Our analysis identified three key practices of privacy group organizers that explain how they serve pluralistic privacy concerns among their diverse constituencies.
4.1 Situating: in Person and in Public
Privacy group organizers reported that they gave careful consideration to the context in which their meetings were situated. Situating meetings meant creating an environment that achieved several things: trust/safety among members, transparency, and visibility/accessibility to a wide range of attendees. A strong crosscutting theme across organizers’ experiences related to all of these goals was the importance of their events being open and accessible to the public. Although the practice of meeting in public might seem at odds with the objective of discussing privacy issues, the privacy group organizers provided several reasons for why situating the meetings in person, and often in public, was important to connect with their desired audience.
Situating for Trust and Safety. Some of the people the organizers were interested in connecting with were from vulnerable communities who might feel more comfortable approaching the group if the meetings were held out in the open and in not only neutral but safe feeling spaces. One organizer stated:
“Considering the spaces that we were trying to be at whether it was, you know, The Venue, or more directly like Fogwilde Bookstore, which is a feminist bookstore, I think dealing with folks in communities who have historically seen a lot of violence done to them whether online or in person, but certainly [online]. It was always important for us to be accessible so that folks feel comfortable approaching us to talk about these issues, even if they don’t tell us everything about their situation because they might not feel comfortable doing so.” (P2)
A second reason for situating for trust was that sensitive topics that might be more easily discussed if a degree of trust is established. Having repeated in-person meetings where attendees could return and see the same group members present helped foster that trust. One participant explained that having "regulars" who got to know people’s names was important:
"I think that was really, I think that was really useful because we were talking about privacy and sensitive topics and all of it sounds a little bit of conspiratorial. Having actual trust in knowing people is an important step in that, because some of the things we know to be true sound a little crazy.” (P3)
Situating meetings in person not only helped to establish trust among attendees, but also addressed distrust of technologies. Distrust of particular technologies may have motivated attendees to seek our privacy groups in the first place. In-person meetings provide a kind of safe respite from a world of surveillance capitalism [
76]. One organizer explained:
“Yeah, people just want to learn more and more. They’ve heard a lot of things and they want to just talk to someone in person, especially if there’s someone that doesn’t necessarily trust the internet.” (P2)
Situating for Transparency. Another strategy to engender trust was by situating events that encouraged a certain degree of transparency about how the group itself operated. One participant from the privacy collective described how they routinely held group administrative meetings that were open to the public:
"[...] just kind of open once a month open meeting where folks who want to take part in the work or want to learn more about the work that we do can just kind of come by and see how we make decisions and and do stuff. So I think transparency has always been a central part of what what we do and building trust in the folks that we work with." (P2)
Situating for Visibility and Accessibility. Privacy group organizers also situated their meetings in public spaces to increase visibility to people who might otherwise not know about the existence of such groups or not be regular participants in privacy conversations. Accessibility to diverse audiences surfaced again and again in different ways. One organizer asserted that holding events in public places helped expose their organization to people who might otherwise be unaware that privacy groups such as theirs existed:
“With a group that’s new like us and a topic that’s not as readily in the mainstream always, I think, doing the work in public spaces is important for us because it allows us [to] catch the attention of people who may not, who may not already be like plugged in." (P4)
Another organizer expressed that staging public events helped curate a sense of openness to newcomers:
"We just wanted to be open [and] accessible to as many people as possible. So the our events being public was important because we didn’t want to, [a]s much as we wanted to create a community and we want to wanted to have folks come through and feel comfortable, we didn’t want to create like a bubble. We wanted to always be open to new folks." (P2)
Yet another organizer stressed the desire to maintain a low barrier to entry to their events, which included ensuring that cost was not a prohibitive factor:
"We wanted to have the barrier to having people come to us be as low as possible, which included like we had some offers by places to come do workshops and they said, we’ll, we’ll have to charge like a ticket entry fee. And we were like, no, we won’t do that.” (P1)
A few of the organizers stipulated that by situating the meetings in person, those in attendance with more technical skill could work directly with those who were having issues or questions about their devices or would benefit from hands on instruction, creating a community approach to education. One interview participant stated situating meetings in person also helped make the meetings accessible to attendees without a lot of technical skills or experience and who might not be proficient or comfortable with video conferencing tools:
“An open public space, I think, is really, really kind of critical on which leads into the code stuff we can’t do that, and so the main outreach and educational nectar is closed. And I don’t think since since that people we’re trying to reach are […] not technical, I don’t think Zoom calls would be worthwhile.” (P3)
Situating During Lockdowns. The importance of public, in-person meetings may have been accentuated by participants’ recent (at the time of the interviews) pivot to online, remote formats due to the COVID-19 pandemic. We observed that organizers spent a great deal of time carefully considering how to situate online events during the transition. The first author began attending in-person privacy group meetings a few months before the onset of the pandemic, continued attending meetings after the transition to online, and observed as group members navigated extensive discussions about what online platforms were sufficiently privacy friendly and would foster a feeling of safety and trust for remote participants. Making online events accessible was seen as important given the new environment people were navigating during quarantine. Several of the organizers stated that they struggled to find an online platform that they felt confident would provide sufficient security for their attendees.
