Hello readers,

I’m Anne, a reporting intern at The Markup and CalMatters.

I loved learning about security and cryptography as a university undergraduate studying computer science: The technical specifications and math equations formed the bedrock for a world of political implications. I’ve long been interested in how the technology meant to enable us to achieve digital safety and privacy interacts with the social and cultural forces we contend with as we use those tools.

I sat down virtually last week with someone whose work has focused on that sort of interaction: Rikke Bjerg Jensen, a professor in the Information Security Group at Royal Holloway, University of London. Jensen argues that security, a field that includes technically gifted experts striving to keep our data safe from eavesdroppers and hackers, can become more useful by understanding our social relations and what we really need from security technologies. Jensen’s work, as they describe it on their website, engages with the “often hidden, unvoiced and/or at-risk groups not generally considered in the design of security technologies.”

For example, Jensen co-leads the Social Foundations of Cryptography project, using ethnography—the observation and analysis of specific cultures—to examine cryptography’s underlying security definitions. Before that, in 2018, she joined seafarers on container ships for a study that highlighted the importance of connectivity to their sense of security, calling into question some shipowners’ practice of limiting WiFi onboard for safety reasons.

In 2021, Jensen was part of a team of researchers that found while messaging apps used by protesters in Hong Kong met technical specifications like forward secrecy, which minimizes the extent to which a breach compromises past communications, they failed to satisfy protesters’ specific needs—like the ability to remotely delete messages, or the ability to remove arrested protesters from communication groups.

Probing Jensen’s thinking on how social context shapes information security feels especially timely now: Information security tools and how people use them lie at the heart of a number of recent controversies, involving everything from government transparency to police surveillance to operating system features. Just this week, top U.S. government officials set off a political and diplomatic crisis by discussing highly sensitive military plans over Signal, an off-the-shelf encrypted chat app (you may remember our Hello World interview with Signal’s president back in 2023). Our conversation has been edited for brevity and clarity.

---

Anne Li: Can you give us the long version of what you work on now, and why you do what you do?

Rikke Bjerg Jensen: [With a number of collaborators and ethnographers in the U.K.:] We have the Social Foundations of Cryptography project. One of the things that was really essential to us was that cryptography models social relations all the time. 

A lot of [what I work on] is rooting information security and security more generally in insights from ethnography.

I’m excited about spending time with people as they go about their daily lives. I hesitate to use the word ‘privilege,’ but I really find it [one], the fact that people accept me into their everyday existence and show me their worlds and their insecurities. Because of course my research specifically focuses on people’s security needs, which is something that’s quite intimate and quite sensitive, even if we don’t talk about trust or risks.

People’s security needs is something that’s quite intimate and quite sensitive.

Historically there’s been an assumption that as security technologists or policymakers, [we] designers have the knowledge because security is an expertise. And I’d like to twist and say, ‘Well actually, we [humans] all do our own security every single day, many times a day,’ and we need to understand ground up. Because we will continue to fail in our ambition to make security for people, whatever that means—but for me, rooting it in people’s lived experiences is absolutely essential. I feel very strongly that we need to engage with people where they are, not to bring them into a lab, and not to get people to tell us what we need them to tell us.

Li: Could you talk about one of your favorite projects and the story of that project from conception through publication?

Jensen: I did some work just before Covid, where I wanted to understand how seafarers onboard container ships considered information security. There was a small piece of funding from the Sailors’ Society in the U.K., and that’s why I kind of like this project. It’s not like the Social Foundations project where we had a big grant behind it—this was like £5,000.

I ended up getting hold of a shipping company who sent me a list of ships. I picked a couple of ships, packed a rucksack and went to the port whenever the ship was going to come in. I got on board the ship [with] I think 20,000 or 40,000 containers and 20 seafarers, and they gave me access to everything: I could just move around the ship, I could engage with them in their settings.

The ship didn’t have Wi-Fi connection, so [seafarers] would buy SIM cards in ports, sometimes very expensive. When they came into the first European port, which was often Rotterdam, they would buy these SIM cards. Every time the ship was close enough to shore they could connect. Sometimes if you’re out of connectivity for 10 days, the minute you got close to shore, everyone would be [on the ship’s bridge] with their phones trying to pick up a signal because they really needed to speak to their loved ones—which also gave them this sense of belonging and security.

They would do that even if it was the middle of the night during rest hours. I remember one example: There’s a Strait of Gibraltar which is a very tricky strait to navigate. You can’t rely on the tech and the navigation system. And there you would have all of them on bridge with their phones because they were close to shore. So this argument from some shipowners, at least, that “We don’t want to provide connectivity because we don’t want seafarers to be distracted,” just didn’t hold. 

[The project] led to the development of welfare packages and Wi-Fi onboard some ships at the time. As someone who doesn’t really think of my research [as having] this very direct impact, it was quite rewarding that I spent time on these ships for a couple of months and understood what the challenges were and could then counter some of these perceptions that existed around the challenges of connectivity: ‘No, this actually gives people a sense of security, and not being connected is insecurity in some ways; we might look at security in different ways.’ It speaks to this idea of: We need to ground it in the social context and the relations that people have, and it’s our job then to make whatever we do work for that setting.

