Hostile Systems: A Taxonomy of Harms Articulated by Citizens Living with Socio-Economic Deprivation

There is increasing interest in how digitalisation variously impacts different socio-economic demographics’ ability to access, and realise benefits from, public services. Centring citizens’ lived experience in the identification of harms and benefits is critical for the evaluation of digital services, and more broadly for responsible innovation. Yet this poses significant challenges, particularly when engaging those living in precarious conditions. This paper reports on a study that engaged citizens living with poverty (n=76) to articulate harms arising from digitalisation in the context of an e-government social protection service. Interviews and surveys supported by speculative scenarios of ongoing changes helped surface and express citizen-centric harm characteristics within wider ecosystems before, during and after access, beyond a narrower service-lifecycle viewpoint. Drawing on the findings, we develop a taxonomy of harms and discuss how this can be utilised by HCI practitioners concerned with responsible innovation in digital welfare contexts.


INTRODUCTION
The adverse effects of e-government services have increasingly been at the centre of HCI concerns [21,51,52,53,82]. E-government delivers national and local policies through digitally-implemented public services, moving from services delivered in-person to increasingly technology-supported approaches, including "face-to-screen" modes of contact [43] which Considine et al. [25] have described as system-level bureaucracies. E-government programmes are intended to provide wider access to citizens and do this more efficiently to save money [34,35,82]. However, it is recognised that citizens have not been central to their design [81] leading to digital services which fail to cater for citizens' complex lives [25,62]. Underserved and under-resourced communities and citizens are at increased risk from adverse effects of e-government programmes, since they are already the most digitally-excluded [73], which is known to exacerbate social exclusion and vice versa [84]. We use the term 'harms' for these adverse effects, which include everything disadvantageous to citizens such as increased time, more effort, greater financial cost, loss of reputation, extra discrimination, additional mental stress, diminished knowledge, curtailed capacity, added neglect, and loss of rights. These factors further increase concerns about unforeseen harms in both semi- and fully-automated decision-making systems [21,25]. Alston [4] described such 'technology-generated' interactions [25,43], where government officials are entirely replaced by technology [25], as concretising a State that is "disappearing behind a webpage and an algorithm". This highlights a compelling need for HCI to thoroughly understand what types of harms may arise in socio-technical systems used to deliver technology-generated public services, and develop methods that enable articulation of both intended benefits to citizens and harms that might occur [67]. These issues have revived discussion in the HCI community around Responsible Innovation (RI) [10,54], which seeks to align research outcomes with societal benefits and values. However, RI requires some consensus about what might be desirable or undesirable and by whom, and thus also being able to identify negative effects to avoid unintended adverse impacts on citizens. To contribute to this, HCI has developed more nuanced understandings of access (e.g., [21,62,67]), calling for the need to understand and acknowledge the contextual factors and wider support networks that enable individuals and communities to realise benefits from digital services. Accordingly, a necessary part of RI is including people in the articulation of harms based on their own lived experience.
In this paper, we report on a case study where we use scenarios to engage citizens using digital services in the identification and articulation of potential harms stemming from efforts aiming to improve an existing digital system. Our case study is contextualised within a well-established 'Digital by Default' [4] social protection payment UK public service called Universal Credit, provided by central government and accessed routinely by working-age adults living with poverty. These citizens, referred to as claimants by the State, have precarious lives, and any additional costs or other harms to sustain access to the digital service will adversely affect their ability to buy food and clothing, heat their homes, and stay out of debt. More specifically, we describe the process we undertook to engage with eight claimants and three advisers who assist claimants independently from central government, in preliminary interviews to understand issues claimants encounter when accessing existing e-government digital service systems and their ideas for how these could be ameliorated. We then used these insights to develop four speculative scenarios depicting different types of potential changes seeking to improve the existing digital service; and used these scenarios to engage claimants (n=76) who provided insights to help understand potential near-future harms stemming from these changes. Our findings provide in-depth insights into harms that claimants perceive that go beyond the often-mentioned harms of individual and community resource use to gain and sustain access (e.g., [23,44,67,82]), to include harms due to loss of their agency and harms that could materialise at a later time. We discuss how harms arise, flow, accumulate, and connect with wider ecologies of socio-technical systems. This paper's contributions are two-fold: 1) an empirical contribution of insights about the adverse effects stemming from potential changes to a self-service digital social protection payment system; and 2) a conceptual contribution in the form of a taxonomy of harms resulting from digital access, that other researchers can use as part of Responsible Innovation toolkits. In the next section, we present prior research in HCI exploring how harms arise through access to digital technology, the need to understand harms for responsible innovation and conclude with a discussion of scenario-based design, used in our study.

RELATED WORK

Understanding Access and Harms
Public services can be referred to as rights [16,37] which citizens can take up at their choosing to receive the beneficial outcomes. However, a legal right to something is not the same as having access.
In contrast to the traditional solely rights-based view which arises by law, custom or convention, Dijk [32] had recognised that access should include a more general goal of "improving one's position in society" such as gaining better employment, becoming more educated, and improving social relationships. Later theoretical work by Ribot and Peluso [71] redefined access as "the ability to derive benefits from things". The HCI community has been increasingly paying attention to the downsides of technological access, seeking to expand narrow definitions of what constitutes digital 'access' and its assumed benefits. Drawing on Ribot and Peluso's work, Coles-Kemp and Jensen [22] explored access as a multi-faceted endeavour concerning people's ability to materialise benefits from a digital service, comprising of a 'bundle' of material means, social relations and rights that control, mediate and sustain access once gained. In this way, Coles-Kemp and Jensen [22], alongside a number of other researchers [20,21,23] identified how having the material means and right to access a digital service can be insufficient to gain benefits from it, stressing the critical role that social networks of support and community organisations play in enabling access: benefits, reduction of harms and supporting alternate service provision to complement those provided by the State.
Pei and Crooks [67] urged HCI researchers and designers to carefully configure 'costs' (i.e. harms) and benefits in digital services design as to support interventions and efforts that can address issues of equity and social justice. The configuration of harms and benefits particularly in public services. Le Dantec [38] has noted that while governments often have a mandate to make public services equally available to all citizens, the harms and benefits stemming from digitisation of services are not uniformly distributed, with underserved and marginalised populations disproportionally affected and burdened, compared to more affluent citizens [67]. Furthermore, pre-existing socio-economic disadvantages can be carried over into online settings [33], and poorly conceived, careless digital design can reinforce social injustice and exacerbate inequality [26]. Indeed, Yates [91] identified how socio-economic status is one of the most reliable predictors of frequency and use of the internet, and Gonzales [44] noted how sustaining access can be more difficult for under-resourced populations. People characterised by high levels of socio-economic deprivation are often already the most digitally-excluded [6,73], and any increase in digital exclusion is known to exacerbate social exclusion and vice versa [84]. Despite recognition that risks from digitisation are unevenly distributed in societies [61,67], Liva et al. [57] found that there is a knowledge gap about problematic outcomes and direct adverse effects on citizen-users. Given governments' mandate to counter socio-economic deprivation, the need for avoiding harms in social protection services should be particularly important. Additionally, the UN has reported [79] that these types of digital public services were the fastest growing across its member states during 2022, increasing the relevance of research in this area.
HCI research has examined how populations living with socio-economic deprivation manage to access various digital services, including those living with longer-term health conditions or disabilities [8,9,11,51], new citizens in a country such as asylum seekers and migrants [22,67,68], students in education [44], and job-seekers [52,87]. Two authors have discussed how those on low incomes manage access to Universal Credit: Coles-Kemp et al. [21] who examined access from a security perspective; and Morris et al. [62] who compared online with local service provision. Authors have contributed understanding of the important role that resilience [83], security [20], as well as how intermediaries [34] and other assistance [23] play in enabling underserved communities' access to digital services. Authors have also described harms stemming from digital interactions in some public services [53,80,82] and wider societal effects of digital design choices [73]. Across the literature, digitisation-related harms in both commercial and public services are thought to arise from barriers to receiving assistance or social support [9, 11, 20-23, 34, 62, 83, 87], and from burdens relating to costs of obtaining, learning and sustaining use of digital services [21,22,44,62,68]. In addition, studies have also noted how restrictions on information sharing [83], having to provide redundant information [51,82], and the introduction of delays [82], contribute to challenges experienced by citizens. Digitisation also appears to lead to more misunderstandings and errors in digital public service interactions [51,62], reduced trust [11,23,82], lower self-efficacy [9,52,62,73], reduced perceived fairness and accountability [52,80] and the erosion of rights and freedoms [53,62,80]. Other concerns raised in the literature point to the connection between digitisation and discrimination and stigma [53,73,80], and citizens feeling increasingly distracted, confused, frustrated, addicted and overwhelmed [8,23,67,82].
While there is clearly significant research done in this area, no study to date has attempted to explore and enumerate all the types of harms that can arise in a technology-generated (remote self-service) public service.

