrastructure problems.

Strengths

Very comfortable with technology and developing ways to work around accessibility problems to accomplish tasks.

Committed to supporting the rights of persons with disabilities and increasing awareness of these accessibility issues in technology.

Interested in fostering a community of people with disabilities with whom to share experiences and ideas about improvements that can be made to improve technologies and make them accessible.

Questions

How do I determine which websites and tools are accessible and secure?

If a security tool is not accessible, what are my best alternatives?

Who can I contact about making this tool more accessible or if it is not working properly with NVDA or VoiceOver?

Nepal: "Chumi"

Mon, 20 May 2019 23:15:28 -0700

Overview

Chumi is a lesbian woman in her mid thirties. She grew up in a small town in Nepal, but now lives in the capital and works at an organization focused on advancing the rights of LGBT people. Her organization advocates for gender equality and LGBT inclusive environments around the country.

She uses Facebook, WhatsApp, and email to communicate with community members, collect stories from the community, provide real-time counseling, and share legal updates.

Goals

She wants LGBTI community members to be able to live in society with dignity.

She wants to make others aware of laws.

She wants to protect herself, the people she works with, and her information.

Threats

She has received death threats due to her advocacy for the LGBTI community.

Her personal information is on the internet and is published frequently by the media, which means other people have access to it.

She is harassed online because of her LGBTI identity.

Strengths

Chumi has strong advocating power and a lot of community members who support her activities.

She is very active online and the media looks to her as a trusted source of information.

She has a lot of experience using technology.

Questions

How can people safely tell their stories on social media? Do people have to make anonymous accounts?

What is the safest way to video conference with community members?

Which tools are secure? Which should I recommend for community members?

Nepal: "Maya"

Mon, 20 May 2019 23:15:28 -0700

Overview

Maya is a Nepalese woman in her early thirties. She is an information advocate, an avid researcher, and is very active on Twitter and Facebook.

She is a well-known journalist in Nepal with many Twitter and other social media followers. She primarily writes about politics, sharing news and tweets related to political events or incidents happening in the country. Often times, she investigates and reports on her stories by physically going to the location of the incident or where the event is taking place, putting her at risk of physical harm. When she publishes her stories, many times they are seen as sensitive or controversial in nature.

Goals

Maya believes in the right to information and is therefore committed to sharing sensitive information with the public.

As she has already been a victim of violence, she prioritizes the safety of herself as well as those she works with.

Threats

She often shares sensitive information about important and powerful figures in Nepal.

She covers controversial issues from corruption to migration.

She takes the same route every day. She is concerned that she will be stalked or harassed on her commute.

Her devices could be confiscated.

Strengths

Maya has strong research skills.

She is known by many as a pioneer of the right to information and is regarded as one of the most credible sources in Nepal.

She uses her Android phone for public uses and her iPhone for personal uses.

Questions

How can I protect my devices?

How can I have free mobility despite being very active on social media?

How can I protect information about myself and my friends?

Nicaragua: "Esteban Ramirez"

Mon, 20 May 2019 23:15:28 -0700

Overview

Esteban is a journalist in his mid-twenties. He works at a small newspaper in Managua, Nicaragua. He reports on thematic issues, often using public transportation to meet with sources.

As a journalist, he relies on technology to communicate with his sources. He wants to improve his digital security to ensure that he is not endangering himself or those he interviews.

Goals

Esteban needs a secure chat platform to use when communicating with his sources, many of whom are people at risk.

He wants to be sure that his data and conversations are not revealed to third parties.

Threats

Esteban’s sources have limited access to the internet and little knowledge about safe applications.

Esteban and his sources use devices with low storage capacity.

Strengths

Esteban has connections within the technological community, including with developers and bloggers.

He is constantly up-to-date with new technology.

Questions

What applications will allow me to securely communicate with my sources?

Are there tools that are easy to use?

Russia: "Marina"

Mon, 20 May 2019 23:15:28 -0700

Overview

Marina is in her mid-thirties and works as an activist, blogger, and local community organizer.

She uses different technologies to post about local issues, to communicate with fellow activists, and to organize protests.

She often takes photos to post on social media and has organized petitions that are sent to local administrators.

Goals

She wants her voice to be heard by the community.

She also wants to use tools that are easily accessible for other activists and community members.

Threats

Local authorities launch DDoS attacks and employ trolls and hackers against her Facebook account.

Police can arrest Marina and confiscate her phone.

Her followers and supporters could face persecution if exposed.

Strengths

She is knowledgeable about social networks and social applications.

She is internet savvy and is fluent in English.

Questions

How can I prevent the identities of supporters from being leaked?

How can I protect my Facebook, email, and IM from hackers and prevent them from being blocked?

Russia: "Sasha"

Mon, 20 May 2019 23:15:28 -0700

Overview

Sasha is in his early thirties and works as a systems administrator at a civil society organization. He is very skeptical and has a critical approach to everything.

He relies on technology to keep his organization safe.

After work, he sometimes attends concerts, plays computer games, or hangs out with friends.

Goals

Though he would never show it, he is an activist and he believes it is his duty to keep the organization safe.

He believes that everything should be very well organized and work correctly.

Threats

His organization works on politically sensitive issues li1ke hacking, protests, eavesdropping, and provocations.

Pro-government youth movements are regularly verbally attacking his colleagues and sometimes unexpected office visits from pro-government stations occur. Sasha’s colleagues are not tech-savvy and they often make a lot of critical digital security mistakes.

Strengths

He is skilled with technology and views everything through a critical lens.

He has access to his entire organization’s network, which he set up by himself.

Questions

How can I teach all of my organization’s employees better digital security practices (use of strong passwords, 2-factor authentication, etc.)?

How can I be sure that people will use the tools I train them on?

Sudan: "Fatima"

Mon, 20 May 2019 23:15:28 -0700

Overview

Fatima is in her late twenties and is an advocate for women’s rights in Sudan. She works with students from the local university and other local women, advising them on funding opportunities.

She relies on her phone and computer to stay connected with the community and to store important data. She also uses Skype to communicate with women remotely.

Goals

She wants to make FGM and child marriage illegal in Sudan.

She wants to raise awareness about gender-based violence and domestic violence.

She wants to help women in her country raise their voices.

Threats

Working on these issues makes her a target of phone tapping, email hacking, and home raids. If targeted, her data could be Lost or compromised.

She is also at risk of verbal and physical abuse or arrest.

Strengths

Fatima has knowledge of the community and has many strong relationships.

She is also familiar with technology and she is comfortable using it.

Questions

What can I do to make sure I do not lose my data?

If needed, what ways can I hide sensitive information on my laptop?

How can I make sure everyone is safe when they contact me?

