key: cord-0604295-tfne7dlt authors: Albrecht, Martin R.; Blasco, Jorge; Jensen, Rikke Bjerg; Marekov'a, Lenka title: Collective Information Security in Large-Scale Urban Protests: the Case of Hong Kong date: 2021-05-31 journal: nan DOI: nan sha: c8135211f4dd4ce21c832481ec9f96eac26cc8d9 doc_id: 604295 cord_uid: tfne7dlt The Anti-Extradition Law Amendment Bill protests in Hong Kong present a rich context for exploring information security practices among protesters due to their large-scale urban setting and highly digitalised nature. We conducted in-depth, semi-structured interviews with 11 participants of these protests. Research findings reveal how protesters favoured Telegram and relied on its security for internal communication and organisation of on-the-ground collective action; were organised in small private groups and large public groups to enable collective action; adopted tactics and technologies that enable pseudonymity; and developed a variety of strategies to detect compromises and to achieve forms of forward secrecy and post-compromise security when group members were (presumed) arrested. We further show how group administrators had assumed the roles of leaders in these 'leaderless' protests and were critical to collective protest efforts. Large-scale urban protests offer a rich environment to study information security needs and practices among groups of higher-risk users by relying on a diverse set of digital communication platforms, strategies and tactics, and by their sheer size. In this work, we study the Anti-Extradition Law Amendment Bill (Anti-ELAB) protests in Hong Kong, where most activities and interactions map onto some form of digital communication. The use of different communication platforms as an integral part of the protests has already been documented in various media reports, including: large chat groups on platforms such as Telegram, protest-specific forums on the Reddit-like platform LIHKG, practices of doxxing as well as live protest maps such as HKmap.live to identify police positions [15, 16, 77, 98] . Recent scholarship has also highlighted the significance of digital technology to the Anti-ELAB protests. For example, "novel uses" of communication technology by Anti-ELAB protesters led them to form ad hoc and networked "pop-up" protests, creating a new form of a "smart mob" facilitated by digital technology [103] . Platforms such as Telegram and LIHKG worked to mobilise and establish a sense of community among young activists [86] and created a "symbiotic network" of protesters [60] . Social media was used to maintain "protest potential" over time [67] . To design and build secure communication technologies that meet the needs of participants in large-scale protest movements, it is critical that designers and technologists understand protesters' specific security concerns, notions, practices and perceptions. There is also a need to understand the existing use of secure and appropriation of insecure communication tools within such protest groups, where they fail and where they succeed. Existing qualitative studies have explored security practices of different groups of higher-risk users, e.g. [23, 24, 29, 33, 37, 42, 69, 73, 74, 93] , but none to our knowledge have studied such practices within large-scale urban protests. The Anti-ELAB protests, while specific in nature like any other local protest movement, provide ample material for a case study. This is not only for the features already outlined above -urban, large-scale, digitalised -but also because of the place these protests take in the imagination of protest movements across the globe. The perceived analogue and digital tactics developed in Hong Kong have been imitated by protesters elsewhere, often with a direct reference, see e.g. [21, 49, 83] . Contributions. We develop a grounded understanding of (perceived and actual) security needs and practices among Anti-ELAB protesters through in-depth, semi-structured interviews with 11 participants from Hong Kong. Through an inductive analysis of these interviews, research findings were synthesised into five main categories. We outline these in Section 5 -the tools used by Anti-ELAB protesters and the reasons for their adoption (Section 5.1), the role these tools play for the organisation of these protests (Section 5.2), the tactics used to detect and mitigate compromises through arrests (Section 5.3), the practices adopted to work around limitations of the tools relied upon (Section 5.4) and the routes and negotiations through which protesters arrive at their understanding and practice of security (Section 5.5) -before bringing these into conversation with information security scholarship in Section 6, where we also identify open research questions, and concluding in Section 7. We position our research within studies on digital communication technology use by participants of large protest movements, including existing work on the Anti-ELAB protests to establish pre-existing understanding of their technology use, as well as scholarly work on higher-risk users. The importance of digital communication technology in largescale protests is well documented in the social science literature, focusing in particular on the significant contribution of social media platforms to the mobilisation of social movements [18, 25, 31, 32, 65, 72, 76, 91, 111] . They also highlight the critical role that digital media play in the organisation and coordination of large-scale protests, e.g. Occupy Wall Street and the Arab Spring [5, 34, 48, 57, 80, 104, 108] . Yet, there is consensus in the literature that while the ability to form online networks can support mobilisation and organisation efforts, it is neither the sole driver nor the underlying cause. Scholars also note how digital communication technology enables new networks and movement formations. For example, Bennett and Segerberg [12] describe a form of protest movements not reliant on resourceful organisations, but driven by personal online content and communications -what they call "connective action". Others, e.g. [18, 57, 72] , highlight how digital technology enables the formation of decentralised networks among groups in different locations, through collective action. These movements are able to attract large numbers of participants, partly because they are supported by digital infrastructures [66] . Studies have also suggested that people "self-mobilise" online before taking part in protests [44, 64, 94] . Finally, digital technologies are often used to facilitate on-theground organisation, information sharing and communication between protesters -what Treré [105, 106] calls "backstage activism". Messaging applications. Some studies explore the use of messaging applications in distinct resistance movements and protest environments. For example, Uwalaka et al. [109] considered the use of WhatsApp in the 2012 Occupy Nigeria protest, Gil de Zúñiga et al. [118] and Valeriani and Vaccari [110] studied messaging applications in activism and political organisations, while Treré [106] showed how WhatsApp is used for everyday activities and organisation by protesters in Spain and Mexico. Similarly, Haciyakupoglu and Zhang [40] found that in the Gezi Protests in Turkey protesters relied especially on WhatsApp to circulate information within the protest area. Messaging applications have also been linked to the spreading of rumours and incitement to violence. For example, Mukherjee [78] explored the use of WhatsApp in mob lynchings in India and Arun [8] linked the spreading of rumours via WhatsApp to them. Tracking and hacking on digital communication platforms are also used by private and state actors to counter opposition movements and to suppress dissent [62, 75] . While such prior works do not consider (information) security in particular, they provide broader context and in some cases surface security-related findings. For example, the importance of trust in information, technology and social media networks is explored in [40, 66] and Tsui [107] studies digital technology use and protection from state surveillance efforts, while Sowers and Toensing [95] engage with wider security concerns such as threats to protesters from authoritarian and violent regimes. The protests responded to the Hong Kong Government's attempt to pass an Extradition Law Amendment Bill [63, 68] . Hundreds of thousands of people took to the streets, where networked groups of protesters organised mass rallies and strikes, boycotted pro-Beijing businesses, barricaded streets, stormed public buildings including the Legislative Council Complex, occupied traffic hubs and seized university campuses [47] . Recent studies have emphasised the centrality of digital and mobile communication technology to facilitate these large, dynamic and highly mobile protest activities; with tactics often referred to as "be water" and "blossom everywhere" [41] . Such tactics meant that the protests emerged from the ground up among activist networks in a nonhierarchical, diversified fashion, relying on spontaneous initiatives rather than topdown leadership and organisation. In general, this served two purposes. While it provided protection from prosecution of individual protesters and police detection, it gave rise to fluid, horizontal communication within and between dispersed groups of protesters [47] . These tactics were partly rooted in protesters' experiences from the 2014 Umbrella Movement in Hong Kong, where high-profiled protesters were arrested and imprisoned, and which were also supported by digital modes of participation that enabled, for example, real-time coordination of "improvisatory acts" [66] . The Anti-ELAB protests are widely considered to have been "innovative" in their tactics, particularly the interaction between "front line" protesters and others. A "frontliner", roughly, is someone engaging in activities that risk direct confrontation with law enforcement [21] . An example of a collaboration between "frontliners" and others are ride sharing schemes where car owners picked up "frontliners" to transport them out of the protest area because public transport was deemed unsafe or shut down [116] . These schemes were run via public online groups that connected protesters with drivers. Existing scholarship reveals little about the security consid-erations of Anti-ELAB protesters. Ting [103, p.363 ] notes that networked protesters used "encrypted messaging app Telegram and mass Airdrops over Bluetooth" to coordinate protest activities, and that WhatsApp and Signal were used to share protest information and to request supplies. Ku [86] points to the mobilisation of Hong Kong youth activists through Telegram and the Reddit-like forum LIHKG, while Kow et al. [60] show how "hundreds of groups" on these two platforms were used to mobilise the protests through polls and the ability to act anonymously. Importantly, however, none