This report on DSO's Intervention 2 was written by Chandi Tome, co-founder of Lakehub in Kisumu, Kenya, and DSO community member.

DSO Intervention 2

Notable confidence amongst participants

Kisumu, Majengo and Kaimosi, 16th to 18th of June

Once again, the DDD and Mozilla Kisumu teams conducted yet another intervention for the DSO participants in Kisumu and Vihiga. This time, for logistical purposes, we split Vihiga into 2 locations, attending to participants in Majengo and Kaimosi. Leading the intervention were Joash Mango, Alex Amollo, Jack Olang’o, Michael Otieno, Bonface Ochieng and Chandi Tome. Based on our previous experience at Intervention 1, we aimed to teach participants a bit more about online accounts, why strong passwords matter so much, how our smartphones get apps and store information, and take them through a WiFi field trip.

Spoiler alert: in all the 3 interventions in Kisumu, Majengo and Kaimosi, we did not conduct a WiFi field trip. As soon as the participants settled in for the sessions, they pulled out their phones and asked for the event WiFi connection password. This could be attributed to Intervention 1; most of the participants were clearly excited about connecting and using WiFi for the first time — they seem not to have forgotten the valuable lesson.

(Read about the first intervention here.)

Social Media Accounts such as Facebook

We first set out to understand whether participants understood what accounts are and whether they had any. Indeed, having a smartphone probably means owning an email account (that is usually mandatory to set up and use most smartphones), but this appears not to have been first on the minds of some of the participants. Nonetheless, many of the participants showed a good deal of knowledge on what accounts are why they have them.

We conducted a series of spectrograms where participants were expected to demonstrate their stand on some of the statements posed. For example, when we stated, “People should have many accounts online,” there was almost unanimous agreement that it should not be the case. It is noteworthy to point out that statement such as these are meant to provoke thought and elicit discussions, just as this particular one did. Participants engaged in spirited conversations and debates on why they “should have many accounts online” and why “it’s not right to have many accounts online”.

This then gave birth to another discussion that ended up in people listing the accounts they have. Social media websites such as Facebook and Instagram seem to be the most popular and readily acknowledged accounts that people use online. While participants continued talking about the other accounts they may have created and are probably using, the list extended to accounts such as MPESA and bank accounts.

Perhaps, as a note, could we declare that in this day and age, and for as long as you have a smartphone, it is almost obvious that we already have many online accounts?

Another spectrogram that yielded interesting results is when the participants were posed with the statement, “Only close friends on social media can see what you do online.” Many participants tend to agree with this statement. Moreso because it raises issues of privacy and a sense of personal security. “There is no way a stranger should be able to see what I do on Facebook, it just doesn't feel right,” one Kisumu participant affirmed with the rest of the participants seemingly in agreement.

But why is this an interesting observation?

We posed another statement, “Information we use to create our accounts should be private.” Many had no idea what this meant. As each of the workshops carried on, it became clear that many first time smartphone users do not take the issue of creating accounts seriously and that most do not have a clear idea at how much risk they are if they did not fully protect the information with which they opened their account.

In this respect, we could argue that there is a disconnect between the intention to retain a specific online persona to specific people and the actual action of creating profiles on respective platforms. They are equally important in that they both are tied to privacy and security, but the participants appear not to be able to see the connection.

So that brings us to the question: what are passwords and why do they matter so much?

We asked participants to create accounts on platforms that they hadn't had a presence before then asked them to share the password they used by writing it down on a piece of paper alongside the platform (account) they created. We then randomly pulled out the pieces of paper notes and listed each password on the whiteboard for everyone else to guess to whom each password potentially belonged to.

When the audience began taking guesses on the passwords that were on the board, it became apparent that most people use very obvious information as their password. Some passwords were in the form of the easily recognizable Kenya National Identity Card (typically 8 figures, date of birth; e.g. 22061993, symbolic of a person born on 22nd June 1993) and others were perhaps more obvious and even more easily recognizable as Kenyan phone numbers, usually in the format 0712345678. Some chose names of loved ones or people close to them like their children and spouses. There were a bit more complex ones like the name of a person’s football club alongside the jersey number of the favourite striker — something in the form of Liverpool28.

It is therefore not a surprise that when we began the password-guessing activity, we were able to successfully guess the creators of up to 80% of the passwords listed.

Participants were shocked at the realization of how weak their passwords were following the discussion on the dangers of a weak online privacy and security. We discussed impersonation and sabotage among other dangers they face.

Bummer: Two participants in Vihiga reported that they shared their MPESA Pin with their loved ones, but would never share their Facebook passwords with the same people.

The DSO team later demonstrated ways in which we can create strong passwords that are very difficult to guess and encouraged each participant to go ahead and change their passwords as soon as they had the opportunity. We also emphasized the importance of protecting one’s own privacy online and account security.

If we can learn anything from these observations, first-time smartphone users...

  1. ...do not understand the value of online privacy.
  2. ...are able to understand how a memorable password contributes to weak password generation.
  3. ...can appreciate that privacy and security of accounts could impact the setup of their DFS accounts.

View Comments