Syria: "Majeed"

Mon, 20 May 2019 23:15:28 -0700

Overview

Majeed is a civil society activist who works with a large network of Syrian activists involved in efforts to advocate for democracy. He is well respected within this community.

He needs to use a plethora of communication applications to coorainate with activists and influencers. Communication is critical to their cause and success.

Majeed is most concerned that he will become a target of the Syrian government and their allies.

Goals

Majeed needs to maintain contact with many activists, but wants to reduce the number of applications he uses.

He also needs to reduce the risks he faces and exposes others to.

Threats

He is afraid that personal information or incriminating data about him or his network will be exposed.

He is worried about losing contact with people due to application deprecation.

It is also possible that Majeed’s devices could be lost or confiscated.

Strengths

Majeed is computer and mobile literate and is also aware of digital threats.

He is well respected and is considered a leader in the community.

He is not dependent on the government internet.

Questions

There are so many communication applications out there. How do I know which is the best?

The more applications I use, the more I am exposed to risk if one is compromised. How can I mitigate that?

Syria: "Marwa"

Mon, 20 May 2019 23:15:28 -0700

Overview

Marwa is a 20-year-old journalist who grew up in Syria, later moving to a neighboring country due to increased violence in her region.

This experience has made her resilient and quick to adapt. Although she has fled the physical danger of conflict in Syria, she now faces new threats because of her profession, from targeted surveillance to advanced malware, as well as an increasing number of border skirmishes and assassination attempts on journalists.

She uses a wide-range of applications, but most notably Facebook, to share her stories with a broader audience inside and outside of Syria. She is often willing to take risks and has been desensitized to a point where securing her data is not a high priority most of the time.

Goals

She needs to communicate and share what is happening in Syria as efficiently as she can, sometimes as a form of criticism or dissent, but mostly to disseminate information and raise awareness.

She also requires regular communication with her vast network of friends and followers (some of whom she does not necessarily know personally).

Threats

Phishing attacks and malware exposure to her devices both from state and non-state actors.

Surveillance of her communication by both the hostcountry and Syria and misinformation about their capabilities.

Imprisonment and unintentionally putting others at risk through their connection with her, particularly family.

Revealing networks due to device confiscation.

Strengths

Fearless journalist with a strong voice and a powerful message.

Very adaptable to a range of circumstances.

Committed to returning home and supporting her people in the meantime.

Questions

How can I trust that what you’re telling me is true?

How do I secure my social networks? And how can communicate with my network if they don’t use a particular tool?

Getting my message out is more important than security. What are some ways I can balance this?

How can I protect myself and my friends?

Uganda: "Jomeo Richard""

Mon, 20 May 2019 23:15:28 -0700

Overview

Jomeo is in his late twenties and based in Uganda. He works with anti-corruption groups to create public awareness about the ongoing and severe violations and abuses of human rights by both public and private individuals.

His work involves monitoring and documenting human rights violations and corruption through digital media.

He is not very experienced in the use of technology to collect sensitive information, but he has used Signal and PGP to communicate securely with his contacts. The group he works with has some technical capacity and experience with digital security.

Goals

Jomeo wants to continue to use the internet as a primary medium to expose corruption.

He needs to build his capacity to promote governance, human rights, accountability, and transparency through social media and avid blogging. He also needs to maintain a secure environment to protect his work and his sources.

Threats

He is the target of intimidation and harrassment by police.

Office and home raids lead to the confiscation of phones, laptops, flash disks, modems, and soft and hard copies of documents by security operatives.

Surveillance is a concern, as phones have been tapped. Other concerns include imprisonment and degradation of the organization.

Strengths

Jomeo has previously attended security trainings. He learned how to maintain strong passwords, enable 2-step verification, and how to securely communicate via encryption.

He also backs up confidential documents to ensure safe storage.

His groups are helping keep him up-to-date with digital security measures.

Questions

What can happen to me if I am arrested without my colleagues knowledge?

How can I communicate with my contacts about the arrest?

Uganda: "Paul Mukasa"

Mon, 20 May 2019 23:15:28 -0700

Overview

Paul is LGBTI in Uganda, where it is illegal and not socially accepted. He faces both ostracism and physical risk.

Paul and his organization work with politicians and civil society leaders to improve the acceptance of LGBTI issues across Uganda.

Paul is currently leading an internal project at his organization to improve their security practices - both at the organization and at many staff members’ homes, they have biometric alarm systems installed after a series of break-ins and office raids where laptops were stolen. Other practices Paul is working to address are sharing laptops in the office and discouraging using cybercafes.

Paul is between 29 and 35. He is single and lives alone, as his close family have emigrated.

Goals

Keeping himself and his colleagues safe – both at their office and their homes

Maintaining ability to advocate for social change

Ability to have an active social and family life

Threats

Strong social norms against LGBTI - including everyday people, religious fundamentalists, police with prejudices, and illegality

Office and home raids and robberies; including the seizure of laptops. Stolen information can be sold to the media, which “out” activists publicly

Intense government surveillance of activist and NGO activity using powerful tools

Strengths

Paul has readily adopted many digital security practices - enabling two factor authentication for accounts

Paul has developed complex operational security practices, such as having personal protocols of how to engage with new contacts in public spaces instead of at the office, to reduce associational risk.

After recent office raids, Paul and other staff have moved to saving documents in cloud storage and not on laptops.

Questions

How do I protect information against my devices being confiscated?

How do I encourage colleagues, partners, and funders to adopt better security practices?

Ukraine: "Anna"

Mon, 20 May 2019 23:15:28 -0700

Overview

Anna is a middle-aged woman, working for an anti-corruption non-governmental organization in Ukraine. She leads many cases against high-profile corruption within the Ukrainian government.

She stores important documents on her Laptop. She uses WhatsApp to communicate with her team and family. She often needs to print documents in order to file legal requests.

Goals

She wants to win her cases against corrupted officials.

She wants to keep herself and her team merrnbers safe from state-Level actors.

Threats

Her phone was stolen and then returned by a ranaom person.

Her team conversations on WhatsApp have been repeatedly leaked.

There may be some documents on her device that could potentially incriminate her and other innocent people.

Strengths

Anna uses full-disk encryption and all of her devices are password protected.

She uses WhatsApp for all important conversations and has 2-factor authentication enabled on all important accounts.

Questions

Can someone break into my device if it is locked?

I was told that WhatsApp is safe, so how can our information be repeatedly leaked?

Ukraine: "Maksym"

Mon, 20 May 2019 23:15:28 -0700

Overview

Maksym is in his late twenties and works as a history teacher in Ukraine. During his free time, he works as an admin and editor for a social media page of a local activist group. The group fights against city gentrification and the destruction of local parks for residential development.

