USENIX Privacy Engineering and Respect 2023
Looking Beyond Permission Prompts
The modern web platform offers developers capabilities that are too risky to expose by default. We've collectively punted responsibility for that decision to users, relying almost entirely on prompt UIs. But as we scale the web with new capabilities, prompt UIs reveal their limitations. If we're to take the idea of user involvement seriously, we must make their control over the platform's feature set meaningful. We must balance information disclosure with ease of use, non-interruption with control, and consider both well-intentioned and malicious actors.
In this talk, we will walk through the challenges the web platform faces and the current limitations of permission prompts. We will share lessons learned from intervening on existing prompts to reduce annoyance and from changing Chrome's permission prompts, and describe how we've been working with browser engineers to design capabilities with user intent in mind. Finally, we will share some novel UI patterns that nudge developers to provide more context so users can make meaningful decisions.
Conference | Slides | Video
Effective Communication of Security Advice | Purplecon 2018 (keynote), NZITF 2018 (keynote)
References | Worksheet | Slides | Video
For everyday people, security advice is confusing, boring, and ever-changing. In response, we’ve developed what essentially are superstitious habits — theatrical, security-flavoured actions that we repeat in hopes of protecting ourselves from “the hackers”.
There are two big problems here. First, how do we effectively communicate relevant security advice to non-experts? And secondly, is that advice even persuasive enough to encourage real behavioural change? What kind of advice should we be conveying, and to whom?
In this talk we cover why everyday people don’t follow security advice. To help us come up with some solutions, we introduce concepts from behavioural design, psychology and medicine. And I put the theory to the test by trialling some unconventional ways of communicating security to the masses.
O'Reilly Velocity San Jose 2018
Design for Security
Today, the internet owns our lives. Every website and app we touch knows us: our personal information, our inane ramblings, our deepest secrets. Security has never been more crucial, yet it’s a rare topic outside of ISM teams and hackers. And through the design lens, it’s completely missing.
This is a mistake.
There’s a misconception that security is a niche for masterminds. In the real world, most security breaches don’t come from 0days or neat hacks. In fact, most errors are human—simple scams that have worked since society began.
This is where design fills a missed opportunity. Good user experience design is necessary for good security. We can craft paths of least resistance that match paths of most security. We can educate our users on what is good practice and what is security theater. We can build secure flows that are usable, not obstructive or annoying.
The Ideal Styling Language | CSSConfAu 2016
We know the problems with CSS: It’s hard to maintain. It’s hard to scale. There’s no scope. The cascade is as indiscriminate as it is unrelenting. And we’ve been trying to fix it for the past 10 years, with Sass, ITCSS, CSS Modules, and so on. These wonderful pre- and post-processors are tackling the unwelcome symptoms of CSS. So let’s get straight to the point — what would the Ideal Styling Language look like?
What does atomic design look like in our Ideal Styling Language? How do we style interactions, rather than visual aesthetics separate from animations? Will it be functional, or object-oriented? How much DOM information do we include? How do we select elements in the DOM when the DOM itself is changing? How do we do this in a performant manner?
Finally, how realistic would this Ideal Styling Language be to implement? If it’s not realistic, what does this Ideal Styling Language tell us about how we should be writing CSS now?
It’s going to be a fun, interesting, and enlightening thought exercise. Just wait and see.
Conference | Slides | Video