The power of UX design to protect people's privacy. Examples of better basics + new frontiers for security. Given at O'Reilly Design Conference Jan 2016.

1. UX for Security:
Power of Design
Ame Elliott
@ameellio
#oreillydesign
January 22, 2016

2. I’m Ame Elliott
from Simply Secure
@ameellio
Hello.

3. DESIGNERS DEVELOPERS RESEARCHERS USERS

4. Security’s got to be
easy and intuitive
or it won’t work

5. Everyone should be
able to communicate
securely and privately

6. Everyone should be
able to communicate
securely and privately

7. Everyone should be
able to communicate
securely and privately

8. Everyone should be
able to communicate
securely and privately

9. UX for Security: The Power of Design
Introduction
Why Privacy Matters
Building Better Basics
Exploring New Frontiers
Conclusion
@ameellio #oreillydesign

10. Your online
behavior is
monitored
Image: Kajart Studio’s Tor Browser explanation
http://www.kajart.com/portfolio/tor-project-educational-animation-english/

11. Combined
with your
offline
movements
and activities,
your behavior
is tracked Image: Kajart Studio’s Tor Browser explanation
http://www.kajart.com/portfolio/tor-project-educational-animation-english/

12. Corporations and
governments watch our
behavior
http://www.kajart.com/portfolio/tor-
project-educational-animation-english/

13. Adults “agree” or “strongly
agree” that we should be
concerned about the
government’s monitoring of
phone calls and internet
communications.
http://www.pewinternet.org/2014/11/12/public-privacy-perceptions/
Adults “agree” or “strongly
agree” that consumers have lost
control over how personal
information is collected and
used by companies
91% 80%

14. Mike Monteiro, “How
Designers Destroyed the
World” by Webstock ‘13
https://vimeo.com/68470326

15. 80 million people effected by the Anthem hack, 10s of millions of children
http://www.nbcnews.com/business/personal-finance/millions-children-exposed-id-theft-through-anthem-breach-n308116
After a data breach, people
have longer lifespans than
identity theft companies

16. https://www.schneier.com/blog/archives/2015/02/samsung_televis.html
http://motherboard.vice.com/read/looking-up-symptoms-online-these-companies-are-collecting-your-data
http://www.theregister.co.uk/2015/10/19/bods_brew_ikettle_20_hack_plot_vulnerable_london_pots/
Just don’t talk in front of
your TV, look up health
info, or drink tea

17. Let’s make the
internet better

18. | +---+ +---+
| | H |--->| I |
| +---+ +---+
+---+ ^
| G | / +---+ +---+ +---+
+---+ / | F |--->| H |--->| I |
^ / +---+ +---+ +---+
/ ^
/ /
+---+ +---+ +---+ +---+ +---+
| F | | G |--->| I |--->| H | | M |
+---+ +---+ +---+ +---+ +---+
^ ^ ^
| / |
+------+ +-----------+ +------+ +---+
| TA W |<------| Bridge CA |-------->| TA X |-->| L |
+------+ +-----------+ +------+ +---+
/ ^
v v v
+------+ +------+ +---+ +---+
| TA Y | | TA Z | | J | | N |
+------+ +------+ +---+ +---+
/ /
v v v v v v
+---+ +---+ +---+ +---+ +---+ +----+
| A | | C | | O | | P | | K | | EE |
+---+ +---+ +---+ +---+ +---+ +----+
/ / /
v v v v v v v
+---+ +---+ +---+ +---+ +---+ +---+ +---+
| B | | C | | A | | B | | Q | | R | | S |
+---+ +---+ +---+ +---+ +---+ +---+ +---+
/
v v v v v v v
| +---+ +---+
| ^
| /
| /
+------+ +-----------+ +------+ +---+ +---+
| TA W |<----->| Bridge CA |<------>| TA X |-->| L |-->| M |
+------+ +-----------+ +------+ +---+ +---+
^ ^
/
/
v v v v
+------+ +------+ +---+ +---+
| TA Y | | TA Z | | J | | N |
+------+ +------+ +---+ +---+
/ / | |
/ / | |
/ / v v
v v v v +---+ +----+
+---+ +---+ +---+ +---+ | K | | EE |
| A |<--->| C | | O | | P | +---+ +----+
+---+ +---+ +---+ +---+
/ /
/ /
/ v v v
v v +---+ +---+ +---+
+---+ | Q | | R | | S |
| B | +---+ +---+ +---+
+---+ |
/ |
/ |
v v v
+---+ +---+ +---+
| E | | D | | T |
+---+ +---+ +---+
Figure 9 - Four Bridged PKIs
You don’t need to be a
cryptographer to work in
security