He uses his Laptop to access his personal pages and advocacy groups on Facebook and VKontakte. He uses Telegram to communicate with his fellow activists and ephemeral online notepads (i.e. privnote.com) for sensitive communication. He uses different VPN clients to access VKontakte pages that are blocked in Ukraine due to sanctions on Russia, as a large part of his audience still uses the site.

Goals

He wants to keep his true identity secret in order to protect his job as a teacher.

He needs to me sure that his Facebook pages are secure and available at all times.

He wants to engage the local community in the struggLe against gentrification and corruption of city officials.

Threats

Several members of his group have been temporarily arrested in the past on fake charges and their devices were confiscated. Their social media pages were deleted after devices were confiscated by authorities. This caused them to lose a large portion of their audience.

He is afraid that his identity will be revealed by law enforcement or corrupt officials.

Strengths

Maksym’s devices are password protected and he has 2-factor authentication enabled on all important accounts.

He uses Telegram for most conversations and privnote.com for sensitive communication.

He also uses aliases on all his personal social media accounts.

Questions

Can someone track me using my phone number (since you do not need to register a SIM card with a specific name in Ukraine yet)?

What can I do to protect our social media pages from being deleted if my devices were to be seized?

Ukraine: "Masha"

Mon, 20 May 2019 23:15:28 -0700

Overview

Masha is based in Kyiv, and works for an NGO tracking human rights violations ocurring in the contested Donetsk region of Eastern Ukraine.

She coordinates monitoring missions of volunteers who travel into Donetsk to interview and document violations using their cell phones, and return to share and organize the information. Her responsibility is to plan the missions and logistics, select and send volunteers to the area, and monitor their work and safety.

Masha is an experienced user of digital security tools, including encrypted email and password managers.

However, the volunteer network she works with has high turn-over, and different skill levels and understanding of digital security.

Goals

She needs the ability to track the volunteers’ movement in the area in real time.

A fast, safe tool to synchronize data from volunteer smartphones, so the data does not get confiscated and lost.

Volunteers need an “SOS” button for when there is no time to communicate, but need to send an alert.

Threats

The documentation the volunteers gather is very sensitive to both sides of the conflict; neither side wants these facts.

To preserve the information and keep the volunteers safe, they need to remove the data from the mobile phone as fast as possible, as the devices may be seized at any moment.

The situation in Donetsk is unpredictable, and communications channels may go down without warning.

Strengths

Advanced user who has been trained in and adopted digital security methods. She has different passwords for different services, and updates her software regularly.

She uses file encryption for files on her laptop, and uses gmail with two-factor authentication for her email.

The volunteers have widely different levels of tech skills and need tools which are fast to learn and easy to use.

Questions

What happens to the information if the mobile phone is confiscated?

Can it work if communications are blocked or completely cut off?

How can I safely track the location of the volunteers without revealing that information to anyone else?

Ukraine: "Oleksandr"

Mon, 20 May 2019 23:15:28 -0700

Overview

Oleksandr is in his mid-thirties and works as a television journalist. He covers stories in the combat areas of Eastern Ukraine.

He uses his mobile phone and iPad for communicating with colleagues, sources, and others. He also takes photos for Facebook stories on his mobile phone and iPad and stores sensitive files on his laptop.

Goals

He wants to be sure that his communication with sources will be private.

He needs to make sure that soldiers will not be able to access his sensitive files (photos, documents, etc.).

Threats

He has to leave his laptop in hotels and connect to public WiFi near combat areas.

His laptop can be searched at the border or check-point.

His Google and Facebook accounts could be targets of phishing attempts.

Strengths

Oleksandr has encrypted his iPhone, iPad, and MacBook already.

He has also attended a one-day digital security training.

Questions

How can I secure communications via Gmail, Facebook, and Viber?

Can the military get files from my laptop without my password?

Ukraine: "Oleksandr"

Mon, 20 May 2019 23:15:28 -0700

Overview

Oleksandr is in his forties and works as both a lawyer and human rights defender. He is currently working on legal cases of human rights violations, which involves preparing documents for international courts.

He uses 2-factor authentication with Gmail, Google Drive, and Facebook. However, he is always forgetting his passwords. He writes the passwords down on a sheet of paper, but still sometimes struggles with logging in to his Gmail account.

Though he is a lawyer, he is not aware of how police are inspecting devices.

Goals

He needs to be able to store sensitive data safely.

He also needs to be able to transfer the data securely.

He wants to make sure human rights defenders are not imprisoned.

Threats

His laptop, smart phone, or flash drives could be confiscated.

At the border, authorities could gain access to his devices.

He could be the target of malware or phishing attacks.

Strengths

Oleksandr has encrypted his laptop using Bitlocker.

Both his laptop and smart phone are password protected.

He knows the laws and can access remote IT support when needed.

Questions

What happens if I lose my password again?

What happens to all of my data if my laptop or smart phone is confiscated?

What happens if my laptop or smart phone is infected with malware?

SOUPS 2019 Workshop Designing for the Extremes of Risk

Thu, 17 Jan 2019 23:50:48 -0700

The USABLE Project team will host a workshop at SOUPS 2019!

This workshop will cover how to adapt UX design and user feedback collection techniques when working with high-risk communities, through an overview of the different marginalized groups and their needs that the USABLE.tools project have worked with from around the world over the past 2 years.

The USABLE.tools project builds feedback loops around the globe by connecting at-risk communities with digital security trainers, usability experts, and security tool developers. USABLE has worked with over 50 trainers and engaged end users in high-risk areas, and supported open source security and privacy tools with funding as well as direct design and implementation support to take this feedback and incorporate it into their tools through human-centered design processes.

Representatives from the project will discuss their methodology and outcomes from working with regional and local digital security trainers from around the world to gather feedback and build personas to represent marginalized, vulnerable, and other at-risk communities.

Call for Presentations

We welcome community input (via a simplified Call for Papers/Projects) to present on similar topics and then via breakout groups discuss open questions around building lasting structures to help designers and tool developers responsibly solicit and implement feedback from at-risk populations.

Please submit a short summary (less than 1000 words, approximately 2 pages) of your work, with references/websites/papers linked if relevant, and what topic you’d want to present on during the workshop to Connect+CFP@usable.tools, plaintext/markdown formats preferred, PGP keys for encryption available on request.

Workshop paper submission deadline: Friday, May 30, 2019
Workshop paper acceptance notification to authors: Saturday, June 8, 2019
Workshop camera-ready papers due: Wednesday, June 19, 2019

Logistics

USENIX will be charging a registration fee ($75 per half day tutorial/workshop, $150 for full day) this year.

All USABLE project events are governed by our Code of Conduct. In addition, SOUPS is governed by the USENIX Code of Conduct.