of these studies engaged with protesters, but relied solely on interpretative analyses of social media posts, forum posts and/or wider discourses. Looking beyond large-scale protests, our research ties in with other qualitative works exploring the security concerns of higher-risk users. The use of secure messaging by higherrisk users is considered in [33, 42] . Through interviews with human rights activists and secure messaging application developers, this work outlines common and diverging privacy and security concerns among these groups. They found that while developers aim to cater to higher-risk users, the (perceived) security needs of these groups of users are not well understood and thus not well served. Similarly, in [7] the authors discuss the divide between activists and technologists. They advocate that "security engineers [. . . ] step into the language of collective action within a political project" to produce solutions that cater to the decidedly collective needs of activists and contrast this with a prevalent practice where "in the absence of far away users under threat, designers can invoke them at will and imagine their needs" [7] . The security needs of marginalised groups have received renewed attention from information security academics due to an invited talk by Seny Kamara at CRYPTO 2020 [56, 79] . In this talk, Kamara characterises "Crypto for the People" as "concerned with fighting oppression & violence from Law Enforcement (Police, FBI, ICE), from social hierarchies and norms, from domestic terrorists" [56] and contrasts it with a libertarian-inspired concern for personal freedoms. More broadly, studies have explored security for civil society groups [90] , the security and privacy needs of journalists [70, 73, 74] , privacy concerns among transgender people [69] , protection practices by Sudanese activists [29] , fundamental security challenges experienced by refugees [23, 24, 54, 93] as well as undocumented migrants [37] . Like many of these prior works, our work suggests that the population we study has distinct (information) security needs that must be understood in order to design security technologies that meet those needs. LIHKG is a Reddit-like forum that allows posts only from users with email addresses originating in Hong Kong (cf. [86] ). Signal and WhatsApp are messaging applications that use phone numbers as contact handles and perform endto-end encryption by default on all chats. Both applications support one-to-one chats as well as private group chats of up to 1,000 and 256 users respectively. Telegram is a messaging application that offers the option of end-to-end encryption for one-to-one chats only and supports public and private groups of size up to 200,000 as well as public channels with an unlimited number of subscribers. Telegram requires a phone number for registration but allows this to be hidden from other users. Facebook Messenger is a chat service connected to Facebook, offering optional end-to-end encryption. On the technology level, Telegram makes roughly the same security promises as Facebook Messenger with respect to confidentiality -with its bespoke MTProto protocol taking the role that TLS plays for Facebook -but it makes it easier to adopt a pseudonym. Signal and Telegram secret chats allow users to send disappearing messages which are deleted by the sending and receiving application after a certain time has passed (five seconds to one week). WhatsApp has recently enabled this option but has a fixed timer of one week. Telegram also supports scheduled messages to be sent at a later date and time, before which the sending of the message can be cancelled. 1 Further, Telegram allows a user in a one-to-one chat to delete messages for the other party, and a group administrator to delete messages for all group members. Neither WhatsApp nor Signal used to support this feature. 2 Telegram supports conducting anonymous polls in groups and channels. Life360 is an application that allows remote monitoring of a phone -e.g. location, remaining battery -that describes itself as a "family safety service" [71] but is mostly known for being invasive [81] . WhatsApp and Telegram also support live location sharing with another user for a period of time. In this section, we outline our methodology, which is based on a qualitative research design and a grounded approach [19, 45] , informed by existing social movement research (see e.g. [13] ). Semi-structured interviews were chosen due to their exploratory nature; they are sufficiently structured to provide 1 The messages are scheduled on the server and thus will be sent even if the user goes offline afterwards. 2 As of January 2021, Signal includes limited support for message deletion for everyone (only the sender can delete their own messages, within three hours of sending) [92] , but this was not the case when the interviews were conducted. WhatsApp now supports the same feature with a time limit of one hour. consistency across interviews and to address particular research questions, while leaving space for participants to offer new meaning to the topics (see e.g. [35] ). Interview process. Informed by a topic guide (Appendix A), the interviews explored the use of communication technology within the protest environment and how protesters' security needs and practices shaped this use. Each interview covered topics such as communication technology use in Hong Kong, including specific platforms and applications as well as security concerns related to this technology use. The first two topics covered in the interviews deliberately did not focus on security, as it was important not to 'force' a security angle. However, all participants mentioned specific security concerns related to their use of technology before we asked about them. This is not surprising, since information provided to participants prior to the interviews included information about the broader research focus and the composition of the research team. Moreover, the adversarial context foregrounded security concerns. Interview questions were intentionally broad to ensure that the research remained exploratory. This is an essential aspect of qualitative research, which works in the context of discovery and therefore emphasises openness and depth. The interviews were conducted by one member of the research team, between December 2019 and July 2020, as outlined in Table 1 . Interviews were conducted remotely in English. Participants and recruitment. 11 participants from Hong Kong (P0-P10), all of whom had either primary or secondary experience of the protests, were recruited. All participants had attended at least one Anti-ELAB protest and were all members of protest-related online groups. The distinction between 'primary' and 'secondary' denotes front-line protest experience. Participants self-reported as 'only' having secondary experience, because they had not been on the front line of a protest and were therefore less likely to have direct confrontation with law enforcement, while participants with primary experience had. We categorise participants' protest experience as primary or secondary, with the former defined as having been on the protest 'front line'. The protection of participants was our priority at all stages of the research. Initially, we only contacted publicly-known figures in Hong Kong, which led to three initial interviews. We then reached out to potential participants through two local gatekeepers, 3 who shared our contact details and a participant information sheet (PIS) with potential participants. The PIS outlined what participation would involve and how we would protect participant information. Gatekeepers were not involved in our communication with participants and whether someone decided to participate was not shared with them. No specific selection or exclusion criteria were used to target individuals except for their primary or secondary involvement in the Anti-ELAB protests. However, this was by no means a straightforward recruitment process. We contacted more than 60 individuals linked to the protests and recruited 11. There are a number of reasons for this. First, the sensitive nature of the research and the importance of anonymity for protesters made it difficult to identify and recruit individuals with relevant protest experience. Second, parts of the research coincided with China passing a new national security law for Hong Kong, which also imposes restrictions on engaging with "external elements" [89] . Thus, many of our contacts declined to participate for safety reasons. Third, COVID-19 meant that travel to Hong Kong to engage with protesters was not an option. Hence, all engagements were carried out online. Human subjects and ethics. All of our activities were approved for self-certification through our institution's Research Ethics Committee before the start of the research. Given the high-risk environment, and since our priority was to protect participants, we made sure to design our study in a way that minimised the collection of personally identifiable information. We recommended encrypted and ephemeral modes of communication, but followed participants' preferences, while using burner devices and anonymous accounts on our end to limit potential attack surfaces. Interviews were carried out by one researcher and were not audio recorded. With explicit consent from participants, extensive interview notes -verbatim where possible -were captured by the researcher. These were transcribed and stored on an encrypted hard drive. 