Responsible Innovation
Responsible Innovation (RI) recognises that the benefits of technical innovation are accompanied by risks and downsides, and seeks to align research outcomes with societal values [10] "in the public interest" [54], focusing on increasing beneficial impacts and minimising harms. Originally developed in other disciplines and research areas, in recent years RI has gained traction in computing and HCI [46,54]. RI includes the need to articulate values underpinning digital innovations and anticipate potential risks, harms and unintended consequences through the use of speculative, reflexive and inclusive methods, that promote deliberation with communities who are directly impacted by the new technology [54,55]. However, realising the aspirations underpinning RI poses significant challenges for HCI endeavours. Research has stressed the need to develop new methods to enable further understanding and prediction of how socio-economic and cultural contextual factors may shape benefits and harms stemming from digital innovations [44]. While value-based approaches can be a useful lens to examine technologies' intended and unintended impacts, values suffer from differences in individual perception [42], contradictions, and conflicts among stakeholders in innovation endeavours [56]. Further, there is still a need to understand how arising harms may impact values [28]. Additionally, Friedman et al. [42] have described how both users' and designers' goals affect technology use and Davis and Nathan [28] showed how values surface and evolve during use. In a similar vein, as Waycott et al. [86] explained, harms may only "emerge" later, in the use of socio-technical systems. In this respect, Wong et al. [88] suggest how "relations and practices" around digital artefacts contribute to variability in beneficial outcomes, and thus as benefits and harms are co-constructed, they only become apparent when socio-material practices occur between actors. These considerations point towards the need to base decisions about what a responsible digital innovation may be, on more comprehensive knowledge of how and where harms arise. Thus, this includes the lived experiences and knowledge of people affected by digital innovations as to explore how these might affect them and their communities. Examining potential innovations within an existing system with current users, therefore offers a potential way to gather more detailed knowledge of what types of harms can arise. This might also reduce the concern Jirotka [54] raises about the difficulty of foreseeing how research outputs might be used or adapted by more thoroughly exploring social contexts. However, Trischler et al. [77] noted that there can be particular reluctance to take part in co-design activities for public services due to citizens' perceptions that contributions made would not be valued. Further, working with underserved and under-resourced communities requires additional sensitivities as to not over-burden them [49,90], and finding ways to enable voicing and expression of meaningful contributions [3]. The use of carefully configured participatory methods, including scenarios, has been suggested to overcome these challenges (e.g., [38,67]).

Scenario-Based Design
Scenario-Based Design (SBD) is a well-established HCI method where scenarios include future-oriented stories foregrounding people's experiences and goals when using (existing or imagined) systems to undertake tasks [17,72]. Scenarios communicate how design concepts might be used [17], describing positive or negative experiences [72] and can be very accessible to non-designers [48]. A recent scoping review of ethics across SIGCHI by Vilaza et al. [64] found that speculative scenarios are a commonly-used method for exploration of technology ethical considerations. Luria and Candy [58] developed scenarios based on interviews with experienced users, who are thus most knowledgeable of a system, and then used these scenarios with other participants to collect responses about ethical concerns. Candy noted that nearer-future plausible scenarios were more engaging, requiring less suspension of disbelief. The use of such expert-informed scenarios as prompts has been found to encourage deeper and more reflective discussions during interviews [19]. However, providing scenarios to contextualise questions at the beginning of interviews can introduce biases to responses [1] requiring methodological adjustments, "especially when designing for underprivileged populations" [30] where a perceived association between the researcher and the design can suppress criticism. One way to counter this is to present negative scenarios to highlight potential problems [12]. In this study, we use these methods, and in particular speculative scenarios depicting small changes in digital services to enable citizens and users' explorations of existing and potential harms.

CASE STUDY AND METHODOLOGY
Our aim is to explore how the use of scenarios describing possible small system changes in a digital service could support citizens from lower socio-economic groups to articulate how, when and where harms may arise, flow, and accrue in an exemplar existing socio-technical system. For a "more stringent" [44] exploration, this requires selecting a current system, which is pervasive among this population and which they have gained online access to, and are familiar with, by having been regular users of it for some time. Given the known overlap between this population with the most digitally excluded, there is a need for the scenarios to be a "perceptual bridge" [7] between citizens' experiences and design speculations. This is achieved through creating scenarios that are realistic and plausible enough to engage participants by basing the illustrated changes on insights gained directly from participants as experts (as in [48]). These artefacts are then used to engage this population as to encourage reflection and articulation of resultant adverse impacts, and to help identify harm characteristics of the digital system, which may be attenuated or amplified by design changes.

Case Study
We examine harms experienced by citizens experiencing marginalisation due to poverty. To select a system used pervasively by this population, we based our study around a digitised public service providing an income-related social protection payment digital public service called Universal Credit (UC), supporting almost 6 million individuals in the UK (13% of the UK's 43 million working-age adults [36]). There are strict limits on income and savings in UC's eligibility criteria with the mean monthly household entitlement ∼£820, approximately a third of UK household disposable income [66]. UC is predominantly [4] accessed via the 'UC Online' website with a support helpline for minor queries, and is thus a type of self-service technology-generated interaction (as [25]) which is undertaken remotely from government officials and online. The UC Online website is used to apply for the payment (called the "award"), where claimants have to provide information about earnings, savings, health conditions, and who else lives in the household. Subsequent identity verification checks and eligibility assessment may require additional information to be provided. The UC award payment is variable, recalculated each month based on earnings and any adjustments. Those who successfully receive the award must undertake subsequent regular interactions through the website, such as to check messages in the Journal, to review tasks in their "To Do List", to record job search activities, to reply to messages, and to report change of circumstances (e.g., moving home, change of household members, changes to employment). Citizens who apply (by making a claim), and those in receipt of the award payment, are conventionally referred to by the UK government collectively as claimants. UC claimants are already affected by several adverse factors making understanding of harms even more critical: 1) claimants are under-resourced due to lack of income and poverty; 2) they can suffer from stigma associated with both poverty [70] and claiming benefits [29]; 3) service access is mediated by online registration and eligibility verification [27,74]; 4) claimants are amongst those already more digitally excluded (e.g., [2,31,69,91]); 5) the government department responsible for running UC also seeks to increase employability and employment and thus reduce reliance on the service; 6) continued payment eligibility is conditional [89] on complying with many behavioural commitments (e.g., to seek better-paid work, to attend training, to report relevant information promptly); 7) many claimants are commonly subjected to payment delays, financial deductions and penalties, or payments being stopped completely despite their dependence on the income provided, due to events like claimants' mistakes or their failure to comply with commitments and overpayments by the government [76]; and 8) the service is delivered as a monetary payment making claimants a target for fraudsters [24]. Recently the UK government has announced plans for greater use of automation in UC and other public services, including much wider deployment of AI [45], while continuing to maintain a state-centric focus on efficiency [18].

