USENIX Privacy Engineering Practice and Respect (PEPR) 2023

Looking Beyond Permission Prompts

The modern web platform offers developers capabilities that are too risky to expose by default. We've collectively punted responsibility for that decision to users, relying almost entirely on prompt UIs. But as we scale the web with new capabilities, prompt UIs reveal their limitations. If we're to take the idea of user involvement seriously, we must make their control over the platform's feature set meaningful. We must balance information disclosure with ease of use, non-interruption with control, and consider both well-intentioned and malicious actors.

In this talk, we will walk through the challenges the Web platform faces and the current limitations of permission prompts. We will share lessons learned from intervening on existing prompts to reduce annoyance, from changing Chrome's permission prompts, and from working with browser engineers to design capabilities with user intention in mind. Finally, we will share some novel UI patterns that nudge developers to provide more context so users can make meaningful decisions.

Conference | Slides | Video

A slide from my talk showing a cascade of permission prompts
A slide from my talk showing an annoying pop-up

Web Directions Summit 2019

Design for Security

A photograph of me speaking at Web Directions Summit in Sydney, November 2019

LCA 2019 Security and Privacy Miniconf

Design for Security (Miniconf keynote)

A photograph of me speaking at LinuxConf Australasia 2019

Effective Communication of Security Advice | Purplecon 2018 (keynote), NZITF 2018 (keynote)

References | Worksheet | Slides | Video

For everyday people, security advice is confusing, boring, and ever changing. In response, we’ve developed what are essentially superstitious habits: theatrical, security-flavoured actions that we repeat in the hope of protecting ourselves from “the hackers”.

There are two big problems here. First, how do we effectively communicate relevant security advice to non-experts? And secondly, is that advice even persuasive enough to encourage real behavioural change? What kind of advice should we be conveying, and to whom?

In this talk we cover why everyday people don’t follow security advice. To help us come up with some solutions, we introduce concepts from behavioural design, psychology and medicine. And I put the theory to the test by trialling some unconventional ways of communicating security to the masses.

O'Reilly Velocity San Jose 2018

Design for Security

A photograph of the entrance to O'Reilly Velocity in San Jose
A photograph of me speaking at O'Reilly Velocity in 2018

Today, the internet owns our lives. Every website and app we touch knows us: our personal information, our inane ramblings, our deepest secrets. Security has never been more crucial, yet it’s a rare topic outside of ISM teams and hackers. And through the design lens, it’s completely missing.

This is a mistake.

There’s a misconception that security is a niche for masterminds. In the real world, most security breaches don’t come from 0days or neat hacks. In fact, most start with human error: simple scams that have worked since society began.

This is where design fills a missed opportunity. Good user experience design is necessary for good security. We can craft paths of least resistance that match paths of most security. We can educate our users on what is good practice and what is security theater. We can build secure flows that are usable, not obstructive or annoying.

Slides | Video

UXNZ 2017

Design for Security

Conference | Slides | Video

BSides Wellington 2017

Design for Security

Slides | Video

The Ideal Styling Language | CSSConfAu 2016

We know the problems with CSS: It’s hard to maintain. It’s hard to scale. There’s no scope. The cascade is as indiscriminate as it is unrelenting. And we’ve been trying to fix it for the past 10 years, with Sass, ITCSS, CSS Modules, and so on. These wonderful pre- and post-processors tackle the unwelcome symptoms of CSS. So let’s get straight to the point: what would the Ideal Styling Language look like?

What does atomic design look like in our Ideal Styling Language? How do we style interactions, rather than visual aesthetics separate from animations? Will it be functional, or object-oriented? How much DOM information do we include? How do we select elements in the DOM when the DOM itself is changing? How do we do this in a performant manner?

Finally, how realistic would this Ideal Styling Language be to implement? If it’s not realistic, what does this Ideal Styling Language tell us about how we should be writing CSS now?

It’s going to be a fun, interesting, and enlightening thought exercise. Just wait and see.

Conference | Slides | Video

Refactor 2016

Feminism is a Ramp

A photograph of the audience at Refactor in 2016
A photograph of me speaking at Refactor in 2016

Conference | Transcript

National Digital Forum 2014

Passions into Reality

Conference | Video