key2kindness
Abstract
If you care about security, you care about safety. So you need to care about abusability and trust. This toolkit will
provide information about why centering peoples’ safety in our digital technologies is important. We present the
concepts of abusability and trust as two important tenets of building such safer technologies, followed by resources
that can help us build safer technologies.
How and why we trust in technologies can have many different meanings depending on the context. For example,
we can understand trust to be a static object (eg. when a trusted user is given access to a system), but we can also
understand trusting as an action (which is impermanent and can waver in time) and being trustworthy as a quality
to aspire to. Despite this complexity, when it comes to designing new technologies, we often only consider trust as
a shorthand for user engagement - if we increase trust in a system, more people will use it. We argue that when we
center peoples’ safety instead of engagement, trust has to become a more complicated part of the development
process. Instead we provie three questions that can help designers and developers more deeply engage with the
topic of ‘trust’ and how it can help us build safer systems: (1) Is trust being used as a verb or a noun? (2) Who,
where, and why do we Trust? And (3) how do we Trust?
Abusability is the possibility that malicious actors might weaponise a system for harmful activity; designers have
a responsibility to anticipate and mitigate this. Abusability plays on the concept of “usability” to ask what kinds
of uses should be restricted rather than enabled in design. This form of threat assessment and testing reframes
security’s traditional focus on an external attacker penetrating or subverting a system from its intended or
authorised purpose, to ask how people use features for harm. Developers and designers should consider abusability
at various stages of the design lifecycle: asking how might a product be abused during threat modelling and
testing, and then making sure there are robust mechanisms for responding to abuse, such as reporting features
and support for rectification. This allows companies to respond to problems on their devices and platforms as
they arise. Mature company practices in this space will move beyond tokenistic inclusion and meaningfully involve
survivors and advocates in designing both preventative measures and responses to abuse.