Approach
Our study was undertaken at the height of the COVID-19 pandemic. This did not affect our ability to include the desired participants since, by definition, they were already online and accessing UC. We used remote individual semi-structured interview and survey methods due to imposed social restrictions and a reluctance of recruited claimants to participate in group activities such as focus groups and workshops. This is caused by a lack of trust in each other due to concerns that any information shared might adversely affect their own UC award. We first undertook preliminary individual interviews with professional advisors and claimants, and created speculative scenario design artefacts, responding to issues of concern mentioned about the digitised public service. We then used these scenarios as prompts to help articulate harms during subsequent individual interviews and surveys with claimants in the data collection stage of the study. Ethical approval necessitated enhanced consideration due to claimants being considered a vulnerable population, and to ensure compliance with pandemic-related restrictions. Approval was granted by the sponsoring university.

Developing Speculative Scenarios
Preliminary semi-structured interviews with 3 advisors (all females) and 8 claimants (3 females) identified issues of concern about the digitised public service, leading to the development of speculative scenarios, which responded to these issues. The advisors worked for organisations in the sponsoring university's local community and had significant experience of advising, supporting and guiding citizens to access public services, and all had substantial knowledge of UC Online. Advisors manually signed printed copies of PDF consent forms, scanning and emailing them back to the research team. Claimant participants were recruited by sending calls for participation using tweets on Twitter and letters posted to local community organisations. All the recruited claimants completed the consent form online and were claiming UC at recruitment time. Semi-structured remote interviews were undertaken firstly with the advisor participants, capturing information about their role, claimants' need for help, technology/benefit access problems, difficulties providing assistance, and effects of the pandemic on assistance. These conversations contributed to defining the approach, content and language used in the preliminary interviews with claimants. The claimants (identifiers C01-C08) were asked questions about their experiences applying for UC and maintaining online claims, including whether they received help, what technology they use, their day-to-day usage and the impact of COVID-19 on their ability to access UC.
All interviews were undertaken by telephone or online using Zoom or MS Teams as each participant preferred, lasting 1-2 hours, and audio recorded. Recordings were manually transcribed subsequently. No compensation was provided to the advisors, while claimants were compensated at £10.00/hour. The transcripts were analysed using inductive reflexive thematic analysis (as Braun and Clarke [13,15]) through comprehensive complete coding to code widely [14], generating data-derived semantic codes to explore what participants expressed directly. Advisors and claimants contributed a wide range of data on experiences with UC Online, with the multiple stages of coding leading to the identification of 42 distinct descriptive codes (e.g., "Delays by citizens understanding and responding to Journal entries, and reporting changes, can lead to sanctions", "Difficulties sharing documents for discussion/evidence", "Citizens sometimes have to resort to using complaints processes to progress their enquiries or to get decisions made"). We selected key themes and insights from the data to develop scenarios articulating design aspects which could be changed to ameliorate some harms in response to the challenges experienced by both claimants and advisors. Reflecting suggestions made by claimants, the design aspects involved the introduction of digital technologies currently not used by UC Online (e.g., instant messaging, delegated access, synchronous digital assistance). The resultant four scenarios are summarised in Table 1.

Table 1 (scenario summary)

Channel:Expander
Issues: … just inform citizens to log into the system or make a telephone call. 3. People's communication channel preferences vary depending on the issue, the task, and their circumstances at the time.
Design change: … forwarding of communication and messages between citizens and online social protection systems; ability to use channels interchangeably at will.

You:See
Issues: 1. Existing legally-based appointee process is formal and absolute. 2. Explicit consent to discuss a matter on a claimant's behalf as a representative is time-limited, task-restricted and only applies to telephone calls and face-to-face appointments (not online). 3. Many citizens get help from friends, family and advisors, but this is not reflected in how the system is designed.
Type of change: Asynchronous individual remote support
Design change: Providing citizen-controlled and limited highly-granular delegated access to their online Universal Credit account, to facilitate receiving advice, support and guidance by a third party.

Ad:Visor
Issues: 1. Citizens need but may be unable to visit or receive face-to-face advice and support due to work, caring, health, distance, poverty, shame, movement restrictions, etc. 2. Difficulties sharing digital device screen or printed correspondence when using a telephone for both internet access and speaking with an advisor, and sometimes also to the Helpline.
Type of change: Synchronous individual remote support
Design change: Camera and microphone-enabled glasses providing a collaborative real-time shared view of a citizen's digital device and paperwork, and audio communication with a remote professional advisor, wherever the citizen is most comfortable.
Ad:Visor and You:See both included additional features enabling claimants to request individual remote support from independent advisors when making and maintaining a claim (synchronously by invitation of the claimant in Ad:Visor, and asynchronously where control and use of interaction with UC Online is delegated by the claimant to someone else in You:See); Pre:Peer included changes to the application process using community support activities; and Channel:Expander included changes in the communication methods between the remote claimant user and the e-government system. All deliberately involved a broader system viewpoint crossing technology boundaries to acknowledge the wider socio-technical system, and to encourage participants not to focus inadvertently only on their own frequent, almost daily, use of the UC Online web interface in isolation, which could lead to blind spots. To communicate the design changes effectively, we produced short, informal, and attractive scenario artefacts with minimal text. We also wanted to ensure that scenarios were not fully defined, retaining some ambiguities to appear less deterministic [5], as to enable initial ideas to be malleable to feedback. In line with researchers (e.g., [41,75]) who have used self-published magazine (or "zine") formats to foster dialogue with their research communities, we utilised a similar "zine" style for the scenarios, made digitally with a "produced with a photocopier" [41] look. The scenarios included claimant characters described by brief biographical details (as in [48]) undertaking UC Online-related activities. The design changes in each scenario portray positive benefits, and we wanted to counter demand bias by including some causes of negative impacts to encourage participants to be more critical (as in [12]) and discuss harms added. To choose these prior to revealing the scenarios to our participants, we adapted a hazard identification method for HCI [85] and used this to systematically enumerate lists of problems for each scenario. We selected three less immediately obvious problems to include in each scenario document. These were presented as possible causes of problems, and not harmful consequences. A by-product of the systematic hazard identification assessments was the generation of a longer list of other undesirable events which were used later to further validate the themes identified in the data analysis. The scenarios were reviewed by two members of the research team, then by two independent external experienced researchers, with alterations made after each review. The finalised scenarios are reproduced in the paper's associated data repository, and at smaller scale in Figures 1-4. Each comprises three pages: the first page describes the key issues experienced by claimants including an open-ended question as to how these issues could be addressed; the second page provides a visual representation of claimants in the existing digital system using the changed activity; and on the last page, three example causes of what might lead to things going wrong. Thus each scenario articulates anticipated positive impacts on the second page and suggests potential causes of negative impacts on the third page. These scenarios, developed from 11 participants' data, were then used in the study's main interviews and surveys with claimants to help expose what and how harms arise, i.e. the system's harm characteristics.

