Personas for

Privacy and Security

Produced by the Secure User Practices project of the Open Internet Tools Project

openitp.org/sup

​

What is a user persona?

​

A user persona is a focused, easy-to-relate-to summary of research on a group of people who might use a particular piece of software, hardware, or a service. Personas help us engage in complex systems thinking about people using these tools, and how the tools fit into their lives.

​

A persona is not a description of a single person! Instead, it is an aggregate of a range of interviews and other information from a specific group of users with similar goals and backgrounds. In this way, personas avoid the problems of relying on anecdotes.

​

​

What is a persona for?

​

Personas serve a handful of uses:

• Focus on specific use cases, rather than speaking in more general terms about users
• Identify candidates for user tests, or even a lens through which to view walkthroughs of the software
• Having a common document that everyone from developers to the marketing team can refer to makes it easier to communicate quickly about who is being served
• Justify particular development decisions
• Help teams see and feel through the eyes of the people who may be using the software, empathizing with their situation
• Bring the user experience to developers who cannot observe in the field when distance or physical security is an issue (user or developer’s life or liberty might be threatened if they were in contact)

​

​

How are personas used?

​

Personas come in most useful early in a development cycle (whether you’re calling that “requirements analysis,” “hypothesis statements,” or whatever your flavor of development calls it.)

​

Normally, a range of personas informs the development of one product or feature, specifying different needs users may have. However, it is likely that the specific use cases described here may be better served by a range of apps, websites, hardware, and services — different ones for different cases.

​

These user personas were primarily developed to communicate user needs to developers of open-source tools for the protection of privacy and security. However, we expect the personas will be of use also to developers of mainstream software and services in thinking about sensitive cases.

​

How were these personas made?

​

These personas were developed from a range of sources:

• a persona creation event with LGBT communities and their allies about the security and privacy concerns of their communities;
• an ethnography of Vietnamese bloggers and journalists produced by SecondMuse;
• earlier user profiles developed by SecurityFirst and Amnesty International in developing security apps;
• user tests and interviews performed by the Secure User Practices project at the Open Internet Tools Project;
• and two use cases developed by digital security expert Eleanor Saitta.

​

They were further refined by Gillian “Gus” Andrews of the Open Internet Tools Project, and Robert Stribley of Razorfish. Sketches were provided by artist Rob Vincent.

High technical expertise

Low technical expertise

Needs to be very public

Needs to be very private

Persona Characteristics

Trong

• Vietnamese journalist, 65 years old
• Rural area
• Fed up with government corruption
• Others in the community look to him to verify information

Technology expertise level

• Earliest tech adopter in his area
• Still mostly uses default settings

​

Technology use

• Reading foreign and domestic news sites
• Posting to blogs, Facebook
• When forced to choose between security and communicating, communication wins
• More concerned with secure storage than communication
• Email spam seen as an indicator that mail isn’t safe
• Switched from Yahoo to Google

Access locations

• Home computer shared with family; “privacy” means something different here

​

Threats from technology use

• Being fired for his writing
• Targeted malware/phishing attacks
• Government confiscating devices
• Some providers (Yahoo!) have track record of giving user info to governments like Vietnam’s

Physical threats

• Arrest

​

Needs

• To reach an audience of sympathetic readers
• Accurate information
• To communicate with a trusted community of other tech users, for finding and training on more secure tools

“Help me find trusted tools to share with my community.”

Mamun

• Early 30s Syrian
• Activist
• Journalist
• International traveler
• Has had to leave his country for safety, but is still active in supporting his allies and readers

Technology expertise level

• Presents himself as savvy
• Vigorously seeking new security solutions
• Has experts he looks to for software recommendations
• Also does Google search to research tools
• Does not think about passwords and profile management as part of security

​

Technology use

• Cannot access credit cards or online shopping in Syria
• Uses Tor, VPNs, proxies
• Critical of the speed of these tools
• Email not common, prefer voice calls, chat

Access locations

• Highly limited due to infrastructure destruction and government shutdowns
• Home or cafe - companies here don’t have digital presence or infrastructure

​

Threats from technology use

• Unclear

Physical threats

• Violence
• Death

​

Needs

• To stay in touch with peers and family, even if they have to flee
• Training for him and his peers on the why and how of security tools

“How do I communicate when there is no Internet, no phone?”

Sarah

• Early 30s, American
• Stay-at-home mother of two
• Moved across country from her family and friends
• Abusive husband works in a gun shop and is friends with police
• Fled to a shelter for safety

Technology expertise level

• Newly sensitive to ways technology can be used to locate her
• Not aware of connections between Facebook and browser tracking

​

Technology use

• Facebook to stay in touch with family
• Tells friends not to tag her location
• Shelter staff helps her use Tor Browser Bundle
• Has a borrowed network and a landline phone, no cell

Access locations

• Cannot use cell phone at shelter; revealing location information puts everyone there at risk
• Can use laptop there, with Tor or VPN to hide location

​

Threats from technology use

• Husband’s police friends can track her phone and Internet use, seeing where and when she logs into Facebook

Physical threats

• Abuse
• Death
• Harm to children

​

Needs

• To protect her location at all times
• To stay in touch with her friends and family
• To access resources which will help her maintain independence
• To move closer to her support networks
• For her support networks to maintain the kind of attention to her safety as she does

