Together with Nicola Wendt, I wrote this piece on how ethnography can contribute to information security, which appeared in the ISG Newsletter 2020/2021.
An emerging body of information security scholarship has explored the security needs and practices of distinct groups of people, often focusing on those who are either marginalised or at higher security risk, e.g. activists, refugees, undocumented migrants. What these works highlight, among other things, is that information security relies as much on people’s experiences of security in their interactions with technology as on the security of the technology itself. Underpinning this work, while not expressed explicitly, is an understanding of information security rooted in collective behaviours and practices, where the security of the individual is grounded in trust relations and shared security goals within groups.
The understanding of information security as a collective endeavour is the starting point for our work on security needs and practices with people living and working on what we might call ’the edge’ of societies. More specifically, our work engages the often hidden or unvoiced social groups not generally considered in the design of security technologies. While existing studies have employed qualitative research approaches, such as interviews and focus groups in particular, to understand such security needs and practices, we take a different approach. Our work starts from the premise that in order to truly understand information security as something that is practised by social groups as much as by individuals, we need a methodological approach that is grounded in the settings and groups it aims to understand: namely, ethnography. Indeed, ethnography has already established itself as a methodological practice within various branches of research into technology use, focusing in particular on informing human-centred technology design and often within a workplace setting.
The distinction between ethnography and qualitative research more generally is articulated by, among others, Paul Atkinson, a key figure in ethnography:
There is a world of difference between a commitment to long-term field research - spending time in one or more social settings, with a number of people as they go about their everyday lives - and the conduct of a few interviews or focus groups.
For security, this distinction is particularly important as interview and focus group based studies rely on participants self-selecting to take part. This often leads to a skewed sample, where study participants have pre-established ideas of security or consider themselves security conscious. Indeed, qualitative studies with, for example, higher-risk groups often end up engaging security trainers for these groups or “community leaders”, instead of those who have to rely on security technologies for individual or collective security. Therefore, ethnography, rooted in extended field studies and driven by immersion and observation with and within the social groups it aims to understand, is uniquely placed to uncover actual security practices and needs as they transpire in people’s everyday lives. Put differently, it allows us to learn that which people do not know themselves. With Atkinson we can say that interviews and focus groups “are ‘qualitative’ but they are certainly not ethnographic”, while for security they fall short when trying to establish actual and lived security needs and practices.
Ethnography enables long-term explorations of, for example, what security looks and feels like for the groups under study and how this might change over time. How security is experienced and voiced as well as how it is negotiated and shared between group members. How security technologies are used within groups and for what purposes. What security expectations and goals are held within groups and how they manifest themselves. Ethnography further allows to explore and understand the contextual structures that govern and influence collective security practices, facilitating a more comprehensive analysis of social groups’ security behaviours, concerns and needs; thus, opening up the potential to ground technological innovation and security notions in the actual (observed) experiences of people, rather than in how people articulate security concerns and needs through, say, interviews when prompted.
It is, however, important to distinguish between different ethnographic approaches. In line with Crabtree et al., ethnography is “an empirical matter of uncovering through fieldwork the methods that members employ to account for, accomplish and organize action and interaction in the settings they inhabit” (emphasis in original). Ethnographic work is thus capable of unearthing ‘social facts’ about the groups we study and goes beyond rhetoric, cultural interpretation or critical discourse found elsewhere.
To exemplify this, we briefly draw out a few insights from two separate field studies: (1) seafarers onboard two container ships and (2) Greenlanders living in Nuuk, Greenland and Copenhagen, Denmark. Both studies were grounded in ethnographic research and comprised extended fieldwork with the groups under study. While Nicola spent one month in Nuuk and two weeks in Copenhagen, Rikke spent five weeks onboard two container ships in European waters. Each study aimed to understand how (information) security is practised by these groups and what security concerns arise in their use of digital technology. While the insights differ for the two settings, they share some overarching findings made possible through ethnography.
We observed how the particularities of the physical environments distinctly influenced people’s digital practices and security needs in ways they themselves took for granted. In both settings, digital connectivity was limited and distrupted, which led to a series of workarounds. In the seafarer study, onboard observations highlighted how seafarers rationed their Internet usage by using low data consumption applications or by structuring their work and rest routines to connect when the ship was within phone signal range. This need to connect every time the opportunity arose often perturbed established security practices onboard the ships, including navigating the ship through busy and narrow sea passages. Observations also revealed specific collective practices, such as the sharing of account details in order to access each other’s data allowances and collective strategies to circumvent monitoring mechanisms put in place by the ship’s operating companies. Trust relations between crew members emerged as the bedrock of onboard notions of security. This was underpinned by the fact that the confinements of the ship (limited shore leave, ship monitoring, increased automation, stricter socialising and alcohol consumption policies and larger ships with smaller crews) led to increased isolation and separation from wider support networks, which meant that seafarers largely relied on each other for security. However, this security was short-lived and had to be constantly re-established. Variations in employment contracts (from three months for the captain to nine months for the crew) and uneven manning logistics, meant that crew compositions were repeatedly changing, making it difficult - if not impossible - for crew members to maintain continuous relationships or establish sustainable collective practices to mitigate shared vulnerabilities.
In the Greenlandic context, unreliable and expensive digital connectivity forced many of Nuuk’s inhabitants to restrict online work activities or interactions with friends and family to places with WiFi access, generally their homes or workplaces, with transitions between these places being perceived as disruptive. As the only place which offered publicly accessible WiFi, Nuuk’s library had evolved to become a meeting place for economically disadvantaged Greenlanders who came there primarily to use different online services. After opening hours, people of all ages were observed leaning against the library’s outer walls with their phones in their hands, continuing to use the WiFi. Digital connectivity hence emerged as an increasingly important tool for a number of individual and collective security practices. As Greenland’s population lives dispersed across a vast area with little physical infrastructure connecting individual settlements and towns, digital connectivity has materialised as a central tool to counteract the effects of physical and social isolation. Digital connectivity offers access to platforms for entertainment but also civic engagement, education, business development and the maintenance and creation of bonds with friends and family. Particularly Greenlandic women, who noted that digitalisation was paralleled with an increase in harassment, were observed engaging in the shaping of these online ‘safe spaces’ to foster digitally enabled collective security practices. Through oberservations, digitalisation itself thus emerged as an emancipatory agent, enabling and fostering economic independence, political engagement and personal security; particularly for Greenlandic women.
While only covered in brief and high-level terms here, both studies show how an ethnographic approach can uncover security practices and needs that social groups take for granted. They reveal the emergence of distinct collective security responses to individualising technologies and environments as well as institutionalised structures. This is precisely why ethnography matters to information security.
 In this piece, we do not cover how quantitative studies fail to provide insights into people’s actual security needs and practices, but simply note that both surveys and questionnaires are rather futile means of inquiry here.
 In ethnographic terms, the time spent conducting fieldwork in both settings was somewhat short.