Announcing New USABLE Personas

Fri, 28 Dec 2018 11:00:00 +0000

Through a series of regional User Experience (UX) Workshops, the USABLE project is enhancing digital security trainers’ understanding of specific usability roadblocks that hinder adoption of important security practices for the highest risk groups across the globe and how to capture and articulate these challenges to tool developers.

Personas, or general profiles or snapshots of end users, play an important role in the design process and allow developers (who are largely male and based in the U.S. and Europe) to better understand the needs and use-cases for their products in some of the most challenging environments in the world. Too often developers in the open source community rely on assumptions from their respective locations and experiences, which is dramatically different from the lived experiences of high-risk groups using their products. Whether they are designing for a human rights activist in China or a journalist reporting on the frontlines in Crimea, for developers to design products that are useful and usable, they must better understand who their users are, their motivations, and willingness to adopt such important security tools.

During the five regional UX Workshops, trainers learned how to create and use personas to communicate with tool developers. These personas include a brief description of the user, along with a summary of their goals, strengths, and threats they face. It also includes questions from the user about specific tools or security concerns, giving the developer insight into the users’ mental model around security in general.

Trainers were also given time during the workshop to create their own personas based on specific communities with whom they are working. Following the workshops, the USABLE team worked with several of the trainers to finalize their personas and format them for publication. 6 personas from Southeast Asia, 5 from Europe and Eurasia, 4 from the Middle East and Northern Africa, 3 from Sub-Saharan Africa, and 3 from Latin America were published and are now available at usable.tools/personas.

From LGBTQI advocates to journalists, these personas capture a variety of user backgrounds, experiences, and needs. The goal is that developers will be able to use these personas to better understand the individuals using their tools, and will then be positioned to make more informed design choices that ultimately make tools more secure and accessible for high-risk users.

UXForum 2018: Dublin, Ireland

Fri, 20 Jul 2018 23:50:48 -0700

The second UXForum took place in Dublin, Ireland in July 2018. The event brought together human rights defenders, digital security trainers, design experts, and software developers to discuss how to capture and integrate user feedback from high-risk communities on digital security tools, and make those tools stronger and more effective as a result. Over 20 different countries were represented at the event.

Over eight tool team representatives, from password managers to VPN tools, attended the event and had opportunities to directly connect and understand security challenges at risk groups across the globe face when doing their work.

The first two days of the UXForum focused exclusively on the Internet Freedom community. Digital security trainers, UX experts, and open source privacy and security tool developers began by discussing larger themes, such as localization, accessibility, and transparency. Tool teams were also given time to connect directly with individuals using their tools. During these sessions, developers were able to share some of their priorities for improvements as well as answer questions and collect feedback from users. A series of discussions happened during the first two days. Topics covered included, but were not limited to:

Additional Use Cases for Personas
Effective Ways for Communicating Feedback to Developers
Designing for Users with Disabilities
Documentation and User Onboarding
Sustaining Tool Usage Post-Trainings

The final two days consisted of more structured panel discussions. These sessions were also open to private sector attendees. The President of Internews Jeanne Bourgault provided the opening keynote address. The following two days were filled with dynamic and informative panels covering topics ranging from designing for extremes to understanding security challenges in context.

The Forum was impactful for all attendees and the small scale of the gathering allowed for the diverse attendees to easily connect with one another. For several tool developers, this was the first time they had connected with non-Western users.

Additional financial support for the UXForum was received from Facebook, Balsamiq, and the Ford Foundation. This support allowed the USABLE team to bring additional digital security trainers representing diverse backgrounds.

USABLE at RightsCon 2018

Thu, 17 May 2018 23:50:48 -0700

The USABLE team led two sessions at RightsCon 2018 in Toronto. The first of these sessions, entitled, “Making the Tech USABLE – how to gather and share user feedback from our digital security trainings,” was co-facilitated with Defend Defenders, one of our partners in East Africa, and a trainer from the East Africa UX Workshop. The session consisted of a UX Activity for feedback collection, where participants were split into smaller groups and acted as training participants, providing feedback on five specific tasks in the Signal app. After completing these tasks on the app, the participants provided feedback using a 1-5 scale on the difficulty in completing those tasks. After the activity, the groups came together to exchange feedback on the tool as well as the usefulness of the UX Activity itself.

The second session co-led with, the Design Lead at Access Now, was a UX/Tech Meet-up. The goal of the meetup was to connect talents across sectors and to share experiences and lessons from existing projects. Everyone introduced themselves to the group and explained their interest in/experience with UX/UI. The group then divided and focused in on two themes. One group focused on specific resources (either existing or needed) that could be used within the UX context, while the other focused on highlighting tangible opportunities for collaboration among those attending the meetup.

The sessions at RightsCon, along with various side meetings, provided a space to create connections, introduce USABLE to new tool teams and individuals, and advertise for the second UXForum, which happened just a few months after RightsCon.

USABLE at RightsCon Toronto

Thu, 10 May 2018 11:00:00 +0000

In response to the emerging security and privacy concerns in product and user experience design, we would like to invite you to the UX/Tech Meetup at RightsCon Toronto on behalf of Internews and Access Now.

This meetup will be on Thursday, May 17th, 2018 from 1:20pm to 2:20pm in Demo Room.

Our theme for the meetup is how technologies can better protect people’s digital rights with user research and strategic design thinking. We are hoping to connect talents across sectors, share experience and lessons from existing projects, and combine efforts and identify collaboration opportunities. If you have any ideas you would like to share or topics to discuss, you are more than welcome to bring them to the meetup.

USABLE at the Internet Freedom Festival

Fri, 03 Mar 2017 11:00:00 +0000

The USABLE team is excited to be gearing up for the Internet Freedom Festival this year to contiue sharing lessons learned by developers looking to listen and engage with their users. Internews will be co-hosting the session with web accessibility expert, Nancy Reyes of HearColors Mexico, to talk about the biggest takeaways developers are learning as they continue with user-testing and exploring different ways to engage with their target users, how they are turning user feedback into concrete usability improvements, as well as the intersectionality of usability and accessibility and why it’s important. The conversation will be led by our UXFund grantees, including Mailvelope, Benetech, Peerio, Operator Foundation, and Least Authority.

The session, Usable and Accessible Security – Lessons Learned by Engaging with Users, will be on Monday (March-6) from 5:00 - 6:00pm in the Attic at the IFF venue.

Hope to see you all there!

Announcing the UXFund Results!

Wed, 28 Dec 2016 08:00:00 +0000

The USABLE team is proud to announce the UXFund results for the small, but targeted usability enhancement grants. Many great proposals were received and, after a thorough review process, five organizations for short-term awards were selected. A core component of all grants will be to more directly engage and listen to users, so tool creators can better understand and implement usability improvements that are needed from high-risk communities across the globe.

