Security and User Experience
29 Jan 2008A post entitled SmugMug's Private Pics Are Public caught my eye yesterday. The news doesn't sound too surprising, since these types of security problems aren't at all uncommon, but Don (SmugMug's CEO) is a friend of mine, and I know he takes security very seriously. (He's also fairly proactive about research; he and his team independently discovered CSRF a few years ago, without realizing it was a known problem.)
The author of the post makes a revealing comment in the opening paragraph:
I've failed to convince the site makers this vulnerability is worth fixing.
This sounds like code for:
I've failed to determine whether this is really a security problem.
Blatant attempts to bias me (the reader) usually make me question the legitimacy of the argument instead. But, I read a lot of blogs, so I'm used to a certain amount of embellishment and distortion, particularly when someone is trying to get attention. (Read anything about PDO lately?)
The heart of the issue is a distinction between privacy and security, which Don mentions in his response:
Your private photos are still private. Your secure photos are still secure. Note that there is a difference; this is an important distinction.
He also offers an incentive for those who wish to help test and improve SmugMug's security:
I’ll give $1,000 USD to anyone who can get a copy of this photo.
I think Don does have a problem, and although it might not be a security problem, it's at least as important. The author of the original post is focusing on a single option, where a user can set public to Yes or No. Immediately beside this option is an explanation:
Show this gallery on your home page?
Despite this explanation, the author believes that choosing No does much more than omit the gallery from his home page. He assumes that it prevents any unauthorized access, despite a separate option for password-protecting a gallery. (I don't fault him for this at all, thus why I think Don has a problem.)
This is a user experience problem. SmugMug lets users fine-tune their privacy and security settings, but these settings are provided as booleans, so each one can seem very absolute, particularly when using labels like public. It also requires users to use a common and very precise vocabulary regarding privacy and security, where any misunderstanding can result in undesired behavior.
I asked Jon about this, since he's a user experience guru, and he guessed that the data model was driving the interface. This seems likely, but coming up with a simple way to define a particular combination of privacy and security settings can be challenging, especially when there are so many.
Apple's Airport Utility includes an option to create a closed network, which means to join the network, a user must know the name of the network.
I usually rely on Apple to set the standard for user experience, but I'm not particularly impressed with their interface either. Doesn't it seem possible that a user might expect a closed network to be truly closed in the same way that a user might expect a private gallery to be truly private?
Knowing Don, he's already hard at work trying to come up with a better way to present these settings. Here's hoping we can all take a moment to consider how important user experience is the next time we're developing a security feature.