18 Dec 2015 by Ame Elliott

Straight Talk: New Yorkers on Privacy

We spent last week in New York doing field work on mobile messaging. Thank you to the Design Insights Group at Blue Ridge Labs for connecting us to such great participants. Many thanks also to the research participants themselves, who gave us permission to share their stories and images.

NYC background images
Apartment building in Brownsville (left); jewelry store + phone center in Harlem (right).

Real New Yorkers with Real Stories

We talked with twelve New Yorkers from across the city, meeting with people in libraries, offices, restaurants, and homes. We spent an hour listening to each participant talk about how they currently message, their privacy concerns and security practices, and their opinions on secure messaging. These conversations provided insights into how to design secure communication tools for a mass audience.

NYC interview images
Learning how real New Yorkers use mobile phones by interviewing them.

Most participants were Android users, with one iPhone user and one person declining to say. All of them used multiple messaging apps on the same phone, with the native messaging app, WhatsApp, Kik, and Facebook Messenger the most commonly used, along with direct messages in Twitter or Instagram. Many people have developed a hierarchy based on how well they know someone to determine how they message them: letting someone know your Instagram handle is less intimate than giving them your phone number.

Emoji for Fun and Security

Going out into the field is always surprising. One unexpected insight during this research was participants’ use of emoji as a privacy-preserving strategy. Emoji were an important part of messaging for many people, with apps like Bitmoji and Expresser used to add graphics across multiple platforms. One teenaged participant even used emoji in place of names in her contact list; the people with emoji were the most intimate or frequently messaged.

NYC phone images
Left to right: Bitmoji, Expresser, and a participant’s contacts list.

Using emoji to hide the names of contacts can be an effective strategy if, like these participants, your main privacy concerns are related to other people getting physical access to your device. Shoulder surfing, people rifling through your phone, and screenshotting were some of participants’ top worries. Concealing the name through emoji makes it more difficult to identify the contact at a glance.

Stay tuned for more research findings and design directions from this work.

Related

Encryption is not for terrorists

Blog post by Sara “Scout” Sinclair Brody on 20 Nov 2015

Recent attacks by Daesh in Turkey, Egypt, Lebanon, and Paris have fanned the flames of an ongoing debate about software that is resistant to surveillance. It seems that some participants in that debate are trying to use these attacks as an excuse to drum up fear around end-to-end encryption. They argue that these events tell us that the general citizenry shouldn’t have access to strong privacy-preserving tools. A lot of people are saying a lot of smart things on the subject, but I want to briefly outline a couple ways in which this call for limiting encryption is problematic.

Video Roundup

Blog post by Sara “Scout” Sinclair Brody on 05 Feb 2016

It’s always great to attend security and privacy conferences in person. But in cases where you have to miss an event, online videos of the talks can be a great way to stay current with the ongoing conversation. Art, Design, and The Future of Privacy As I promised back in September, the videos of the event we co-hosted with DIS Magazine at Pioneer Works are available online. The DIS blog had a great writeup with summaries of the different panels, and you can find transcripts over at Open Transcripts.

Data Handling Best Practices

Blog post by Eileen Wagner on 04 Jun 2019

Doing data handling with privacy and security in mind means spending some time to identify different threats, culminating in a threat model, and coming up with strategies that fit the particular threat model. We’ve compiled some best practices for both risk assessment and security strategies.