At-risk users are people who experience elevated digital security, privacy, and safety threats because of what they do, who they are, where they are, or who they are with. In this systematization work, we present a framework for reasoning about at-risk users based on a wide-ranging meta-analysis of 85 papers. Across the varied populations that we examined (e.g., children, activists, women in developing regions), we identified 10 unifying contextual risk factors-such as oppression or stigmatization and access to a sensitive resource-which augment or amplify digital-safety threats and their resulting harms. We also identified technical and non-technical practices that at-risk users adopt to attempt to protect themselves from digital-safety threats. We use this framework to discuss barriers that limit at-risk users' ability or willingness to take protective actions. We believe that the security, privacy, and human-computer interaction research and practitioner communities can use our framework to identify and shape research investments to benefit at-risk users, and to guide technology design to better support at-risk users.
RQ1: Contextual risk factors. What factors-such as aperson's relationships, personal circumstances, or situation in society-contribute to digital-safety threats for at-risk users? RQ2: Interactions. How do these contextual risk factors interact to elevate the risk or severity of digitalsafety threats for at-risk users? RQ3: Protective practices. What protective practices are common across at-risk users when attempting to address their digital-safety needs? RQ4: Barriers. What barriers do at-risk users encounter in protecting themselves from digital-safety threats?Based on an analysis across 31 distinct population categories (e.g., activists, refugees, children), we identified 10 contextual risk factors that cross-cut at-risk populations, yielding a clearly-defined set of circumstances that the digital-safety community can consider in research, design, and development to support at-risk users. We also found that at-risk users currently rely on varied, often ad-hoc protective practices, ranging from leaning on social connections, to distancing themselves from technology, to relying on a patchwork of technical strategies to try to minimize risks and harms. Our atrisk framework is comprised of these contextual risk factors and protective practices. We use our framework to discuss barriers that limit or prevent at-risk users from enacting digital protections, and show how competing priorities, a lack of digital safety awareness, and broken technology assumptions compound the challenges at-risk users face.We advocate for the digital-safety community to consider at-risk users' needs in risk modeling and design. Our framework provides a blueprint for addressing these issues through research, 1 education support, and technology development, to 1 While ethical best practices for engaging in at-risk user research are critical-e.g., in order to avoid further harming research participantsdefining these best p...
