Last update: Jan 10 2019
Drawing upon work experience with at-risk communities, this checklist is for tool developers who want their designs to protect digital security and privacy for communities they are helping. It provides a lightweight guide for people with limited resources in user research and design. By answering the questions in steps, you will be able to shape a development plan with necessary user research, feature design, and testing agenda.
**How to use this document:** Read through each statement. Check the box if you have incorporated the practice into your design and development process. Consider the action items that you haven’t addressed.
Before you start building the tool, platform, or technology, you want to know the people who will be using them. Consider collecting and analyzing information from your stakeholders and research participants.
User research involves many methods — interviews, ethnographic field research, focus groups, surveys, etc.[1] — that means you would retain information from others. It will be your job to protect them and their information. It will be your job to protect them and their information. Answer the following to gauge how you are doing.
☐ I have assessed the risks of how I am storing information from my research subjects in digital mediums (e.g. storing notes in cloud-based software, or on a hard drive). I store these notes in the following spaces _________________ because _________________
☐ The medium where I store my notes is relatively secure — it is end-to-end encrypted, and difficult for third parties to access (such as law enforcement requests).
☐ My research does not create a digital paper trail. (For instance, I consider how metadata, like the times we have contacted each other, can expose at-risk users.)
☐ If I have identifiable information about my participants, I have thought about where I will store this information. I have created a plan for keeping this information safe.
☐ I have a list of topics I should not ask my intended audience about.
☐ I know the kinds of topics I should keep off-record.
| Tips |
|---|
| Comms and Info Gathering: |
| [a] Partner with human rights organizations or have them as part of your research network. |
| [b] Always use end-to-end encrypted channels when you can, and find for your contact the best way to safely contact you. |
| [c] Secure the data you keep and pay attention to protecting the identities of people in your research. |
| [d] If metadata is a concern for your audience (e.g. having evidence of you and the contact chatting or calling), do you have an alternate method of communicating? |
☐ I have a vetting plan and a trusted network to reach out for the vetting.
☐ If I keep documentation of my research process, I have considered the risks of keeping that information. (The same concerns in Communications and Information Gathering apply.)
| Tips |
|---|
| Due Diligence: |
| [a] Vetting subjects include the group you are helping, their biggest problem you want to solve, and the context. Find your measures of success, dealbreakers, and gather as much feedback as possible to ensure the objectivity. |
☐ I use simple and jargon-free language to describe my project reviewed by my peers.
☐ I work closely with someone — within the group that I am researching — to be mindful about their culture.
☐ I always ask for consent. I remind people of safety and security concerns.
☐ I keep a friendly, tolerant, and constructive space for feedback and opinions.
| Tips |
|---|
| Diversity and Inclusion: |
| [a] Always respect and consider diversity and inclusion in your process — tone, words, contact methods, etc. |
| [b] Always be empathetic and considerate. |
With the initial research results, you now have a direction to build the prototype of your tool, tech, or platform. During this process, in particular to test your demo, you may have several checkpoints to refer back to or continue your initial research.
Building a product / service that balances security and usability necessarily brings up questions of practicality. Answer the following to gauge how you are doing.
☐ Features of my tools are usable across a wide spectrum of connectivity environments. (e.g. Networks at refugee camps, places with frequent internet shutdowns.)
☐ My font settings are suitable for the language(s) of my user groups.
☐ My design considers the local digital literacy level. (I have thought about what tasks my audience are able to do, e.g. if they can download tools on their own or if they need help.)
☐ My design incorporates universal styles. (e.g. The connotations of icons, interpretations of signs and colors across cultures, etc.)
☐ My design is culturally sensitive. (e.g. It considers cultural taboos of the user group.)
| Tips |
|---|
| Contextual Concerns: |
| [a] Local connectivity and internet environment varies dramatically from place to place, country to country. If you can not test it in the field, ensure you have trusted representatives in your network to gather local test results. |
☐ I have reviewed the types of technologies local people are using.
☐ I have a device — similar to that of the intended users — that I can test with.
☐ I understand the security limitations of the tested devices.
☐ My tool / tech / platform is easy for people to acquire / setup.
☐ I have considered the repercussions of whether my tool / tech / platform costs data, collects personal information, or requires other things on the user’s end.
☐ My tool / tech / platform does not use a lot of storage space.
☐ My interface is accessible to people with disabilities, following commonly accepted content accessibility guidelines.
☐ I have considered whether my system collects sensitive data.
☐ My system’s design uses end-to-end encryption and takes other measures to prevent third-party access (e.g. access to my server).
☐ I have considered whether my tool / tech / platform should allow cloud settings.
☐ I have considered the physical security needs of using my tool / tech / platform.
☐ I have thought about whether internal documentation should store sensitive data.
☐ My internal documentation takes measures to prevent third-party access, such as using full-disk encryption and end-to-end encryption (e.g. I have thought about people trying to access our servers remotely and in person).
| Tips |
|---|
| Practicality Concerns: |
| [a] While it is unrealistic to accommodate the whole spectrum of stakeholders, we recommend strategically prioritizing the needs of stakeholders based on capacity and limitations. |
| [b] Consider the stakeholders’ physical security needs — how much you know about the risks for local activism, including government surveillance, censorship, the power of law enforcement, etc. |
Once you have a final product, prepare a thorough release strategy and document the process. It is very important to nurture a culture of feedback. Invest in experts who can help you create a feedback gathering plan and agenda.
Your research continues in this phase as you are coming back to the conversation you had with your testers. Answer the following to gauge how you are doing.
☐ I have a clear messaging for my user of why and how this tool can help them, as well as how to get it.
☐ I am working with someone who has relationships and trust in the communities I am reaching out to.
☐ For gathering feedback, I am providing people with safe channels to contact me (e.g. end-to-end encrypted emails).
☐ I have created and tested a user manual or guide. I keep updating it based on the testing feedback.
☐ It is easy for people to see the updates for my tool / technology / platform. (Consider if you have a public webpage or portal and if you regularly update them and track the updates.)
☐ I revisited my research methods and analysis.
☐ My work met my original research objectives.
☐ If I have learned anything new in the test, I have written it down in my documentation.
☐ I have a contingency plan for unexpected situations (e.g. Connectivity issues, a trusted alternative network, Code of Conduct, a mechanism for reporting problems, etc.).
| Tips |
|---|
| Comms and Info Gathering: |
| [a] It is always a good practice to allow people to reach you securely and anonymously. Consult newsroom whistleblowing platforms for tips and recommendations. |
| Evaluation and revisions: |
| [a] It is particularly important to set a Code of Conduct and problem tracking mechanism for your tool / tech / platform if you aim to nurture a community through your rights-protecting product or service. |
For further information, inquiries, user research resource, or partnership opportunities, please contact:
Natalie Cadranel, natalie@open-archive.org
Anqi Li, anqi@accessnow.org
An Xiao Mina, an@meedan.com
Caroline Sinders, csinders@gmail.com
Current and Past Contributors also include: Martin Shelton, Matt Mitchell, Soraya Okuda, TTCat, Max Anderson.
[1] For more about user research methods, visit Nielsen Norman Group’s summary at https://www.nngroup.com/articles/which-ux-research-methods