security versus usability
This morning, I noticed that we got some feedback from an unhappy Entourage user that says:
How DARE you prevent, by DEFAULT, the ability to see images in my email program!?!?!?! I just forked out good money for Office 2004 thinking that there would be improvements - and instead I find some LUDDITE has made a decision that should be left up to the user - I do not NEED to have my email "secured" from images - I LIKE the images appearing automatically - LIKE THEY DID BEFORE in the previous version of Entourage - in fact I'm switching back.
THANKS FOR NOTHING!! Use your brains to improve a product - not diminish it.
It's feedback like this that makes me amused at the assertion, which I got via email a couple of months ago, that we only set up anonymous product feedback so that we'd get fawning "we <3 Microsoft" feedback.
Usability doesn't exist in a vacuum. My life would certainly be easier, but a lot less interesting, if it did. When I study usability and try to make improvements, I have to deal with the real world, which means that we don't get to provide you with the perfect user experience. We have to make trade-offs. We don't have unlimited resources. We don't have a perfect technological solution to everything. And we have to deal with security concerns.
Entourage 2004 has a couple of security features that have a detrimental effect on the short-term user experience. By default, Entourage doesn't automatically download any image that is sent to you via email. You can change that through the Preferences menu (Entourage -> Preferences -> Security -> Automatically download ...), but that doesn't get you every image that is sent to you. It only gets you images that are sent to you by people who are listed in your Entourage address book. If you get email with pictures from someone who isn't in your Entourage address book, you have to manually click the 'Download images...' link in the email message.
This feature makes some of our users quite upset, as you can see from the above feedback. And I've already admitted that it has a detrimental effect on the short-term user experience. So why haven't I shouted at anyone who will listen until we change it? This is one of the more difficult trade-offs that we have to make: security versus usability. For Entourage users, the most usable thing to do would be to automatically download every image, so that you see the email that you expect to see and don't have to notice that there are missing images and then move your hand to the mouse (if it's not already there) and click the link.
The problem is one of security. Think about the spam that you get, or those spoofed messages from banks (real or not) that want you to enter lots of your personal details on some random faked website. If Entourage automatically downloaded images from those messages, their servers would get a lot of information about you. For example, their server records your IP address, which gives them a fair amount of information about your physical location. They get a lot of other information automatically as well, all of which they can use to spam or phish you in the future.
We made the decision to relinquish some of our short-term usability to enhance security. We tried to mitigate the usability effects of this decision. You can set the preference to automatically download images from people in your address book. This isn't a perfect solution either: my address book has entries for Alaska Airlines, Hyatt Hotels, and my father. (Dad doesn't need to be in my address book. His is one of the few telephone numbers that I can actually recite at will, unlike, for example, my own home number.) I don't like having extra entries in my address book, but it's the best solution that we have to the problem of spam, phishing, and maintaining security.
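To make the trade-off concrete, here is an added example (my own illustration, not Entourage's or Microsoft's code) of what a mail client's remote-image policy looks like in practice and what a remote image fetch reveals to the image host. It separates images that are already inside the message (cid: and data: references, the inline and attached graphics a commenter below points out are never blocked) from remote http(s) references, fetches remote ones only when the sender is in the address book and the preference is on, and parses a constructed web server log line to show what the host learns from one fetch: the recipient's IP address, the time of reading, the client's User-Agent, and a per-recipient token in the URL. The sample message, the address book, the log line and the token name are all constructed for this example.

```python
"""Added example: an Entourage-style remote-image policy and the
exposure from a single image fetch. Not the product's code."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit


class ImageRefCollector(HTMLParser):
    """Collects the src attribute of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def classify(src):
    """'inline' for images carried in the message itself (cid:/data:),
    'remote' for http(s) URLs that would require a network request."""
    scheme = urlsplit(src).scheme.lower()
    if scheme in ("cid", "data"):
        return "inline"
    if scheme in ("http", "https"):
        return "remote"
    return "other"


def remote_image_policy(html_body, sender, address_book,
                        auto_download_contacts=True):
    """Return (fetch, blocked): inline images always render; remote images
    are fetched only if the sender is in the address book and the
    'automatically download from contacts' preference is enabled."""
    collector = ImageRefCollector()
    collector.feed(html_body)
    known = {addr.lower() for addr in address_book}
    trusted = auto_download_contacts and sender.lower() in known
    fetch, blocked = [], []
    for src in collector.srcs:
        kind = classify(src)
        if kind == "inline" or (kind == "remote" and trusted):
            fetch.append(src)
        elif kind == "remote":
            blocked.append(src)
    return fetch, blocked


# Common Log Format with referer and user-agent (constructed line below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_fetch_log(line, token_param="rcpt"):
    """What the image host records when the client fetches the image:
    the reader's IP, when it was read, the mail client, and the
    per-recipient token embedded in the URL (hypothetical parameter name)."""
    match = LOG_RE.match(line)
    if not match:
        return None
    record = match.groupdict()
    query = dict(parse_qsl(urlsplit(record["path"]).query))
    record["token"] = query.get(token_param)
    return record


# Constructed HTML message: one inline logo, one 1x1 tracking image, one data: spacer.
SAMPLE_HTML = """<html><body>
<p>Your statement is ready.</p>
<img src="cid:logo@example.test" alt="logo">
<img src="https://mail-track.example.test/open.gif?rcpt=u8f2a9" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" alt="spacer">
</body></html>"""

# Constructed access-log line for the fetch of the tracking image.
SAMPLE_LOG = ('198.51.100.23 - - [26/Jul/2006:09:14:02 -0700] '
              '"GET /open.gif?rcpt=u8f2a9 HTTP/1.1" 200 43 "-" '
              '"MailClient/1.0 (constructed)"')

if __name__ == "__main__":
    book = ["dad@example.test", "reservations@example-hotel.test"]
    for sender in ("billing@example.test", "dad@example.test"):
        fetch, blocked = remote_image_policy(SAMPLE_HTML, sender, book)
        print(sender, "fetch:", fetch, "blocked:", blocked)
    print("host learns:", parse_fetch_log(SAMPLE_LOG))
```

With the default policy the unknown sender's tracking image stays blocked while the cid: and data: images still render, so the message is readable without a single outbound request; once the sender is in the address book the same message triggers the fetch, and the parsed log line shows exactly what the host then holds about the reader.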
Making software is a series of trade-offs. This is just one example of one type of trade-off. Creating solutions to these problems is what makes my job interesting.
Comments
- Anonymous
July 24, 2006
Hi Nadyne,
that bit of feedback sounds pretty over the top :). Perhaps you should refer him/her to your blog entry as you've done a pretty good job explaining the trade-off.
cheers! - Anonymous
July 24, 2006
It's not that over-the-top. The user is obviously pretty frustrated, and they're telling us about it.
I can't point the user to this entry because s/he didn't give us their contact details. We allow anonymous feedback so that people can feel free to tell us what they really feel, and this user seems to have taken advantage of that and not pulled punches. - Anonymous
July 25, 2006
The comment has been removed - Anonymous
July 26, 2006
Can you explain what security issue displaying an image in an email client causes on Mac OS X? - Anonymous
July 26, 2006
Our lead planner just mentioned this article to me about image spam:
http://www.usatoday.com/tech/news/2006-07-23-sneaky-spam_x.htm
Security isn't measured only in terms of physical computer security or safety from viruses. Security also includes helping the user to avoid phishing attempts or fraudulent sellers (such as all of that spam for ultra-cheap prescriptions). - Anonymous
July 26, 2006
The comment has been removed - Anonymous
July 27, 2006
The comment has been removed - Anonymous
July 27, 2006
The comment has been removed - Anonymous
July 28, 2006
If you're having a problem classifying it as 'crippling' Entourage, how about saying, you've just made it 'inferior' compared to other email clients then. - Anonymous
July 28, 2006
Each email client makes a decision how to handle the situation. Entourage is not the only email client that makes this particular decision. With the recent rise of image spam (as referenced in the story I linked earlier), our method means that our users aren't automatically downloading a lot of junkmail that takes up a lot of bandwidth for yet more V!agra spam.
Being that you hate everything that is Microsoft, you deem our solution 'inferior'. Others don't subscribe to your particular brand of unthinking vitriol. There are other email clients out there that aren't made by Microsoft, and you're free to use them and keep on feeding your weird little anti-Microsoft superiority complex. - Anonymous
July 28, 2006
The comment has been removed - Anonymous
July 28, 2006
Asam - I hate to break it to you, but Office:Mac isn't coming out before Windows Office 12.
Oh, and really ... you don't need to submit your comments multiple times. - Anonymous
July 29, 2006
The comment has been removed - Anonymous
July 29, 2006
Oh, and I value your opinion here, just that every woman I've talked to so far on the matter, just doesn't get it, they'll talk a bit about it, but then that's it, they get bored with it. - Anonymous
July 31, 2006
You're not honestly asking me to spend the next few hours reading over a web board the week before WWDC, are you?
There's absolutely no way that I'm going to have enough time for something like that, not right now. Next week is WWDC, then I'm taking a week off, and then I'll be heads-down working on Magnesium with a side of OOPSLA preparations. Check with me in early November, and then I might have the time to make an informed opinion. - Anonymous
July 31, 2006
The comment has been removed - Anonymous
July 31, 2006
"Asam - I hate to break it to you, but Office:Mac isn't coming out before Windows Office 12."
Why not btw? Hasn't Office Mac always come out with new features before the Windows version? Is Windows Office coming before or after Vista? It would need to come out before Vista to maintain backward compatibility at least with XP, no? - Anonymous
July 31, 2006
We do have Mac-only features in Office:Mac, such as the notebook view in Word and the Project Center in Entourage.
Our customers are very interested in compatibility with the corresponding Windows application. To maintain that compatibility, we release after the Windows version. - Anonymous
August 04, 2006
Just to be precise here, this security feature of Entourage does not block every image that people send. It does not block graphics files of any type that you send either as an attachment (in any type of email, plain text or HTML) nor as inserted inline in an HTML message. It only blocks images sent as src:image links with URLs to web sites, which Entourage itself cannot even do except via Word 2004 (Send To -> Mail Recipient (As HTML)), and some other email clients (Thunderbird, Outlook) can do. These are almost always commercial sales messages (spam and otherwise). - Anonymous
February 26, 2007
Secret questions are one way that sites try to increase their usability when users forget their passwords. Are they effective at meeting that goal?