"I think, I think we’ve thought about this a lot and in trying to make ourselves as accessible as possible, especially now during quarantine, [as] accessible and available to folks who need information as possible." (P2)
Overall, there was a strong trend in the data toward valuing in-person public events over any of the solutions that were ultimately tried in online platforms.
4.2 Structuring: Letting Attendees Lead
A crosscutting theme throughout the interviews was that, ideally, events should be structured to surface and address privacy concerns of attendees. Goals for structuring according to attendees’ needs included serving diverse attendees’ needs and helping people think critically and make informed choices about privacy. This flexible approach to structuring was frequently contrasted with typical cybersecurity trainings or "CryptoParty" events where people share knowledge about how to protect oneself in digital spaces [
72], which was described as hierarchical and tool-centered. A common description of a CryptoParty event involved individuals with technical expertise teaching attendees how to use a specific tool that was presumed to make them all safer. However, the participants who had experienced these meetings found that there was often a disconnect between the varied needs of the individuals they had interacted with and the universal solutions beings taught in other cybersecurity meetings.
Structuring to Meet Diverse Needs. Participants explained that their groups served people with diverse understandings and experiences of privacy and that a universal approach would fail to serve these diverse needs. One organizer explained the structure of the events as predicated on respect for attendees’ experiences and understandings of what threats they face:
“Especially considering especially that we were going into a lot of different spaces and community spaces. We never wanted to tell people what’s their threat models [...] we just start with the assumption that people know what their threat models are and we’re just providing resources and suggestions. So we never really wanted to feel like this group or force that came into a situation [that] was like this [is] what you have to do." (P2)
Individual attendees’ backgrounds and identities played a strong role in organizers’ explanations of why structuring to support diverse privacy concerns was important. P5 stated that common themes like keeping one’s self safe were "very different if you’re talking to a group of protesters" compared with people who were "just focused on what can I do for myself? What can I do for my family?" These different goals might stem from different activities and situations, but might also stem from identity characteristics like belonging to a marginalized group.
