> 2) How do you express what's happening to the user in such a way that they will actually take action on it and not just click-through dismiss it?
We approach by providing information on order-of-magnitude risk. If someone is MITM while you are in an airport looking at the Washington Post you probably do not care. When you log in to work or some other system, then the risk you are looking at, combined with your individual risk posture and momentary context determines if this is acceptable.

This echoes Elinor's call for understanding the risk domain when working with activists. Since we cannot predict which tools will be used in which domain, one way to approach that is to try to communicate the risks which will and will not be mitigated by tool use.

The risks that will be *created* by tool use are also important. Loss of deniability was discussed here; others are more mundane: block all scripts, cannot watch videos; block Flash, badly implemented sites are not functional; block all MITM, good luck establishing a network connection at many airports or hotels; use Tor, must learn patience.

Speeding in the rain is inherently obviously risky. Accepting all scripts is risky, but not obviously. Having just read about Hong Kong demonstrators being targeted by malware *which required they voluntarily download said malware*, to me this indicates a very serious structural communications problem. No one should be downloading high-risk software without knowing they are taking a risk.

So how wrong is the key? This is a probability of an event, a risk distribution where the person has to bring awareness of the possible harm. And if we tell people incorrectly or tell them too often or fail to distinguish order of magnitude, they will reasonably ignore us.

Alas, it is not as if that probability distribution is easy to calculate either: is it the hotel demanding payment or the NSA voraciously feeding its demand for pointless surveillance? I guess which is more risky depends on if you are broke or worried.
-- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at [email protected].
