Plane was the concept we found to describe the locations of our ethnography. The idea of logical planes lead us to consider that planes were not locations but modes of existence of the vuln EFAIL and ultimately this lead us to reconsider the uniformity of what we follows (vulns). The questions of locations of the ethnography became less relevant but at the same time the uniformity of what we tried to describe too. The planes were in that sense an indicator that EFAIL was a multiplicity. Each plane was coalescing and constructing a version or instance of EFAIL (organizing people, practices, ideas around the vuln (and therefore making a certain version or instance of it). We decided to toss the idea of planes and instead to refer to instances refering to the vuln itself.
Perhaps our first attention and focus on field-sites and our spatial ethnographic imagination are the direct cause of our difficulty to grasp the multiplicity of the EFAIL instances we eventually identified. In a way, facing the dead-end of spatiality helped us to see a more complex and diverse object (the numerous EFAIL instances).
In our experience, the difficulty we had to think in spatial terms about our object and our ethnography, helped us to eventually identify the multiplicity of EFAIL instances. In other words, the four vignettes we defined firstly as sites of ethnography revealed to be four instances of what we were observing.
Hence, the processes we are observing includes not only a multiplicity of heterogeneous spaces but also various types of manifestations of EFAIL with their specific temporalities.
This essay shows that the EFAIL disclosure took many forms at different times: Like a proton in a high energy physics experiment, the impact of disclosure created different simultaneous strains transforming what the researchers discovered into various versions of EFAIL: it morphed into an urgent threat for journalists and activists, a communication fiasco severely criticized, another reason to abandon OpenPGP adding to a two-decade old polemics about the standard, a series of technical issues to define and to fix separately, a series of remedies to negotiate and assess, an academic paper, a myriad of discourses about what should be a respectful and ethical vulnerability management as well as a CVE number, a logo and a domain name.
However, tracing these metamorphoses of the EFAIL vulnerabilities only tells the half of the stories. Indeed, other disclosures took place behind the scene: the researchers contacted vendors ad developers months before the public disclosure. They also contacted the EFF and other concerned “infosec” groups including the USENIX committee and journalists prior to Schinzel’s tweet.
Like in any ethnographic research, we were not able to follow every step and discussion related to EFAIL that took place behind the scenes. Perhaps nobody could grasp the complete processes, not even the EFAIL researchers themselves. Nevertheless, we can observed how the EFAIL vulnerabilities acted in the world to materialize themselves through the activation of different, but sometimes intersecting planes. In the research process, the different planes became more definite only when we could determine what was the properties of the particular manifestation of EFAIL we were observing. Each of these planes debated what EFAIL was, using different discursive registers and coalescing different participants and audiences together. Yet, these four planes remained all closely related to the EFAIL vulnerabilities discovered by Schinzel and his team. Thus, following the trajectories of vulnerabilities – their many disclosures and their impacts in the infosec arena – allows us to witness the making and unmaking of computer security without defining a priori our ethnographic research to few expert groups or sites of deliberation.