photo of statues talking

Most of the time, honest conversations about sensitive topics happen between people who have known each other a long time, who’ve worked together, who’ve built up a foundation of trust. They don’t happen when some unknown people cold-email you and ask to make a one-hour appointment with you – right?

Setting up a sensitive interview

At Simply Secure, we often find ourselves in the challenging position of needing to ask people we’ve just met about sensitive topics. Most recently, we’ve been working on a year-long project exploring the topic of power dynamics in the funder-grantee relationship. We set out to ask organizations about their funding experience – on behalf of the organization that, in many cases, holds the key to their survival. How could we have an honest conversation about a topic as core, and as fraught, as funding?

We did have one advantage going in: as a neutral third party, we were in a better position than a staff member from the funder to get honest answers from organizations. However, as a completely unknown quantity, we were at a disadvantage: nobody knew us well enough to trust us with sensitive information. We needed to build trust, and fast.

Our tactic was to lean on our expertise in two pretty different fields: security and design research. We used careful security practices to ensure confidentiality and privacy in our interviews, and made sure to make these practices were transparent to our interviewees. And we used design research techniques to set the tone for an open conversation.

Lessons from security: Identifying a threat model and mitigating the risks

The concept of a “threat model” is key to designing effective security: in order to make something safer for somebody, you need to proactively defend against the most likely threats to that person in their context. The threat model for our participants was centered around attribution of feedback, meaning that keeping their participation in the research private from both the funder and other participants was critical.

To accommodate this threat model, we used a variety of techniques. We took notes only on paper, and did most of our synthesis on paper in person in our Berlin office. We used encrypted email and other encrypted messaging. We used animal pseudonyms (Narwhal, Wombat, etc.) when contacting participants, when entering appointments into our Google calendar, and when discussing the interviews on our internal Slack. All documents that linked pseudonyms to actual identities were kept on a single encrypted drive in a safe in our office.

Just as important as the actual techniques we used was the fact that we told participants about them. We always led with a sentence like, “it’s very important to us that the funder doesn’t know we talked to you or what you said, so we’re taking these precautions.” We prepared a sheet giving examples of our practices for anonymizing quotations in our report. The fact that we had correctly identified our participants’ threat model and were taking steps to address it went a long way towards helping us gain their trust. In many cases, participants didn’t seem particularly interested in the specifics of our security practices; just knowing that we understood their threat model and had a thought-through set of practices was enough for them.

Lessons from design research

Design research is different from many other kinds of qualitative research in that it has an exploratory, human-centered focus. Rather than a list of questions to ask, we came to each interview with a list of topic areas to explore together. We wanted to ask about a few core areas: the organization’s history with the funder, their perception of the funder, and the process of applying for and receiving funding. But every interview was different: sometimes we ended up talking a lot about personal relationships, sometimes we ended up focusing more on financial reporting.

We told participants this at the very beginning of each interview. We told them that we were hoping to have a conversation, not an interrogation. We told them that we wanted to learn their story, whether or not it was “average” or “representative.” We told them that it was our responsibility to redirect the conversation if necessary, and that they should just talk.

Because our interviews were flexible rather than rigid, participants could tell that we were listening. If they brought up a pain point, rather than moving on to the next question, we asked them to dive into it. If they seemed particularly preoccupied with a certain aspect of the funding experience, we asked them more about it. Being listened to as an individual, rather than being shepherded through a one-size-fits-all process, helped each participant realize that we wanted and needed to hear their story, a story literally nobody else could tell.

We also made sure to thank participants as specifically as possible. “Thanks for your time” is generic; “thanks for opening our eyes to the unique situation in your country” shows that we heard their story.

We are grateful for the trust that every participant placed in us, and we hope our final report reflects this. If you find yourself in a position where you need to build trust in a complex or sensitive research situation, feel free to reach out to us; we’re happy to share more insights from both security and design.

Photo Credit: William Murphy