This checklist provides suggestions to promote digital security and privacy for people who are designing and developing tools for targeted communities.
Before you start building the tool, platform, or technology, you want to know the people who will be using them. You need to collect and analyze information from your stakeholders and research participants.
- User research involves many methods — interviews, ethnographic field research, focus groups, surveys, etc.[1]. — nearly all of them mean you need to gather information from others. It will be your job to protect them and their information.
☐ I have assessed the risks of how I am storing information from my research subjects in digital mediums (e.g. storing notes in cloud-based software, or on a hard drive). I store these notes in the following spaces ___________________________
☐ The medium I store notes in is relatively secure — it is end-to-end encrypted, and difficult
for third parties to access (such as law enforcement requests).
☐ My research does not create a digital paper trail. (For instance, I consider how metadata,
like the times we have contacted each other, can expose at-risk users.)
☐ If I have identifiable information about my participants, I have thought about where I
will store this information. I have created a plan for keeping this information safe.
☐ I have a list of topics I should not ask my intended audience about.
☐ I know the kinds of topics I should keep off-record.
| Tips |
|---|
| Comms and Info Gathering: |
| [a] Always use end-to-end encrypted channels when you can, and train your contact to securely contact you. |
| [b] Secure the data you keep and pay attention to protecting the identities of people in your research. |
| [c] If metadata is a concern for your audience (e.g. having evidence of you and the contact chatting or calling), do you have an alternate method of communicating? |
☐ I have a trusted network to vet my research subjects.
☐ If I keep documentation of my research process, I have considered the risks of keeping that information. (The same concerns in Communications and Information Gathering apply.)
| Tips |
|---|
| Due Diligence: |
| [a] Partner with human rights organizations or have them as part of your research network. |
☐ The language I use to describe my project is written simply, and is free of jargon.
☐ I work closely with someone — within the group that I am researching — to be mindful about their culture.
☐ I always ask for consent. I remind people of safety and security concerns.
☐ I use participatory research methods.
| Tips |
|---|
| Diversity and Inclusion: |
| [a] Always respect and consider diversity and inclusion in your process — tone, words, contact methods, etc. |
| [b] Always be empathetic and considerate. |
With the initial research results, you now have a direction to build the prototype of your tool, tech, or platform. During this process, in particular to test your demo, you may have several checkpoints to refer back to or continue your initial research.
2.Building a product / service that balances security and usability necessarily brings up questions of practicality.
☐ My design is applicable across a wide spectrum of connectivity environments. (e.g. Networks at refugee camps, places with frequent internet shutdowns.)
☐ My font settings are suitable for the language(s) of my user groups.
☐ My design considers the local digital literacy level. (I have thought about what tasks my audience are able to do, e.g. if they can download tools on their own or if they need help.)
☐ My design incorporates universal features. (e.g. The connotations of icons, interpretations of signs and colors across cultures, etc.)
☐ My design is culturally sensitive. (e.g. It considers cultural taboos of the user group.)
| Tips |
|---|
| Contextual Concerns: |
| [a] Local connectivity and internet environment varies dramatically from place to place, country to country. If you can not test it in the field, ensure you have trusted representatives in your network to gather local test results. |
☐ I have reviewed the types of technology\ies local people are using.
☐ I have a device — similar to that of the intended users — that I can test with.
☐ I understand the security limitations of the tested devices.
☐ My tool / tech / platform is easy for people to acquire / setup.
☐ I have considered the repercussions of whether my tool / tech / platform costs data, collects personal information, or requires other things on the user’s end.
☐ My tool / tech / platform does not use a lot of storage space.
☐ My interface is accessible to people with disabilities. (e.g. following WCAG guidelines.)
☐ I have considered whether my system collects sensitive data.
☐ My system’s design uses end-to-end encryption and takes other measures to prevent third-party access (e.g. access to my server).
☐ I have considered whether my tool / tech / platform should allow cloud settings.
☐ I have considered the physical security needs of using my tool / tech / platform.
☐ I have thought about whether internal documentation should store sensitive data.
☐ My internal documentation takes measures to prevent third-party access, such as using full-disk encryption and end-to-end encryption (e.g. I have thought about people trying to access our servers remotely and in person).
Once you have a final product, prepare a thorough release strategy and document the process. It is very important to create a culture of feedback — always be open to feedback, and think of constructive ways to gather feedback.
3.Your research continues in this phase as you are coming back to the conversation you had with your testers. practicality.
☐ I have identified specific platforms or channels for my tool to reach out through.
☐ I am working with someone who has relationships and trust in the communities I am reaching out to.
☐ For gathering feedback, I am providing people with safe channels to contact me (e.g. end-to-end encrypted emails).
☐ I have created a user manual or guide.
☐ It is easy for people to see the updates for my tool / technology / platform. (Consider if you have a public webpage or portal and if you regularly update them and track the updates.)
☐ I revisited my research methods and analysis.
☐ My work met my original research objectives.
☐ If I have learned anything new in the test, I have written it down in my documentation.
☐ I have a contingency plan for unexpected situations (e.g. Connectivity issues, a trusted alternative network, Code of Conduct, a mechanism for reporting problems, etc.).
| Tips |
|---|
| Comms and Info Gathering: |
| [a] It is always a good practice to allow people to reach you securely and anonymously. Consult newsroom whistleblowing platforms for tips and recommendations. |
| Evaluation and revisions: |
| [a] It is particularly important to set a Code of Conduct and problem tracking mechanism for your tool / tech / platform if you aim to nurture a community through your rights-protecting product or service. |
For further information, inquiries, user research resource, or partnership opportunities, please contact:
Anqi Li, anqi@accessnow.org
An Xiao Mina, an@meedan.comc.
[1] For more about user research methods, visit Nielsen Norman Group’s summary at https://www.nngroup.com/articles/which-ux-research-methods