Using color scheme to signal security/privacy exposure.

Intro (tl;dr)

In a quick impromptu meeting with @ned about branding, user education, UI/UX, etc, we came up with a potentially really new way of educating our users and simultaneously helping them understand who we are and what we care about without forcing them to understand nitty-gritty details of privacy and security. This started as we were looking at how apps and companies convey this to their users to see if we could learn something from them.

It turns out, we think we need to do something completely new, because what is currently done isn’t enough.

The basic idea is that we dynamically change the color scheme of the UI based on how much information the user is exposing to the world, gradually from dark to light. Dark meaning not exposing much, while light meaning the opposite.

The Problem

How does an application convey to the end user the security/privacy stance it holds? Most of them (all of them) basically tell the user they’re secure/private, then hopefully provide documentation on how they rationalize the ability to boast this feature with technical implementations and such. The end user is thus required to trust these assertions, defer to a technically savvy person that these assertions are true, or become technically savvy enough to evaluate them by themselves. Realistically, the distribution of these groups is drastically descending in proportion to the way I’ve just listed them. Most people just trust the branding, and wait to hear of an exploit or report that they’ve been duped.

It is quite difficult to quickly and easily show (in a thorough manner) a technically ignorant user the level of security/privacy of an app they are using.

Potential Solution

As mentioned in the intro, we simply change the color scheme as a function of how much information the user exposes, from dark to light. This performs multiple functions simultaneously:

• First off, they immediately understand the weight of various options with respect to their overall exposure without having to understand why or how.
• This also provides the immediately context of their current session with the app they are using so they can properly access how they would like to behave with those they are interacting with.
• It clearly shows we care about their ability to think about these things, and act according to their personal judgement and not what we think they should be doing.
• The level of trust they put into us is extended, but as always, the amount of trust they’re required to give us is minimized. We don’t hold your data, but it’s our job to provide the tools you need to properly reason about holding it yourself.

Our app is complicated, this space is complicated, understanding how to navigate it is complicated. Implementing this will be complicated, but it is worth it, imo.

How We Do It

The Website

This can start with our website, which would immediately inform the user what we care about, while simultaneously teaching them how much information they’re (probably) exposing about themselves when they visit websites. When you visit a website through your browser, you give up a tremendous amount of information about yourself automatically (see http://webkay.robinlinus.com/ for an example of your current session). Imagine if our website read this information, and changed the color scheme from dark to light based on the amount of personal information it captured, and then informed them of small changes they could make to protect themselves. They could then see the website dynamically change as they decrease their exposure.

This becomes a teaching tool to anyone who wants to learn how to protect yourself on the internet, and it HAS NOTHING TO DO WITH OUR APP, BUT EVERYTHING TO DO WITH WHO WE ARE. There is nothing that I am aware of that uses a visualization in such a way as a teaching tool, and this experiences teaches the broader audience that we care about security and privacy without just saying it like every other secure app does.

If I were to personally come across a communication app that taught me how to better conduct myself through simple visualizations when I just first visited their webpage, you’d be damn sure I’d be more interested in their product.

The App

So we’ve convinced the user on the webpage that we care about their security/privacy, and showed them some things on how to better understand browser sessions and the information they pass around. Now how does that transfer into the app? It transfers through the simple, visual experience of understanding what settings you have has a direct and serious consequence on how much someone can find out about you.

As you’ve seen in the previous townhall, we’re working a lot on the profile settings and UX of personal identity within Status. An important feature to many who use Status is that it doesn’t require a phone number to get an account and start using it. As you add profile features to your account from the start, you increase the surface area of information about yourself, which can be reflected by the color scheme. Dark being the (hopefully future built-in) anonymous user account, to light reflecting a fully fleshed out profile with picture/ENS username/wallet exposed profile.

As people join via various accounts they hold within Status, this dynamic color scheme will immediately inform them of the relative security/privacy profile they are currently using. This could help them realize they’re using a profile in the wrong context, and that they need to switch. There are countless “user stories” one can come up with here.

Thoughts

If we can pull this off, I feel as though we could create an entire new standard on how to convey to users the security/privacy tradeoffs they make with respect to the choices they make. It will be difficult, because quantifying all this and implementing it is non-trivial.

I’d love to hear your thoughts and opinions/dissents/problems/kudos/etc

I’m in total agreement with this approach.

Education, color, simplicity, seems to be what Swarm City’s design seems to be about… reposting the vid from multiple status channels:

We also talked in Prague about potentially looking at ourselves as Educators above all else.

I’m definitely in favour, especially of starting with the website. @noman @samthomson how hard do you think it’d be to pull something like that off?

Love this

This is a great beginning for brand as interface. Ideally, we want to first build a foundation in the visual language so it can be consistent and flow across all our offerings and the behaviour is recognised by users. It also works nicely with our brand name ‘Status’ giving you a direct ‘status’ of your security and privacy.

This references our wireframe example from Vienna here but would be nice with the integration of colour gradients. We should consider the effects of this on all products (if applicable) and build accordingly and consistently.

