Designing Meaningful Security and Privacy Experiences (Part II)

Larissa

[This is the second of a two-part post from Mozilla’s User Experience team on their look at privacy and security. You can view the first post here.]

Usability and security/privacy often seem to be at odds in the product creation process; designers are wary of these features because they fear interruptions to the user’s flow, while security/privacy advocates believe that the user isn’t safe when we oversimplify or strip down the protections and warnings they want to put in place.

Part of the tension stems from a shared assumption that our users don’t care about security or privacy. We can certainly marshal evidence to support this claim: for example, most users thoughtlessly click through alarming messages, use passwords that are insecure, and don’t hesitate to share personal information online. But, after various opportunities to engage with people through research and workshops, I believe that “user apathy” isn’t the conclusion we should draw from these behaviors.

The desire to feel/be safe is a fundamental quality of being human. But when it comes to technology, most people feel that they have so little control over their security and privacy, that, in the words of someone I interviewed, they ” just cross [their] fingers and hope nothing bad will happen.” New cyber-threats seem to emerge every day, each more ominous and abstract, until it becomes impossible for the average user to know how to reliably protect against them. Besides, people feel powerless in an ecosystem where companies routinely ask them to hand over their personal information in exchange for services. Maybe most importantly, most security and privacy choices that users are presented with are overwhelming and complex, dealing the final blow to a user’s sense of agency. (Additional insights from my Mozcamp Asia workshop.)

Mozcamp-Asia-Workshop

Participants at a security and privacy workshop at Mozcamp Singapore share “postcards” with Mozilla, telling us how we can help improve our user experience

Ultimately, I believe people need to two things to engage meaningfully with security and privacy; they must find trustworthy entities that help them feel safe online, and they must have true control over their choices.

To address these intertwined needs in our products, I came up with the following four imperatives — user experience requirements that must be met for a product to be successful:

  1. Earn and Keep My Trust
  2. Respect My Time and Task
  3. Help Me Make a Thoughtful Decision
  4. Offer Control Without Harming Me

(You can learn more about each of these imperatives from my brownbag.)

These imperatives are already shaping our design and user messaging in projects such as the Mixed Content Block and Click-to-Play Plugins (in a coming design). They’ve also helped me frame strategic discussions on various Firefox OS and Firefox features, such as App Permissions and Firefox Health Report. I hope they will continue to bridge the relationship between user experience and security/privacy, not only at Mozilla but in other organizations.

I started working on this framework for “meaningful security and privacy” to show that usability and security/privacy are necessary co-requisites to creating a good product.

When a product is truly secure, people have a better experience because they can use it confidently without fear or suspicion. When security choices are conveyed in a usable manner, people feel safer because they understand the consequences of their actions.

Security and privacy are deeply-held principles within Mozilla, and we often apply them from a policy or feature standpoint. I hope these design imperatives show that we can make an even greater impact on the Web by consciously incorporating them into our user experience.

This content reposted from the inaugural edition of the Mozilla UX Quarterly.