[Air-l] reasonable security with email interviewing research participants

[elw at stderr.org]

> In the case of my project, discussion of the topic matter has the 
> potential to incriminate the interviewee, if they were to talk openly 
> about their own illegal drug-related behaviours without concealing their 
> identity or without encrypting the content. Ethics approval was granted 
> for me to set up a process whereby communication was encrypted or the 
> participant's identity was adequately concealed. Obviously both 
> anonymity and encryption would be the best option, legally and 
> ethically.

You correctly point out that encryption does not ensure anonymity in the 
strongest sense; I think this is important to keep in the forefront.


> I have put together an Encryption Guide to assist participants in 
> setting up secure IM to use both while completing my interview and 
> within their normal IM use. I have consulted with some of the academics 
> who created the open source IM encryption software Off-the-record, and 
> have (hopefully) skilled myself up enough to assist interviewees in 
> setting things up.

In terms of secure IM, using OTR seems like a good choice, in that it 
moves the encryption/decryption step away from some intermediary service 
provider and onto the computers of the participants/researchers.

It probably would be equally reasonable to implement any secure IM 
strategy that relied on public key cryptography - whether 
PGP/GnuPG/OpenPGP or server- and client-side SSL certificates.


> I will begin interviewing in June/July. I have tried to forsee problems, 
> such as people not being prepared to spend time sorting out encryption, 
> which may just not be a priority for them or may be beyond their 
> computer literacy.

People are notoriously unwilling to make simple changes to their workflow 
that better protect them or their confidentiality (or even their incomes!) 
from 3rd-party observation or interference.


> If anyone on the AoIR list has experience in this area and has the time 
> to review my Encryption Guide, I'd be most grateful for comments and 
> suggests on this draft. Also, you can use the guide to set up encryption 
> for your own IM use, and you are welcome to test your set-up with me 
> anytime (this will help prepare me for the interviewees!). You can 
> download it from here: http://www.savefile.com/files/585220

Your guide looks fairly straightforward; remember, though, that you may 
have interviewees who have a serious aversion to our computer jargon.  ;)



With regard to email encryption - the "mixmaster" suite of anonymous 
remailer tools are pretty good, and useful in cases such as these.

[These are the same flavor of tools (different generation, of course) that 
were once used to run the (fairly infamous) anon.penet.fi remailer 
service.]

--elijah