All tags /
Secure messaging, file sharing, email, and more are resistant to third-party surveillance. We take a human-centered approach to evaluate threat models and forms of surveillance
Our research on New Yorkers’ use of mobile messaging offers actionable insights into how to design secure communication tools for a mass audience.
People who think about computer security for a living sometimes cringe when they read about the subject in the popular press. Security is a complex and nuanced topic, and it’s easy to make assertions that don’t hold up to careful scrutiny. One basic-but-unintuitive principle is that security is not a binary property: in the absence of other context, it’s hard to definitively say that a particular system or piece of software is “secure” or “insecure”.
This list of questions about the security features of software can help UX professionals collaborate with security experts.
Web browsers are utility software; they are designed to work for all people. Not only must their features meet the needs of average members of a population, they must also work for people with special needs. As Firefox says on its mobile accessibility features page, the browser has been "designed to meet the needs of the broadest population possible," but "sometimes that is not enough." In particular, software that is built for everyone can too often leave people with specific security or privacy needs at risk.
With support from the Open Technology Fund Secure Usability and Accessibility Lab, UX Designers, User Researchers, Digital Security Trainers and OSS tool builders gathered at RightsCon 2023 for the Human Rights Centered Design convening. We held critical discussions about the challenges and opportunities that sharing user insights could bring to how OSS tools for human rights needs are built in ways that are more context sensitive and specific, and share these insights here
Most of the time, honest conversations about sensitive topics happen between people who have known each other a long time, who've worked together, who've built up a foundation of trust. They don't happen when some unknown people cold-email you and ask to make a one-hour appointment with you – right?
Doing data handling with privacy and security in mind means spending some time to identify different threats, culminating in a threat model, and coming up with strategies that fit the particular threat model. We’ve compiled some best practices for both risk assessment and security strategies.
Building trustworthy technology requires more than technical expertise. Interaction design, service design, brand strategy, and writing are needed.
Web browsers are utility software; they are designed to work for all people. Not only must their features meet the needs of average members of a population, they must also work for people with special needs. As Firefox says on its mobile accessibility features page, the browser has been "designed to meet the needs of the broadest population possible," but "sometimes that is not enough." In particular, software that is built for everyone can too often leave people with specific security or privacy needs at risk.
This list of questions about the security features of software can help UX professionals collaborate with security experts.
Building great software requires understanding what users want and need. If you’re building privacy-preserving software, this includes understanding the privacy threats that your users face. One of the participants in Ame’s NYC study. When Ame set out to talk to people in the New York City neighborhoods of Brownsville and Harlem about their experiences with mobile messaging, she wanted to amplify voices that are frequently underrepresented in the software community.
On Monday I had the pleasure of speaking at a Workshop on Cryptographic Agility and Interoperability held at the National Academies by the Forum on Cyber Resilience. The assembled group of academics, policy-makers, and practitioners touched on a variety of problems around the practical application of cryptography in production software. The main focus was on the challenges and benefits associated with cryptosystems that can be updated or swapped out over time (and thus exhibit “agility”).
This look at UX design decisions from WhatsApp’s 2016 end-to-end encryption update shares lessons for designers and developers.
Messaging with friends and colleagues is rewarding – but sharing contact information is awkward. Many people want to preserve their privacy by carefully controlling who gets their contact information, and choose not to broadcast their email address or phone number via a public Facebook or Twitter profile. Instead, they choose to strategically share their contact info. It's awkward to navigate the social and UX challenges in this sharing. Looking at how WeChat and LinkedIn handle this problem exposes two different kinds of awkwardness: mechanics of sharing and social agreement about what permissions you get as a result.
Our research on New Yorkers’ use of mobile messaging offers actionable insights into how to design secure communication tools for a mass audience.
Recent attacks by Daesh in Turkey, Egypt, Lebanon, and Paris have fanned the flames of an ongoing debate about software that is resistant to surveillance. It seems that some participants in that debate are trying to use these attacks as an excuse to drum up fear around end-to-end encryption. They argue that these events tell us that the general citizenry shouldn’t have access to strong privacy-preserving tools. A lot of people are saying a lot of smart things on the subject, but I want to briefly outline a couple ways in which this call for limiting encryption is problematic.
We prefer to use open-source software as a matter of principle. We believe that putting software code in the open is the best way for the public to build trust in it. You might find it curious, then, that we choose to foster communication and community through a tool like Slack, which is closed-source. (Note: you can request to join our Slack channel by sending a request to slack@simplysecure.org.) Many software teams that build privacy-preserving tools host similar spaces dedicated to communication with volunteers and users.
Thinking of design as not only a product but a process can help complex products stay secure as they evolve.
Researchers who want to evaluate software interfaces have a number of tools at their disposal. One option for identifying obvious and significant problems is an expert review, which is often used to catch low-hanging fruit before performing any kind of user testing. Expert reviews employ usability heuristics, which systematically explore potential problems with a piece of software by applying patterns for good design. With some guidance from UX-research veteran Susan Farrell, we recently performed expert reviews of a few open source tools for encrypting communications.
Last week I went to the SOUPS conference in Ottawa. As a first-time attendee, it was a good opportunity to connect with some members of the academic usable-security community. One of the highlights was keynote speaker Valerie Steeves. Steeves, sharing findings from her Young Canadians in a Wired World research, reported results of an in-depth study of 5,436 Canadians in Grades 4-11. Based on a survey and in-person discussions, she shared sobering findings that kids’ expectations of online privacy are not being met.