Took part in Everyday Security workshop at UCL!

Last year I wrote a couple of thousand words about the different ways in which existing work looks at how risk influences perceptions of secure messaging. This literature is quite diverse and challenging to synthesise, spanning HCI, technical security, cryptography, critical security, Science and Technology Studies (STS), and surveillance studies. I presented these words at a 2023 STS conference organised by STS Italia in Bologna. A couple of critiques from the audience stood out:

  1. What about this existing data speaks to the self-perception of people in so-called risky social and political contexts?
  2. How are self-perceptions represented, and can they even be represented through boiler-plate qual and quant methodologies?
  3. Could these be scientific projections of what we assume about other people’s levels of risk?

For some clarity, S&P literature from top-tier venues tends to designate certain populations of people as ‘at-risk’ or ‘high-risk’. ‘Low-risk’ (though not a term ever used directly in the literature) can refer to people who are not going to be directly harmed by their information security practices, what people tend to think of as the ‘everyday person’. High-risk or at-risk people are thought to be the opposite; typical examples include journalists, activists (my area and hence the motivation for the review), politicians, etc. My work initially reviewed the results of studies that looked at high- and low-risk groups. I have now rewritten the paper to look at some of the assumptions baked into this (often implicit) binary, some of the relational aspects of risk, and some thoughts on everyday security.

This is the most recent abstract of the article:

Information security research sometimes designates certain groups of people as high-risk/at-risk based on their perceived vulnerability to harm from digital practices. High-risk individuals, including activists and journalists, are thought to face immediate dangers such as targeted surveillance or physical harm. In contrast, low-risk individuals are implicitly assumed to engage in routine digital activities without significant threats to their security. This article critiques this classification within information security scholarship by exploring the conceptual and empirical instabilities inherent in this framework. Drawing on ideas from the interpretative social sciences, the article offers a critique in three ways: 1) by bringing attention to relational aspects of risk; 2) by examining the normative underpinnings of this classification; 3) by discussing ideas of the everyday. I consider which aspects of risk these labels render invisible and explore alternative ways of thinking about information security.

While this article started out as a literature review, the current form is more of a critical review. I presented this paper as a work in progress at Looking for Everyday Security: A Cross-Disciplinary Workshop, which was mostly attended by anthropologists, and the feedback was incredible. Some of the ideas I explore in this paper are as follows:

Relational Risk: When we say that some group constitutes a high-risk population, we imply a degree of naturalisation and boundedness. We frame this group as if it were a discrete entity with some inherent characteristic inextricably linked to threat. Rather than being a universal experience, though, ideas of risk are created and maintained by a particular time and place. We can find numerous examples of how risk is linked to context, social relations, and subjective opinions. In other words, even though population-level generalisations are useful for designers, being critical of them is important to be sure that we are not over-generalising.

What do labels do? Labelling across diverse cases is an attempt to manage an unwieldy social landscape. Since the results of studies with different ‘user groups’ tend to depend massively on the specific group being studied, this can create a sense of disarray for researchers trying to paint a single narrative, such as in SoKs. Trying to bring these perspectives together is trying to create one answer to a plural question, which is desirable but often shown through participatory research to flatten the particularity of people’s security needs.

Everyday Security: For many people, the things they do to create a sense of security in their everyday lives are just that, everyday. Therefore, people’s conceptions of risk may not follow a template of what researchers expect to hear about. Instead of hearing about threats, harms and mitigations, researchers may hear about participants’ daily frustrations, everyday fears, and conflicts with others. By taking these everyday frustrations as a serious source of data, we can deepen our understanding of how and why people make certain decisions about their technology. This is only really possible by studying in context, rather than through a ‘risked’ classification.

Getting this article out has been put on some serious hold due to my past year of fieldwork. Hopefully one day I can link it here!