4 To minimise risks to participants and researchers, we compartmentalised internally and only the researcher who carried out and transcribed the interviews has access to the raw data. Participants were not required to make their names known to us and we did not record any personal details in our interview notes. We do not report demographic information such as age or gender, nor do we report participant locations or their employment status. This is to protect their anonymity. Finally, participants were not compensated for taking part. Interviews were analysed through an inductive analytical process, where the same (one) researcher coded the data through three coding cycles using NVivo 12 [50] . The first cycle used open coding and produced a range of descriptive codes, which were grouped in the second cycle to produce axial codes [87] . In the third coding cycle, the core variables in the data were identified and selective codes were produced and grouped into categories [84] . This form of analysis is employed to identify and analyse patterns across a qualitative data set, rather than within a particular data item, such as an individual interview. At the final stage of the analysis, technological implications were explored by the entire research team. Limitations. A number of limitations should be taken into account when interpreting our findings. First, our study was limited by the difficulties we experienced in engaging participants in our research, as outlined in Section 4.1, and research findings might have captured other practices if further interviews had been conducted. Yet, the semi-structured nature of the interviews was chosen to provide depth rather than scale. Moreover, the analysis suggests that coding saturation was reached. Second, conducting interviews online limited the researcher's ability to observe the participants' physical settings, which might have affected their ability to speak freely. Third, some protesters, who declined to participate, might have been particularly concerned about security. Fourth, while participants spoke fluent English, it might have been possible to recruit a broader selection of participants if interviews had been conducted with the assistance of a translator. Finally, there is an inherent bias in interview-based research, particularly when it concerns security or technology questions, given that participants self-select to take part. Some contacts decided against participation because they did not feel that they knew enough about the technologies they were using. This limitation is not unique to this study, but mirrors other technology-focused interview-based studies; they are inherently biased towards the more tech-savvy end of the population being studied, such as security trainers or attendees of IT security trainings. Future work should consider adopting ethnographic methods of inquiry to overcome this limitation. Our research findings are structured into five subsections: Section 5.1 focuses on the technologies used by protesters and why, Section 5.2 shows how these technologies interact with the social organisation of the protests, Section 5.3 discusses tactics for detecting and reacting to arrests, Section 5.4 shows how protesters address the limitations of the technologies they rely on, and Section 5.5 focuses on how and from where protesters develop ideas about their security. Internal communication between Anti-ELAB protesters was mainly done through two messaging applications: Telegram (predominantly) and WhatsApp, with most protesters joining dedicated protest-related groups on both applications. Telegram was used by all participants and dominated our findings. One participant summarised Telegram as "the most useful platform, followed by WhatsApp" (P0), while another expanded: "For communication and organisation, most people use Telegram" (P6). Participants observed that its popularity in the protests was based on three conditions: (1) its widespread adoption prior to the protests, (2) its security, which was perceived to be better than any other messaging application and (3) the ability to form both large and small groups. Telegram's polling feature emerged as another reason for adoption as well as various of its features used to monitor fellow protesters for arrest, as discussed in Section 5.3. Participants understood Telegram to give them the "most security" in group chats (P0). As explained by one participant: "We have a group on WhatsApp and another one on Telegram, but we use the one on Telegram to talk about our actions [. . . ], because we think Telegram is more secure" (P9). One participant (P5) noted that, although end-to-end encryption was not the default setting in Telegram group chats, this could be enabled. This is incorrect (see Section 6.3) and demonstrates how an incomplete or, as in this example, incorrect understanding of security might shape participant perceptions. WhatsApp was also used by the majority of participants in our study and they assumed that this would be the case for others too: "most protesters use WhatsApp too, yes definitely" (P3). Yet, WhatsApp was seen to be less suitable compared to Telegram because it only allows for groups of up to 256 members. While Signal was brought up by several participants without prompting, our data suggests that it has not seen any significant adoption among Hong Kong protesters. Participants highlighted the discrepancy between what they perceived as their security needs and what is offered by Signal. First, the need to provide a phone number was seen to conflict with the need for anonymity to avoid police detection: "the reason we don't use Signal is because Signal requires that you know the telephone number of the other people if you want to make a contact" (P7) and "The thing is, people in Hong Kong cover their faces when they go out to protest. They want to be anonymous. So, if you have to then give your phone number, it doesn't make sense" (P7). 5 When asked whether they would consider using burner SIM cards to use Signal, they responded that the benefits would not outweigh the risks. Second, the function of being able to delete messages sent by other group members was key for protesters: "You cannot tell people to use Signal instead of Telegram, because that's not realistic and also Signal is horrible at other things that the protesters need. For example, you cannot control what happens to your messages once you have sent them. You can just use disappearing messages" (P6). Thus, participants in our study compared the security offered by Signal to Telegramnot to WhatsApp -when making decisions about which tools to use. While WhatsApp also requires phone numbers, it was already widely used by participants before the protests and they felt confident and, as a result, secure using a tool with which they were already familiar. Where Telegram catered to their need for anonymity in large group chats, WhatsApp was used for small close-knit groups, where anonymity was not a security need. Hence, Signal was not seen to provide them with additional security or required key functionality. Our work speaks to the utility of groups on messaging applications for on-the-ground protest organisation enabling collective practices, strategies and tactics -and to related security requirements. Here, we discuss such practices and show how different types of groups, characterised by their size, imply different, at times opposing, security requirements. Two types of groups were identified in the data: large Telegram groups, sometimes with 2,000, 20,000 and 50,000 members and small(er) groups on both Telegram and WhatsApp. The former comprised public groups set up to disseminate protest information across large networks, facilitate collective decision making and reach and connect disparate groups. The latter were formed around more or less close-knit groups of protesters. All participants in our study were members of several Telegram groups; some small groups, made up of people they had met during the protests, and some large groups, which they predominantly used for information-gathering purposes. This divide also mirrors the division between participants' protest experience; those with only secondary experience had never been part of small protest groups, but were in several large public Telegram groups. Participants with primary protest experience were members of both types of groups. All participants, regardless of protest experience, gave examples of how they knew that the large Telegram groups were infiltrated by e.g. local police officers, who monitored the groups to gather information about protesters and protest strategies. Several participants also reported deliberate attempts to undermine the protest efforts in these groups by presumed infiltrators. While there was general consensus among participants that the disruption caused by these infiltrators was minimal, it highlights an important aspect of big group chats: all participants accepted that confidentiality could not be achieved in these large groups, while they assumed that it could be achieved in the smaller groups. However, large groups were essential for the successful organisation of protest activities because of their scale and reach -and crucial for the collective actions that they facilitated, such as joint decision making. For all participants with primary protest experience, being able to organise quickly and securely was the key motivating factor behind having smaller rather than larger groups. The large groups were run by dedicated administrators (see Section 5.2.4), while the small groups were formed "quite organically and not that organised" (P5). Each small group, however, had its own identity, its own utility. One participant explained this by drawing on two groups, one with 26 members on Telegram and another one with six members on WhatsApp: "there are still some differences between those 26, because I met six of them and formed a small team. But the other 20 joined later. So, actually, those 20, I haven't met them before, face-to-face. We have the WhatsApp group, only the six of us. And on Telegram we have the 26" (P2). The importance of secure messaging applications for protesters has already been articulated in previous works, e.g. [33, 42, 106, 118] . In the Anti-ELAB protests, such applications more specifically cater to the particular strategies and tactics employed by protesters: a flat structure, mobile, dynamic and large-scale in nature. All participants in our study explained how the ability to collectively decide on strategies and tactics in real time across large and geographically dispersed protest sites was essential to the success of the protests. One participant articulated how Telegram provided a "safe online space" to collectively decide specific actions: "we use Telegram to talk about our actions, our equipment, our strategies, our tactics" (P2). Another participant spoke about how Telegram enabled immediacy, which was needed when tactics had to be altered during a protest: "during the protests themselves, the information is more related to strategy, like, what to do right now" (P5). Both quotes highlight the sense of urgency felt by participants when talking about sharing tactical information during protest actions. Several other participants expressed a sense of information overload given the volume of information being shared during protests. This often made it difficult for them to keep up with evolving protest tactics. One participant noted: "When protests are actually taking place, the groups are much more active, there's information all the time and it's difficult [. . . ] to know what the strategy is" (P9). Such statements exemplify the challenges experienced by protesters when faced with multi-directional and extensive information in both adversarial and highly digitalised environments: "it's hard to keep track of stuff" (P10). All participants with primary protest experience spoke of how they would have to make tactical decisions within seconds when receiving information about police locations or new gathering points. For many, this meant deciding which groups to "keep open and which to close" (P7) while participating in protest activities, hence, limiting the information they