Strength in Numbers: Usable Tools Don’t Need To Be Invasive

This post is one in a series of blogs to complement our 2018 crowdfunding campaign, Strength in Numbers. Anonymity loves company and we are all safer and stronger when we work together. Please contribute today, and your gift will be matched by Mozilla.
Usability is about making sure anyone, no matter their technical background, can use a tool. Usability and user experience (UX) work has gained a lot of importance in the last decade as the tech industry has grown. To improve user experience, most of the tech industry relies on analyzing their users’ behavioral data to drive decision making. Mechanisms for collecting this data are often invasive and performed without consent from users, who may never be told their behavior is being analyzed for this purpose. The same means used to collect behavioral data is also responsible for aiding the surveillance economy.
Tor does things differently. We refuse to collect this type of invasive data. Our approach to usability is built on respecting and safeguarding the privacy of our users. We test our hypotheses and make observations in the safest way possible; in most cases, we do this work in-person with our users, not by collecting data about their behavior.
This year, we have focused on connecting with communities in what is sometimes referred to as the Global South. We have met with Tor users in India, Uganda, Colombia, and Kenya. This immersion has allowed us to carry out usability tests in person, so we can see first-hand if what we are building is serving people in different contexts with different levels of technical understanding. Knowing the reality of our users helps us understand their context, empathize with them, and consider solutions to meet their needs.
Running small-scale, short, open-ended, qualitative user tests on specific improvements we could make to Tor Browser allows us to get to know our users better and can bring their various mental models and levels of technical knowledge to light. In the evaluations we carried out, 93% of the people we met said they thought they needed some protection online, but there was a shortage of knowledge about what to do about it.
We met people like Jon, an environmental activist and journalist in Hoima, Uganda, who uses Tor to anonymously publish his blog.
Hoima is an oil city located 200 kilometers from Kampala, the capital of Uganda, where some 30,000 people live. Alison Macrina, leader of the Community team, and I, as part of the Usability team, visited Hoima in April this year to run a digital security workshop and conduct user tests with a group of environmental activists. Five minutes after the workshop started, the light was cut off. When we talk about access, we need to consider whether or not there is available technical infrastructure ready to allow users to access the open web. We found that in addition to infrastructure challenges, several threats--including the hijacking of electronic devices by local police, or the current political party in power, forcing journalists to declassify their sources--were common in most of those communities.
Conducting these usability tests allows us to reach people who use our software in extreme conditions, with poor infrastructure, expensive data packages, or old hardware and learn how we can better build tools for their needs. It would be selfish not to ask ourselves about these contexts and put those user stories in our software development roadmap. Creating technology that respects our users is a design decision, and one that we have always chosen.
We believe that if we can make our product usable for people without technical knowledge, all users will benefit, and that is what we’re striving for. Your donation can help us reach this goal by allowing us to visit more people around the world who use Tor and collect their feedback face to face, rather than by using invasive means like the rest of the industry.
In 2019, we need to reinforce our efforts to make secure and private browsing usable and to empower our community in solidarity. Our impact is not defined by numbers, but by bringing a user experience that helps real people to access the internet safely. You can help us reach this goal by making a donation. If you give before the end of 2018, Mozilla will match your donation, and you’ll have twice the impact.
Thanks for the post, and…
Thanks for the post, and thanks to TP for doing things differently!
I would love to see TP reaching out more to other NGOs on this issue. One NGO with which TP already works closely is Debian Project. For many years some Debian users begged Debian for, essentially, onion mirrors, but until TP got involved Debian ignored us. So thanks again to GK and others for creating and maintaining the onion mirrors. And please try to make using the onions the default for all Debian users, as Tails already does.
I want to point out an opportunity for TP to repeat its success by persuading Debian to do things right in how Debian collects information about Debian user activity. Debian has pretty much always featured a package called "popularity contest" (popcon) by which the system collects information on how often each user calls a command or utility (which is part of some Debian package) and somehow contacts debian.org to report on the user's activities. In principle installing popcon is option, but I notice that even if you ask for it not to be installed, the installer script cheerfully announces that popcon has been installed. (Which makes Debian sound just a bit like Facebook, ugh.)
The idea (when popcon was introduced 15 or 20 years ago) was that Debian can use the data to decide which packages to drop in future editions of Debian. The problem of course is that popcon has apparently never been secure against a global adversary (the usage data has apparently never been encrypted or protected in any way). Naturally people who worry about their privacy and about global adversaries do not knowingly choose to participate in popcon, with the result that privacy-minded packages used by privacy minded people are unfairly penalized.
So I hope TP will consider pressuring Debian to rewrite popcon so it uses onions. Probably popcon should depend upon OnionShare and it should send usage data in strongly encrypted form to an onion run by Debian, possibly with some dummy traffic or other tricks to make things harder for global adversaries. Because Debian certainly should not be trying to make things *easy* for them.