Comment: Corrected links that should have been relative instead of absolute.

Prototype

Briefing

You and the facilitator, Stephen Jones, are collaborating on a potentially revolutionary user interface project. As you would not want secret information about your project to leak out to competing 6.813 students, you must be very careful about any conversations you have with Stephen, whether in person or online. Stephen provides you with a phone with a Secure Messaging application to allow you to communicate securely with him when you need to discuss sensitive topics.

...

  • You are using SecureMessage because you care deeply about sending and receiving sensitive messages securely
  • This is a phone application and is designed to act similarly to other mobile chat/texting applications
  • Think out loud and let us know how comfortable you are performing these tasks given your need for security

Tasks

Task 1

The facilitator, Stephen Jones, hands you a new phone. Log into the Secure Messaging application, and add Stephen (who is physically standing next to you) as a Secure Contact. Confirm that he is in your list of Contacts with whom you can communicate securely.

Task 2

Stephen leaves the room. After a few hours, you receive notification of a new message. Go to your message inbox, determine who the message is from, and read the message. Since you are comfortable with whom you are communicating, you decide to reply to the message.

...

Stephen has added Rob Miller to the chat. Since you trust Stephen, accept Rob as a chat participant. Review Rob's message, then add Rob as a new secure contact.

Task 4

You receive word that Rob Miller is actually a 6.813 student looking to steal great project ideas. Since it is an imposter, you must remove Rob Miller as a contact. In addition, you want to remove all trace of communication with the imposter, so remove all messages received from Rob Miller.

...

  • Was very quick opening contacts and clicking the add contact button; found them easily
  • Remarked we may want to show a picture of a QR code instead of just saying "QR code" for clarity
  • Was quick to hit identity when sharing contact information
  • Clicked on name to open chat
  • Surprised that when adding Rob, GUI elements turned red
    • "looks sketch" -- "does not look secure at all"
  • Adding Rob to contacts was "so easy" compared to adding someone in person
  • "Worried if I delete [Rob] first then I can't delete messages"
    • Was happy to see the option there to delete all messages when removing contact

...

  • Add a 3rd category of icon, a user who's a contact but not 'trusted' -- yellow icon would be a good indicator of this
  • Allow inviting people to chat to make everything make sense
  • Make it clear it's possible to wipe messages w/o deleting
  • Make the 'wipe all messages' checkbox more obvious as to its purpose--it's not a 'confirm action' checkbox, which it may be mistaken for by an inattentive user
  • Make it clearer that the lock icon AND name icons AND names above messages in conversations are clickable when in chat by tying them together somehow, so user isn't trying overly hard to aim on the lock only

Iteration 2

Changes

  • A distinction between verified and unverified contacts was added. Contacts added by QR code are automatically marked as verified while others are not. This allowed users to add contacts without fully trusting their identities.
    • Unverified contacts/messages were marked in orange and verified in green.
  • A button for inviting a user to a chat was added.
  • The 'delete all messages' checkbox text was changed to "Also remove all records of communication with this user?" to indicate that it was an additional action.

User 1

Observations During Trial

  • Was under the impression that users added to a chat would be able to view past messages in that chat.
  • Thought that the chat icon (1 silhouette for individual chats, 2 for group) would include one silhouette per person in the conversation and each silhouette's color would match each user's trust level.

User Comments

  • Change the color of the back of the screen to match the current "security" of the chat.
  • Don't make messages from unverified contacts stand out so much (they were highlighted in orange).
    • The user noted that she would probably mark all of her contacts as verified so that the application wouldn't bug her (which would defeat the purpose of verified v. unverified contacts).
    • She suggested that the lock icons stay orange but that the background for messages from unverified users should be a neutral color.
  • In contrast to a previous user, she wanted to keep the ability to add contacts easily (that is, not requiring that all contacts be added by QR code).
    • She suggested that contacts should be verifiable by QR Code. If she has a contact and later meets the person face to face, she wanted to be able to verify the person by taking a picture of their QR code.
  • Change the "Identity" section to "Me".

User 2

Observations During Trial

  • The user appeared confused about the meaning of "verified".
  • Tried to wipe messages from a contact by editing the contact.
  • Then tried to wipe the messages through the settings page.

User Comments

  • Make the function of the plus button on the chat window (add user to chat) more obvious.
  • Add a way to easily return to the message browsing screen (back button).
  • Add actions to messages (allow users to copy, forward, etc.).

User 3

Observations During Trial

  • When adding a contact, this user didn't know what QR code meant.
  • Wanted the ability to defer an "add to chat" request to discuss it.
  • Was confused about the distinction between adding a user to a chat and to the contacts.
  • Felt that red (on unknown messages/user) indicated "angry" (not untrusted).
  • Didn't understand the significance of orange messages/contacts (unverified contacts).
  • Didn't understand the difference between verified and unverified contacts.
  • The user took a while to realize that he would need to click on the username above Rob's message to add him as a known contact.
    • He initially thought that he would need to go out and find Rob.

User Comments

  • "I have decided that I have no security interest at all."
    • The user didn't feel the need to distinguish between verified and unverified users and didn't like the overhead.
  • The user noted that the username above messages would appear more clickable if it looked like a link.

Overall Observations

  • The method for wiping messages is not obvious. In reality, this may not be a problem as this task is extremely rare. However, one possible solution is to add an "Erase messages from user" option to each user's "User Actions" menu.
  • The distinction between verified and unverified is confusing for some users. Making it less intrusive and adding help text may prevent some of this confusion.
  • All of the users hesitated slightly when switching to the identity section when sharing their identity. Changing this to a "Me" section should help.