would have to digest. Protests are by their very nature a collective endeavour and the mobilisation of protesters has been the topic of many recent works, as identified in Section 2.1. However, beyond mobilisation, our data reveals how Telegram and LIHKG were used to make collective decisions about protest tactics, in real time. Several participants in our study exemplified how large Telegram groups were used to vote on "the next move", as explained by P7, while LIHKG was used to vote and decide on broader protest strategies at the start of the protests. "This forum called LIHKG. We used it for strategy and stuff. Like in Reddit, people can vote [. . . ] And we used it because you can only register with a Hong Kong email provider" (P9). These features -collective and limited to people with a Hong Kong email account -made LIHKG a central platform early on in the protests. One participant suggested that it enabled "nuanced discussions about strategy and to vote on strategy" (P5). Yet, many participants noted that, over time, the organisation of on-the-ground actions "couldn't be done on the forum because the police is monitoring it" (P9). Thus, for real-time voting on tactical moves during protest actions, protesters had moved to Telegram groups, where polls on, for example, "where to go next" (P10) often received several thousand votes. While all participants in our study also assumed police monitoring of the public Telegram groups, the speed with which collective decisions could be executed made police infiltration less of a concern. Forums were, on the other hand, generally seen to be slow and not suitable for live protest action. One participant explained how the voting worked best when only a few options were given, enabling protesters to make a "simple choice between A or B" (P3). However, based on our data, we see that the option with the most votes is rarely followed by everyone. Given the anonymous nature of these groups and of the polls -and since anonymity was a key security need for Anti-ELAB protesters -it is unclear who votes in these polls. The scale of these groups was, however, critical for the success of the protests for two main reasons: it established a strong sense of collective decision making which, in turn, meant that no single person was seen to be publicly leading the protests. For the protesters, this had a security function as well, as it was seen to spread the risk of arrest to several thousands of people; to everyone who voted. The centrality of protest groups on messaging applications meant that group administrators occupied key positions in the protests. Without public leaders, our data suggests that group administrators were seen as the leaders of the protests. While not directly articulated by the participants in our study, many of them spoke to the multiple and critical roles performed by group administrators and the trust that protesters placed in them. Importantly, however, group administrators remained anonymous leaders, hiding their identity to avoid police detection. Moreover, most groups had several administrators to "spread the risk [for the group] to more than one person if one admin is compromised" (P9), allowing non-compromised group administrators to revoke the administrator capabilities of those compromised. The same administrator also often managed several groups at the same time through different accounts. Our data contains several examples that support the interpretation that administrators took the role of leaders. One participant noted: "We have groups for voluntary medical support, and we have many groups for legal support. So, the whole protest, without leaders, is organised by these group administrators" (P9). This mirrors how many participants experienced the protests themselves: as a decentralised movement, with "many people who lead but no organisation" (P3) or "flat but not leaderless" (P2). To illustrate the central role of administrators, we use an example that was recounted by all participants in our study: a voluntary ride-sharing scheme. This was critical to get protesters ("frontliners" in particular) to/from protest sites, as using public transport was "too dangerous for protesters because the police go to public transport to attack and arrest people" (P3). However, many participants noted that the scheme required protesters to trust the administrators of the groups through which the scheme was run and their vetting procedures, which relied on drivers sharing their licence details with the group administrator(s). This was a way for them "to verify the driver's identity before referring them to the protesters" (P2). When a protester requested a driver through the group, the administrator would "link up the car/driver and me as a protester. We don't know the driver or the administrator, but we know the licence number" (P7). Some participants noted that while administrators would try to verify the driver's identity before referring them to protesters, they knew of several examples of undercover police officers pretending to be drivers, resulting in arrests. Still, participants with primary protest experience had all used this scheme and said, in different ways, that they had no choice but to trust. The practice of establishing close-knit groups on Telegram and WhatsApp led to a number of security constraints for protesters, which centred on the need to establish trust within highly digitalised and adversarial environments. All participants with primary protest experience noted how their groups had developed particular onboarding practices rooted in interactions at sites of protests. This was seen as necessary to verify the identity of any newcomer to the group and ensure trust among group members. Based on the experiences of the participants in our study, specific onboarding practices were adopted for both Telegram and WhatsApp groups with between five and 30 members. Our data shows how small close-knit groups were formed around protesters who had met face-to-face during the protests "before moving the connection online" (P4), as "seeing each other and standing on the front line together is very important for trust" (P10). These trust bonds were described to be established through shared aspirations and were seen to be key for the success of the protests as they enabled affinity groups to form and carry out essential tasks, e.g. provide legal or first aid. This was supported by another participant, who noted that it was important for their group that any new members supported their faction: "So we see them in person first and we then also know that they are chanting the right slogan" (P9). Participants also explained how offline connections would only be moved online once rapport had been established with new group members. Our data suggests that, for most groups, this form of gradual onboarding to establish trust sometimes took weeks and sometimes months. We unpack this collective process by using an example given by one participant, who belonged to two small affinity groups. They explained: "First, we have to meet them faceto-face. It's not that you just meet them and then add them, it's about values and beliefs and aspirations. We want those newcomers to work with us in the field several times first. If they share the same beliefs and aspirations, they can officially join our Telegram group" (P0). For the close-knit groups, where specific protest activities related to the group would be discussed (what protesters deemed "sensitive information"), all existing group members would have to meet any new group members before they would be allowed to join. Our data contains some examples of specific onboarding processes where some group members had been unable to meet a new group member. This would then become a negotiation between existing group members: "someone in the group will say 'I know a person who might be able to contribute to this group', and there will then be a short discussion and then a decision" (P3). Participants noted that while this was not "bullet proof" (P10), it was also important for them -and for the success of the protests -to accept group members who they thought would be able to contribute to their efforts. However, this form of onboarding was accompanied by a level of distrust for some participants, who would insist on meeting all potential group members before accepting them into the group: "I would want to meet all group members in person first, before accepting them" (P1). As expressed by another participant: " Sometimes you have to make a choice, even if you haven't got enough manpower, you only recruit people who you trust" (P10). The main concern was articulated as "potential infiltration of police" (P7). This was a common worry expressed by participants and was connected to their experiences with large Telegram groups, where police infiltration was explained to have led to several arrests. Our data demonstrates that the threat of arrest during a protest and the subsequent compromise of the arrestee's close-knit affinity group was a key concern for participants. Our data shows that different protest groups adopted subtly different approaches to monitoring each other while attending protests. Our data also suggests that this was a widely adopted collective (security) practice for Anti-ELAB protest groups. Our data contains three approaches to monitoring: the use of specific monitoring applications, scheduled messages or regular messages. The use of specific live-tracking applications was practised by several participants and comprised a system whereby when some group members went onto the street, the rest of the group would be responsible for monitoring their whereabouts using WhatsApp or Life360. Some participants explained how they would use both applications simultaneously to ensure that they would be able to receive constant updates. This was seen as particularly useful to determine whether a group member had been arrested: "There are some signals that tell me that the person got arrested. For instance on the live location, if they disappear from the map then I know something is wrong [. . . ] if I know they have battery and suddenly disappear then I can call them. If no-one picks up the phone for a long time and we can't find them in the field, then we will track their last location. And then we know whether they have been arrested" (P1). Another participant detailed their group's approach to live monitoring, which relied on regular messages: "If my friends go out in the protest, I'll stay up and every hour I'll text and ask 'are you safe?' And if they don't respond within two-three hours I'll assume that they are arrested" (P3). The same participant reported that "there's a feature in Telegram that allows you to periodically send out a message. So, it does something automatically periodically -so these pings are exchanged among a group and if you see that someone isn't responding to the ping, then probably something bad has happened" (P3). 