This might seem like an obvious or even inane question, but I think it’s at actually at the heart of a lot of our discussions.
Bare with me! Here’s my case:
Privacy Guides is a respected and fairly extensive resource. While the homepage’s introduction is friendly and simple enough for your everyday internet user—linked by a friend or blog, let’s say—we have articles on everything from web browser and search engine recommendations to AOSP derivatives and release-cycle evaluations. I think that’s great.
Regardless of whether you agree with a particular decision, I think it’s also clear that the team is selective and thorough about recommendations. Further, our community is great at exchanging ideas, making arguments, and sourcing new suggestions. My aim is to streamline those efforts.
We all know that threat modelling is necessary to make any meaningful improvements to digital privacy and security (you’ve read the article, right?). Somewhat parallel, I think that understanding who our knowledge base and recommendations are intended for is essential to productive discussion.
I often link to the Writing Style guide for the simple reason that Privacy Guides is a predominantly written resource. Currently,
Privacy Guides’ intended audience is primarily average, technology using adults. Don’t dumb down content as if you are addressing a middle-school class, but don’t overuse complicated terminology about concepts average computer users wouldn’t be familiar with.
Now, I think that the topic and little details of how content is organized and explained on the website is an ever-evolving and important discussion (and I have some fun information-taxonomy ideas of my own), but this topic is about who Privacy Guides is for. For me, some questions come to mind:
- Who is reading Privacy Guides?
- Who do we want to be reading Privacy Guides?
- What can we expect of those people?
In the same way as identifying threats to important information and implementing the most appropriate means of mitigation, identifying target audience is necessary to make productive evaluations. Obviously, the whole point is that threat modelling exists, and that advice will therefore always differ.
However, in the context of a project with a specific scope, that is besides the point: if someone wants to improve their security and they ignore Windows updates (e.g. because they’re annoying, by default), then you point them to something on the importance of software updates. Likewise, if someone’s having trouble with configuring Nginx for the first time, you point them to the relevant documentation or a helpful guide.
Threat modelling, naturally, will always apply. However, for the purposes of evaluation, it can be helpful to identify target audiences.
With target audiences in mind, we can do a lot of the heavy lifting: extrapolating a likely threat model and determining appropriate mitigations. To that end, target audiences might be people who
- freak out at pop-ups;
- know how to access a settings menu and mostly use social media;
- or are the family “tech support” and like customizing their web browser;
Or, they might be people who
- prefer free and/or open source software—maybe they use a Linux distribution;
- prefer privacy-respecting alternatives to popular tools, and advocate for the right to privacy;
- are familiar with self-hosting, system administration, etc.;
- or are anything beyond: security professionals, researchers, etc.
One of the brilliant advantages of having such an extensive range of information (as I outlined), is that there’s room to consider more than one target audience (and it already happens frequently)! For example, things like native tools and automatic updates are often preferable because they address the likely threat models of a greater number of people, but stringent analysis of encryption design or trust extension can be life-saving for a journalist or activist in a dangerous situation—and there aren’t many approachable public resources with that information.
Now, finally, I will reiterate: rather than re-envision the project, the goal of this discussion is to be able to develop ideas about our target audiences to help focus evaluative discussions.
So, who is Privacy Guides for?