“Help me reach my support network while hiding my location”

Lilly

• Late 20s, graduate student
• Researching abuses in the prison system
• Works with organizers of demonstrations
• Went into hiding when police interest increased

Technology expertise level

• Has carefully maintained separate profiles for her academic and activist work from the beginning
• Considers her location as well as her identity
• Takes maybe more precautions than necessary, doubling up tools like VPN and Tor
• Practices using security tools for everyday tasks

​

Technology use

• Facebook to announce protests
• Tor for organizing protests

Access locations

• Public computer lab at her university
• Her own laptop and phone

​

Threats from technology use

• Surveillance footage and photo EXIF data could be used to identify her as connected to protests
• Risk to her academic career

Physical threats

• Arrest

​

Needs

• To coordinate with other organizers
• To publish her research
• To keep her identities separate

​

“Help me organize, but keep the rest of my life separate”

Shura

• Mid-20s gay man
• Urban Russia
• Blogger/publisher
• Lives with a bunch of roommates
• Excited by the work he does; sometimes a little too bold for his safety

Technology expertise level

• Social media savvy
• Less smart about operational security

​

Technology use

• Mobile all the way
• Blogs but doesn’t run own server
• Participant in online groups
• Cavalier about posting and privacy settings
• Uses desktop software less often

Access locations

• Anywhere there’s connectivity

​

Threats from technology use

• Lose day job due to being “outed” by thugs researching his activity on social media

Physical threats

• Beating or death
• Jail for activism around LGBT issues

​

Needs

• To remain anonymous BUT wants his pseudonym to be well-known
• Wants to communicate to a lot more people
• Find places to meet in public

“Help me remain unknown, yet still be a visible leader.”

Joseph

• 15 years old
• Poor/middle income family
• Very strict, conservative background
• Suburban Idaho
• Goes to a Christian school
• Isolated by parents: limited exposure to other kinds of people
• Shy, introverted; feels powerless
• Questioning whether gay or trans: I don’t feel like a boy. What am I?

Technology expertise level

• Socially savvy on the Internet but not at all privacy savvy
• Not as savvy with desktop software

​

Technology use

• Uses mobile apps, primarily Facebook, Instagram, Snapchat
• Uses Facebook, Yahoo, AOL on desktop
• Talks to one or two close friends
• Afraid to show any hint of what he’s thinking
• Researching identity: Doesn’t know the term “transgender”
• Looking for community, like minds

Access locations

• At home, parents monitor all their activity with net nanny, shared computer
• Home and school internet are filtered, monitored
• Key sites might be blocked

​

Threats from technology use

• Found out via search results, email, etc

Physical threats

• Kicked out of school or home
• Feels suicidal
• Possibility of physical abuse/drug abuse
• Depression/anxiety

​

Needs

• To know he’s OK!
• To research privately without leaving a trace of queries
• Access to community - to know there are others like him
• Need physical help immediately
• To communicate privately and anonymously
• A mentor

“Help me find support from people I can trust.”

Mary

• Human rights defender from the Democratic Republic of Congo
• Well-known head of a human rights organization
• Travels internationally often
• Based in Goma, which was taken by rebels once last year
• Collects and collates documentation of abuse in rural regions

Technology expertise level

• Office-level computer skills
• Social media user

​

Technology use

• Documentation of sexual violence against civilians and roadside stop incidents.
• Staff store e-copies on the office computer, and paper copies in the office.
• No backups in a while.
• Files often have the names of the accused but not often the names of the victims.
• Physical security measures for the office include a guard, brick wall, and a gate.
• The office filing cabinet is locked but the key is kept in a drawer in the desk.

Access locations

• At work
• Roaming
• Three phones -- smart phone for social media, work cell, and personal

​

Threats from technology use

• Blind threats -- calls to her mobile from sources unknown
• Searches of her device at borders, by organized rebel groups or the army
• Unusual usage (VPNs, etc) may stick out as “suspicious” to the local government

Physical threats

• Kidnapping
• Sexual violence

​

Needs

• Access to the local and international organizations which are her allies and her protection
• To keep colleagues and family appraised of her whereabouts
• A break from the stress of worrying for her safety and meeting with victims of violence

“Help me and my data stay physically safe so I can expose human rights violations.”

Fatima

• Mid 20s Egyptian trans woman
• Recent college grad
• Lives on her own
• Has come out to mother, who is in denial

Technology expertise level

• Mac super-user
• Vaguely aware of institutional surveillance, but not of entrapment

​

Technology use

• Desktop software
• Mobile apps
• Uses Facebook to manage multiple presentations of her gender (work colleagues
• Suspends her account sometimes to keep people from posting to her account

Access locations

• Anywhere the mobile connection works
• Internet cafe

​

Threats from technology use

• Entrapment via engaging with a dating site
• Information getting to the “wrong” Facebook group
• Worries about ads tracking her and her friends

Physical threats

• Beating or death
• Arrest

​

Needs

• Love!
• Sex!
• Social interaction
• But also to keep her dating behavior separate on Facebook from other circles
• Keep her Mom happy
• And communicate in a safe, private environment

“Help me communicate privately and safely with kindred spirits.”