User Personas for Privacy and Security

“Personas summarize user research findings and bring that research to life in such a way that everyone can make decisions based on these personas, not based on themselves.” — Steve Mulder, The User Is Always Right

Activity: User persona creation.
Takeaway: When making and using user personas for security, it is best to ensure you are highly specific to different populations’ concerns.

Who needs apps for their security and privacy, and why? When developing apps, it’s useful to clarify and specify distinct user groups with different characteristics and needs. A common way to make these needs distinct and tangible is to develop personas: profiles of hypothetical users which summarize a body of data about those users.

The Open Internet Tools Project’s Secure User Practices program has developed the personas below in conjunction with other organizations and individuals concerned with digital rights. These personas make vivid the needs of journalists, activists, LGBTQI populations, domestic violence survivors, NGO workers, residents of war-torn regions, and others who may have specific needs for tools which protect their privacy, security, and ability to access the Internet. Comments on these personas can be added to this Google document, where you can also download the entire slide deck. (This version may also provide a more manageable version of the images below to those who use screen readers.) We welcome feedback, additional suggestions for personas, and sharing and making use of these personas as they may help you in developing new applications!

What is a user persona?

A user persona is a focused, easy-to-relate-to summary of research on a group of people who might use a particular piece of software, hardware, or a service. Personas help us engage in complex systems thinking about people using these tools, and how the tools fit into their lives.

A persona is not a description of a single person! Instead, it is an aggregate of a range of interviews and other information from a specific group of users with similar goals and backgrounds. In this way, personas avoid the problems of relying on anecdotes.

What is a persona for?

Personas serve a handful of uses:

• Focus on specific use cases, rather than speaking in more general terms about users
• Identify candidates for user tests, or even a lens through which to view walkthroughs of the software
• Having a common document that everyone from developers to the marketing team can refer to makes it easier to communicate quickly about who is being served
• Justify particular development decisions
• Help teams see and feel through the eyes of the people who may be using the software, empathizing with their situation
• Bring the user experience to developers who cannot observe in the field when distance or physical security is an issue (user or developer’s life or liberty might be threatened if they were in contact)

How are personas used?

Personas come in most useful early in a development cycle (whether you’re calling that “requirements analysis,” “hypothesis statements,” or whatever your flavor of development calls it.)

Normally, a range of personas informs the development of one product or feature, specifying different needs users may have. However, it is likely that the specific use cases described here may be better served by a range of apps, websites, hardware, and services — different ones for different cases.

These user personas were primarily developed to communicate user needs to developers of open-source tools for the protection of privacy and security. However, we expect the personas will be of use also to developers of mainstream software and services in thinking about sensitive cases.

How were these personas made?

These personas were developed from a range of sources:

• a persona creation event with LGBT communities and their allies about the security and privacy concerns of their communities;
• an ethnography of Vietnamese bloggers and journalists produced by SecondMuse;
• earlier user profiles developed by SecurityFirst and Amnesty International in developing security apps;
• user tests and interviews performed by the Secure User Practices project at the Open Internet Tools Project;
• and two use cases developed by digital security expert Eleanor Saitta.

They were further refined by Gillian “Gus” Andrews of the Open Internet Tools Project, and Robert Stribley of Razorfish.

Sketches were provided by artist Rob Vincent.