[tor-project] Security slider usability testing results

Arthur D. Edelstein arthuredelstein at gmail.com
Tue Mar 14 20:31:43 UTC 2017 

Part of the problem I think is it's really a safety/usability tradeoff
slider. So high safety is low usability and vice versa.

Not sure how to best express the tradeoff succinctly. Maybe there's a
metaphor -- motorcycle, car, tank?

On Tue, Mar 14, 2017 at 12:10 PM Linda Naeun Lee <linda at torproject.org>
wrote:

> On 2017-03-13 16:13, Carolin Zöbelein wrote:
> > Hi,
> >
> > I also want to add some points :).
> >
> > 1. "Safer", "Safest" sounds really strange form me. Already this words
> > suggest "There is no much difference between us". For me, if I read
> > this, I have not really an idea what I can expect. But that's me :)
> > You need names which sounds more differently.
>
> I agree with you, but may argue that it's more descriptive than  "low,
> medium, and high."
> >
> > 2. I can understand that it's not clear what is the different between
> > "Safer" and "Safest" in the explanations. If people don't know what
> > HTTPS is (and a lot of people don't understand it, sadly), they don't
> > understand the difference between the two options.
> > And if people have no idea "how the internet works" or better "how the
> > content of a website works", they, of course, also don't understand the
> > difference of the other items of the explanations.
> > => They have no idea what they are doing if they change between "Safer"
> > and "Safest". But "Safest" sounds "super secure" so it has to be
> > something for paranoid people :)
>
> Nice to hear one person's opinion. We'll definitely look into making the
> copy better. But we think it's an improvement from the old one and will
> go ahead with it with the intent to redo it later.
>
> > I do not really know how you can make it better.
> > Perhaps with a very simply and small example between the two options.
> > Something which can be explained in a short sentence or whatever (e.g.
> > a small icon/image/symbol/animation/.gif etc., people like visual
> > illustrations :).
> > Like: If you choose option A and you visit a site which uses B (e.g.
> > java script) this C could happened
>
> I think an explanation and a visual are great ideas!
>
> > 3. What means "Standard"?
> > The first impression, only after reading the word "standard":
> > TorBrowser=Firefox?
>
> People were worried that "low" was the default setting, and asking why
> the default security level for a browser was "low." So we decided to
> switch it to standard, something, something else.
>
> > The second, after reading the explanation: What kind of features are
> > enabled? What does that mean? Is it secure, now? Yes or no?
> >
> > The word "features" is very nebulous. In particular if I read the item:
> > Orfox + features enabled = sounds secure
> > website + features enable = sounds insecure
> > => Sounds inconsistent. "I'm confused!"
>
> Agreed, but we were writing to a general audience that wouldn't
> understand more details than that. The point of the text is to
> communicate just enough information to make a setting decision, not to
> educate people. I'll make sure this isn't confusing or distracting,
> though.
>
> Thanks for the feedback!
>
> > Bye,
> > Carolin
> >
> > Am Freitag, den 10.03.2017, 10:40 -0600 schrieb Linda Naeun Lee:
> >> On 2017-03-09 17:26, Paul Syverson wrote:
> >> > Interesting, apologies if this is
> >> > trivial/already-considered-and-bad/etc
> >>
> >> No apologies! Thank you for your feedback.
> >>
> >> > How about settings with names something like
> >> > Mostly Harmless
> >> > Basic
> >> > Minimal
> >>
> >> We did iterate through the copy, but this is appreciated since the
> >> feedback says we should probably look into things more.
> >>
> >> I like your suggestions because they don't associate safety with the
> >> settings (which isn't false, but it's not something that we can
> >> guarantee people). The more correct thing might be to tell them
> >> about
