[This is the first of a two-part post from Mozilla's User Experience Research team on their look at privacy and security.]
Mozilla’s User Experience Research team recently connected with the Identity team for Project Hydra. Project Hydra is an exploratory research project in which we interviewed participants in their homes to better understand what Identity means to them – both “offline” and online, and how these concepts overlap.
For people like Sara,* online security and privacy are lingering worries she never actually gets around to doing something about:
“I really should start doing it [passwords] differently. It’s just the frustrating factor. If I start using random digits and numbers [all the time], then I’d have to totally rely on one spreadsheet… I try and keep everything in my head as much as I possibly can.”
In fact, we learned through a series of interviews that for “mainstream” users like Sara, topics of privacy and security are uncomfortable and often actively ignored in daily life. In addition, users compartmentalize security and privacy, detaching them from how they view themselves and their activities online.
This has big implications for Mozilla. For one, security and privacy are not differentiators in most users’ minds because they are focused elsewhere. Users have strong opinions about wanting to be safe, but pointedly addressing the issue with them brings up strong negative emotions. As Ben Adida, Director of Identity at Mozilla, puts it, “Security is extremely important, but it is not the selling point.”
So how do we help users be safe but remain positive? Project Hydra addressed several ways we could do so after deep analysis and synthesis of the qualitative data.
- Online security is confusing (even among experts)! Start with baby steps instead of trying to tackle the entire problem at once. Fit good security and privacy practices in to users’ current tasks versus asking them to learn and negotiate complex technical jargon or alter the task they are on. Persona, Mozilla’s identity system for the web, is a good example of this.
- Users feel helpless. They feel security breaches are going to happen no matter what they do. If and when they decide to act, recognize the vulnerable emotions that come up when thinking about security and privacy. In the heat of the interaction, choosing user-centered language and design principles to reinforce Mozilla will help them to be safe (versus feeling even more confused or scared). Larissa Co on our User Experience team has some great examples of this with her work on “Meaningful Security and Privacy,” which will be explored in the second post.
- Security and privacy are abstract concepts. How do I know I am safe? Users cannot manage what they cannot see. Visualize and synthesize online behavior by developing systems that can analyze, connect, and anticipate activity. The possibility here is users can then holistically approach security and privacy needs versus via a piecemeal approach. Collusion is an example of how Mozilla is helping users to visualize their own behavior online.
- Cell phones make people feel particularly vulnerable. Users are more afraid and take more actions to physically protect their cell phones than other devices. Because people feel their mobile phone requires better security, focusing here may set expectations for higher security on other devices.
Mozilla’s Manifesto is being updated to say, “Individuals’ security and privacy on the Internet are fundamental and cannot be treated as optional.” To make this statement a reality and create outstanding products, it’s vital we understand security and privacy from an individual user’s perspective.
*named changed for confidentiality; participants consented to use of their words and photos