Ease of Use Trumps Security Every Time
In my recent entry The Buzzkill of Google Buzz, I described how Google used their popular free email program, Gmail, to populate and spread an attempt at building a new social network overnight called “Google Buzz.” They did this by automatically adding people to your network from your contacts list (which is automatically built from anyone you email regularly).
The problem was that this exposed your contacts to one another, initially including even their email addresses (which you didn’t realize nor intend when you agreed to Google Buzz that first day it launched). And Google never asked your permission to add these people to your Buzz network.
It also shared your Google Reader documents, apparently. (I don’t use Google Reader, so I wasn’t aware of this component of the privacy invasion until later. Which only goes to show you how the complexity of Google’s network of interconnected services can come back to haunt you later on, in ways you never imagined.)
This creates all sorts of privacy problems not just for professionals, but for ordinary folks too. Imagine a new boyfriend learning that you correspond with someone from “aa.org.” Information you were going to share in due time, but now suddenly exposed.
In the comments to that post, an interesting discussion ensued which I encourage you to read. It lays out all of the problems with what happened, the ramifications, and why professionals should never rely on a free email service for any kind of professional activity.
It got me wondering why people flock to free email services like Hotmail, Yahoo mail and Gmail, when they almost always have an email account provided by their Internet service provider that is likely less susceptible to these kinds of issues.
I can sum it up in three words — ease of use.
Humans inherently will take the path of least resistance when it comes to getting tasks done. If the goal is the same and the risks are nearly always hypothetical, I suspect that people will opt for the easier manner to get to the goal, rather than the more complicated, yet less risky method.
People use free webmail services because they are easy to use and widely accessible. While traveling in Europe, I found webmail far more accessible and easier at the multitude of Internet cafes than trying to get out my own laptop, boot it up, access my email program, only to find the cafe is blocking a port in its firewall needed to get to my email. While I’m certain there are workarounds or other options I can explore, how much more time and effort will I have to expend researching and implementing them? In a foreign country. While on vacation. I spent an hour the other week troubleshooting a Mac/email connection problem for a user that should’ve worked, but just wasn’t. An hour. It may not seem like that much to you, but you add up enough of those hours working on such issues throughout your lifetime for hundreds of users (as I have), and it starts to take its toll. (It also clearly demonstrates that setting up email accounts through email programs isn’t always as easy as it should be.)
Meanwhile, Gmail (or Hotmail or Yahoo mail) is beckoning to me and is literally one click away. Its SSL connection makes me feel even safer (although it may have little actual impact on my Internet safety). People use these kinds of services so much because they’re dead simple and accessible almost anywhere at any time. And of course, they’re free.
Human factors research is the exploration of how people interact with the world around them, usually centered on technology or their environment. There are two especially good chapters (Dontamsetti & Narayanan, 2009; West et al., 2009) that anyone who designs technology systems that people interact with should read. These chapters describe why people make poor security decisions in specific scenarios. I would argue that humans are not intrinsically security-minded when it comes to information. It is something we have to be taught and learn (sometimes through an excruciating trial-and-error process).
This has ramifications for system designers and product managers. You’re not just designing a new information product. You’re designing a product or system that will be used by people in a wide range of casual uses and professions under dozens of use-case scenarios. People love your free product, but with such heavy use comes some basic responsibility to not take advantage of (or in marketing-speak, “leverage”) the relationship with your users.
But I suspect smart companies like Google know all of this. As a commenter insightfully pointed out, the reason they specifically rolled out Google Buzz in the manner they did was likely to instantly turn on a social network that could compete with Facebook. Google sacrificed a little user trust on the altar of product marketing. Even after their mea culpa changes, everyone who logged in that first day had to specifically opt out and undo all of the automatic following Google had already created. Even now, the introduction to Buzz emphasizes the sharing nature of the service and requires watching a video to understand the details of the service.
It’s only when you design a product that has both ease of use and security that you get the best of both worlds. Services like Hushmail or s-mail are worth checking out, as they offer web-based email in a more secure environment (that yes, you may have to pay for). (But be aware, even these services can still share your email with government agencies with a subpoena.) Take nothing for granted in the online world. If Microsoft, Google or some other large company decided to purchase one of these services, their security could be compromised in an instant, faster than you can say, “product marketing.”
Ease of use is a powerful feature, and one often overlooked as the reason behind people’s security choices. It’s not going away anytime soon, either. The two are not mutually exclusive, but their occurrence together cannot place a burden upon the user, or else people will simply fall back upon their old reliable, and less secure, standby — free webmail.
For more on this topic from a therapist’s perspective: Google Buzz Alarms a Psychotherapist
Dontamsetti, M. & Narayanan, A. (2009). Impact of the human element on information security. In: Social and human elements of information security: Emerging trends and countermeasures. Gupta, Manish (Ed.); Sharman, Raj (Ed.); Hershey, PA, US: Information Science Reference/IGI Global, 27-42.
West, R., Mayhorn, C., Hardee, J., & Mendel, J. (2009). The weakest link: A psychological perspective on why users make poor security decisions. In: Social and human elements of information security: Emerging trends and countermeasures. Gupta, Manish (Ed.); Sharman, Raj (Ed.); Hershey, PA, US: Information Science Reference/IGI Global, 43-60.
Grohol, J. (2010). Ease of Use Trumps Security Every Time. Psych Central. Retrieved on May 28, 2015, from http://psychcentral.com/blog/archives/2010/02/20/ease-of-use-trumps-security-every-time/