Profiles of the UXFund grantees can be found below:

Mailvelope -- https://www.mailvelope.com Mailvelope is a free browser plugin for Chrome and Firefox that enables end-to-end encryption that integrates directly with your web-based mail provider, whether you are using Gmail, Yahoo! Mail, or Microsoft webmail. Mailvelope is an open-source project currently hosted on github (https://github.com/mailvelope/mailvelope). Martus (product of Benetech) -- https://martus.org Martus is a free, open source, secure information collection and management tool that empowers human rights activists to effectively collect, store and transfer potentially sensitive information. Martus enables more secure information management and backups for groups and individuals across the globe. Peerio -- https://www.peerio.com Peerio is an end-to-end encrypted communication client that works on both desktop and mobile phone. The client allows users to setup an account for free, with paid premium versions. Peerio is an open-source project currently hosted on github (https://github.com/PeerioTechnologies/peerio-client). Postcard (product of Operator Foundation) -- http://operatorfoundation.org Postcard is an open-source and free encrypted email client with a simple user-interface for maximum ease-of-use. Postcard is free and open-source and is currently hosted on github (https://github.com/OperatorFoundation/Postcard). Gridsync (product of Least Authority) -- https://leastauthority.com Gridsync aims to provide a cross-platform, graphical user interface for Tahoe-LAFS, the Least Authority File Store that allows for backing up local files, synchronizing directories between devices, and sharing files and storage resources with other users across all major desktop platforms (GNU/Linux, Mac OS X, and Windows). Gridsync is a free and open-source software that is hosted on github (https://github.com/gridsync/gridsync).

If you are interested in working to help any of these organizations or getting involved in supporting the USABLE project, please contact us!

USABLE Updates, Resources and more!

Tue, 20 Sep 2016 11:49:01 +0000

We can’t believe it’s been two months since the UXForum! To be fair, we had a lot of sleep to catch up on, and there have been some exciting staff transitions over on our team.

Going forward, Megan (Megan@usable.tools) will be leading USABLE while Jon takes on directorship of our global portfolio (including supporting USABLE!). We are also onboarding additional program support to help out.

We’ve added a massive Resources page that captures a ton of links and references from the UXForum, our reading lists, and more.

We also have some new User Personas we’ve put together from the UXForum and TFT work with our communities. These personas represent a wide variety of users of digital security tools facing a mix of threat actors.

We have created these from many common shared experiences, but for the privacy of our communities, none are 1:1 connected, and all are created from a combination of people and the work they do. The photos are public domain or Creative Commons stock photography, and the names are of course made up.

We are working with a few teams to support UX walkthroughs, accessibility, and user testing of open source digital secutrity tools! We will be focusing on our UXFund grantees first, but please ping us at connect@usable.tools if you are a tool developer and are interested in this – and also check Open Technology Fund’s Usability Lab they run in partnership with SimplySecure.

Power to the Users -- From trainings to the UXForum and onwards.

Tue, 20 Sep 2016 11:35:00 +0000

Three years ago, I led a digital security training for independent media in Kyiv during the peak of the EuroMaidan protests. It didn’t go as planned.

This spring, we returned. We worked with an amazingly skilled trainer who led the local Digital Security School which had since emerged thanks to the hard work of eQualit.ie, and we brought together an amazing community of experts and practitioners who face complex challenges in their work as they dealt with the repercussions of the post-Maidan Ukrainian reality. This alone would have made for a successful training; but our goal with USABLE is to scale beyond this and get to underlying problems around tool uptake. So, we also brought a designer (who is now leading frog design’s social impact team) and a developer who led a digital security tool that the community was interested in learning more about.

Building this “Tool Feedback Training” approach to connecting high-risk users and tool developers through the training and design process, and the results we have already achieved, has been an amazing journey. It may – and should – seem simple, but the complexities of making that precise connection is far too often presumed, but not actually done. Real people facing very specific and complex security challenges become an amorphous “they.” “They” needs many things from constant, bleeding-edge security improvements to changes supporting very specific use cases; but it turns out that if you actually engage the people beyond the “they” - that you learn real, often simple, changes in user experience are the path forward.

The Kyiv training followed tightly on the heels of another, and we then went on to test this approach out in 5 total communities across the globe, from LGBTI activists to election monitors to media activists to women journalists to persons with disabilities. Each training blew our minds in new and amazing ways. Can the tool protect you against both censorship and intense surveillance? Can it be used with a screen reader? Does it work offline if the network is shut down?

Hear from some of the digital security trainers we worked with directly

After these events across the world and thanks to our funders, including the Department of Human Rights and Labor, Yahoo! and Vodafone, we were able to bring the facilitators and many of the participants back together for a week-long event in San Francisco - the first ever UXForum for digital security tools. The Forum brought the trainers, designers, developers, and at least one community member from each of our Tool Feedback Trainings, as well as inviting in additional members of the open source and corporate communities. We worked through difficult problems impacting all of the communities, shared stories and threats faced, and mapped out ways to move forward - how to better connect users, trainer, and developers, how to weave user testing into trainings effectively, and developers and designers worked on paper prototypes and explored using their tools through screen readers. Yahoo! even hosted the trainers and community representatives to share their experience at Yahoo! and visit with Yahoo’s UX and Accessibility labs - read more on Yahoo’s Tumblr.

The week closed with some clear next steps and, at the open-to-the-public “UX in a High Risk World” event; the opening of the UXFund, targeting usability enhancements to open source digital security tools committed to user engagement throughout the process. The Fund’s first round closes at the end of this month – apply at /uxfund!

UXFund: Extended to September 30!

Thu, 15 Sep 2016 20:21:01 +0000

We are extending the UXFund deadline for two more weeks - through Sep. 30! Apply Today!.

User Testing in Digital Security Training

Thu, 07 Jul 2016 10:47:00 +0000

During our first Tool Feedback Training, we faced some natural reluctance to “complain” about a tool being trained upon, which was magnified by the effect of having a representative from the tool in the training. To accommodate this, we leveraged the high number of facilitators during each hands-on activity to gather observational data. The trainer would set a short goal (create an account, create a record, share a record), and the participants would work in small groups to accomplish this task, with a facilitator observing each group to note where confusion or problems were occurring. To balance this with maintaining the flow of the training, the facilitators would keep each group from floundering, and the trainer would review the process for everyone before moving onwards.

This essentially provided user testing during the ADIDS “deepening” stage by encouraging exploration to achieve these goals. Between activities, the facilitators could dive in and ask more about the problematic parts of the process without embarrassing either the tool developer or individual participants.