6 Another group used timed or scheduled messages to alert group members should their phone be inactive for a period of time: "we use timed messages, so others know that if they receive the message, I'm probably arrested" (P9). That is, protesters would schedule a message to be sent later and would cancel this scheduled message once they returned from the site of protest. If they failed to cancel the message, this was taken as an indication of a problem. Other participants gave similar accounts and noted that these practices had been systematised within many groupsand that groups had learned from each other -in response to a growing number of arrests. For them, being able to monitor each other was seen as a way "to protect others when someone gets arrested and also to provide legal assistance" (P3). For all participants in our study, this form of monitoring was important to protect and support group members in the event of arrest: first, by arranging for legal aid and, second, to control access to information about or related to other group members. It is for this reason that the ability to delete messages sent by any member in a group was seen as vital. In case of an arrest, the group administrator(s) were responsible for removing messages from the arrestee's device and to remove them from the group. This feature was seen as key: "I can delete the messages for others, not only for myself" (P7); as allowing them to "control the conversation" (P4) or to "control what happens to your messages" (P5) and to kick out anyone who had been arrested and to delete all group messages -"so we can at least keep the others safe" (P2). Our data highlights a number of concerns and conflicts raised by participants in relation to such live monitoring practices. First, the concern that their live locations might become available to the police showing that they had "committed crimes by being in locations they aren't meant to be" (P7). Thus, this appropriation of consumer applications with unclear privacy guarantees illustrates the limitations of existing security technologies. Second, live monitoring through specific location-tracking applications was also seen to limit participants' control over access to data as it is not possible to delete the data in Life360 or WhatsApp: "if a group member is arrested, the police can track the others via the app as we cannot delete for others" (P2). More broadly, participants articulated how they would try out different technologies to find "the best solution available" (P5), but also know that these did not serve their security needs. We expand on this point in Section 5.5. We present the additional practices adopted by protesters to address the limitations of the technologies they use. Protesters spread their identities across different accounts and devices to achieve a level of pseudonymity and a variety of low-tech tactics were adopted to handle congested networks. All participants in our study spoke about how their involvement in the protests had heightened their focus on personal and information protection. For participants, particularly those with primary protest experience, any personal information was considered sensitive. In security terms, their (online) identity was closely tied to their protest activities, driving a growing need for pseudonymity: "protesters make their profiles private, they use a separate SIM card, they use pseudonyms and so on" (P6). Several participants explained how protesters had "a separate phone when [they] go out and a separate SIM card" (P4) and how they had "another group with a different number which is attached to a different SIM card and completely isolated from the usual groups" (P2). This separation between protest groups and phone numbers was seen as a key mechanism for protecting individual anonymity and to go undetected by the police: "So, that's why we don't want to give out phone numbers, even with burner phones" (P9). Another participant articulated how they, along with other group members, had several phones and other devices as well as several accounts on different applications. This is in addition to several protesters sharing one account, which was said to be done to ensure that others "won't know they are not the same person" (P10). These desires to protect their identity and the identity of group members, combined with what many participants referred to as increasing surveillance measures by Hong Kong authorities, were articulated as causing a critical need for anonymity. This need was also linked to the popularity of Telegram as a protest tool in Hong Kong: "I think Telegram is particularly good because it allows you to stay anonymous" (P5). Yet, participants also noted how the "move to Telegram" had created a "conflict between trust and anonymity" (P9) because they were no longer able to "look at people's Facebook profiles" (P7) to establish their identity; a practice that was used extensively during the 2014 Umbrella Movement. Hence, online vetting of potential group members had become impossible. All participants with primary protest experience had also experienced being disconnected, due to network congestion, while taking part in protest activities. They explained how they had found alternative ways of communicating with other protesters. These took different forms. First, some participants with primary protest experience articulated how they relied on interactions with other protesters in the street, which enabled them to develop and use hand signals to pass on messages: "Sometimes it's just much easier just to wave or communicate using some hand gestures, when the network is down" (P10). Participants gave specific examples of this form of non-verbal communication. They noted that hand signals were often used to communicate which supplies were needed on the front line: "If you see someone doing a cutting motion with these two fingers [index and middle fingers] you know that scissors are needed" (P9). Arms orbiting the head was said to indicate that helmets were needed on the front line (P7). Second, some participants spoke about how they would go to places with WiFi facilities to try to send messages during the protests. Yet, this approach was only adopted at critical points when they saw no other ways of communicating. Third, some participants noted how they would "revert" to using SMS, at times when they could not connect to the Internet. Exemplified here by one participant: "there was a time when I was at [location] because of the protests and couldn't connect to a network for some reason and couldn't connect via Telegram or WhatsApp. So, we could only connect with the outside via SMS. Paid messages" (P2). Finally, most participants had heard about the mesh networking application Bridgefy (see [3] ), which according to news reports saw a spike in downloads in Hong Kong in September 2019. However, none had successfully used it: "it just doesn't work" (P7). These alternative approaches of connecting when the Internet is not available speaks to the disconnected needs of Anti-ELAB protesters. While Hong Kong authorities did not resort to shutting down the Internet, protesters experienced significant disruptions to their digital communications. These disruptions, which are a feature of the protests' large-scale nature -"A million people just makes it impossible to communicate" (P9) -render the technologies that protesters rely upon largely futile, at the height of protests. We explore where Anti-ELAB protesters' notions and ideas about security and their own security needs have come from. In so doing, we first show how previous protest experience shapes protesters' practice of security and how the adoption of messaging applications is a result of a change in security mindset among protesters. Second, we show how protesters with no or limited protest experience adopt the technologies and practices employed by more experienced protesters. It is worth noting, however, that our data reveals that participants with only secondary experience of the protests assumed greater adoption of applications such as Bridgefy and Signal than what was exemplified by participants with primary protest experience. This is not surprising given how (inter)national media outlets have reported on some of these technologies [59] . Yet, it is important to distinguish between actual and perceived adoption and requirements, and it points to the urgent need for secure technology designers to engage with the groups of users they seek to serve, as also noted in [7] . Our data suggests a change in protesters' security mindset during the Anti-ELAB protests, with most participants highlighting a growing need for anonymity, due to heightened surveillance, and confidentiality, in relation to trusted and close-knit small groups. All but one participant with primary protest experience had also taken part in previous protests in Hong Kong and had experience of using technology within such protest environments. These participants compared their experiences in the current protests with those of the 2014 Umbrella Movement, where "you basically had no access to the Internet as there was so much traffic and the network was super slow" (P3) and "most was organised over Facebook" (P2). In addition to changes to technology, several participants highlighted how the protest environment had become increasingly adversarial: "In the 2014 movement, things happened much more slowly [. . . ] There was no conflict most of the time. But this is very different now" (P9). Many participants noted that this had led to a shift in security mindset among protesters. While "before June last year [2019] , people would be gathering on Facebook" (P6), "just talk about about sensitive information on Facebook's messenger" (P10) and "not think about end-to-end encryption" (P2), this had changed with what they described as an increase in police surveillance and arrests. This shift in mindset had led to a greater adoption of Telegram. For Anti-ELAB protesters, as articulated by the participants in our study, information security is a collective endeavour. It is practised by individual protesters, who have their own security perceptions and needs, yet these are shaped by the security decisions of the group. At a high level, this is not surprising given the centrality of groups in these protests, the practice of voting on strategies and tactics, and the fact that not everyone holds the same security knowledge. It does, however, speak to how security is practised within groups. It also demonstrates that, to be a group member, protesters have to buy into the security collectively decided for the group. One participant explained how they had tried to convince members of their group to switch to Signal after they had realised that "people in other countries use Signal" (P2). Yet, this