Li: There’s such a long line of things that go into [a person’s interactions with security technologies], from the underlying cryptographic protocols to the people who design those apps and how the person accesses the apps. You mentioned there are gaps along the way and your research is trying to figure out where those are. What are some of the gaps you’ve seen, and ideas for how to fill them?

Jensen: There’s of course applications people use—there’s Signal, there’s a lot around secure messaging. That’s interesting for the computer science side, and then the social science [side] might go out and understand how this is applied in the world. We had an observation that when the two disciplines or fields came together, it was at the applied stage, rather than trying to actually fundamentally challenge each other.

Because this is not just a challenge to cryptography, it’s also a challenge to ethnography: We observe the world as it is, we write it down in very descriptive text and then I’m like, “Now my job is done.” I don’t actually go out and make it work for people, or I don’t try and translate it or say, “This is wrong and this is right.”

It was really the [Hong Kong protest paper] that started this for us, so whilst that is not ethnographic, it became a pilot for us in different ways. First of all, it became a pilot because protests are important as adversarial settings. We needed settings that are relatively safe for us as researchers that can go and do ethnography, but where there’s something at stake. But also where cryptography might have a role to play. A completely authoritarian regime where you can’t protect yourself with cryptography—that’s not interesting for cryptography.

A completely authoritarian regime where you can’t protect yourself with cryptography—that’s not interesting for cryptography.

When they started the [Anti-extradition Law Amendment Bill] protests in Hong Kong in 2019–20, we saw there was a big download of the Bridgefy app, a mesh network which doesn’t work [for the protestors]. [So] we reached out to some protesters there and we started doing work.

It’s an interview-only study, so it’s not ethnographic, but at least it started to make us aware of some of the discrepancies that earlier work [by Ksenia Ermoshina, Harry Halpin and Francesca Musiani] had pointed to, and we saw it in slightly different ways in the work in Hong Kong: The mismatch, for example, between what secure messaging designers designed for and what human rights activists needed.

The ways in which cryptographers think about post-compromise security and forward secrecy was not the ways in which the protesters in Hong Kong understood that. They wanted protection as it happened—for example, during arrests rather than after arrests.

For example, the kicking out of group members: Often there would be some people staying behind and not on the front line. And they would use different tools—for example, the Life360 app, which is a family tracking app—but also sharing location with WhatsApp, where they could also observe [battery levels]. They would be observing each other. The reason for that was that if someone was suspected to have become compromised, i.e. arrested, they could then protect the rest of the group [by kicking that person out].

Li: How do you navigate entering a community?

Jensen: Ethnography relies on access, and when you work in higher-risk or at-risk contexts—protest settings, activist settings—these are people who have something at stake. We all do to some extent, but their stakes are quite high in engaging with me. Beyond the institutional ethics framework which exists for any research that we do—in your personal relationships with the people that you engage with, it’s really really difficult and you just cannot promise anything.

I usually don’t promise really anything beyond: “I will listen, I will engage, it’s a long-term commitment. And just a long-term commitment doesn’t mean that it will change anything for you.” I think that’s one of the hardest things, especially when you spend months with people. These people become close relations, and you will know them through different situations that you are sharing with them.

I think a lot of the conversation, for me at least, becomes: “Use me in whatever capacity you can.” For example, I’m quite against security training in some ways—because who am I to give you any training, because your security is different to mine—but at least I have something that I know about; I have cryptographers or security managers that I can draw upon, I have networks, and I use that to the best that I can. 

It should never be, at least in my view, that the access and your drive to get access—whether it’s to sources for you, or to research participants for me—gaining access can’t dominate to the point where you promise things that you just are not sure about.

Li: You did a bachelor’s in drama and performance studies, a master’s in journalism, a Ph.D. in media studies and a postdoc with the departments of geography, law and criminology. That sounds like a whirlwind journey. What’s the story behind it?

I never really had a plan.

Jensen: The story behind it is that I never really had a plan. I grew up in a very small place called the Faroe Islands and came to Denmark when I was 15 or something for high school. I didn’t really feel like Denmark was for me, so I traveled for a bit and said, “I guess I should do university,” although I really had this ambition never to go to university.

I was in theater school in Denmark for a bit and I did a lot of alternative theaters. I said, “What gives me an access to university where I can do stuff I actually want to do?” That’s how I ended up doing performance arts and performance studies in Aberystwyth, in Wales.

I got really sick of being creative during my undergraduate. I needed some structure, and I had always done a bit of journalism, so I decided to apply for a journalism degree in London and was accepted and that took a life of its own. I worked a bit as a journalist after my master’s and I got quite frustrated with the way journalism was being done at the time. I observed this ‘media management’ of the narrative of [the Iraq and Afghanistan wars] from inside the establishment.

What I ended up wanting to explore in a Ph.D. was to challenge this relationship between the media [and the military]. During my Ph.D. I did ethnography, I did fieldwork; that became my foundation to understand objects of study through engaging with them in their natural setting. That would become quite essential to how I approached research after that.

Although [my postdoc] was in geography and the school of law, it weirdly was almost like an extension of my Ph.D., so I could not not apply for it. I was trying to understand the use of social media by military personnel and their families. It was very much in a similar way that I had done my Ph.D. research approach.

---

Thanks for reading,

Anne Li
Reporting Intern
The Markup / CalMatters