A few of the participants shared that their interest in privacy issues stemmed from their own or an acquaintance’s experiences with targeted surveillance. P6 became interested in privacy issues after learning from a teacher who was a black Muslim about being a target of surveillance as a minority. P4 became interested in privacy issues because of his own experiences being a target of surveillance as a minority, and shared his thoughts on how unequal power structures impact the options available for some groups disproportionately:
"Is privacy equal for everyone? I think now, and I think my focus personally, beyond just also the organization’s focus, is thinking about like what what is privacy and surveillance mean for communities who don’t have the agency to choose privacy as much as they want." (P4)
This organizer went on to posit that in addition to disproportionate power balances producing dissimilar options for individuals to protect their privacy, those with less agency are less likely to be involved in dialogues about privacy-related issues:
"I think these privacy conversations are often reaching a very select group of people. Sometimes it’s like an echo chamber of like talking about privacy and surveillance and often I think the people who are most impacted by some of these questions aren’t always in the room." (P4)
Structuring privacy groups around attendees’ concerns offers a chance for concerns of minoritized people to be elevated and addressed, albeit on a local level. One participant explained that often there is a one-size-fits-all approach to cybersecurity:
"The general approach a lot of people faced when learning about cybersecurity [...] was that it was either kind of like I don’t know how to explain it, but like either our way or the highway or like you do this and there’s really no other sense for you to do anything else. " (P2)
Structuring to Support Critical Thinking about Privacy. In opposition to a universal, tool-centered agenda for their meetings, several organizers expressed that they preferred structuring their meetings around a topic of interest that would allow attendees to share their own connections and experiences, learn to think critically about privacy topics and strategies, and make informed decisions. This approach to structuring echoes learner-centered approaches to education and design [
25,
66]:
"We wanted to take a less top down approach to education and kind of creating try to make it more, without making it completely flat, just a little bit more horizontal. So there’s a little bit less of a gap between those who are instructors and just participants, because we ultimately see that both groups have a lot to learn from each other and we don’t want to yeah, we don’t want to feel like we’re being elitist in any way." (P2)
Another organizer explained that an important goal was to develop critical thinking about privacy and technology because new users might not be aware of all of the specific threats that they may encounter online. Rather than teaching specific technologies and tools, P3 explained that:
"So we were on the list of computer classes, which you know it’s kind of a misnomer like we’re not teaching people how to use Excel or giving them practical skills necessarily but I’m teaching broader things like getting some basic theory and critical thinking when it comes to technology. We would do we have basic one of the recurring things was phishing [...] and teaching people what like bad links there on the Internet and that’s not the kind of question that a new user of technology is going to think that until it’s like far too late." (P3)
Another participant noted that in addition to being technically complex for beginners, encryption and communication tools were not the solution to everyone’s privacy problems and advocated for what was termed "holistic security," which attempts to address the different ways that individuals experience threats to their privacy. While some attendees were concerned about the threats from governments or ISPs, others were concerned about things such as people reading email over their shoulder. Here, we see how the attendee-driven structuring helped accommodate these varied concerns under a unifying umbrella:
"We were trying to practice or discuss this idea of holistic security. We had initially [...] tried to do like the the formal model of a CryptoParty, which is a lot of encryption tools and fairly technically complicated, but the problem is that for communication tools like PGP, if you don’t know people who have already used them, they’re not very useful and they’re also only useful against very particular adversaries. So PGP is great if you’re worried about your internet service provider or maybe the government snooping on your emails. It’s not so great if you’re worried about like a friend reading your emails over your shoulder or something." (P1)
P1 observes in the above quote that structuring according to attendees’ concerns rendered an emphasis on technical training and solutions inadequate. Teaching people about encryption or other privacy-enhancing technologies may not have helped them address the actual threats they perceived in their lives.
4.3 Supporting: Fostering Multiple Forms of Support
While providing informational support was a primary objective of privacy group organizers we interviewed, they also discussed providing and mobilizing exchange of several other forms of support including emotional support, and affirmational support. Provision of informational and emotional support have been examined in CHI and related literature as a feature of online support groups [
69], we also found evidence that affirmational support—personal validation and self-esteem—was important in privacy groups.
