End to End Trust and the Trust User Experience
Thursday April 23, 2009
Jeffrey Friedberg
In his recent blog post, Scott Charney described End to End Trust, a vision for a safer, more trusted Internet. Core to the proposal of End to End Trust is the creation of a “trusted stack,” where security is rooted in hardware and where each element in the stack (hardware, software, data and people) can be authenticated in appropriate circumstances. An important portion of the trusted stack is where the user interfaces with the system which requires special consideration. It’s where the user must make key trust decisions like: “Is this really my bank site? Should I install this software? Should I share my sensitive data?”
Currently, the trust user experience (TUX) that is presented can be confusing to some users. For example, they may be perplexed by the guidance provided or unfamiliar with the semantics of the security indicators. Many just click through these critical check points without fully understanding the implications.
TUX vision and scope
Many consumers are uncomfortable having to make the trust decisions that are put in front of them. They would much rather just continue listening to music, buying products on the web, or chatting with friends. The vision for consumers is to increase their safety without distracting them from enjoying their digital lifestyle.
Poor TUX does not just affect consumers. It affects enterprises as well. It can lead to setting up the wrong configuration by an administrator. Instead of one record being compromised, it could be millions. Another issue businesses face is connecting with their customers. Users are told to be very suspicious of email and to not click on links. This forces some businesses to create “walled gardens” on the web just to have a conversation. The vision for businesses is to help them better connect with their customers and to honor the trust promises they make.
How bad can it get?
Making a mistake here could expose the user to range of harms. At one extreme, installing rogue software could turn their system into a remotely controlled “bot” which can be used to send spam, enable identity theft or attack other computers. At the other extreme, choosing the wrong sharing model on a social networking site could expose embarrassing photos to the wrong people, resulting in a damaged reputation and even job loss.
More than just UI
TUX is much more than just the user interface (UI) that is presented. It includes the underlying architecture of the system and the mental model the user has in their head. When designing and evaluating a TUX, all three elements need to be considered. Improving the UI will only take you so far. In some cases, changes to the underlying architecture will need to be made. Likewise, it is important to assess whether the user is likely to form the appropriate mental model for the task and take steps to create better alignment.
Whenever possible, it is best to address trust in the architecture to avoid needing to ask the user in the first place. No TUX is good TUX. However, when the user needs to get involved, the goal is “trust at a glance.” It’s unrealistic to think users will manually inspect a certificate or read every line of a privacy statement. We must find ways to increase the user’s confidence they are making a good trust decision while reducing their need to do all the leg work.
Creating great TUX is hard
Users come in with different goals, expectations, and experience. There may also be cultural differences in the way they interpret trust. When it comes to creating great TUX, “one size” unfortunately does not fit all. We need to understand what will really help a user when they are in the hot seat. In some cases, providing clearer guidance may help. In other cases, it’s a design issue and new, less complex controls need to be provided.
Form factor can also be an issue. While desktop systems typical have large displays to present a TUX, handheld devices like mobile phones have very little screen real estate available. Simply scaling down the TUX does not work. Different approaches need to be taken.
Another challenge to highlight is habituation. For various reasons, many users have given up trying to fully understand the risks and have formed the habit of just clicking “Next, Next, Next” (when was the last time you read an end user license agreement?). It’s important to find ways to catch the user’s attention and guide their behavior to a safer outcome when it’s really needed.
Some users would rather not deal with the risk analysis and would like to simply “call a friend” or “poll the audience.” As in the real world, consulting outside advice from people, communities, and tools you trust can play a significant role in making better trust decisions (and can reduce anxiety). The ability to conveniently tap this information is often missing in the TUX that is presented. Establishing a common framework for providing reputation feeds could help users connect with advisors they trust.
The path to better TUX
TUX is a nascent discipline that draws from multiple domains (e.g. security, privacy, usability, accessibility, psychology and anthropology to name a few). Across the industry and academia, a number of TUX-related efforts are in play. For example, in 2007 we assembled a TUX Advisory Board of passionate experts from across the company to help product teams with their critical TUX and to hone and validate best practices. Microsoft Research has been a key partner. On the education front, some schools now offer study in this field (e.g. Carnegie Mellon University has a whole laboratory devoted to usable privacy and security).
As we and others investigate and mature this discipline, it’s important to leverage the great work that has already been done and to find ways to collaborate. The End to End trust discussion is one such forum for engaging in that dialog.
Our ability to make good trust decisions starts with a trustworthy system. As the End to End trust vision states, we need to build in trust from the bottom up (i.e. a trusted stack) -- and it will take a global village to harden critical infrastructure components like the Internet. Identifying and deploying common metaphors for establishing trust relationships and making trust decisions will help reduce the learning curve for users and enhance the overall safety of consumers and enterprises. It’s critical we continue to improve TUX, the last two feet of End to End trust.