We brought this same strategy to the second TFT, and had challenges working across language barriers. This approach requires both a hands-on session with very definable “steps”, and a grouping structure that also works with the participants, the size of the group, and any translation needs.

We approached this slightly differently at each training, and it provided valuable insights into tool usability with specific pain-points from users. Some version of this could be worked into the broader digital security training process to create a feedback loop from trainers, representing their participants, and tool developers.

At the UXForum next week we will be talking about how different approaches worked across the different communities we worked with to find any common approaches to recommend.

Yahoo!

Thu, 07 Jul 2016 10:47:00 +0000

Thanks to our friends over at Yahoo! for a great blog post outlining their amazing support of our work!

Security and Product Design with Human Rights in Mind

By Katie Shay, Legal Counsel, Business & Human Rights

Cross-posted from Business & Human Rights, https://twitter.com/YahooBHRP

Twelve security trainers, tool developers and human rights activists from four continents came to our headquarters in Sunnyvale, California. Their mission? To share their unique perspectives with our Yahoo products, engineering, security, public policy and legal teams. Yahoo’s Business & Human Rights Program, the Paranoids and Yahoo for Good orchestrated this ‘hack of the minds’ in partnership with Internews and the USABLE Project.

USABLE Project’s aim is to inform the development of security tools that are easy to use and simple to understand for users from diverse backgrounds and skill levels. Their goal is to support vulnerable populations around the world who use the internet for more than just sharing pictures of cats or Venmoing a friend for lunch. In many cases, these users rely on the internet to exercise their right to free expression, expose corruption or fight against injustice in their communities. For these users, the ability to be secure online is critical.

In July, Yahoo was proud to sponsor the USABLE Project’s first ever public forum, UX in a High Risk World in San Francisco, bringing together frontline digital security practitioners, users, tool developers and UX experts from around the world. In addition, Yahoo participated in the final day of USABLE’s four-day closed-door workshop leading up to this event, working directly with this community to build concrete, actionable roadmaps to improve usability in security tools.

Following the forum, the delegation from USABLE that visited Yahoo shared their on-the-ground perspective on why remaining secure online is so important to their work. They explained how they use Yahoo products, including Flickr and Mail, why it’s important to have a principled approach to responding to government requests for user data and content moderation, as well as the importance of baking in security features to products from the outset by turning them on by default. These visionary leaders are working toward solutions for activists facing censorship, hacking, surveillance and suppression in some of the world’s most challenging environments.

During the delegation’s visit, our Yahoo teams asked pointed questions to understand the experience of some of our most vulnerable users and to explore how their experiences might inform Yahoo’s product development and online security work.

We are grateful to the USABLE team for sharing their stories with us, and for inspiring our teams to continue to find new and innovative ways to put our users first!

Protecting High-Risk Tech Users: A Movement for Usability

Wed, 06 Jul 2016 15:01:01 +0000

Connecting developers with users improves tools for human rights defenders

Janvier Hakizimana has a radical idea.

“Governments and large global bodies like the United Nations subsidize new medications to fight disease. Why not also subsidize the adaptation of technology so that it can meet the needs of local communities?”

Adaptation — making tech tools more open, accessible, and customizable — matters in Janvier’s line of work. He works to support human rights defenders in the East and Horn of Africa who need secure tools to document and report human rights violations.

*Testing the usability of secure apps through screen readers, at a USABLE training in Mexico. Credit: Mariel Garcia M*

When a tool can’t adapt to local conditions — when it is entirely reliant on an internet connection, for example, users in low-connectivity areas may not be able to use it on a broad scale.

Relying on a hodge-podge of tools that each does one thing well makes work inefficient. Worse, relying on tools that aren’t secure puts high-risk communities in danger.

Janvier supports human rights defenders, in part as a trainer for USABLE, a project designed to connect high-risk users of digital security and communications tools with the developers who make those tools, in order to make the tools usable.

Next week, USABLE will hold its first UX Forum in San Francisco, bringing digital security trainers and activists from Africa, Latin America, Eastern Europe and the Middle East with developers in the center of US tech development, for three days of hands-on collaboration. USABLE’s focus on human-centered design focuses the process on the real-world needs of activists working on sexual orientation and gender identity rights, media, democracy, and human rights in challenging and threatening environments.

Mariel Garcia M, a technologist and USABLE trainer in Mexico, has seen first-hand the real risks for activists. “[Mexico] is a country where activists are at great risk; not just of intervention of their communications, but they’re also at risk of death, and torture.”

And while Mariel finds activists are well aware of the risks — “If you talk to activists who have been active since the sixties, they will tell you never to speak on the phone,” she says — there are numerous road blocks to their use of secure tools.

“Many developers and many of us would think if you have a secure tool, and your choices are secure or not secure, the activist will choose secure, but that doesn’t explain all the things that go into the decision-making process,” she says. “What if they’re the only person using that secure messaging app, and none of their friends are? Do they want to invest their efforts in getting everyone to adopt that tool, when they could be focusing on the next protest they’re organizing?”

*Security workshop notes taken in braille. Credit: Mariel Garcia M*

Being outside the tech community also hinders adoption. “You have to be in certain tech circles to know that there is this tool, or to keep up with the discussion. What if this tool stops being developed — will [the activists] ever find out? They will have been to one workshop where they heard about it, but to stay updated, you really need to be part of a tech community, and many of them don’t do any tech-related work.”

In Ukraine, trainer Mykola Kostynyan has seen a dramatic change in awareness around digital security since the Euromaidan protests in 2013, but like Mariel, sees long-term change as a challenge for organizations.

“Before Euromaidan we hadn’t even heard of digital security — it wasn’t an issue. Now, thousands of people have awareness after going through training. A lot of organizations are migrating corporate email to more secure systems, and storing and transferring documents in more secure ways. We can see a lot of interest. We are very far from the ideal situation, where each organization has security policy implemented and has people responsible for that. We are very far.” The need for continuity and long-range organizational change directly supports Janvier’s idea, that adaptation of technology is worthy of broad support and investment by governments, and shouldn’t be left to one-off solutions.

“User-friendly software development is not really promoted and well-funded,” says Janvier, giving an example of a software project that was funded for five years of development, and rolled out to the local NGO community in Uganda, but ultimately abandoned. “Instead of starting new project, we would like to have software which will be used by this generation, and improved for next generation.

Finally, the trainers say there’s just no way to know all the needs of users without asking. Mariel recently led a USABLE workshop with activists focused on the needs of the visually impaired.

