About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


Security and User Experience

A post entitled SmugMug's Private Pics Are Public caught my eye yesterday. The news doesn't sound too surprising, since these types of security problems aren't at all uncommon, but Don (SmugMug's CEO) is a friend of mine, and I know he takes security very seriously. (He's also fairly proactive about research; he and his team independently discovered CSRF a few years ago, without realizing it was a known problem.)

The author of the post makes a revealing comment in the opening paragraph:

I've failed to convince the site makers this vulnerability is worth fixing.

This sounds like code for:

I've failed to determine whether this is really a security problem.

Blatant attempts to bias me (the reader) usually make me question the legitimacy of the argument instead. But, I read a lot of blogs, so I'm used to a certain amount of embellishment and distortion, particularly when someone is trying to get attention. (Read anything about PDO lately?)

The heart of the issue is a distinction between privacy and security, which Don mentions in his response:

Your private photos are still private. Your secure photos are still secure. Note that there is a difference; this is an important distinction.

He also offers an incentive for those who wish to help test and improve SmugMug's security:

I’ll give $1,000 USD to anyone who can get a copy of this photo.

I think Don does have a problem, and although it might not be a security problem, it's at least as important. The author of the original post is focusing on a single option, where a user can set public to Yes or No. Immediately beside this option is an explanation:

Show this gallery on your home page?

Despite this explanation, the author believes that choosing No does much more than omit the gallery from his home page. He assumes that it prevents any unauthorized access, despite a separate option for password-protecting a gallery. (I don't fault him for this at all, which is exactly why I think Don has a problem.)

This is a user experience problem. SmugMug lets users fine-tune their privacy and security settings, but these settings are provided as booleans, so each one can seem very absolute, particularly when using labels like public. It also requires users to use a common and very precise vocabulary regarding privacy and security, where any misunderstanding can result in undesired behavior.

I asked Jon about this, since he's a user experience guru, and he guessed that the data model was driving the interface. This seems likely, but coming up with a simple way to define a particular combination of privacy and security settings can be challenging, especially when there are so many.

Apple's Airport Utility includes an option to create a closed network, which means that to join the network, a user must already know its name.

I usually rely on Apple to set the standard for user experience, but I'm not particularly impressed with their interface either. Doesn't it seem possible that a user might expect a closed network to be truly closed in the same way that a user might expect a private gallery to be truly private?

Knowing Don, he's already hard at work trying to come up with a better way to present these settings. Here's hoping we can all take a moment to consider how important user experience is the next time we're developing a security feature.

About this post

Security and User Experience was posted on Tue, 29 Jan 2008.

7 comments

1. steve said:

Public should mean "anyone can view this," and private should mean "no one but myself (or people I permit) can view this." I know this not only because I am familiar with the definitions of the words themselves, but I am also a web user as well, and this is what these words have come to mean on websites, particularly social networking sites and their profiles.

What you are missing here is that this IS a security issue. SmugMug is misleading users (unintentionally, of course) with their user interface. If there are a sizable number of users who think they can protect sensitive data from prying eyes with a click of a button, but in reality, the data is still available to anybody, then that is a security issue. Protecting your users' sensitive data, whether it be personal photos, videos, contacts, source code, etc., is one of the most important areas for websites to focus security on.

Tue, 29 Jan 2008 at 23:41:16 GMT Link


2. Mikael said:

Wow, I rarely comment on blogs but you Chris should know better. This is clearly a problem. Generating a random key when a gallery is created and putting it in the URI is simple:

/gallery/ID-KEY/

/gallery/123456-D4K21ADBE/

The URI is just as easy to copy, paste and share but it is not predictable.

I know they can't change this overnight but saying it's not a problem is just dumb.

Wed, 30 Jan 2008 at 09:22:48 GMT Link


3. Chris Shiflett said:

Steve, I agree with you, especially regarding how private has a particular meaning to most users.

I'm not sure I would consider SmugMug's problem a security problem, but I am trying to focus on what I feel is a more important point. If we focus on whether to label this a security problem, we might miss the root cause of the problem, user experience.

Mikael, your tone suggests that you think you passionately disagree with me, but you fail to substantiate that in any way. In fact, the only substance in your argument is that there is a problem, but to my knowledge, no one involved in this discussion has suggested otherwise.

Take care not to make vacuous, obvious statements in order to support a contrarian tone. You should know better. :-)

Wed, 30 Jan 2008 at 19:30:12 GMT Link


4. till said:

The security issue he describes is about the general ability to iterate over IDs of pictures (in urls) - and by this way discovering private photos.

Now I could be wrong, but I think that is exactly why Flickr has a distinct hash on each picture which even "depends" on the picture's size.

I don't see how you can make it a user experience thing, when this clearly doesn't work as advertised. I'm sorry for Smugmug, but it sounds like their "system" has a fundamental flaw in it. So instead of changing labels around, maybe someone should help them fix it. :)

Mon, 04 Feb 2008 at 14:13:08 GMT Link
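As an added illustration of the scheme Mikael proposes above (a random key in the gallery path) and of why it defeats the ID iteration till describes, the following Python sketch is not SmugMug's code or any commenter's. It keeps the sequential id but requires a 128-bit random key to resolve a gallery, and the "public" flag only controls home-page listing; the in-memory store and the exact path format are assumptions.

```python
import hmac
import re
import secrets

# Constructed in-memory store (assumption): gallery id -> (key, is_public)
_GALLERIES = {}
_NEXT_ID = 123456  # sequential ids, as in the comment's example path

_KEYED_PATH = re.compile(r"^/gallery/(\d+)-([A-Za-z0-9_-]+)/$")


def create_gallery(public: bool) -> str:
    """Create a gallery and return its shareable path, /gallery/ID-KEY/.

    The id stays sequential (cheap, sortable); the key is 128 random bits,
    so knowing one path gives no way to derive a neighbour's path.
    """
    global _NEXT_ID
    gallery_id = str(_NEXT_ID)
    _NEXT_ID += 1
    key = secrets.token_urlsafe(16)  # 16 random bytes, URL-safe base64
    _GALLERIES[gallery_id] = (key, public)
    return f"/gallery/{gallery_id}-{key}/"


def resolve(path: str):
    """Return the gallery id if the path carries a valid id/key pair, else None.

    A bare /gallery/ID/ never resolves, whatever the public flag says:
    "public" only decides whether the gallery is listed on the home page.
    """
    match = _KEYED_PATH.match(path)
    if match is None:
        return None
    gallery_id, presented_key = match.group(1), match.group(2)
    entry = _GALLERIES.get(gallery_id)
    if entry is None:
        return None
    # Constant-time comparison so response timing does not leak key prefixes.
    if not hmac.compare_digest(entry[0].encode(), presented_key.encode()):
        return None
    return gallery_id


def home_page_listing() -> list:
    """Ids of galleries the owner chose to show on the home page."""
    return [gid for gid, (_, public) in _GALLERIES.items() if public]
```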


5. Jon Tan said:

In principle, Chris' analysis is right. It's important to separate the UX issue from the outright security ones. Leaving URLs, and other possible development flaws aside, the issue that initially emerged here is one of user experience, or user expectations.

The definitions of security and privacy as Don has described are not necessarily congruent with the understanding of users. Add to that what seems like a genuine desire to give users finely granulated control over their content, and what you end up with is a degree of confusion. If that confusion leads to users choosing privacy/security settings that they didn't intend, it is a UX issue.

Without delving further into the checks and balances within the interface, it's impossible to say how secure the user experience is. However, even with the extra form labels, there is obviously an issue of clarity, and perhaps one of decision validation. User testing would provide empirical evidence of any flaws, and allow better design decisions. If the finely granulated settings need to persist, then my recommendation would be revisiting a user centered design process as well as fixing the entirely separate programmatic security problems, if they exist.

If nothing else, this example serves to demonstrate that user experience design is critical to security when users gate keep their own content.

Tue, 05 Feb 2008 at 15:13:22 GMT Link


6. Blair Keen said:

I agree with Jon - "user experience design is critical to security" especially when that security hinges on the Users' ability to correctly interpret language and apply this understanding to their personal security settings.

I wonder if their design team actually did any Usability/User Experience testing at all, and whether any confusion arose which was ignored? Pretty easy problem to overcome these days with the advent of tooltips?!

Thankfully, knowing how to communicate effectively with your visitors using language that avoids security mishaps has been largely embraced by the design community over the 3 years since Stephen posted this article.

Is Facebook a good example of good user experience design with its privacy settings?

Sat, 12 Mar 2011 at 10:18:31 GMT Link

