{"id":547,"date":"2018-06-01T00:00:48","date_gmt":"2018-06-01T04:00:48","guid":{"rendered":"https:\/\/design.ncsu.edu\/andso\/?p=547"},"modified":"2019-05-31T11:57:42","modified_gmt":"2019-05-31T15:57:42","slug":"protect-the-user-designing-for-security","status":"publish","type":"post","link":"https:\/\/academics.design.ncsu.edu\/andso\/2018\/06\/01\/protect-the-user-designing-for-security\/","title":{"rendered":"Protect the User: Designing for Security"},"content":{"rendered":"<h6>By Jessye Holmgren-Sidell<\/h6>\n<p class=\"pull-right\">As designers, we have, and should embrace, the powerful opportunity to construct customizable interfaces that help restrict government access and restore user autonomy.<\/p>\n<p><span class=\"dropcap\">\u201cWe<\/span><span style=\"font-weight: 400;\"> are all activists now,\u201d says cybersecurity counsel Jennifer Granick in her 2017 TED Talk. \u201cAnd that means we all have something to worry about from surveillance.\u201d She goes on to explain, in detail, how the American government collects our online data \u201ceasily, cheaply, and without warrant\u201d (Granick, 2017). In 2013, Edward Snowden exposed thousands of classified NSA documents detailing the surveillance measures used on United States citizens.<\/span> As designers, we have, and should embrace, the powerful opportunity to construct customizable interfaces that help restrict government access and restore user autonomy.<span style=\"font-weight: 400;\"> And yet, there is still little protection in place to stop data collection from happening through digital platforms. 
To incorporate surveillance protection in the current User Experience (UX) design process, we must design for user safety rather than just efficiency, change the frequently hostile language and imagery we use to represent security, and communicate directly with security experts.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The US government acquires our data through online services and mobile applications like Facebook, Amazon, LinkedIn, and Google. What is not so apparent is that users often willingly provide access to that information. Ame Elliott, Design Director for nonprofit security organization Simply Secure, explains that UX designers create interfaces that utilize \u201cthe path of least resistance\u201d (Elliott, 2018). LinkedIn, for example, asks new members to share their address book with just a simple click; it is far easier to hit the large \u201cshare\u201d button than find the (much less apparent) \u201cX\u201d to skip that part of the registration. \u201cThe truth is people have no interest in using applications or websites,\u201d says UX expert Paul Boag. \u201cThey are tools for a goal. [Users] want to use your website or application for the smallest amount of time\u201d (Boag, 2016). In many cases, the path of least resistance forces users to reveal personal information. And the consequences can be disastrous.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">There is no guarantee how companies will utilize or protect collected data and that uncertainty threatens user safety. In some cases, they pair shared information with machine learning to tailor experiences. LinkedIn generates specific job postings and suggested connections for members; Facebook\u2019s algorithm caters ads and news to users based on recorded interests; Amazon utilizes user search history to better recommend products for its customers. 
In all of these cases, machine learning improves or, at least, streamlines user experience.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In March of 2018, however, <\/span><i><span style=\"font-weight: 400;\">The New York Times<\/span><\/i><span style=\"font-weight: 400;\"> and <\/span><i><span style=\"font-weight: 400;\">The Guardian<\/span><\/i><span style=\"font-weight: 400;\"> revealed that Cambridge Analytica \u201caccessed data of about 50 million Facebook users\u201d (McKinnon, 2018). Researcher Aleksandr Kogan designed a personality-quiz app for the social media platform that asked users for access to their profile pages. He then sent that recorded data to Cambridge Analytica to make 30 million voter targeting profiles. Facebook maintains the quiz breached none of their systems, but journalist Robinson Meyer explains, \u201cIt\u2019s almost like Facebook was a local public library lending out massive hard drives of music, but warned people not to copy any of it to their home computer\u201d (Meyer, 2018). A warning is not encrypted protection. Social media asks users to share parts of their lives online, but with the understanding that users control who views those shared moments. By following the path of least resistance and allowing a supposedly harmless quiz to access their profiles, millions of people involuntarily compromised their data. Facebook allows security measures to be outweighed by streamlined user experience.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Before designing for the path of least resistance, we should understand that path\u2019s real purpose. LinkedIn requests users to share their address books to help connect them with employers and opportunities, but LinkedIn is also a service that needs members. By sending out invitations to everyone in a user\u2019s address book, it reaches potential new clients who will have to register on the platform to accept the invitation. We also need to recognize what the path is bypassing. 
