Reaching People Where They Are

Part of the Tor Project's mission is to further the popular understanding of privacy technologies, and we believe we can achieve it by combining educational efforts with usability efforts. Popular understanding is to not only be aware of such privacy technologies but to also be able to use and control them.

With that in mind, we decided to integrate user experience research into our digital security training with a single program called 'User Feedback Program’.

When we first launched this program two years ago, we aimed at a diverse and engaged audience of human rights defenders in the Global South. We are happy to share that, in a moderate estimate, these activities reached an audience of 800 people through 71 activities in 22 cities and seven countries: Brazil, Colombia, Mexico, India, Indonesia, Kenya, Uganda.

This was our first major effort to establish a training cycle aimed to strengthen and expand the understanding of privacy technologies and the Tor community in the Global South. Members of the UX and Community teams conducted these trainings in partnership with local non-profits, who helped us reach the communities from their countries who needed this type of education the most.

The results of interviews and usability tests were processed and analyzed by our UX team, and their work with users has led to different projects: a collection of personas to help guide our decisions when working on our tools, interface improvements, bugs fixed, and new features already deployed by the Tor Project developers. We are proud to say that today, the Tor Project has a software development cycle that puts the user at the center while respecting privacy.

That is a huge gain, but is not all we set out to do. We learned a lot running these trainings, and we don’t want to keep it to ourselves. We also want to share some insights into our experiences running trainings in the Global South to empower others to do the same. We know we can’t scale if we need to travel to these locations every time a group needs digital security training.

We must share our skills with our partners and help build local capacity that can help these communities on a continuous basis. We are still building this up, and we know we have a long way to go, but we want to start sharing our experiences here with our broader community. We plan on making the slides, training materials, and other resources to run similar trainings available to everyone once we launch our new Community portal, under a special section just for Trainers.

Inside Tor trainings

To conduct a training, the Tor Project team consisted of a digital safety trainer and a UX researcher. On average, the trainings took place over 10 days in different cities in a country, where this team traveled and carried out the activities pre-scheduled and promoted by partner NGOs.

At least one threat model exercise was carried out in all cities. Participants identified potential adversaries, attacks, what they want to protect, and how they could do it. This exercise, when played collectively, enables each participant to share and expand their own threat model. Threat model exercises are critical to think about security and were inspired by EFF’s Your Security Plan.

The agenda for the day, as well as the content of the training, are customized according to the audience, the number of people, as well as the location. Although we limited the number of training participants to a group of 5 - 25 people, each training had a diverse participation, from human rights defenders, journalists, LGBTQIA+ minorities, political activists, feminists, members of social movements, and non-governmental organizations in the country. In many places, these communities are at risk or under pressure from adversaries on a daily basis. We wanted to strengthen the important work and activism of these organizations by offering the technology we have developed, inviting them to join our community, and trusting in our solidarity.

In some cities, our training was the first time that participants had were introduced to digital security. In regions close to the countryside, there were participants who traveled all night to get to the office of the organization hosting the training. Some of them were peasants who defended the right to produce on their land and wanted to understand the risks of using their mobile phones and how they could communicate in a secure way with other community members.

We also did dedicated trainings for members of specific organizations, and in those cases, we believe it helped strengthen the digital security culture within these organizations. Improving their skills and knowledge on how to protect themselves and bypass censorship whenever necessary.

In trainings customized for journalists, we introduced ways of securely sharing sensitive information using OnionShare, developed by our collaborator Micah Lee, as well as basic operational security tips.

In places where internet censorship was a reality and the use of VPNs was already part of the user experience, we added as a must-have point of explanation on how to use the bridges in Tor Browser to bypass censorship against Tor. A question that arose naturally in almost all training sessions was the difference between Tor and VPNs. We explained that VPNs can be a security bottleneck and must be trusted like a new Internet Service Provider (ISP) who can potentially see all of your traffic. If a VPN says they do not monitor and log your traffic, you have to trust them. That is not the case with Tor. Tor gives privacy by design. We also recommended participants not use a VPN with Tor, unless you really know what you're doing.

During the activities, participants asked about the use of other software: Are they safe? Why? We believe that Free/Open Software/Source is an ecosystem in which each project must support and collaborate with each other. And when we talk about digital security, Tor alone is not enough for your security, so we encourage the adoption of tools developed by our colleagues such as Guardian Project and Tails.

As we like to say, anonymity loves company. Meeting with human rights defenders and activists around the world was our best company.