*From a USABLE conference in Mexico, participants demonstrate an adaptation of Rock, Paper, Scissors for players with visual disability. Credit: Mariel Garcia M*

“Most digital security trainers have plenty of experience with the difficulties that people face when they don’t have disabilities. For example we know that a certain app has this particular bug. A digital security trainer can give you a pretty exhaustive list of what goes wrong with all these tools. But not many of us are in the community that needs special tools, like audio readers [for the visually impaired]. It brings interesting security risks. For example, how do the visually impaired use secure applications if the buttons are not properly tagged for screen readers to read aloud?”

Tools made with accessibility in mind are not necessarily made with security in mind, and vice versa, which is why building connections between users and developers is so vital.

“I wish that people would come together more often to collaborate at all levels. So that all the valuable feedback I gathered from one tool would reach the developer, and that someone would fund that. Trainings should be more informed by the people developing the tools, who have a deeper understating of how [the technology] works. I’m really excited to see USABLE promoting this kind of collaboration. I think it’s been missing from the ecosystem,” says Mariel.

“If I have connections with developers,” says Mykola, “I can give them some advice. And maybe try to get tool user sessions here in Ukraine independently, to test new tools and give feedback to developers — to start more than a separate event, more of a movement for usability.”

Re-posted from Internews’ Medium blog

UX in a High-Risk World is a public event scheduled for July 14 in San Francisco, in tandem with the UX Forum. Register for the event. At the event, Internews’ USABLE team will launch the UXFund Call for Proposals. UXFund is a small-grants program to support usability and accessibility improvements for open-source digital security tools.

Join us for UX in a High Risk World!

Fri, 17 Jun 2016 16:57:00 +0000

For one night only, we are opening the doors to this event!

Come meet the visionary leaders who are piloting and developing solutions for activists facing censorship, hacking, surveillance, and suppression in some of the world’s most challenging environments.

RSVP Now!

Featuring Jeanne Bourgault, President, Internews with community representatives, developers, designers, and trainers including:

Mykola Kostynyan – Ukraine: Mykola has trained over a thousand Ukrainian human rights defenders, journalists, and NGO activists over the past two years, working with many organizations, including the eQualit.ie Digital Security School, Internews, OSCE, IWPR, Freedom House and The ISC Project.

Mariel Garcia M – Mexico: Mariel is an ICT for change advocate. She does instructional design and training on digital security, privacy and media literacies with youth and women’s groups in Mexico. Mariel was recently featured by the BBC on International Women’s Day

Helen Nyinakiiza – Uganda: Helen is a trainer of safety and security tools for human rights defenders. She is a consultant for Amnesty’s Panic Button project and currently working on the USABLE workshop program by Internews. Helen participated on research publications for human rights defenders in the East and Horn of Africa and is passionate about sharing knowledge on digital security and human rights.

P.S. At UX in a High-Risk World, Internews’ USABLE team will launch the UXFund Call for Proposals. UXFund is a small-grants program to support usability and accessibility improvements for open-source digital security tools.

UX in a High-Risk World is held with support from Vodafone Americas Foundation, ThoughtWorks, and the Innovation Hangar, with community outreach support from Simply Secure, Access Now, and the Internet Freedom Festival.

Please also note our Code of Conduct.

Learning how to balance design and training

Thu, 28 Jan 2016 13:29:00 +0000

The USABLE team is halfway through our Tool Feedback Training process, and the first two TFTs were hugely informative. We worked with groups doing amazing work while facing widely different challenges; including censorship, targeted malware, and situations where digital security problems can become physical security ones.

One of the concerns we had going in to this process was balancing the digital security training for the participants with human-centered design exercises, which is why we spent so much time working through this during our Security and Design Workshop.

In both trainings however, the participants not only responded enthusiastically to the design exercises we conducted, but expressed ongoing interest in applying design thinking to their project work. The design-centric agenda items have actually meshed well with the digital security curricula, engaging participants in the design process, creating users personas, and supporting the tool developers in coming up with prototyped design changes. We’ll post soon on building user testing directly in to the training process.

The dSchool’s Wallet Exercise has been very useful as a short, fun way to get into the mindset of design, as it leads you through a series of thought, listening, and feedback exercises with a partner. It - along with many of the other design exercises – creates a great icebreaker effect by putting everyone on the same level as they work through a problem.

We’ve updated the TFT schedule to better reflect how these first TFTs went - you’ll see a back-and-forth between threat modeling, design exercises, and tool trainings.

Day	Description
1	Project Overview and Introduction to Design Experience sharing: "A Day in the Life" Threat modeling introduction Digital security overview
2	Design exercises: "The Wallet Project" Persona creation and discussions about risks and tools Digital security tool training with participant observation feedback Defining expectations and requirements for digital security tools Digital security tool training with user testing observation and participant feedback
3	Further digital security training (depending on scope and complexity of tools)
4	Review tool experience from a design perspective Open discussion around digital security needs Roadmap and prioritization of challenges Finalize user personas

Indeed, the integration of thinking through how a tool works – and how it could be improved – deepened both TFTs. These opened discussions around how the tools interact with the risks that each group faced, and what features were most important for them to filter their choice of tools on. The second group even built their “top 10” (well, 14) ranked list of features around secure communication tools:

Usable; fast and easy to set up
Cross-platform, mobile
Works on slow connections
Secure by default
Tool is consistently updated
Sync across devices?
Provider cannot read messages / metadata
File transfer
Offline support
Open code
Code Audits
Perfect Forward Secrecy
Documentation
Localization

A good reminder that usability is security.

Training and Design

Sat, 21 Nov 2015 12:09:25 +0000

At the Security and Design Workshop, we realized that our original plan of book-ending a classic digital security training with human centered design exercises was not ideal – many elements of learning and exploration that are key to training are similarly core to collaborative design.

To test this out, we spent one afternoon running a digital security training on mobile security. We based the training on the ADIDS adult-learning approach, and used a selection of Level Up curricula components, integrating human-centered design components into the flow of the training. The rest of this post will run through the components of the training and the outcomes from it.

The ADIDS model uses a mix of engagements to help adult participants learn a specific topic, starting with an opening Activity that introduces the topic in an engaging fashion, then Discussing the topic, then the lecture/training section (“Input”), followed by a hands-on “Deepening” - often installing and using a specific tool, and closing with a Synthesis that summarizes the entire topic and answers remaining questions. (Learn more about ADIDS at LevelUp).

For the beginning Activity, we used We are the Internet (adapting it for mobile communications) by adding in participants (wearing tin-foil hats) as the cell towers.

The Discussion and Input sessions came from the private mobile communications curricula set.

Adding extra letters to ADIDS - ADIDDS?

The training then shifted to a more human centered design process. Before jumping in to working with specific tools, we added a “Design” component – asking participants to provide the design elements they would want, as well as some participants were concerned about when making a secure mobile call.

