The most fundamental task in information security is to establish what we mean by saying that information is secure: what is it that we are trying to achieve?
One subfield of information security that takes great care in tending to its definitions is cryptography. Indeed, finding the correct security definition for a cryptographic primitive or protocol is a critical part of cryptographic work. However, these security notions -- and everything that depends on them -- do not exist in a vacuum. While the immediate objects of cryptography are not social relations, it presumes and models them. This fact is readily acknowledged in the introductions of cryptographic works where authors illustrate the utility of their proposed constructions by reference to some social situation where several parties have conflicting ends but a need or desire to interact. Yet, this part of the definitional work has not received the same rigour from the cryptographic community as complexity-theoretic and mathematical questions.
The broader social sciences offer a wealth of approaches to answering questions about social situations, relations, (collective) needs, imaginations and desires. However, they are often relegated to a service role in information security, e.g. to perform usability testing of existing security technologies after those have been designed. In contrast, in this project we ask social science to establish core notions for technology. To establish what security means within social settings -- to identify and understand security concerns -- one approach stands out in promising deep and detailed insights: ethnography.
Ethnography is uniquely placed to "unearth what the group (under study) takes for granted". A key challenge in engaging those who depend on security technology is that they are not trained information security professionals. They do not know and, indeed, should not need to know, for example, that confidentiality requires integrity, that existing onboarding practices can be phrased in the language of information security, which different security notions cannot be achieved simultaneously, or what guarantees cryptography, say, can give if asked. It is therefore of critical import to know exactly what is taken for granted or, put otherwise, expected or desired in social interactions, in social and technical protocols and, indeed, in cryptography.
Some social science methods more commonly relied upon in information security, while much more practical and less time-consuming than ethnography, are therefore less suitable research approaches in this context. For example, questionnaires and surveys, both the qualitative and quantitative kind, are limited means of inquiry here. While interviews provide some opportunity for deeper engagement, ethnography allows us to learn that which people do not know themselves. Through close observations and analysis of everyday activities and relations, ethnography reveals "the knowledge and meaning structures that provide the blueprint for social action" within the group under study. The exploratory nature of ethnographic inquiry, rooted in fieldwork with the group it aims to understand, is thus a key enabler in unlocking an understanding of individual and collective security needs and practices. The inherently reflexive and embedded nature of ethnography enables such insights.
In this project we apply this approach to the specific example settings of large-scale protests. These offer rich and diverse settings where security needs are paramount, while also being sufficiently different from standard cryptographic use cases (e.g. in e-commerce) to promise novel insights. Based on our ethnographic findings, we will study whether existing technologies satisfy the security needs identified and will design novel cryptographic notions and solutions to satisfy these identified needs.