This is a 60-minute interview intended to give you a basic understanding of how the first contact with whistleblowers relates to technology. It may also open the door to further dialogue with the participants. The results can then be used to carry out further, more focused research.
Essential parts of the interview are:
Introduction (to explain to the participant who you are, why you are talking to them)
Get consent (to establish trust with the participant)
About the participant (to learn about the participant, and their organisation)
About the tools, and usage of the tools (to learn about their understanding)
Security concepts (to find out what people know; for instance, if someone uses encrypted email through Protonmail, we cannot assume they know what a public key is) and to get a glimpse of the mental model people have for a given concept. This brings us closer to the mental model journalists have of security tools.
You will need:
A way to take notes (paper or laptop)
An audio recorder (optional)
Hello there, my name is [interviewer]. I am a volunteer helping non-profits improve how they use technology to assist whistleblowers; this is the focus of the Enough project. Thank you for agreeing to speak with me. I'd like to talk to you about the tools you use when you communicate with your sources.
Get consent for recording the audio of the session
I would like to ask you for your permission to record our discussion today. Recording allows me to focus my attention on you. I will use this recording to make notes of our discussion today. Once I've made the notes, I will delete the recording.
May I record our discussion?
Get consent for questions and sharing notes
You can answer my questions to the extent that you feel comfortable. You're free to choose not to answer a question, or to stop the interview at any moment. OK?
We want to keep the information from interviews available to the Enough UX team members. From all our interviews we can remove personally identifiable information, such as names, organisations and countries. We will send you the notes for review and wait for your approval before sharing them. It is perfectly fine for you to decide at that point that you don't want them shared with anyone after all.
Do you have any questions before we begin?
About the participant
Can you tell me your occupation?
Alternative: what do you spend most of your time doing?
Could you describe what your organization does, in generic terms?
When you have a technical problem, how do you get help?
How often do you need help?
How long does it take to fix a problem?
What is most difficult when facing a technical problem?
Does your organization provide you with equipment?
Do you feel documents and communications are adequately protected?
What is the most important aspect of this protection?
What is the most important weakness of this protection?
Could you describe the security policy of the organization?
Did you participate in defining this policy?
Do you fully understand all aspects of the security policy?
Do you sometimes find yourself unable to comply with the security policy?
When working with people within the organization
When communicating with people outside of the organization
What prevented you from complying?
What do you do when a service or software misbehaves and you don't know why?
Have you looked at the threat model of your organization?
Do you participate in the making of the threat model of your organization?
Could you explain, step by step, how your first contact with whistleblowers happens?
Is this your only activity in the organization?
How long have you been working for this organization?
How long will you be involved?
When you are not the first contact, how do you get information?
How did you select the organization?
Did you know what you would be working on?
What kind of training did you get regarding the contact with whistleblowers?
When you're not working directly with a whistleblower what are your other activities?
About your vision of whistleblowing
Could you define in your own words what whistleblowing is?
How did whistleblowing develop in the past 50 years?
Where do you see whistleblowing in the next decade?
I need legal assistance. My company, a defense contractor, obtained a contract by bribing a government official. I'm being followed.
I don't have Signal or WhatsApp; technology is not my thing.
About your practices
Can you describe, from memory, the tools involved in the first contact?
Can you describe, from memory, the process to get documents?
How do you establish the most secure communication protocol with a whistleblower?
How long does it take for the whistleblower to upload their first document?
How do you proceed when a whistleblower requires anonymity?
How do you proceed to ensure the contact is secure?
What if a whistleblower requires a very high level of confidentiality?
What is, in your own words, the RGPD (GDPR)? What are the obligations and benefits for your organization?
How much time do you spend learning about security or dealing with security?
What tools do you use when discussing a case within the organization?
How often do you make exceptions and use your own devices instead of those of the organization?
What would it take for you to never make an exception and comply 100% with the security guidelines?
How do you verify the completeness of the information in a case?
What do the documented procedures cover?
How often did you review the procedures in place?
How often did you modify the procedures in place?
How many simulations did you run to learn the procedures? How long did it take?
What are the three most important things that hindered your work?
For example, a lack of hardware, expertise, guidance, ...
If you had time, what would you change in how you do your work?
About the tools
About your work environment:
What is Free Software?
How does it benefit your organization to use Free Software?
What is a technical intermediary? (reformulation)
What is a VPN good for?
Can you tell me what tools you use when you communicate with your whistleblowers?
Further prompt if necessary: describe what it does / what it allows you to do.
Could you explain, in your own words, the following concepts? When the interviewee knows the concept, ask for a tool that implements it and ask them to explain how it can help protect privacy and/or security. Pick at most five concepts and stop after two concepts cannot be explained. For those unexplained concepts, give a very short explanation of what they are:
Brute force attack
Internet blocking or censorship
An encryption key
A public key
A private key
A key fingerprint
Shared hosting vs dedicated hosting
Hosted physical machine
Backup and restore
A .onion URL
HTTPS in Tor
TOTP and HOTP
An encrypted disk versus a locked session
Mobile device metadata
Cleaning metadata on files
Passphrase vs password
Live system (Tails)
If someone steals the disk from your computer (not the whole computer), can they read your files without your password?
A whistleblower communication system
How a USB storage key differs from an SSD or a hard drive
A cryptographic signature
Checksum collision attack
A threat model
An adversary in the context of a threat model
HTTPS compared to HTTP
A referer in the context of visiting a web site
The logs of a website
The logs of an online service
Intrusion Detection System
Security update for an operating system
Man in the middle
Fingerprinting of a Tor Browser
What happens when a web page displays an advertisement? Where does the ad come from? How is it chosen?
Online service fingerprinting
What is a third party? And why does it matter for security?
Which third party do you need to trust when using:
Audio and video conferencing
File storage and sharing
Temporary file sharing
Temporary image sharing
Web site hosting
Safely erasing a file or a disk
Perfect Forward Secrecy (definition and examples)
Tell me about how you started to use these tools.
Further prompt if necessary: why did you start using them?
Who helped you get started?
When was the last time you used them? Tell me about that time, describe what you did.
Further prompt if necessary: what were you trying to do?
Do you work with other journalists who use the same tools?
If you have questions about the tools, who answers them?
Do you help anyone with their tools?
Imagine you have a magic wand. You can use it to change anything in one tool you use. What would that be?
Why do you want to change that?
Is there anything that works well with these tools?
Further prompt if necessary: tell me about that.
What is the most costly (time, money, effort, etc.) part of answering whistleblowers?
Which ways of funding are feasible and appropriate to improve call centers?
Thanks very much [NAME/ALIAS] for your time and patience. As a little thank you, I'd like to give you this sticker.
Would it be OK if I asked you for an email address so I can contact you about welcoming whistleblowers?
If you'd like to use PGP encrypted email I will send you my PGP key.
Is there anybody you know who uses tools to communicate with their sources? Would it be OK to introduce me to them so we can talk?