Figure 2: Three-page definition of the Channel:Expander scenario

To foreground citizens' viewpoints, participation was restricted to citizens who were either current or previous UC claimants using UC Online, i.e. people who already had access to the system. UC eligibility criteria meant all participants were working-age adults on low incomes and negligible wealth. The claimants who had taken part in the preliminary interviews (C01-08) used to define the scenarios, were invited to take part but C08 dropped out, with another three (C09-11) recruited by public posters at railway stations, using the same briefing, on-boarding and online consent methods. To obtain perspectives from a wider pool of claimants, we also ran an online survey, completed by 66 different claimants (total interviews and surveys n=76). Survey participants (C12-77) were recruited using another round of posters and direct mail to community groups, and through the Prolific research study portal using a pre-screening survey to identify people who used UC Online. Survey respondents completed the consent form online. Table 2 summarises the interview and survey participants. This table's data showing mean duration of award demonstrates considerable experience of UC Online in the population sample, even though many made their first claim during the pandemic (Figure 5a). Figure 5 also illustrates that compared with the interview participants, survey participants were less likely to be long-term sick/disabled, but more likely working, a carer, female and younger.
The interviews and surveys used the same scenarios. The shared questions about each scenario included positive (e.g., "What is good about the proposal?", "How would this be of use to you"), negative (e.g., "Do the three things shown that might go wrong concern you? If so, why?", "What else could go wrong or cause problems?") and neutral (e.g., "What was your initial reaction to this idea when you first saw it?") questions about the changes. The semi-structured interviews also provided scope for requesting clarification and for
Interview participants were provided in advance with the four scenarios (as PDFs, text-only descriptions and video walkthroughs to preview if desired) which they all engaged with to some extent. The interviews were undertaken by telephone or online, audio-recorded for subsequent manual transcription, lasting between 2 and 3 hours in total, including the scenario previews, interview briefing, interview and debrief. Participants were compensated for their involvement at a rate of £10.00/hour. The survey was made available as an online Google Form linking to each scenario's files (as the interviews). To encourage broader feedback, which can occur more naturally in semi-structured interviews, the survey included an additional final question: "Is there anything else you would like to add, good or bad about UC online, or your own technology ideas?". Survey participants received compensation for their involvement based on the survey platform's time estimate and recommended rate of £7.50/hour; responses were downloaded as textual data. Interview transcripts and survey responses were anonymised prior to data analysis, by removing any identifiable individual names, locations or organisations.

Data and Analysis
We gathered 10.5 hrs recordings from the 10 interviews: mean (M) duration 63 mins, standard deviation (SD) 10, providing transcripts: M 4,260 words, SD 1,610. In contrast, the 66 survey responses were much shorter: M 484 words, SD 295. These word counts exclude the questions, demographic data responses and, also for the interviews, the preamble, consent check, researcher's other words including the debriefing and closure. The overall data corpus comprised 57% from interviews and 43% from surveys. Interview and survey textual data were imported to NVivo, one text file per participant.
To prepare for analysis, the data was selectively pre-coded [14] to identify consequences resulting from the design changes (both negative and positive). Identified extracts were cross-checked by researchers before closely reading the data and making notes for familiarisation. We then conducted inductive reflexive thematic analysis (as Braun and Clarke [13,15]) on the extracts. While coding progressed, the initial data-derived and researcher-derived codes were updated, merged, split and new codes created providing the most meaningful interpretation of the data. Example low-level codes included "confusion and or misunderstanding", "increased responsibility", "become dependent or reliant on the tool", "money stolen", "surveilled", and "sanctioned" which were then gathered into the themes discussed in the Findings. There was no distinction made between data from the interview transcripts versus the survey responses, and we do not report code counts or coverage, since we were attempting to identify as many different harms, and not quantify either the rate of occurrence in the data nor likelihood of each harm to materialise in the system. The coding was checked for consistency in two quality-check stages. The analysis resulted in four main themes; each theme included data from both interview transcripts and survey responses indicating there was sufficient information power [60] in the data from the interviews alone. The survey data did however provide further examples to contribute to our findings and insights. To check whether any harms had been overlooked, we undertook a final stage of validation using triangulation (Mackay [59]), by applying the themes and sub-themes in a deductive analysis of all the consequences enumerated systematically by the earlier hazard analysis of the four scenarios. The hazard analysis data were found to fit within a subset of the themes and sub-themes, implying consistency.

FINDINGS
Our findings reflect the financial nature of UC award payments, describing how claimants have to speculate about uncertain future orientated harms, as well as account for current harms, to determine whether they will profit or not from the benefits of design changes. Below we explore four themes. First, Expenditure of Citizens' Resources describing how citizens may have to expend additional resources including greater time and effort as well as financial costs, increased monitoring and checking, dealing with the consequences of communication confusions and misunderstandings, maintaining data, fixing things that break or stop working, and taking on additional responsibilities for other claimants. Second, Loss of Citizens' Agency encapsulating loss of individual agency due to the involvement of other actors leading to reduced or complete removal of control, less transparency, more dispersed accountability, greater dependency and reliance on technology and other people, becoming disconnected and disengaged, reduced insight of when failures occur, and decreased capabilities. Third, Accrual of Risk by Citizens to capture deferred potential harms leading to worry and anxiety, and if the uncertainties materialise leading to loss of personal reputation and reputational effects on other citizens such as by loss of confidence in the system, losses due to obsolescence and abuse of claimants' information, identities and money by others including financial loss and surveillance. Fourth, Impacts on UC Payments to Citizens which comprises service-specific harms: in this case the delivery of payments for the service UC. To introduce each theme, we provide an example vignette from a claimant about one of the scenarios.

Expenditure of Citizens' Resources
Participants' responses to our scenarios showed how citizens may have to incur a further depletion of their own resources to benefit from the various types of design changes in the scenarios, over and above what is needed for current access to the existing system. This includes their own time, effort and money, and that of their support networks. Use of resources and abilities to realise benefits was articulated in relation to gaining access, day-to-day operation, and periodic upkeep. For example, C05 described their concern about additional efforts involved to understand, learn and use Ad:Visor, the camera and microphone-enabled glasses worn by a claimant to provide a collaborative real-time shared view of the claimant's device and documents by a remotely located advisor (Figure 4): "...if people aren't great at using, like being able to put their phone on loudspeaker while also looking at the website, or don't have a computer, then [Ad:Visor] might also be too hard as well... um so the glasses themselves need mobile data, so what happens when it runs out? um like who tops it up, who tells them how to top it up?" (C05)

4.1.1 Initially Gaining Access.
Three of our scenarios, Ad:Visor, Pre:Peer and You:See, explored the potential to integrate wider community support in the existing system. However, claimants who themselves had already gained access to UC Online recognised that there could be additional initial up-front burdens incurred to be able to take advantage of the changes described. From their perspective, if people had previously struggled to gain access to UC Online but eventually succeeded, any changes which added technological complexity could be too much to overcome, or as suggested in relation to the additional hardware included in Ad:Visor (the enhanced glasses), "it might be easier for them to not use it" (C33). Some participants were concerned there might be one-off preparatory financial costs (e.g., telephone/travel to meet community in Pre:Peer, hardware in Ad:Visor), and nine mentioned the up-front effort to understand how to use changes, or effort imposed on others to explain it. Furthermore, C23 and C72 both suggested that not everyone is necessarily socially connected enough to find the kind of support envisaged in the scenarios at an individual (immediate family or friends) or community level. In sum, the well-meaning changes proposed in scenarios were perceived as requiring additional entry skills, knowledge, and financial costs to gain access, which would affect some people's ability to adopt them and thus benefit at all.