By having already run through some design “warm-up” activities, the participants were able to throw out a collection of ideas for secure mobile communications relevant to our desires for easy communication and informed by the Activity, Discussion and Input sessions.

We then moved into the deepening component, with hands-on installation and practice using the Signal app. Signal is well-regarded as an amazingly usable app which provides high-end security without a confusing interface – so it was a bit of a surprise when we discovered that there were still other improvement suggestions from the participants (in many cases due to the differing application security frameworks across iOS and Android). This underlined that even the “best in class” digital security tools can benefit from this process.

(The issues we wrestled with, mainly around confusion with the different, but very small lock icons in the Android version, are already present in the Signal issue queue in various forms - Inadvertently sent insecure messages via SMS without clear notification and 3 different padlock icons plus a mild confusion around the fact that the lock is absent in Signal on iOS, as Signal does not take over default messaging in the way it can on Android)

Learnings from the Security and Design Workshop!

Fri, 20 Nov 2015 12:09:25 +0000

The USABLE project is built around a core commitment to listen - to users, to trainers, and to our partners. As we began assembling the team of amazing designers and usability experts we are working with, a common thread emerged around a desire to connect and frame their inputs as usability experts for the digital security space and map out how they would engage during the tool feedback trainings.

We were able to bring together a Security and Design Workshop in mid November, thanks to the amazing generosity and flexibility of our partners and hosted in ThoughtWorks’ new San Francisco offices. This gave the USABLE team a chance to go over operational security concerns for working with vulnerable populations and let the designers experience firsthand both some of the digital security tools we hope to work with, and the process of a digital security training. More importantly, however, was the chance to really dig in to our plans for integrating need-finding and human centered design into the digital security training process to create the “Tool Feedback Trainings” (TFTs) we envision.

For needfinding, USABLE is integrating core aspects of the SecondMuse’s Internet Freedom Need Finding Toolkit into this process to supplement our pre-training interview and engagement processes with our local partners and trainers. Members from the SecondMuse team were able to join us and help us work through their framework and adapt it to the Tool Feedback Training model in USABLE. This helped us discover what information is valuable to match a community with a tool developer, as well as understanding the threats and capacity of each community that goes into digital security trainings.

For the rest of the workshop, we worked on integrating HCD practices into the training process. The final day began with a series of human centered design exercises led by ThoughtWorks that would be adaptable for the TFT scenarios, from introductory exercises to more practical ones, such as having participants design the training or manual for a tool as a way to focus the tool’s actual interface on those aspects that truly require training, as opposed to those which could be set to secure defaults, automated, or provided as “advanced” options.

Learnings

Blending training with design

Our initial vision for the TFT schedule was an approach that bookended a more traditional digital security training with a pre- and post- session on design. During the Workshop, it became clear that a fully integrated approach where design aspects were combined into the flow of the training would be much more effective. We did a test-run of this which we’ll detail in a future blog.

Building respectful, useful Personas

Another core learning from the Workshop was around the generation of the personas, and how to present this exercise in the TFTs in a way that respects the individuality of the participants while balancing the value of a cohesive, representative persona that has utility for developers. This will not only lead to stronger outcomes, but will provide clearer representation for niche needs and barriers that sub groups of each community might have.

Unexpected outcomes are exciting

Design exercises, even short, open-ended ones like the “5 ideas” aspect of the Wallet Exercise can also be conducted even without a specific tool in mind, as a way to enable participants to design ideal theoretical tools for themselves (through a process of interviews, risk discussions, and talking about current practices). This helps the participants and facilitators understand the community’s approach to and tolerance of risk and can reveal hidden barriers to tool adoption (such as remote connectivity, battery consumption).

This process can also turn up local innovations to mitigate risks, and even expose gaps where no current tools are available to meet a need.

Finally, this provides a rare security training exercise with no “wrong” answers.

How usable is too usable?

We also wrestled with some powerful questions that could help change discussions around the pushback against some tool usability. A classic debate has been balancing making specific complex tools easier against removing some of the deeper understanding that the users are expected to learn before using them. In response to this, ThoughtWorks’ design lead asked “is this an educational tool or is it a usable tool?” This led further to potential interplay not only between the UX expert and the TFT participants, but also with the co-facilitators, to help identify the aspects of the trainings where the process tends to be “just do these 12 steps….” and identifying how to better automate or hide those processes.

Preparation and follow-up

The workshop underlined the importance of follow-up interactions among each TFT “ground team” (Internews, the UX designer, and the trainer, with developers once identified) to provide further operational security guidance as relevant to the country and community, as well as to enable the UX expert and the trainer to co-design the need finding interviews. We will be conducting these via calls, emails, and an on-site, pre-TFT meeting of the facilitators to iron out schedules and facilitation.

Announcing USABLE!

Fri, 09 Oct 2015 12:09:25 +0000

We’re very excited to announce USABLE: Usable Security Apps By Leveraging End Users! USABLE, a project of Internews, brings a human centered design lens to digital security tools through a three-phase process (detailed out below) with add-on benefits of producing community-led user personas, connecting tool developers with trainers and at-risk users, and encouraging sharing of design patterns and usability challenges along the way.

We’re just getting started and are locking in our first communities, and expect to be running these needs-based trainings throughout early 2016. We will be sharing the user personas and learnings from these trainings over the next few months.

PHASE I: Tool Feedback Trainings

USABLE starts by working with communities around the world with concerns about privacy and digital security because of who they are or what they do. USABLE is working with local partners on a needs assessment, and then will design a digital security training based on those needs.

This will not be a “normal” training (if indeed those even exist), as we will match-make the needs of the community with a digital security tool that addresses the security needs, and work with interested developers to send them to the training. In addition, a usability expert will also attend and co-facilitate, leading some “blue sky” design work, and helping the community craft a user persona to represent their capabilities, constraints, and desires to others.

These trainings will work with each community through design exercises to reveal both pain-points with the tool they have focused on, but also broader insights into challenges which impact multiple digital security tools.

PHASE II: UXForum

The second phrase brings together the facilitators and key participants from each of these Tool Feedback Trainings for a 4-day workshop to cross-share the experiences, identify low-hanging fruit, and put together roadmaps to address achievable usability improvements. This “UXForum” will take place in Summer 2016.

At the UXForum, we will also run some sidebar conversations around formalizing design practices in trainings and working with developers.

PHASE III: UXFund

The third phase will be providing tool developers with funding to implement usability enhancements based on these experiences, adopting a more human-centered design approach through continued engagement with design experts, and through user-testing with the communities (where safe) and trainers.

Onwards!

We are pursuing opportunities to expand this work even further with additional Tool Feedback Trainings, and adapting and evolving our approach as we learn more from this process. Interested in where we go next? Please get in touch a connect@usable.tools