had been unsuccessful as other group members preferred to keep the group on WhatsApp, as they were already familiar with this application and its (perceived) security. This led to them having to compromise their own security needs to be a group member. One participant said that they had changed their practices to be in line with other group members: "I only started to use Telegram during these protests. I didn't use it before. I heard that Telegram is used by terrorists, because it is so secure. And it is used by my groups" (P1). This participant accepted that they "had to conform to be in the group". Participants explained how they had observed others "change their security mindset" to buy into the security of their group (P3). Our data also contains several examples of how participants were either unsure about the level of protection offered by some of the technologies they used or knew that a particular application was not "the most secure" (P10). For example, one participant explained how they had accepted that they could not "do everything to protect" themselves (P9). This was reiterated by another participant: "I do not know if Telegram or WhatsApp are safe to use or whether the Chinese government can listen in, but I use them because others use them" (P7). Moreover, some participants had accepted that their security needs would not be met by the technologies they used but that they offered "good enough" security (P0). Participants with less protest experience or who did not perceive themselves to be security conscious noted how they relied on other protesters for advice. At a group level, the security approaches and technologies adopted by one group would often be adopted by another group. This is evident from comments made by participants about how they would look to more established groups for security advice. Our observations about onboarding practices and live location monitoring also exemplify this point. First, onboarding processes adopted by groups were generally performed in similar ways. Second, live location monitoring was practised by all groups that included participants with primary protest experience. These subtly different approaches centred on only a few technological solutions and established practices. In this section, we reflect back our findings to information security scholarship, with a focus on cryptography. Telegram. The participants in our study reported Telegram as the predominant messaging application used by Anti-ELAB protesters. This finding is corroborated by media reports, e.g. [11] , and corroborates prior work that established the use of Telegram by activists [33] . However, Telegram has received relatively little attention from the cryptographic community [53, 58] or information security research [1, 6, 97] . As noted in [58] , academic attention is focused on the Signal Protocol partly due to its strong security promises such as forward secrecy and post-compromise security. Indeed, even when Telegram is studied, its end-to-end encryption in secret chats is the focus, cf. [53, 58] . This feature, however, has little impact on the actual security provided by Telegram in the use case considered here, since secret chats are one-to-one only. Group chats are secured at the transport layer by Telegram's bespoke but understudied MTProto protocol, which Telegram typically uses in place of TLS. 7 Telegram also implements a variety of features meant to support anonymity within groups, often in response to user demand [99, 100], which have not been rigorously examined. Our work suggests the study of MTProto and the anonymity guarantees of Telegram's group chats as pressing problems for future work. Messaging Layer Security (MLS). Our findings support the decision by the MLS working group to support groups of up to 50,000 users [96] . On the other hand, our findings indicate diverging security goals for different types of groups, roughly characterised by their size, in the setting under consideration: anonymity of group members towards each other but no confidentiality in large groups forming one type, and another one being confidentiality and authentication in small, closeknit groups. Our data presents a use case where a hierarchy of permissions in groups is central and where out-of-band authentication of group members may be assumed, weakening the need to trust the Authentication Service as defined in [96] . MLS does not model group permissions at a cryptographic level but aims to be compatible with this use case when such restrictions are externally enforced. It is worth noting that MLS supports multiple devices per user, while our data presents the practice of multiple users sharing the same account. It is plausible, though, that this conceptual difference does not make a difference in practice on the MLS level. Compromise. In the literature, the notion of forward secrecy (FS) [38, 61] is understood as the protection of past messages in the event of a later compromise of an involved party and the notion of post-compromise security (PCS) [22, 28] as the protection of future messages some time after a (usually full state) compromise. Both of these security notions work with a persistent, global adversary of some form. Post-compromise security protects against an (ordinarily at some point passive) adversary after a compromise. Forward secrecy protects against an adversary that either passively observed the communication (weak FS) or even actively attacked it before the 7 In [33] it is incorrectly reported that group chats default to TLS. compromise. 8 The compromise the participants in our study were most concerned about was during and after an arrest. Here, they were concerned with both forward secrecy (remote message deletion) and post-compromise security (excluding an arrestee from a group). However, their notions differed from those in the literature. First, a cryptographic scheme achieving forward secrecy would not achieve the notion of forward secrecy desired by the participants in our study as messages remained stored on the recipient's device. 9 That is, our participants assumed and aimed to protect against a compromise that reveals not only key material but also the entire chat history (stored on the phone). Second, a security goal of the participants in our study was to protect themselves during the compromise not just afterwards. As indicated in our research findings, there is a variety of behaviours attempting to detect and control compromise as it happens, including location monitoring, timed messages, revocation of administrator capabilities and message deletion for others, all done on behalf of the compromised person by the remaining group members (we discuss the resilience of these methods in Section 6.3). Critically, their notion of post-compromise security was at a group level (removing the compromised party) rather than for the compromised party. 10 Overall, the adversary model of the participants in our study is both stronger (the adversary also compromises the chat history; protection against an adversary during a compromise is intended) and weaker (detectable) than those in the literature, i.e. the resulting security notions are incomparable. Time and place. Implicit in our data is that security and access requirements change with time and place. Group members away from the front line are assumed to be relatively safe, compared to those on the front line facing immediate arrest. This suggests a partial solution for forward secrecy. Group membership could be restricted while out in the fielde.g. messages disappear faster, no access to the list of group members, only pseudonymous handles, no admin rights -with fuller access being restored using a secret-shared key afterwards. 11 More broadly, it suggests modelling the dynamic nature of access privileges over time and place. Anonymity and authentication. The use of forums such as LIHKG and large public Telegram groups, combined with the desire to avoid being tracked, suggests a need for a different kind of communication platform. If infiltration is assumed, the focus shifts from protecting confidentiality to protecting identity. As our data shows, this focus on anonymity surfaces the question of how to establish trust. A number of proposals exist in the literature: Dissent [27] claims a "collective" approach to anonymous group messaging with accountability, Riposte [26] aims to provide a secure whistleblowing or microblogging platform that resists disruption and Anon-Rep [117] presents an anonymous reputation system for message boards. The systems vary in cryptographic assumptions, threat models as well as ability to scale, but none of them provide real-time messaging and are hence only suitable for public forums that are not time-sensitive. None of the cited works have moved beyond the prototype stage, and many open research questions remain in the area. Closely related is the study of reputation systems, whether centralised [14, 36] or decentralised [9, 82] , originally motivated by the information leakage in services such as eBay or Uber which utilise public user ratings. It is not immediately clear how such a system could be translated to the setting of user trustworthiness in anonymous messaging, but the emergence of crowdsourced services such as the voluntary car scheme reveals potentially more straightforward applications. Yet, the context in which reputation systems are reasoned about is largely limited to marketplaces and cryptocurrencies. Moreover, given the strong emphasis on collective or group action indicated by our data, it is an interesting open question where (if anywhere) group [20] or ring [85] signatures, the primitives often underlying reputation schemes, may productively be deployed. However, the high level of mutual trust required to operate in small affinity groups and the practice of sharing account credentials might make the functionalities of these primitives unnecessary. Trusted third parties. Our data indicates that the Anti-ELAB protests rely heavily on trusted third parties. This is true in a technological sense, e.g. group chats are not end-to-end encrypted and facilitated by Telegram's servers, which are protected by geopolitics, i.e. the limited reach of the current adversary. This observation corroborates prior work on activists [33] . While this technological reliance might be an artefact of necessity -viable alternatives are absent -our data also shows that trusted third parties, in the form of anonymous group administrators, are a central feature of these 'decentralised' and 'leaderless' protests. The work of Azer et al. [10] highlights the significance of what they call "connective leadership" in digitally enabled and self-organised contemporary activism. Echoing this work, our findings illustrate how even 'leaderless' protests require leaders to connect protesters and protest groups. In the Anti-ELAB