Ongoing Day-to-Day Operation.
The proposed changes in the scenarios also helped articulate socio-material harms that could be incurred in day-to-day use of the changes after access to them has been gained. These include time and effort of doing clerical tasks, detriments to health and, for some, the additional burdens of supporting others, which could offset the intended beneficial improvements. Participants naturally weighed these pros and cons, reflecting that some of the changes represented in the scenarios (e.g., involving other people in Pre:Peer) might be "a bit of a hassle" (C14) or "more labour for the same result" (C76). In the Channel:Expander scenario, which included other communication methods to redirect and enhance SMS/email messages, operational concerns centred around burdens of monitoring notifications and checking messages' content. Some noted message duplication might lead to confusion, and an increase in quantity may mean some messages being ignored. There was also a concern about any extra usage-based financial costs, such as needing to be online more often (e.g., to interact with advisors in You:See and Ad:Visor, or with other claimants in Pre:Peer). The exploration of community support in Pre:Peer (where a UC application is prepared in advance but not submitted until needed) drew attention to participants' uneasiness about the ways the proposed changes might require additional effort from other people who already provide assistance, or lead to wasting those people's time. Related to these concerns about harms imposed on others in their support networks and, in response to two scenarios (You:See and Pre:Peer), three participants could foresee additional burdens if they themselves provided this community support to others: "people who were given that responsibility may not really want it" (C04) with concern about "being held responsible if mistakes are made" (C57). Participants also identified how the involvement of more people, such as in You:See and Pre:Peer, and use of more communication channels (e.g., chat apps, post) such as in Channel:Expander, would require greater continual effort to monitor whether anyone was trying to steal data or commit fraud. There was a concern these matters would lead to ongoing current operational "worry" (C02) about whether resulting damages (e.g., identity fraud) may be occurring that they had failed to recognise or prevent.
4.1.3 Periodic Upkeep of Assets.
Our participants recognised additional harms related to keeping the system changes working, separate to day-to-day operational activities (4.1.2 above). Upkeep activities are performed to preserve assets e.g., ensuring the accuracy of data, and fixing breakdown/loss. For example, the Pre:Peer scenario included gathering information and evidence necessary to make a claim over a period of time, but participants recognised data accuracy could deteriorate before use (to make a claim at a later date). Participants believed this would add a mental burden to check data, and then effort to correct the data. It was also recognised some data update requirements (to report any change of circumstances in UC Online) coincide with traumatic life events like "breaking up with your partner or moving house" (C34) which could make it more difficult to do the upkeep. An added harm would be feeling an obligation to maintain data, because by not doing so and submitting incorrect information, this could be seen by the State as fraudulent e.g., "get you in trouble" (C70). Participants noted that with additional community support, such as shown in Pre:Peer, claimants may need to do more upkeep themselves as an administrative overhead, checking information added and decisions made by others to counter misunderstandings of their situation. Similarly, Channel:Expander which included multi-lingual support, was seen as requiring more effort to check validity, given participants' perception that these technologies lack accuracy. For any physical hardware (e.g., the adapted glasses in Ad:Visor), five participants questioned durability and reliability, and therefore what was needed to keep it working, and liability for physical breakage or damage e.g., "who would pay the bill?" (C74).

Loss of Citizens' Agency
Participants observed that changes portrayed in the scenarios which affect the scope and nature of access could erode citizens' own agency, countering some of the intended benefits and advantages of the changes. Participants explained how loss of agency would be manifested as loss of control, independence, and capability, affecting interactions with the changes, the existing system, and more widely in their lives. A data extract related to this theme by C28 describes how claimants might lose knowledge about accessing UC Online to maintain their claim with You:See, in which a claimant can delegate access to their UC Online account to a third party (Figure 3): "The [claimant] who has the account would not know anything that was happening [in UC Online] and wouldn't know how to use the service themselves should they need to." (C28)

4.2.1 Giving Away Control.
Participants identified circumstances resulting from the changes described in the scenarios which would cause disempowerment such as reduced or complete loss of control including unclear accountability. Participants were concerned about the involvement of other people, organisations and systems in Ad:Visor, Pre:Peer and You:See. They thought claimants could become dependent upon the capacity, capability, reliability, accuracy, and honesty of others, which also requires trusting them. For example, if someone else was using UC Online on a claimant's behalf (as in the You:See scenario) to respond to a Journal message: "have they went and done it there and then, they might not and they might just say to you they have" (C11). The You:See scenario, which depicts delegated access, prompted some participants to wonder if loss of control might reduce claimants' ability to also detect problems: "they don't know how to" (C31), and therefore be less able to rectify problems (C39). While none of the scenarios provided any clarity about accountability, being held responsible was raised repeatedly by participants. As an illustration, when reflecting on the three example problem causes in Ad:Visor (e.g., delivery period delays the welfare benefits advisor speaking with a citizen, the device captures and transmits pictures/sounds of other people nearby), participants described how "things like this could punish the claimant for things out of their control" (C54) "even though it wasn't your fault" (C62) such as if the communication technology was disrupted during a time-sensitive appointment.

Ceding Independence.
Participants identified other potentially harmful consequences causing a loss of independence including reliance, and becoming disconnected, side-lined, and disengaged. Almost half of the participants had concerns in this subtheme, such as becoming reliant on the additional digital technology depicted in all the scenarios. They considered that where there is a need (due to imposed UC commitments) to be prompt and responsive, such as to submit requested information, becoming dependent on additional systems was problematic. For example, a breakdown of the system portrayed in the You:See scenario where someone else acts for the claimant online, may mean that information is lost or not delivered (C30). Furthermore, any increased separation between a claimant and UC Online introduced by additional digital technology was considered detrimental. For example, in Channel:Expander which illustrates how some interactions could be undertaken directly by messaging between the claimant and the UC system rather than logging into UC Online, this may mean the monthly payment statements or To Do List are not checked as often. Similarly in delegated access (Pre:Peer), the claimant may never log in themselves: "you might not see some of the activities on your account and journal" (C07). Participants thought that this disengagement from direct interaction with UC Online could lead to claimants not knowing the status of their claims or what they need to do, both of which are only displayed in UC Online, and this could affect claimants' ability to adhere to all the imposed UC commitments.

Reduction in Capability.
Participants recognised how engaging with the internet and UC Online can beneficially contribute to learning new skills and knowledge. Therefore, the changes described by the scenarios could lead to the reverse, loss of capabilities: de-skilling, failing to gain new knowledge and losing existing knowledge. For example, when considering the You:See scenario, which enables a form of delegated third-party support, many considered this might also mean that claimants would not need to use online technology themselves at all (C38) and thus lose out on this skill. Another participant mentioned that by using online systems yourself "you kind of learn to read through forms" (C07), which was considered a skill useful for other government interactions, and might thus never be learned by some claimants. Some participants believed that using translation/interpretation features (as described in the message forwarding of Channel:Expander), would detract from gaining valuable language skills by not directly reading and communicating with UC Online in either the original English or Welsh. Participants noted these losses of capabilities may not be noticed until there is a relevant need, such as to get assistance with something unusual or unexpected with their UC claim or personal circumstances. As one example of this loss of capability, participants thought the use of different channels of interaction (as depicted in Channel:Expander where messages could replace some of the UC Online website's functionalities) could result in claimants not ever logging on to read their Journal and eventually not knowing "how to" log on to the website (C31) such as by losing or forgetting authentication credentials or the website address. Participants explained this might prevent people ever learning about their social protection payment rights or UC.

