User stories

Abstract: How to phrase requirements in the form of user stories?

What's a User Story?

"As a <type of user>, I want <some goal> so that <some reason>."

or more specifically:

"A <type of Tor user> wants to <some feature of a Tor app> in order to <some reason related to security, privacy, etc>."

Some more good information is here:

Some of the ideas below are taken from the Tor website's team work on Personas:

Example stories

A blogger in Uganda wants to document and publish local personal stories related to the fight against anti-homosexuality legislation, but is worried about being persecuted, or having the subjects of their posts persecuted.

A journalists wants to communicate with a source using a chat/instant messaging on a web or mobile device without exposing that they are talking to the source, or having anyone log that they were talking.

A student at a high school is searching for information on this history of abortion law for a paper, but the schools internet filters block all access based on the keyword "abortion".

A researcher faces opportunistic and targeted attacks from compromised upstream service provider when using plain-text or privacy compromising protocols.

A parent faces intermittent local WiFi active threats (DNSspoof,SSLstrip,*MitM,...) in the community. Children's older devices especially vulnerable.

A person living with HIV wants to keep their medical history private while using their office's (monitored) internet connection, as they fear that disclosure will negatively impact their career.

Someone wants to blow the whistle on an unfair business practice or unsafe working conditions, but doesn't want to reveal their location.

People in abusive relationships whose internet use/history is closely monitored benefit a lot from Tails. (There is a lot of off-the-shelf keylogging/monitoring software that poses a serious risk to people in these circumstances). Using Tails allow them to seek help, plan their exit, and keep them safe from retribution.

Religious minorities who live in areas that are unfriendly to those with their beliefs need a way to learn more about and express their faith. This can be everything from atheists in Oklahoma to Orthodox Christians in Iran.

PLEASE EDIT/IMPROVE: "I don't really have the time to put it into proper writing, but I think Hidden Services (operators) should be in there. Protection of locality, against traffic analysis, poking through NAT, etc.

The Student has recently heard about Tor and would like to discover more about it. Particularly he has heard from a friend that it could be used to protect his web browsing whilst using the university campus public wifi.

The Journalist has been writing about online privacy for the past year and would like to write a feature about Tor. Although she has previously experimented with Tor's browser bundle she would like further information of how the Tor infrastructure functions and the technical details behind how it enables online anonymity.

The Researcher works for a think tank. She has been a user of Tor since December 2011 and is a strong proponent for an open web. Since finding out about Tor, Stephanie has become involved in the Tor community contributing fixes and features to the Tor code base and engaging with other Tor contributers using the mailing lists and IRC.

The Donor has read about Tor in the local newspaper and would very much like to make a donation.

The Engineer has been a Tor Relay Operator for a little over a year and has encouraged two of his colleagues to do the same.

The Activist would like to comment anonymously on the Internet and not link her personal accounts to her activism work. She would like to use Tor to achieve this.

The Dissident lives under an oppressive regime which heavily filters the internet. He is very aware of the consequences to himself and his family if he is discovered. He is hesitant to use Tor without knowledge of how it works and what its limitations are (ie. an adversary that monitors Internet connections).

A system administrator is on call for assisting the CIRT in incident investigations. She must avoid disclosing to the adversaries behind malware and system compromises that the organization has detected their activity, lest they retaliate, or switch tactics and break in other ways. She tests malware versions and monitors the activity of the compromised systems on a private network behind an anonymizing Tor gateway.

Computer security staff receive reports from international peer institutions, from law enforcement, and from counter-intelligence agencies about systems visiting potentially malicious sites. Staff gathers information from the sites to help assess how deep the adversaries got, and to devise defenses. The reporters require they avoid disclosing to the adversaries what general industry was tipped off, as well as obscure the fact that there is peer or investigator notice of the adversary activities. They use Tor for the investigation to meet those goals.

Last modified 4 years ago Last modified on Feb 28, 2014, 6:01:16 PM