Designing for security and privacy

Agenda Tests Tests Project questions? Project questions? Design lecture Design lecture Assignments Assignments

What next? So you know usability is important… So you know usability is important… And many systems lack usability… And many systems lack usability… So, how do you create a good one? So, how do you create a good one? Its hard! Its hard! –But we can certainly do better than we are doing now!

Design Understand current practices and needs Understand current practices and needs Follow heuristics and guidelines Follow heuristics and guidelines Avoid pitfalls Avoid pitfalls Prototype, evaluate, and iterate Prototype, evaluate, and iterate

Mental Model reminder Users conception of what the software is doing should match with what the software actually does. Users conception of what the software is doing should match with what the software actually does. Interface What user thinks is happening What is really happening

Designation vs. Admonition Security by designation Security by designation –When a user designates an action, take appropriate security related actions Security by admonition Security by admonition –Provide notifications that the user looks at and takes appropriate action from –Display a warning when the user tries to do something dangerous Question: when could we use designation today? When can we not use designation?

General usability guidelines Affordances Affordances Visibility Visibility Mapping Mapping Feedback Feedback Constraints Constraints Error prevention Error prevention Error recovery Error recovery Aesthetics & minimalist design Aesthetics & minimalist design Consistency Consistency Flexibility Flexibility

Yee guidelines (Ch. 13) Match the most comfortable way to do tasks with the least granting of authority Match the most comfortable way to do tasks with the least granting of authority Grant authority to others in accordance with user actions indicating consent Grant authority to others in accordance with user actions indicating consent Offer the user ways to reduce others’ authority Offer the user ways to reduce others’ authority Maintain awareness of others’ authority Maintain awareness of others’ authority Maintain accurate awareness of user’s own authority Maintain accurate awareness of user’s own authority Protect user’s channels to agents that manipulate authority Protect user’s channels to agents that manipulate authority Enable user to express safe security policies in terms that fit the task Enable user to express safe security policies in terms that fit the task Draw distinctions among objects and actions along boundaries relevant to the task Draw distinctions among objects and actions along boundaries relevant to the task Present objects using distinguishable, truthful appearances Present objects using distinguishable, truthful appearances Indicate consequences of decisions Indicate consequences of decisions How do these relate to general usability guidelines?

Trust Design Guidelines 1. Ensure good ease of use. 2. Use attractive design. 3. Create a professional image – avoid spelling mistakes and other simple errors. 4. Don’t mix advertising and content – avoid sales pitches and banner advertisements. 5. Convey a “real-world” look and feel – for example, with use of high- quality photographs of real places and people. 6. Maximize the consistency, familiarity, or predictability of an interaction both in terms of process and visually. 7. Include seals of approval such as TRUSTe. 8. Provide explanations, justifying the advice or information given. 9. Include independent peer evaluation such as references from past and current users and independent message boards. 10. Provide clearly stated security and privacy statements, and also rights to compensation and returns. 11. Include alternative views, including good links to independent sites with the same business area. 12. Include background information such as indicators of expertise and patterns of past performance. 13. Clearly assign responsibilities (to the vendor and the customer). 14. Ensure that communication remains open and responsive, and offer order tracking or an alternative means of getting in touch. 15. Offer a personalized service that takes account of each client’s needs and preferences and reflects its social identity.

Web bloopers 2. Confusing classifications. Content categories seem arbitrary or nonsensical. 4.Conflicting content. Information in different parts of site disagrees. 5.Outdated content. Content on site is out-of-date, but not clearly marked as archival. 6. Missing or useless content. Information users need to accomplish goals is missing. 9.Requiring unneeded data. Making users provide non-essential information. 10.Pointless choice. Offering or requiring meaningless choices. 19.Lost in space: Current page not indicated. Page doesn’t clearly show where user is. 30.Mysterious controls. Operation of controls is unclear due to poor labeling, poor layout, or uniqueness of controls. 31.Baffling search controls. Search options require knowledge of computer or industry-insider concepts. 41.Too much text. Overly-verbose instructions, messages, or link-labels. 47.Typos and grammos: Sloppy writing. Failing to check and fix text before going live. Jeff Johnson, …also GUI Bloopers

Privacy Pitfalls Understanding Privacy Implications Understanding Privacy Implications –Obscuring potential information flow (1) –Obscuring actual information flow (2) Socially Meaningful Action Socially Meaningful Action –Emphasizing configuration over action (3) –Lacking coarse-grained control (4) –Inhibiting established practice (5) Any others you want to suggest? Can privacy-insensitive systems still be successful?

Example: Faces Specify who can see what and when Specify who can see what and when Mobile interface for in-situ feedback Mobile interface for in-situ feedback Design activities: Design activities: –Literature review –Interviewed 12 local residents, surveyed 130 people –Iterated through series of low-fidelity prototypes Findings: Findings: –Primary determinant of privacy preferences is who (inquirer) –disclosure situation is also important

Faces cont. Different disclosure preferences for different inquirers Different disclosure preferences for different inquirers Optionally add situation parameter Optionally add situation parameter Each disclosure preference can be associated with a face Each disclosure preference can be associated with a face “If this inquirer wants info when I’m in this situation, show her this face” “If this inquirer wants info when I’m in this situation, show her this face”

Problems with Faces What pitfalls did this violate? What pitfalls did this violate? Which ones did it avoid? Which ones did it avoid? So what was critical failure? So what was critical failure? Why didn’t they figure this out earlier? Why didn’t they figure this out earlier?

Chameleon Evolved through prototyping Evolved through prototyping What is good about the design? What is good about the design? What is potentially problematic? What is potentially problematic?

Your assignment Designs Designs –What were the problems? General usability or specific to security or privacy? –How did you come up with solution? Which is your favorite? Which is your favorite?