Accrual of Risks by Citizens
Not all harms articulated by the participants were impacts which occur immediately. Participants also projected their thoughts into the future and discussed adverse prospective harms, which might materialise at another time, ranging from the almost certain to the very unlikely. These related to multiple reputational effects in the future, digital technology obsolescence over time, and personal abuses against claimants where the effects occur later. Related to this theme, C06 articulated harm which could arise in the future due to use of the changes in the Channel:Expander scenario, which describes multi-modal bi-directional collection, format conversion and forwarding of communication messages between claimants and UC Online systems, replacing the limited one-directional and non-functional system-to-claimant notifications (Figure 2), and prompted by the scenario's mention of using WhatsApp: "I think there could be some financial risks or you know issues related to fraud in the long term. But I don't think like social media platforms as an effective method in limiting fraud because it's more open to fraud in the long term." (C06)

Effects on Reputation.
The changes proposed in the scenarios helped expose three types of possible reputation loss: an individual's own reputation in the eyes of the State, their reputation perceived by other citizens, and reputation of the UC system itself.
Participants were concerned the State may be suspicious of citizens' reasons for using any form of wider support, as explored especially in Pre:Peer and You:See. Also, from their existing experiences of UC Online, new changes which may lead to additional mistakes, errors, delays and failing to meet commitments could make claimants look dishonest (C01) to the State, even risking accusations of fraud. Participants liked how the current system's Journal creates a record of messages, instructions, and decisions, and wondered if changes might detract from this (e.g., in Channel:Expander, system messages being read by claimants in apps rather than in the UC Online's Journal log). It was also noted that lack of records (by activities occurring external to UC Online) could make it harder for claimants to demonstrate their compliance and honesty (C17). In terms of claimants' personal reputation perceived by other citizens, it was recognised that some of the changes described (such as the community interactions in Pre:Peer) might make it more apparent to others (due to the involvement of more people and possible unauthorised sharing of information) that someone was receiving State support, which could lead to discrimination or further social stigmatisation e.g., "some people have a really bad opinion of those that claim" (C39). More broadly, participants were concerned that if proposed changes in scenarios were "deemed unreliable" (C61), the whole UC system's reputation would be damaged by awareness of new (change-related) problems, leading to a negative social impact.
In their view, people might be deterred from adopting the proposed changes, or people might be put off using the UC service at all.

Exposure to Obsolescence.
Participants also voiced concerns about the obsolescence of digital features proposed in scenarios, such as their future degradation/failure, being retired, being abandoned, breaking accidentally, or failing through lack of maintenance by others. One example was a concern about how access to the community-supported features in Pre:Peer might cease if it was provided by a third party organisation, perhaps through lack of use, insufficient funding, or inadequate take-up. Participants' experience of using technologies like those presented in the scenarios meant they recognised that using additional features increased reliance on the technology, and thus if something stopped working (e.g., message format conversion as shown in Channel:Expander, submission of the prepared claim in Pre:Peer), there would be worries, even panic. Concerns about obsolescence were also related to potential wasted effort learning/using the changes (gaining access and operation described in 4.1), requiring claimants to revert to using the unchanged existing system, which may result in loss of data and require rework.

4.3.3 Opportunities for Future Abuse.
Participants raised concerns over risks involving misuse of claimants' information, identities, and money. Increased storage, transmission and greater access to personal data by others implied in all the scenarios sparked many concerns in connection with surveillance, fraud, financial loss, identity theft, unauthorised personal data access or use (by third parties and the State itself). Participants also speculated whether the nature of changes would enable the technology to be used against them. For example, they considered that audio and video features depicted in the Ad:Visor scenario could be used by the State to undertake greater monitoring of their lives, since it enables a remote helper to observe what a claimant is looking at using a camera. Many noted the potential of becoming more exposed to malicious actions by third parties. In the Channel:Expander scenario, for example, the increased use and forwarding of messages through other apps and communication methods could increase opportunities to receive scam messages. With the delegated access outlined in You:See, several participants were also concerned about losing money if bank account details used for the award payment were changed maliciously by someone else without permission.
Participants provided further examples of how unauthorised people might access their UC accounts, identity details, and other personal data through the features proposed in scenarios, including how these might make it easier for other "people fraudulently claiming [UC in your name]" (C56).

Impacts on UC Payments to Citizens
The nature of the existing UC Online system as a mechanism to deliver social protection payments led participants to also identify effects on this service delivery of the regular UC payments as direct harms, differentiating them from the previous findings related to gaining access to UC Online initially, sustaining access and later effects. These UC payment harms were described as more directly impacting claimants' immediate lives. For example, data from C24 describes the urgency when needing to make a UC claim and how delays might be created by errors or mistakes in information through the changes outlined in the Pre:Peer scenario, describing a series of guided physical and digital community-supported activities to prepare for making a claim for UC which is submitted at a later date (Figure 1): "I'm very concerned about [Pre:Peer], because if there is a mistake, it's really troublesome. All the people who can apply [for UC] are in a hurry and need money."
Participants noted how anything new that might hinder communication could lead to further processing delays, or mistakes which take time to address, and therefore may interrupt payments, which occur on a fixed schedule e.g., "it's going to make me miss out" (C15). Possible payment delays, changes in payment regularity and payments being stopped were mentioned by participants, across all scenarios. Participants considered that if interruptions occur during the application stage "people would [be] left without any support and would not get the UC" (C30). Separate to interruptions of payments, numerous participants had direct experience of deductions from their regular vital payments arising from UC-related sanctions, overpayments, and loans, and were wary of any changes that might lead to more payment deductions. Some potential mechanisms which could lead to these effects were suggested: greater complexity could result in some people infringing commitments leading to financial sanctions being imposed e.g., "because of the sanctions, it's best to keep things simple" (C27); increased messaging leading to some important ones being ignored or overlooked (as explored in Channel:Expander); and more involvement of other parties (in Ad:Visor and You:See) resulting in claimants missing important instructions. Finally, a number of accompanying effects caused by payment interruptions and deductions were mentioned by participants. Given the precarity of claimants' situations, people are "short of money" (C24), "struggle to make ends meet" (C29) and risk "further hardship" (C66). The scenarios led participants to reflect about the lives of other claimants, describing how many people are already worried about money and getting into debt. They noted that anything having an adverse impact on the regular payments will affect clearing household bills and other financial commitments.
The potential severity of this was foregrounded by stark warnings participants offered of the effects on claimants' families and other household members: "if someone has young kids they won't always be able to keep them safe" (C59) and "[if] it doesn't work, that could be the difference between someone eating or being evicted because their claim is delayed" (C70).