> >> the reduced functionality, with a hint to the fact that these
> >> measures
> >> might protect you.
> >>
> >> Avoiding negative things (like things stop working and users don't
> >> know
> >> why) are much much much more important than including positive thing
> >> (like making them feel proactive about their security). The former
> >> loses
> >> users, the latter is a temporary high at best.
> >>
> >> > This avoids the direct statement of comparison in the name, so
> >> > might
> >> > preclude people avoiding a safer setting they might otherwise
> >> > choose
> >> > 'cause it sounds too paranoid. but still shold be clear what order
> >> > they're in.
> >>
> >> I agree. I actually like the progression of standard > something >
> >> basic. But that's only my opinion; don't know how users would feel.
> >>
> >> > (I was going to suggest "Safe" for the highest one, but cringe at
> >> > ever
> >> > actually saying that simpliciter. Plus I'm a big Douglas Adams
> >> > fan. Actually I was also going to suggest "Undici" because, like
> >> > Starbucks, we could name our largest size with the same big number
> >> > regardless of whether that still corresponds to any units---except
> >> > we've got security that goes to _eleven_. OK tired. Need to go
> >> > home.)
> >>
> >> Hmm! This inspires me to work on the copy again. Thanks!
> >>
> >> Cheers,
> >> Linda
> >>
> >> > aloha,
> >> > Paul
> >> >
> >> >
> >> > On Thu, Mar 09, 2017 at 04:57:54PM -0600, Linda Naeun Lee wrote:
> >> > > Hi all:
> >> > >
> >> > > The results of the security slider usability testing is here:
> >> > > https://docs.google.com/document/d/1Wr4e9OftQaIyvU-p2pN9JcdLsOAl9
> >> > > Z87hg4XWW8O4uk/edit?usp=sharing
> >> > >
> >> > > In short, users seemed to choose the setting that would be right
> >> > > for
> >> > > them,
> >> > > functionality wise, even if they didn’t have good security
> >> > > understanding or
> >> > > mild misconceptions. UI should account for multiple ways of
> >> > > interaction.
> >> > >
> >> > > Some people said interesting things. Highlights include:
> >> > > -(the "safest" setting has bad connotations) P12: “I’m not sure,
> >> > > I
> >> > > don’t
> >> > > think I’ll be doing anything that would require that amount of
> >> > > safety.
> >> > > *giggles*”
> >> > > -(people making emotional decisions)P13: “I would probably choose
> >> > > the
> >> > > “safe”
> >> > > setting, there's the potential for more content being blocked on
> >> > > the
> >> > > safest
> >> > > setting, and I'm the kind of dum-dum who's willing to take my
> >> > > chances.”
> >> > > -(not understanding on-the-wire vs machine security defenses)
> >> > > P14: “I
> >> > > would
> >> > > choose the standard setting- I’m just going off of the experience
> >> > > I’ve
> >> > > had
> >> > > on the website I currently visit. I have Norton and feel like
> >> > > that
> >> > > keeps my
> >> > > computer pretty safe.”
> >> > >
> >> > > Cheers,
> >> > > Linda
> >> > >
> >> > > P.S.:  I've been working on a more understandable security slider
> >> > > for
> >> > > a
> >> > > couple months now; documentation here:
> >> > > https://trac.torproject.org/projects/tor/wiki/doc/UX/OrfoxSecurit
> >> > > ySlider
> >> > >
> >> > > --
> >> > > Current Key: https://pgp.mit.edu/pks/lookup?search=lindanaeunlee
> >> > > GPG Fingerprint: FA0A C9BE 2881 B347 9F4F C0D7 BE70 F826 5ED2
> >> > > 8FA2
> >> > > _______________________________________________
> >> > > tor-project mailing list
> >> > > tor-project at lists.torproject.org
> >> > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
> >> > >
> >>
> >>
>
> --
> Current Key: https://pgp.mit.edu/pks/lookup?search=lindanaeunlee
> GPG Fingerprint: FA0A C9BE 2881 B347 9F4F C0D7 BE70 F826 5ED2 8FA2
> _______________________________________________
> tor-project mailing list
> tor-project at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-project/attachments/20170314/76869443/attachment-0001.html>

More information about the tor-project mailing list