Users share their entire address books to avoid individually selecting who can view their profiles. That would be tedious and time consuming. In doing so, however, they give up control and lose autonomy over the process. Finally, we must consider the path\u2019s consequences. These can range from users inundating everyone they know with LinkedIn friend requests to giving a \u201cvoter-profiling company\u201d the data needed to target them during an upcoming election. With these considerations in mind, we can re-configure the path of least resistance to incorporate user safety, even if that just means making the \u201cX\u201d out option bigger.<\/span><\/p>\n<p class=\"pull-left\">Online security iconography and verbiage focuses so much on keeping threats out, that it forgets to let users in.<\/p>\n<p><span style=\"font-weight: 400;\">Security services frequently use negative language and imagery to represent their products. Ame Elliott calls this practice \u201cthe language of no\u201d and maintains that it deters potential users from installing protective software (Elliott, 2018). Cybersecurity company Symantec, for example, offers defense methods that \u201cProtect against tomorrow\u2019s attack\u201d and \u201cSharpen your responses after an attack and prevent the next one.\u201d The website\u2019s aggressive tone implies that users are responsible for security attacks because they were not \u201csharp\u201d enough to recognize obvious threats to the system. Proficio, another cybersecurity service, represents incident response with a cross-hairs icon; the US Department of Homeland Security uses a picture of a lock to link to its cybersecurity overview page. These graphics attempt to scare clients into secure behavior\u2014do not open that link, do not download that file, or attack is imminent. 
<\/span>Online security iconography and verbiage focuses so much on keeping threats out, that it forgets to let users in.<\/p>\n<p><span style=\"font-weight: 400;\">We can change the \u201clanguage of no\u201d to the \u201clanguage of yes.\u201d \u201cYou don\u2019t need to be a cryptographer to work in security\u2026You don\u2019t need to be technical,\u201d says Elliott (2018). Indeed, designers are integral to the cybersecurity field because it seems so technical and unapproachable. And just because security involves technology does not mean our designs have to be technical or cryptic. We have the opportunity to help create products and services that encourage users to secure their data without resorting to scare tactics. TunnelBear, for instance, is a virtual private network that uses fun and friendly imagery to explain its functionalities. Images show the mascot, a cartoon bear, physically blocking users\u2019 faces to protect them from online surveillance. \u201cBrowse privately with a bear,\u201d the website reads. \u201cIt\u2019s easy to enjoy a more open Internet.\u201d The language is humorous, with no mention of \u201cattacks\u201d or \u201cthreats\u201d to the system. TunnelBear makes security approachable and inviting, a practice we can and should utilize more frequently.<\/span><\/p>\n<p class=\"pull-right\">Our expertise and research can help prevent security experts from making assumptions about users\u2019 behaviors.<\/p>\n<p><span style=\"font-weight: 400;\">In order to make cybersecurity understandable, however, we must first communicate directly with security experts. According to Sara \u201cScout\u201d Sinclair Brody, the Executive Director of Simply Secure, \u201cNeither security nor usability are binary properties. There\u2019s a lot of grey area when it comes to whether something is secure or insecure\u201d (Sinclair Brody, 2016). 
She explains that security experts ask, \u201cIs this the most secure solution possible?\u201d while designers ask, \u201cIs this secure enough for my user, while not being restrictive?\u201d (Sinclair Brody, 2016). It is, therefore, critical that we know how security experts are incorporating users and their needs into product development. As designers, we conduct interviews to understand how users want to move through an interface and then create personas. <\/span>Our expertise and research can help prevent security experts from making assumptions about users\u2019 behaviors.<\/p>\n<p><span style=\"font-weight: 400;\">Likewise, security experts can help make our solutions \u201cas secure as possible\u201d to ensure that we protect the users for whom we are designing. We need to understand security jargon to properly translate that information for non-expert consumers. We should be asking security experts questions to facilitate collaboration between our two fields. Sinclair Brody (2016) explains that designers must know to which security threats our shared project is most vulnerable and how its software will protect against those threats. We can then consider how users put themselves at risk and design personas that reflect those specific actions. This has already been put into practice by security and usability designer Gus Andrews, who created personas with a range of privacy concerns and potentially risky behaviors. He intended for them to \u201ccommunicate user needs\u201d to security experts in the terms those experts provided (Andrews, 2015). 
By utilizing personas like Andrews\u2019s and continuing conversations with security experts, our designs will keep users secure without restricting their experience or following the path of least resistance.<\/span><\/p>\n<p class=\"pull-left\">We can avoid creating for the path of least resistance by determining the path\u2019s real purpose, what it is bypassing, and the full extent of its consequences.<\/p>\n<p><span style=\"font-weight: 400;\">As the US government continues to collect citizens\u2019 data without warrant\u2014as LinkedIn uses the path of least resistance to remove autonomy, as Facebook \u201cquizzes\u201d convey data to voter-profiling companies without permission\u2014we must integrate surveillance protection in our user experience designs. <\/span>We can avoid creating for the path of least resistance by determining the path\u2019s real purpose, what it is bypassing, and the full extent of its consequences.<span style=\"font-weight: 400;\"> Additionally, we can improve users\u2019 relationships with cybersecurity services by incorporating positive language and imagery, while also communicating directly with security experts on joint projects. In implementing these changes, we will create a safer, more pleasant online environment for users, thereby optimizing users\u2019 experiences. Designers not only have the opportunity to alter the way people perceive cybersecurity, but the responsibility to invest our user-centric methods in protecting the public from surveillance.<\/span><\/p>\n<div class=\"grey-box\"><a href=\"https:\/\/www.jessye.org\/\" target=\"_blank\" rel=\"noopener noreferrer\"><u>Jessye Holmgren-Sidell<\/u><\/a><span style=\"font-weight: 400;\"> is a Master of Graphic Design Candidate at North Carolina State University. She\u2019s interested in inclusive design and its impact on design research methods. She also enjoys book making.<\/span><\/div>\n<p><b>References<\/b><\/p>\n<p><span style=\"font-weight: 400;\">Andrews, G. 