DISCUSSION
Pei and Crooks [67] wrote about the necessity of "configuring both costs and benefits together" during design to confront inequity when undertaking community research. Their work examined access to technology in person at a community literature centre in USA. We have explored this further to support responsible innovation in the different context of social protection public services in which the interactions with the State are technology-generated, being both self-service and remotely accessed. Our case study utilised a transactional digitised public service, UC Online, which provides access to payments to support living costs, and is thus a necessary and essential means of survival for the population group we engaged with, who use it pervasively. Furthermore, as the service is 'Digital by Default', citizens have little choice but to use the online system. This study provides an insight into the experiences of those who might otherwise not use such transactional systems, or even the internet, being amongst the most digitally and socially excluded. Our study's population of working-age people living with socio-economic deprivation, who are under-served and under-resourced, includes those employed, under-employed and those unable to work due to disability or long-term health conditions, rather than other studies which examined more specific groups, for example refugees, migrants and asylum seekers (e.g., [22,68]) or solely job seekers (e.g., [52,87]). A concern we had at the outset of the study was whether day-to-day use of UC Online by the participants could have led to a normalisation and acceptance of some harms that already occur through the use of the existing system, thus reducing the ability to articulate harms. Yet, the findings indicate a more critical consideration of the system. We found the use of scenarios depicting changes successfully provided a bridge [7] between the now and possible near-future design changes, and we noted how the scenarios encouraged reflection and articulation about the potential for further harms to arise. UC Online proved to be already a hostile system where multifarious harms can and do materialise, many of which can have significant adverse effects on people's lives. In contrast with prior work discussed below, our case study has explored online remote self-service access to one digitised public service in considerable detail. The approach has been used to attempt to shed light and enable claimants to enumerate all the different types of harms that can occur, bringing these together as a comprehensive categorisation, as well as providing data about the particular case study itself.

Articulated Harms in the Context of Previous Literature
In line with other studies, our participants recognised the potential for expenditure of resources such as initial startup (based on Pei and Crooks' term [67]) harms to gain access, indicating the importance of minimising the initial hurdle of design changes over and above what was already required. Unlike Pei and Crooks' exploration, in our online remote context, claimants had already gained access to UC Online but access was fragile and, notwithstanding the well-meaning nature of the changes described in the scenarios, there seemed to be a common view that any changes could make some matters worse. In comparison with other related work, our participants provided particularly broad and deep insights into further resource depletion after gaining access, should the changes be implemented. In our findings we contribute to a greater understanding of the struggles at play in "maintaining access" (defined by Ribot and Peluso [71]). Gonzales [44] had reported this "technology maintenance" with university students in USA, but our work with remote online claimants led us to divide this "maintaining access" into what we identified as two distinct types. Our bifurcation of 'maintenance', between what we term 'operation' and 'upkeep', is based on the traditional separation between procedural operations and asset maintenance (such as used in descriptions of software development lifecycles [47]). The two aspects entail quite different types of harms. The first type: operation harms occur routinely such as in UC reading and replying to messages or submitting requested information like job search activity, comprising typical normal daily usage activities and normal fixes/corrections, and, being habitual, warrant particular attention to identify them.
The second type are undertaken periodically: upkeep harms such as checking and correcting data or award-affecting decisions, and caused by the need to sustain availability of all the various system components identified in each scenario when needed for as long as intended.This second type might be put off by delaying doing them, but doing so can lead to other types of negative impacts materialising (e.g., loss of access, increased errors, future obsolescence), requiring additional consideration when balancing the harms and benefits of making changes.The findings resulting from exploring the scenarios also exposed potential claimant-to-claimant harm mechanisms.In contrast to harms arising from mismatches in understanding between the State and citizens about their lives such as described by Voida et al. [82] (who interviewed civil servants who processed online claims for a system in California, USA, rather than claimants in our study) or how some harms can be transferred from the State to the wider community such as described by Considine et al. [25]'s systemlevel bureaucracies, our study identified how harms can be similarly transferred to other claimants.These take on a support role for another claimant, like Coles-Kemp and Jensen [22]'s description of people who gain control over access to information, in a study about newcomers to Sweden.Being day-to-day activities, such claimantto-claimant support would constitute an operational harm.Yet, participants also revealed a related upkeep harm: dealing with the consequences of additional confusion and misunderstandings resulting from this wider involvement of other people.
Eubanks described a precondition test for designers [39] which prompts checking whether a given technology increases self-determination and agency of the populations who are meant to benefit from it. Notably participants in our study reported loss of agency as a harm to claimants resulting from envisaged changes to the system that would provide additional assistance to claimants (e.g., individual or community support, or even improved or diversified channels of communication). Whereas the benefits of such mediation and social support have been examined by others (e.g., food assistance outreach workers in USA by Dombrowski et al. [35]), our study of a UK online remote service has revealed the potential negative impacts to people. This included perceptions of reduced control which, especially if combined with unclear accountability for ensuring compliance with commitments, was deemed to have a particularly severe effect on claimants. In work on mobile phone access to state-provided digital services in Sweden, Coles-Kemp and Jensen [22] described a need for enabling access to benefits by "networks of people", and our study has additionally highlighted how accountability placed on the individual claimant through the digital system by the State also fails to recognise interactions with these wider ecologies of socio-technical systems. The importance of self-efficacy and agency (as in Morris et al. [62], who compared access to UC Online with semi-digitised local food banks in the UK) was noted by participants, but our participants were also concerned with losing their independence, weakening their direct interaction and thus relationship with UC, such as through some forms of additional intermediarisation. In a key point, loss of agency can lead to harms materialising completely outwith any broad boundary of the service and its ecosystem; this is like Ehsan et al. [38]'s description of how algorithmic harms, in a study about adults older than our working-age participants in an education system, can occur beyond the system. The harms we identified occur not just in wider society (e.g., as digital design marginalisation described by Sin et al. [73]) but also in other areas of people's lives. For example, effects were identified which could harm claimants' own knowledge and skill capabilities, which may be useful elsewhere in their lives (e.g., to access other unrelated e-government systems).
The temporal nature of harms also arose. While the speculative scenarios described near-future changes, participants recognised the potential for harms arising further into the future, which constituted an accrual of risk that might be neglected when only considering current harms. These possible future harms were much more extensive than commonly considered harms relating to malicious use of personal data. Participants were concerned with their own and the digital system's reputation, risking further marginalisation (as in Sin et al. [73]) of already digitally excluded groups. Concerns in this case study over potential damage to their own personal reputation in the eyes of the State may be connected to the UK's significant focus on "individual responsibility" (noted by Alston [4]) which systems like UC embody through conditionality requirements. Participants thought impacts affecting the system as a result of changes might put the cost of gaining and sustaining access to the system beyond a tolerable threshold [22,39], thus even leading other citizens to choose not to apply for the social protection payment. In our findings, there were some concerns about future obsolescence of the imagined new features and changes described in the scenarios, especially when these may have been provided by third parties rather than the State. In different circumstances, Pei and Crooks [67] had discussed obsolescence of hardware which is or becomes incapable of supporting the required activities due to slowness, lack of memory, lack of processing power or being broken, but our claimant participants highlighted how this obsolescence can also occur in software, and in data/information. This emphasises a need in RI for researchers to develop harm mitigation strategies that are sustainable and can be adapted to future changes (e.g., open integration standards, reversibility of changes, and transportability of data). The scenarios included the increased involvement of other actors, which also adds future potential harms and an increased reliance on trust, requiring, as Barros Pena et al. [9] describe in a commercial context, a move from protection to collaboration. Yet, our participants demonstrated much wider concerns of future harms than failures of trust between claimants and other non-State actors introduced by design changes to mitigate other harms. Risks of malicious abuse towards claimants included concerns over potential use of design changes in the system against them, such as other citizens attempting to defraud claimants (as explored by Heath and Coles-Kemp's [50] investigation of digital identity in essential digitised services) in contrast to the State's focus on fraud against the government [63], or State surveillance of citizens. Overall, these insights on the temporal nature of some harms contribute to a recognition of how claimants have to make a personal investment to access system changes, taking on additional risks of future harms themselves, emphasising the need to ensure harms are considered not only while maintaining a claim, but continuing after the claim award has ceased (in the case of UC, access to UC Online is immediately terminated by the State). This points to the need for harm analysis to span the whole human-centric lived experience lifecycle: before access, gaining access, during access and after access.
Finally we must recognise how some harms are particular to the policies being 'materialised' and delivered by the digitised public service examined, i.e. they are service specific. We consider these distinct from other types of harm because they impact adversely on the purpose of the policy. This is a form of digital design marginalisation (Sin et al. [73]), but in this case the particular societal issue being addressed is the public service policy. Consequential accompanying harms impact citizens' lives by the way the harms affect award payments, reducing household income. These mirror some of the effects of UC which Alston [4] described, such as increased use of food banks and other charitable support, and children perceiving joining gangs as "the only way out of destitution".