19. You do need to be
human-centered &
empathetic

20. https://www.flickr.com/photos/christopherbrown/10135180454
Be a systems thinker,
finding the gaps in service
design

21. The key UX challenge for
privacy & security is
appropriate complexity

22. PGP Keys: https://www.usenix.org/legacy/events/sec99/full_papers/whitten/whitten_html/pgp5.gif
Enigmail images: https://www.enigmail.net/documentation/keyman.php
PGP email encryption
exposes complexity

23. https://itunes.apple.com/us/app/signal-private-messenger/id874139669
Signal from Open
Whisper Systems hide
complexity

24. UX for Security: The Power of Design
Introduction
Why Privacy Matters
Building Better Basics
Exploring New Frontiers
Conclusion
@ameellio #oreillydesign

25. M-Lab: Improving
network monitoring &
threat detection
http://www.measurementlab.net/visualizations

26. How might we …
help more people
understand systems
& threats?

27. Conveying
trustworthiness:
More than lock icons
http://dangrover.com/blog/2014/12/01/chinese-mobile-app-ui-trends.html

28. How might we …
convey more nuanced
messaging status with a
limited visual vocabulary?

29. Ashley Madison: Leaky
sign-in
http://www.troyhunt.com/2015/07/your-affairs-were-never-discrete-ashley.html

30. How might we …
treat login as an experience
flow, not copywriting?

31. Designing for behavior
change: always accept,
always ignore
http://www.securityforrealpeople.com/2014/10/the-high-price-of-free-wifi-your-eldest.ht

32. How might we …
motivate behavior
change to more secure
behaviors?

33. Instead of scolding error
messages, Slack uses
humor to build trust

34. How might we …
create actionable alerts
that increase feelings of
confidence?

35. UX for Security: The Power of Design
Introduction
Why Privacy Matters
Building Better Basics
Exploring New Frontiers
Conclusion
@ameellio #oreillydesign

36. 36
http://www.theregister.co.uk/2015/10/19/bods_brew_ikettle_20_hack_plot_vulnerable_london_pots/
iKettle hack proves wifi
vulnerability #IoT
#securityfail

37. How might we …
empower product
designers to make good
security decisions?

38. 38
Profile management off
the screen: Netflix vs Nest
https://www.flickr.com/photos/nest/6264860345/

39. How might we …
help people understand
when their profile data is
being accessed?

40. https://www.google.com/landing/2step/

41. Opportunity: Two-factor
authentication (2FA)
https://www.turnon2fa.com/

42. Mind the gaps between
apps & between apps &
operating system

43. How might we …
create smooth
seams between apps ?

44. UX for Security: The Power of Design
Introduction
Why Privacy Matters
Building Better Basics
Exploring New Frontiers
Conclusion
@ameellio #oreillydesign

45. Let’s make the
internet better

46. Privacy matters

47. Build better basics
http://www.troyhunt.com/2015/07/your-affairs-were-never-discrete-ashley.html

48. Explore new frontiers

49. How might we …
create smooth
seams between
experiences?

50. Get involved with Simply Secure
Follow @simplysecureorg on Twitter
Email slack@simplysecure.org to request access to our Slack
(UX, security, privacy)
Share your work
Become a peer reviewer or mentor: 2-3 hours a month
@ameellio

51. Thank You
Ame Elliott
@ameellio
ame@simplysecure.org