User Experience Is Critical

User experience is often overlooked when it comes to security and privacy. This leads to some confusing, dangerous, and challenging situations that users are forced into. Why?!?

Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning everybody. How are you doing today? I hope your week is off to a fantastic start. Now, let's see if you can follow the bouncing ball because today's topic may seem a little out there, but I swear it makes sense. So stick with me. So this weekend, I was uh trying to relax, but I was also kind of bubbling around an idea in my head and I was working on a video about Fortnite now, not a security privacy video.

Basically an old people guide to being decent at Fortnite. So you don't look totally uh good, totally embarrassed and owned in the game. Um Trust me, it makes sense. That will be coming out later because it was just fun to make. Um But while I was doing that, I was doing some research obviously and this ties back to a tech column I did in the summer around parent helping parents understand what Fortnite is.

Um And all these YouTubers that I'm seeing, these Twitch streamers, they're all using the PC version of Fortnite. And that got me thinking, well, wait a minute, I'm playing on a console with a controller and am I at a disadvantage here because the controls are very different.

The user experience is different. The literal space is very different than having, you know, flat map everything you need to remember the the logistical point of the buttons that got me thinking about Twitter, right? Remember I said, follow the bouncing ball that got me thinking about Twitter where I've dramatically declined, like have seen my usage of Twitter decline significantly over the last little while.

And that's because of the API changes made in August where my preferred uh Twitter client, which was Tweetbot on the Mac and on my iOS devices, is no longer really effective because it's always behind the screen. API is gone. So if I want to stay up to date on things, especially at events where you know, that real time kind of feed is really important.

I have to use the Twitter client and you know, spoiler alert, the main Twitter official client sucks, especially compared to Tweetbot. So my usage has declined. Then I got thinking about LinkedIn and went well, LinkedIn is a huge platform. I'm getting massive engagement on LinkedIn, but I don't use it nearly as much again because the interface is really clunky.

User experience is really, really poor, which brought me back around. I told you bouncing ball to security and privacy. So as part of my keynote for Seor earlier in the month and I'll re link that out here. One of the things I called it was passwords, right.

So we always blame users about passwords even though we gave them horrible guidance for years and years and years. But a prime example of misunderstanding of users of risk around passwords comes down to when you're typing in a password, you get that sort of asterisk or ball or star obscured, you can't see what you're typing.

There's a reason for that if you know the reason you make a lot more intelligent decisions around when you implement this design pattern. So the reason for that is to prevent shoulder surfing, if somebody was over my shoulder, looking at my device as I'm typing everything in or as I'm tapping in the password and that obscuring it prevents somebody from physically viewing it.

That's why it's there. Ok. So whole like, oh, you can't paste into password boxes. No, you should be able to copy out of them, paste into them 100% should be fine, obscuring them. Makes sense if you've got that risk of shoulder surfing, which is why Amazon implemented part of this part of this pattern where they let you check a box to see your password.

They should actually have a warning there to say, hey, check your shoulder to make sure nobody is looking or a video camera to looking to continue protect your password. But that's just one of a multitude of examples of where security and privacy is an extremely poor user experience.

And it's leading to really poor security outcomes. Facebook is another great example and I know we talk about Facebook way too much, but Facebook has a ridiculously granular and nuanced permission system and then I can set up this stream only to go to one person, right?

And I can only allow one person to see this stream. In fact, I do that relatively often for family concerns. If grandparents can't make it to something I can stream it directly just to them. And that's a nice security lockdown, but it's really tricky to use and it's not intuitive at all.

And you know, Facebook as well, we've tried to simplify it. But what they've done is put in their bias as a platform to get people to share more publicly as opposed to in the way they want. And that user experience is impacting the privacy of those users.

And we see it all the time in security and not to knock my own employer. But part of a larger challenge, anti malware is a great example. Anti malware should have almost no interface for the users because any time you prompt them, what are they going to do about it?

Is there enough information? Is there enough context for a user to take action in the event of a malware alert? Now, a security team? Absolutely, they have a different set of requirements. But if I'm just an average user typing on my machine and a malware alert comes up and says, hey, we quarantine this.

Do I really need to know unless you can link that back to a behavior to try to impact change down the line? Similar with user account control on Windows as well as on Mac. When they ask for elevated privileges, they just pop up and say give me elevated privileges.

You need to be an admin to do this to, to do what what application is trying to gain elevated privilege. And did I as the user initiate that application launch? Um It's a lack of context and I think, you know, where I got from this, from Fortnite to Twitter to LinkedIn, Facebook, to security in general is that user experience is an absolutely critical part of security and privacy and it's horrendously understaffed and underappreciated at this and it's leading some real significant consequences and it's an area where we need to refocus, we need to ensure that we have strong user experience and user experience versus user interface.

By the way, interface is what we kind of tap or type into or use user experience is. So to not start to finish, what is the experience of a user finding out about the product getting onto the product using it all the way to closing down your accounts in the future and things like that.

So it's the entire experience of dealing with that technology and that's where the focus needs to be. The interface is a small, small piece of that. So this is an area that's underappreciated in security and privacy. But I think it's absolutely critical because we're trying to convey extremely complicated and nuanced decisions and concepts to users.

And we're doing them a disservice by not giving them the tools they need and not giving, presenting it in a manner that lets them make those decisions. So something to think about today, how do you handle user experience? Do you have user experience, developers on your team?

Do you consult with user experience experts? Do you even know about user experience as a discipline? How do you think it impacts your security, your privacy? Let me know online at Mark and C for those of you on the blogs in the comments down below.

And as always by email me at Mark N dot ca, hope you're set up for a fantastic Monday. I hope to talk to you online today throughout the week and see you on the show tomorrow. Have a good one.