A Harms Taxonomy
Our thematic analysis sought to reveal as many different types of harms as possible, and through review and revision the final themes generated naturally described different categorisations through our attempts to understand patterns in the data. This then provides a taxonomy of citizen-centric harms. Other researchers in HCI have described harms stemming from digital access, but did not attempt to identify these comprehensively. For example Pei and Crooks [67] suggested that their "three categories of costs ... are not exhaustive but reflect what we encountered". We reviewed our own themes against prior work, by deductive thematic analysis of related findings identified in HCI literature about different socio-technical systems referred to by this paper which describe harms of various sorts (twenty papers: [8, 9, 11, 20-23, 34, 44, 51-53, 62, 67, 68, 73, 80, 82, 83, 87]). This was to identify whether other researchers had reported technology harms outside the themes and sub-themes found in our own study, which are not specific to each paper's service purpose. This review helped to choose labels and to draft more general descriptors of the categories. This review also indicated the taxonomy is general enough to encompass these other studies' findings. For example, applying the taxonomy to Coles-Kemp and Jensen's paper [22]: newcomers having to "keep up" with technology developments to gain initial digital access in the context of resettlement is a startup harm in our taxonomy; newcomers keeping on top of various apps to manage their resettlements or helping a family member are examples of operation harms; newcomers revealing information is a reputation harm; and becoming dependent on someone for knowledge and guidance is an independence harm. As another example, applying the taxonomy to Pei and Crooks [67], we have already noted how some of the types of harms in our analysis match Pei and Crooks' startup and maintenance types. Whereas Pei and Crooks separated out "affective" harms (e.g., feelings of distraction, addiction) from their "startup and maintenance", we have included these within our own operation category since they materialise "day-to-day" in use. From these applications of our taxonomy we have concluded that in addition to the knowledge presented about our specific case study, there is a potential for use of the harm themes by other researchers, leading us to provide these as a more general taxonomy of harms (Table 3). Our proposed taxonomy successfully spans the types of harms revealed by prior work, while recognising, and drawing attention to, how some harms are specific to the purpose of a particular system, in our case an income supporting policy being delivered as a self-service digitised social protection payment public service.
HCI researchers can use the taxonomy to guide their design choices such that benefits outweigh harms, taking into account the full service delivery ecosystem, including temporally before and after access. While we believe our taxonomy is comprehensive, it does not negate the need for discovering rich data about the particular harms of each sub-category that may arise in each system, and system specific harms, with the involvement of the users affected. Additionally, we believe our taxonomy will be useful to guide researchers to develop speculative scenarios and to use the categories and sub-categories as a frame [13] for deductive thematic analysis of harm data.

Limitations, wider impacts and future work
Our study explored the potential for harms to affect low-resourced individuals in poverty through an examination of design changes. We have identified two key limitations. Firstly we conducted this research on a single UK e-government system used by working-age adults, albeit one used by millions of UK citizens, and future work should examine similar systems in other jurisdictions, as well as other digitally-delivered e-government services and low-resource populations. Secondly the findings have highlighted a need to understand how to account for potential future harms, when undertaking an evaluation of harms and benefits. The authors are also currently using the output from this paper's study to co-design and trial with claimants a prototype citizen-centric low-harm design change which better acknowledges claimants' wider support networks to use and benefit from UC Online. The authors are also aware these techniques could be used, contrary to our aims, to identify ways to impose harms on people on purpose, say for commercial gain or for political reasons to penalise a particular community.

Service Specific: Inherently related to the policy intent of the particular service, and accompanying consequential effects on individuals/communities, when the intent is reduced, delayed or not achieved

CONCLUSION
We successfully engaged with a group of socio-economically deprived citizens to understand the harms affecting them in an existing e-government social protection payment system and ideas that might ameliorate these. Using these ideas we developed four speculative scenarios depicting future changes, spanning a range of design changes to the digital system: synchronous and asynchronous individual remote support, community support, and methods of communication. These were used to define speculative scenarios to engage again with a larger group to understand how harms arise, flow and accumulate as the result of these small changes. Our participants articulated immediate harms, including harms occurring from loss of agency relating to loss of control, independence and capability, but also highlighted the need to account for prospective harms related to reputation, obsolescence and abuse, together with a recognition of harms specific to the delivered public service. This method provided a deep understanding of potential near future harms, contributing to a much better understanding of the capabilities of a system to cause harms, how these are connected to wider ecologies of socio-technical systems, and insights into the design of such e-government systems to avoid these harms. We developed a taxonomy of harms for use by other researchers to contribute to the analysis of harms and responsible innovation.

Figure 1: Three-page definition of the Pre:Peer scenario

Figure 2: Three-page definition of the Channel:Expander scenario

Figure 3: Three-page definition of the You:See scenario

Figure 5: Comparison of interview and survey participants' a) Characteristics; and b) Age profiles

Table 1: Descriptions of the four speculative design changes to the system
1. Creating log-in details and getting the required information is not always easy and errors lead to delays.
2. The sooner a claim for Universal Credit can be made when needed, the sooner the first payment will be.
3. Identity verification has to be undertaken again from scratch with each new Universal Credit claim.

Table 2: Comparison of interview and survey participants' demographics and UC experience

Table 3: Taxonomy of harms
Startup: The initial resources required to gain access over and above the existing harms, including financial, skills, knowledge, time and effort
Operation: Resources required to undertake day-to-day normal use, including time and effort of doing clerical tasks, keeping track, providing support to others, and related physical/mental harms
Upkeep: Periodic use of resources to maintain the effectiveness, efficiency and accuracy, including data, software and hardware maintenance, correcting errors and fixing breakdown and damage
Control: Disempowerment of an individual due to involvement of other people, organisations and systems, including reduced or complete loss of influence, inability to dictate direction or behaviour, and changes to accountability
Independence: Becoming dependent, reliant, disconnected, side-lined or disengaged by the introduction of other people, organisations and technology into the system
Capability: Loss of existing knowledge and skill capabilities, loss of trust, loss of self-efficacy, and reduced or removal of opportunities to learn/develop new capabilities, now or in the future
Reputation: Damage to an individual as perceived by other citizens and as perceived by the state and other parties, and reputation of the systems where this would affect other individuals/communities
Obsolescence: Deterioration and failure, for example due to others' lack of maintenance, insufficient resources, damage, deprecation or retirement; also effort wasted if threshold to gain access is not achieved
Abuse: Misuse of citizen information, identities and money, including surveillance, fraud, financial loss, identity theft, unauthorised personal data access or use by third parties and the state itself