Usable Web Privacy and Security
Lorrie Cranor from Carnegie Mellon University gave the afternoon keynote on “Usable Web Privacy and Security”.
One approach is to make security invisible. Another is to make it understandable, or to train the users. The user should probably only be asked to intervene when they have information that the software developer does not have, and when they are asked, they should get a question they can answer, not a dilemma they cannot resolve.
An interesting proposal was to rely entirely on the “if you have forgotten your password, give us your email address and we will send it to you” mechanism, and simply to assume that users will have forgotten their password, especially for sites they visit rarely. In effect, access to the email account becomes the credential.
Lorrie made some very pointed remarks and had great examples showing how unintuitive and overly subtle many of the symbols and metaphors for security are: “why do you sign email with a key rather than a pen”? For most users, “spam” and “cookie” are empty words that do not signal any danger: are you afraid of cookies?!
Overall, she seemed very much on target with her comments about making sure that people can actually use security features and tools.