I think this is a pivotal ingredient in the brand design system and hopefully the product team feels the same.

I think that is an interesting and cool idea! I’m generally positive about it, but I think I want to bring a few points to think about.

(1) won’t this put a suspicion on a person who is using the app if someone will see the dark UI? like if he is using it he has something to hide. it can be overlooked by someone nearby or on a screenshot (especially on Desktop) or anything like that.

(2) users might have preferences in having light or dark themes (even dependent on the light conditions around: on a sunny days light themes are more readable, in the dark room, a light theme is painful). that might affect what a person is doing in some unpredictable ways (I’m not talking about bad ways particularly, just unpredictable).

Again, otherwise, it is important to educate people, I’m just curious about these points.

I like where this is going, making the entire interface an extension of your identity! I’m worried though that in execution this idea might run into some issues, some of which Igor already pointed out. Some time ago we did user testing back at Opera to better inform ourselves on the design language behind incognito/private mode. The result was, users overwhelmingly felt that switching to a dark theme for private mode guilt shamed them into thinking they’re doing something shady and enforcing the anxiety to turn it off, to use it briefly and out of sight from other people. That this entire dark private mode is a proxy for browsing porn or other stuff they deemed not socially acceptable. So we dialled it down and instead left the dark mode as an aesthetic only choice without any ties to privacy whatsoever. Can’t help but advise caution and a lot of user testing before deciding on this idea.

Another point I’d like to make, there’s no middle ground between the 100% light and dark, we won’t be using grey text on grey backgrounds because that stuff simply doesn’t provide contrast, is an accessibility nightmare and is IMHO hella ugly So however it works, the UI will be more of a binary 0-1 choice.
But don’t let that stop you from prototyping and testing, I’m super curious to see this designed.

Agreed with Maciej. This sounds like an elegant way but only until you dive deeper into it.

Working on the identities at Status now, outlined some thoughts here (have to share the WIP since this conversation is already happening here, yet the work is not finished yet as it is more complex than it seems) Identities in Status. Work Package #1 - CodiMD

Nice work, andrei
any reason you chose to work on hackMD rather than notes.status ? (not to be picky but we are trying to build a searchable repo for docs)

Thanks for pointing it out, changed the link!

I think it - that a user could always have a status of their security - is a great direction to move in, how exactly it should be present to the user is worth going back and forth on. Both in terms of UI and UX.
Changing the UI too severely (whole background colour) might confuse the user, detract from design, and maybe affect colour blind people and similar.
I could envisage a fixed bar across the top of the screen, which could become semi opaque as the user scrolled so as not to obscure content. Not sure if should use colour, icons, etc to convey their status though.
Either way. Sounds good

@cryptowanderer Yes, starting on the websites makes sense, and totally possible which sites do you have in mind? would this be for both logged in users and guests? As @petty links with the webkay.robinlus.com site, even guest visitors could benefit from some security feedback.

Side point, worth considering the connotations of colour in different regions; for example here in east asia red is for all things awesome whereas in western cultures it makes sense to signify danger with it.

I love the discussion here so far. I’m not a designer or professional in UX/UI. There is something here, and I understand that getting it right is difficult.

Good thing we’re a smart group of people with various skillsets to figure it out!

It is definitely true that doing the entire UI removes possibilities of themes (and they’re all the rage now-a-days).

I will push back against the binary part though. It has to be relayed that security/privacy is a fluid thing, with decisions making various sized differences, which should be reflected with color.

This is important, but is almost impossible to nail down in the first iteration. That being said, it should be constantly monitored to be improved, like the localization of the app for different regions.

I would also argue that as the general public learns and understands how much of their data is being gathered and leveraged for personal gain, the stigma of using “incognito like modes” will move away from nefarious activity and more towards informed internet user.

When things like that were introduced, naivety and ignorance about how the internet worked and how corporations maid money was much more unknown to the public, so it seems modes like that only had a few use cases.

I would like to help shepherd that awareness.

This blog post about a lightning wallet app was brought to my attention in regards to UX choices and user security… it’s relevant:Lightning Labs Blog - The Official Blog of Lightning Labs

+1 for doing more to help users understand their privacy and security.

As a reference this PDF from Google about introducing new security indicators in the browser is quite interesting: Rethinking Connection Security Indicators.

The browser indicators are a great reference and starting point because of the years of learning/teaching. The browser distills concepts of security, cryptography, privacy, and more into a single icon that has widespread global implementation and understanding.

Abstract:

We propose a new set of browser security indicators, based on user research and an understanding of the design chal- lenges faced by browsers. To motivate the need for new security indicators, we critique existing browser security in- dicators and survey 1,329 people about Google Chrome’s indicators. We then evaluate forty icons and seven com- plementary strings by surveying thousands of respondents about their perceptions of the candidates. Ultimately, we select and propose three indicators. Our proposed indica- tors have been adopted by Google Chrome, and we hope to motivate others to update their security indicators as well.

Also highlights the important role of research in validating these types of changes.
UXR!