Online security and privacy awareness of activists

Abstract

Bosnia-Herzegovina and its entity, Republika Srpska are among the most fragile democratic post-war environments in Europe. During the initial phase of our long-term participatory design case study, we engaged with the main activists in the region, which led to the structured view of their information and communication technology practices, benefits, needs, and the various constraints under which they act. This analysis highlighted the interest in the ICT, as well as the intense use and dependency of social media for the activists in the region, resulting in more efficient access to their target group, easier information sharing with general society and international community, and faster reaction to the “offline” activities. Simultaneously, it shed light on the limited budgets and project sustainability, low knowledge level around ICT use and maintenance of the activists, high dependency of the external stakeholders and outsourcing, and a major lack of awareness regarding privacy and security. We concluded that the socio-political activists in RS, but also in the other regions such as Middle East and North Africa, or Southeast Asia are very exposed, often unaware, or ignorant of the risks and lack the remediation measures, esp. related to the secure, private, and anonymous network and social media use. The work on the development of privacy and security tools has not always recognized the nature of the political processes in emerging democracies and authoritarian regimes, frequent naivety about threat, nor the “occasioned” responses of activists because activism can be a “one time” endeavor, prompted by specific events. Using the combination of qualitative content analysis, field/empirical studies and abduction based on grounded theory, a four-layer, “pyramidal” threat model was derived. This model describes defamation, legal action, material loss and physical harm, and sensitizes activists to the range of threats they might be subject to in the context of security and privacy. Due to the rising number of threats and impact of the recent incidents in this domain, we created a technical design Cyberactivist to raise security and privacy awareness within activist circles and non profit organizations. We applied iterative, participatory design to create the prototype and offered the free web application to RS/BH activists for testing. Their feedback helped us to focus and develop the next version of the tool, which supports activists by raising awareness, challenging ignorance, lowering exposure, and enabling remediation within the privacy and security domain. Authors then again engaged with RS, but also international activists and HCI activism researchers to assess the global applicability of Cyberactivist. Based on this qualitative feedback we defined the functional and non-functional requirements for the tool improvement, and through several iterations, further addressed “usable security” and “privacy by design” to ensure its better applicability. We also elaborated why the design of the corresponding target-group trainings based on our lessons learned would complement the Cyberactivist, and further raise awareness and enable risk remediation.