protests, due to their highly digitalised nature and experiences from the 2014 protests, group administrators act as connective leaders. This makes understanding their information security practices and needs a critical area of research for information security researchers, as the compromise of one of these administrators can have significant consequences, see e.g. [102] . This is particularly pertinent as large-scale protests around the globe adopt the strategies developed in these protests -their dynamic, mobile, digital and flat structure. On a technological level, recalling that the administration duties are often split between different individuals, and that the most prevalent form of compromisearrest -may be detectable, MPC solutions, even in the efficient non-malicious setting, might suggest themselves. The participants in our study made security decisions based on specific functionality needs and explicitly formulated domainspecific security perceptions. However, our data reveals several mistakes in their perceptions of the security guarantees of the tools they relied on. Participants assumed that end-toend encryption could be enabled in Telegram group chats, which is incorrect. The data also highlights that the ability to delete messages on other users' devices and to remove them from a group after an arrest drove the adoption of messaging platforms. Yet, these tactics assume that the compromised device continues to receive and process deletion requests; the more this tactic catches on and thus registers with the adversary, the more dubious this assumption becomes. Such misconceptions are not unique to our study. For example, several studies on usability, e.g. [51, 112] , highlight user misconceptions and false mental models in relation to security. Other studies, e.g. [2, 30] , also suggest that users find it difficult to understand the security of the applications they rely on and whether it fulfils their needs. For higher-risk users such misconceptions can have dire consequences for their safety, especially since the misconceptions identified in our study tended to overestimate the security guarantees given. Critically, however, our data highlights the negotiated and collective nature of adoption in this setting, in contrast to individual preferences foregrounded in previous work. Our findings speak to an understanding of information security that rests on collective practices, where security for the group is negotiated between group members and where individual security notions are shaped by those of the group. They show how Anti-ELAB protesters practised security to fulfil their own security needs as well as those of the group. Where these were in conflict, our findings suggest that protesters accepted the security approaches collectively decided for the group. Group membership was conditioned on realising specific security goals related to the Anti-ELAB context -anonymity in large public groups and confidentiality and authentication in small close-knit groups. Practices such as collective decision making to provide 'security in numbers' and tactical 'buy in' from group members substantiate the notion that, for the participants in our study, information security is a collective endeavour. The idea of collectivity in information security is not novel, yet, research on group-level information security is sparseand is largely limited to work on employee groups [4, 55] and socialising contexts [115] . Moreover, usable security scholarship generally considers security at an individual level, as do user studies on messaging applications, see e.g. [1, 2, 30, 88, 113, 114] . While, collectively, these studies highlight a series of usability shortcomings of messaging applications, they do not consider the social environment within which these are used, nor do they consider collective security practices which dominated our study. They generally treat such shortcomings as technological problems and/or incomplete mental models among individual users, rather than also considering how users' wider social context and collective, negotiated practices shape their use of these technologies and how (in)secure they feel in doing so. Our findings demonstrate that the particularities of this adversarial context, the Anti-ELAB protests, shaped participants' collective security needs and responses. Participants explained how social relations and trust were established at the protest sites rather than online and how this shaped their security practices, such as onboarding of new group members. In contrast to most usable security assumptions, our data shows that protesters go to great lengths to fulfil their security needs, conditioned on their adversarial setting and their group membership, but that such needs are not fulfilled by the technologies they rely on. As we show in Section 2.3, other interview-based works on higher-risk users also emphasise the significance of the social context for the practice of information security. In bringing our findings into conversation with these studies, we note some high-level connections. For example, the participants in our study reported employing both technical and non-technical protection strategies, which has also been noted in recent studies on, e.g., journalists' use of security technology and related defensive practices [73] and political activists' "low tech" protection mechanisms in the context of the Sudanese Revolution [29] . Yet, while studies on other groups of higher-risk users, such as refugees and migrants, identify several cultural, social, economic and technological barriers that lead to unfulfilled security needs [37, 93] , for the participants in our study, such barriers predominantly related to misconceptions about the security offered by the technology they relied on, the appropriation of insecure technology and their highly adversarial setting. While it is possible to make some high-level connections between our findings and existing studies, the diversity of security concerns experienced by distinct groups and within specific contexts, requires grounded and situated research that is sensitive to this diversity. Moreover, our study, clearly illustrating how security is practised collectively among Anti-ELAB protesters, shows the critical need to situate technological security questions within the specific social contexts of groups, who share particular security goals. Thus, to understand col-lective security concerns and needs, future research should consider employing an ethnographic approach to "unearth what the group (under study) takes for granted" [46, p.551 ]. We conclude by summarising our key findings and by synthesising, with caution, requirements for (secure) messaging applications to serve the needs of protesters. Our interviews paint a diversified picture of group communication patterns, security needs and practices and they show how these are facilitated by a select few messaging applications and digital platforms. Protesters rely heavily on Telegram and WhatsApp for their communication. Our findings illustrate how central these tools are for organising on the ground, by facilitating a collective approach to establish tactics, e.g. through anonymous polls, which was seen to provide both 'security in numbers' and 'buy in' for the chosen tactic. These decisions were made in groups of varying size and the administrators of these groups adopted the roles of leaders in these 'leaderless' and 'decentralised' protests. Overall, we found that these protests were organised in a mix of large public and small close-knit groups, with differing security requirements: anonymity within the group, on the one hand, and confidentiality and authentication, on the other. To bridge the conflicting requirements of anonymity and trust, participants reported a long, offline onboarding process before adding new members to a group. The participants in our study developed tactics to detect compromise and to achieve some form of forward secrecy, i.e. protection of secrets against a later compromise. Group members monitored the movements of fellow group members to eliminate traces of the group chat from their phone in case of an arrest and to render legal aid. This explains the importance attributed to the ability to remotely delete messages on other people's devices. Participants adopted a variety of practices to address (perceived) shortcomings of digital communications and conflicting security needs. For example, to facilitate pseudonymity, compartmentalisation through the use of multiple devices and burner phones was widespread. Participants also reported how security decisions were collective, requiring group members to buy into the security practices of their group. This was a process fraught with conflict as differing security needs confronted each other. For designers, several requirements on (secure) messaging applications emerge from our data: support for both (small) private and (large) public groups, the avoidance of phone numbers or other personally identifiable information and the ability of administrators to control messages and participation in groups. In particular, there is a clear distinction in security requirements for different types of groups: anonymity in large groups, confidentiality up to forward secrecy in small groups. In addition, going beyond strictly messaging, several features such as polls and live location sharing emerged as key enablers for participants. Participants also expressed a strong desire to be able to have control over their messages after sending them, such as on-demand remote message deletion. However, we caution against taking this list of requirements as a blueprint. First, our data only covers interviews with 11 participants. Second, these feature requests are informed by what existing technologies provide and thus do not necessarily represent the horizon of what is possible or desirable. Third, as we discuss above, the security guarantees provided by some of the employed tactics, particularly remote message deletion, are limited. Fourth, our data presents information security as a negotiated, conflict-laden and changing practice, suggesting that a universal solution may not exist. Topic guide used for semi-structured interviews with individuals who have been involved in the Anti-Extradition Law protests in Hong Kong (HK). While structured around five key topics, it includes prompts, examples and follow-on questions to guide the interview. The aim of this topic is to establish existing communication patterns in HK, beyond the protests, before focusing on the protest context in subsequent topics. • Preferred mode of communication in HK? • Popular online platforms in HK? • Why do you think they are popular in HK? • Why use these online platforms? • Benefits/disadvantages? • Use of large group chats/forums in HK? • Why? Why not? • The use of online platforms by HK authorities