(2015, April 14). User Personas for Privacy and Security. Retrieved from <\/span><a href=\"https:\/\/medium.com\/@gusandrews\/user-personas-for-privacy-and-security-a8b35ae5a63b\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/medium.com\/@gusandrews\/user-personas-for-privacy-and-security-a8b35ae5a63b<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Boag, P. (2017, July 19). Users always choose the path of least resistance. Retrieved from <\/span><a href=\"https:\/\/boagworld.com\/marketing\/users-will-always-choose-the-easiest-option-so-if-we-want-a-competitive-advantage-we-must-focus-on-simplicity\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/boagworld.com\/marketing\/users-will-always-choose-the-easiest-option-so-if-we-want-a-competitive-advantage-we-must-focus-on-simplicity\/<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Elliott, A. (2017, February 28). <\/span><i><span style=\"font-weight: 400;\">Pre-Work Talk Berlin 02\/2017 &#8211; Designing for Trust.<\/span><\/i><span style=\"font-weight: 400;\"> Retrieved <\/span><span style=\"font-weight: 400;\">from <\/span><a href=\"https:\/\/www.youtube.com\/watch?v=lOt_mc9FRDg&amp;list=PLgKQebNo0trgNxpfvAF2u6KkybOeJju8l&amp;index=5\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/www.youtube.com\/watch?v=lOt_mc9FRDg&amp;list=PLgKQebNo0trgNxpfvAF2u6KkybOeJju8l&amp;index=5<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Granick, J. (2017, April). How the US Government Spies on People Who Protest &#8211; Including <\/span><span style=\"font-weight: 400;\">You. <\/span><i><span style=\"font-weight: 400;\">TED. 
<\/span><\/i><span style=\"font-weight: 400;\">Retrieved from <\/span><a href=\"https:\/\/www.ted.com\/talks\/jennifer_granick_how_the_us_government_spies_on_people_who_protest_including_you\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/www.ted.com\/talks\/jennifer_granick_how_the_us_government_spies_on_people_who_protest_including_you<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Meyer, R. (2018, March 20). The Cambridge Analytica Scandal, in 3 Paragraphs. <\/span><i><span style=\"font-weight: 400;\">The Atlantic. <\/span><\/i><span style=\"font-weight: 400;\">Retrieved from <\/span><a href=\"https:\/\/www.theatlantic.com\/technology\/archive\/2018\/03\/the-cambridge-analytica-scandal-in-three-paragraphs\/556046\/\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/www.theatlantic.com\/technology\/archive\/2018\/03\/the-cambridge-analytica-scandal-in-three-paragraphs\/556046\/<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">McKinnon, J. D. (2018, March 20). FTC Probing Facebook Over Data Use by Cambridge <\/span><span style=\"font-weight: 400;\">Analytica. <\/span><i><span style=\"font-weight: 400;\">The Wall Street Journal. <\/span><\/i><span style=\"font-weight: 400;\">Retrieved from <\/span><a href=\"https:\/\/www.wsj.com\/articles\/ftc-probing-facebook-over-data-use-by-cambridge-analytica-1521561803\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/www.wsj.com\/articles\/ftc-probing-facebook-over-data-use-by-cambridge-analytica-1521561803<\/span><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Sinclair Brody, S. (2016, July 5). Talking Across The Divide: Designing For More Than &#8220;It&#8217;s <\/span><span style=\"font-weight: 400;\">Secure&#8221;. 
Retrieved from <\/span><a href=\"https:\/\/simplysecure.org\/blog\/talking-across-divide\" target=\"_blank\" rel=\"noopener noreferrer\"><span style=\"font-weight: 400;\">https:\/\/simplysecure.org\/blog\/talking-across-divide<\/span><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>by Jessye Holmgren-Sidell<\/br><br \/>\nWe are all activists now,\u201d says cybersecurity counsel Jennifer Granick in her 2017 TED Talk.<\/p>\n","protected":false},"author":20,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[33],"tags":[36],"class_list":["post-547","post","type-post","status-publish","format-standard","hentry","category-certainlyuncertain","tag-mgd-19"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8I7oW-8P","jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/posts\/547","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/comments?post=547"}],"
version-history":[{"count":39,"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/posts\/547\/revisions"}],"predecessor-version":[{"id":2585,"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/posts\/547\/revisions\/2585"}],"wp:attachment":[{"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/media?parent=547"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/categories?post=547"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/academics.design.ncsu.edu\/andso\/wp-json\/wp\/v2\/tags?post=547"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}