Provision of informational support. Getting people the information they needed was a common thread throughout our interviews. One strategy for providing strong informational support was ensuring there was accessible and approachable technical information at events. One organizer explained the consensus among their group:
“[...] we’re on the same page, there was kind of a nice emphasis on creating accessible material that doesn’t shame participants for their lack of knowledge in the subject area and that’s, you know, true of folks who have had you know, maybe who are less computer literate o[r] folks who are maybe more computer literate, but just don’t have a lot of knowledge in this particular sector.” (P2)
What P2 highlights here reflects threads that appeared throughout our interviews and were sometimes juxtaposed with other findings—for example, recall that participants noted situating events in person allowed non-technical attendees to receive direct, individualized informational support from more experienced organizers or community members. P5 explicates that although resources are available, many people are not able to invest the time required to find them, and if the informational support provided is not customized to the people they are working with then it will likely not be useful:
“I think this gets to broader theme[s] of this sort of work. Generally, that if you’re willing to invest a lot of time [...] everyone has the resources out there that people can use to address a lot these questions. The most crucial thing though is that very few people have the time to actually invest in, and so that’s why it’s really so important in this educational work to do the job of distilling the information into actionable formats based off of the needs of the specific groups that we are serving in that training. Because if we don’t have that hyper-customized approach, you can give someone a ton of information, you can give them a stack of printouts, and it will just gather dust in the corner.” (P5)
Provision of Emotional Support. For our participants, emotional support was a critical feature of privacy groups because attendees came to deal with a wide range of threats and fears. One organizer described privacy group meetings as providing a space where attendees could share their feelings about being surveilled without judgement or blame and be reminded that surveillance is a product of public policy and culture:
"People who come to our events are the ones interested in grappling with this feeling of living in a world where they feel there’s a constant invasion of privacy in one form or another, and how do I confront those feelings, both technically, but also, I think we offer just a space for people to feel that, you know, it’s okay like to be surveilled in this world. It’s not like an individual failure. It’s one of policy and culture." (P2)
P2 further explained that if all the groups provide for people who experience harassment or stalking was a place to talk about it that was "super, we’re happy with that, just a place for people to feel that they can talk about it."
Another element of the emotional support given was the establishment of a space where people were able to simply talk about their experiences, even if an ultimate "solution" that resolved the issue was not provided. An organizer described some of the experiences that brought people to privacy groups:
“People who had experienced some form of online harassment or cyberstalking or hacking who had not been able to find help anywhere else, having maybe gone to the police, having tried to [...] deal with the problem, personally" (P1)
Returning to the concept of holistic security, one of the organizers noted the importance of physical and emotional security while acknowledging the multidimensional aspects of an individual’s privacy that might not always be evident:
"Because there’s a lot that we don’t know, and we approach a lot of the work we do with this idea of holistic security. So it’s not just the digital that’s important. It’s also the physical, emotional security, which is important as well. And there could be aspects of any of that, an individual’s or community’s cyber, physical, or emotional security that they may not be talking about that we might not be aware of. So we don’t want to give people advice that could potentially hurt them, or at the very least, not apply to them because we, you know [made] an assumption about an aspect of their [threat] model. So we, we just try it. Yeah. We try not to be assertive, we tried to be approachable." (P2)
Provision of Affirmational Support. In addition to informational and emotional support, organizers stressed the importance of providing what is referred to as affirmational support—an inclusive space for the attendees to feel validated and heard. P2 described:
“Having the public events, allowing people to kind of put a face on who this group is, or make connections with folks and kind of network with people who are also very concerned about their cybersecurity needs, who may be in a world of people who don’t see the importance of their cybersecurity concerns, that they can meet other people who be like, “Okay, well yeah, this is this other person. I feel a bit validated.” (P2)
These physical spaces provide a space for validation as well as combat feelings of paranoia that might have accrued through interactions with skeptical friends or family members. P2 went on to offer that:
"[...] just space for validation seems very important because I think a lot of times people in this field [...] are kind of written off as paranoid and um, yeah, just paranoid, like the government’s listening to them that you know corporations are listening to them, which we know is true in a lot of ways, but in I think the way that even though this [is] becoming more and more popular [in] conversation. The amount of I think denial around the the data surveillance that any citizen could come into contact with knowingly or not is, it’s pretty vast." (P2)
Sometimes the organizers shared personal stories about not being believed by their own friends or family members. This interviewee shared that:
"So yeah I think that that can’t be forgotten, I remember like five years ago I would talk to my family about this stuff and they’d be like you’re absolutely insane that doesn’t happen, I mean [the NSA] doesn’t literally record every phone call and I’m like, but they do. Here’s the giant data center they store [it in] in Utah. It’s [a] Wikipedia page." (P3)