in everyday communications? • Concerns about online communication switch-off? Likelihood? • What would be the concern? • Who would be concerned? Protesters? Why? • How would a switch off affect the protests? • Concerns about infiltration of specific applications? • To what extent do people speak more openly on one app over the other? Specific applications? Why? • Concerns about information shared? Why? Examples? • Concerns about information received? Why? Examples? Topic 4: Notions of security within online/offline networks during the Anti-ELAB protests This topic focuses on how networks -online and offline -are shaped by different notions of security. • To what extent do people know participants in their group chats/forums? • How do these groups map onto offline groupings? • How are people added and removed from networks? Platform specific? Group chat/forum specific? Specific processes of authentication? • To what extent do online and offline onboarding map onto each other? • What are the main disruptive factors within online networks? • Concerns about being seen to be present in protest related chat groups? Why? Examples? • Wider networks: what repercussions might protesters fear? Affecting themselves, their family, their friends etc.? • Who might they fear repercussions from? Topic 5: Designing secure communication platforms for high-risk environments As a "wrap-up", this topic explores future directions in the design of secure communication technology for high-risk contexts. • What should designers of secure communication platforms design for based on your experience with these protests? Why? The security blanket of the chat world: An analytic evaluation and a user study of Telegram Obstacles to the adoption of secure communication tools Mesh messaging in large-scale protests: Breaking Bridgefy. Cryptology ePrint Archive The information security digital divide between information security managers and users Virtual uprisings: On the interaction of new social media, traditional media coverage and urban space during the 'Arab Spring Forensic analysis of Telegram Messenger on Android smartphones FCJ-196 Let's first get things done! On division of labour and techno-political practices of delegation in times of crisis On WhatsApp, rumours, lynchings, and the Indian government PrivBox: Verifiable decentralized reputation system for online marketplaces Revisiting leadership in information and communication technology (ICT)-enabled activism: A study of Egypt's grassroots human rights groups Hong Kong protests drive surge in Telegram chat app The logic of connective action: Digital media and the personalization of contentious politics Semi-structured interviewing in social movement research. Methods of social movement research 16 Anonymous and publicly linkable reputation systems Bulletproof' China-backed doxxing site attacks Hong Kong's democracy activists We tested a messaging app used by Hong Kong protesters that works without an internet connection Hong Kong leader invokes emergency powers to ban masks during protests Networks of outrage and hope: Social movements in the Internet age Constructing grounded theory Group signatures chuang: Welcome to the frontlines: Beyond violence and nonviolence On postcompromise security Accessing a new land: Designing for a social conceptualisation of access In a new land: mobile phones, amplified pressures and reduced capabilities Networks of dissent: Emergent forms in media based collective action. Critical studies in media communication Riposte: An anonymous messaging system handling millions of users Dissent: accountable anonymous group messaging Efficient postcompromise security beyond one group Defensive technology use by political activists during the Sudanese revolution In encryption we don't trust: the effect of end-to-end encryption to the masses on user perception Critical perspectives on social media and protest: Between control and emancipation. Rowman & Littlefield Twitter's place in the tussle: how old power struggles play out on a new stage. Media Can Johnny build a protocol? co-ordinating developer and user intentions for privacy-enhanced secure messaging protocols Occupymedia!: The Occupy movement and social media in crisis capitalism Mastering the semi-structured interview and beyond: From research design to analysis and publication A new approach to modelling centralised reputation systems Keeping a low profile? Technology, risk and privacy among undocumented immigrants An identity-based key-exchange protocol Crypto and empire: the contradictions of counter-surveillance advocacy. Media Social media and trust during the Gezi protests in Turkey Hong Kong protesters use new flashmob strategy to avoid arrest Co-ordinating developers and high-risk users of privacy-enhanced secure messaging protocols Security Standardisation Research -4th International Conference, SSR Ethnography: Principles in Practice. Routledge Social media and social movements: Facebook and an online guatemalan justice movement that moved offline Code saturation versus meaning saturation: how many interviews are enough? For ethnography Be water, my friend: Hong Kong's 2019 antiextradition protests Democracy's fourth wave?: digital media and the Arab Spring Hong Kong is exporting its protest techniques around the world no one can hack my mind": Comparing Expert and Non-Expert Security Practices Onions in the crosshairs: When the man really is out to get you On the CCA (in)security of MTProto When the civic turn turns digital: Designing safe and secure refugee resettlement It takes a village: Understanding the collective security efficacy of employee groups Crypto for the People Creating the collective: social media, the Occupy movement and its constitution as a collective actor Formal Verification for Real-World Cryptographic Protocols and Implementations. Theses, INRIA Paris Hong Kong protestors using mesh messaging app china can't block: Usage up 3685% Be water: Technologies in the leaderless anti-elab movement in hong kong HMQV: A high-performance secure Diffie-Hellman protocol NSO Group / Q Cyber Technologies: Over one hundred new abuse cases Solidarity in the Anti-Extradition Bill movement in Hong Kong Internet, citizen self-mobilisation, and social movement organisations in environmental collective action campaigns: Two Hong Kong cases Media, social mobilisation and mass protests in post-colonial Hong Kong: The power of a critical event Digital media activities and mode of participation in a protest campaign: A study of the Umbrella Movement Social media and protest attitudes during movement abeyance: A study of Hong Kong university students Hong Kong's summer of uprising Privacy and activism in the transgender community Confidante: Usable encrypted email: A case study with lawyers and journalists Life360: Life360 Political turbulence: How social media shape collective action Investigating the computer security practices and needs of journalists Individual versus organizational computer security and privacy concerns in journalism Report: Arab Gulf states are surveiling, imprisoning, and silencing activists for social media posts Social media materialities and protest: Critical reflections Hong Kong protests, faces become weapons Mobile witnessing on WhatsApp: Vigilante virality and the anatomy of mob lynching. South Asian Popular Culture How cryptography lets down marginalized communities Mundane internet tools, the risk of exclusion, and reflexive movements-Occupy Wall Street and political uses of digital networked technologies don't leave campus': Parents are now using tracking apps to watch their kids at college Supporting privacy in decentralized additive reputation systems WhatsApp to Bridgefy, what Hong Kong taught India's leaderless protesters Using hierarchical categories in qualitative data analysis. Computer-aided qualitative data analysis: Theory, methods, and practice pp How to leak a secret New forms of youth activism -Hong Kong's Anti-Extradition Bill movement in the local-nationalglobal nexus The coding manual for qualitative researchers When SIGNAL hits the fan: On the usability and security of state-of-the-art secure mobile messaging SCMP: Hong Kong national security law full text Security for the high-risk user: separate and unequal The political power of social media: Technology, the public sphere, and political change Signal: Delete messages and alerts Computer security and privacy for refugees in the united states Online organization of an offline protest: From social to traditional media and back The journey to Tahrir: revolution, protest, and social change in Egypt Messaging Layer Security (mls Security analysis of the Telegram IM Hong Kong protesters use 'chat groups' to organise rebellion Telegram: Scheduled messages, reminders, custom cloud themes and more privacy Search filters, anonymous admins, channel comments and more The Stand News: In Hong Kong, authorities arrest the administrator of a Telegram protest groupand force him to hand over a list of its members From 'be water'to 'be fire': nascent smart mob and networked protests in Hong Kong Anatomy of protest in the digital era: A network analysis of Twitter and Occupy Wall Street Reclaiming, proclaiming, and maintaining collective identity in the #yosoy132 movement in Mexico: an examination of digital frontstage and backstage activism through social media and instant messaging platforms The banality of WhatsApp: On the everyday politics of backstage activism in Mexico and Spain The coming colonization of Hong Kong cyberspace: government responses to the use of new technologies by the umbrella movement Social media and the decision to participate in political protest: Observations from Tahrir Square Mobile social networking applications and the 2012 Occupy Nigeria protest Political talk on mobile instant messaging services: a comparative analysis of Germany, Italy, and the UK. Information Internet and social movement action repertoires: Opportunities and limitations. Information A survey of the privacy preferences and practices of Iranian users of Telegram Action needed! helping users find and complete the authentication ceremony in signal Is that you, alice? a usability study of the authentication ceremony of secure messaging applications we hold each other accountable": Unpacking how social groups approach cybersecurity and privacy together Open homes, free rides: the people helping Hong Kong's protesters AnonRep: Towards tracking-resistant anonymous reputation WhatsApp political discussion, conventional participation and activism: exploring direct, indirect and generational effects We thank the participants for speaking to us and the gatekeepers for their assistance in establishing contact with participants. The research of Mareková was supported by the EPSRC and the UK Government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/P009301/1).