Launching a service in Kuwait – adjusting your user research

[My blog post was originally published on the Home Office Digital blog on the 27th of November. This is an archive, with some added information such as links and specific dates.]

Walking back to our hotel after a busy day during the EVW private beta launch in Kuwait city.

On the 23rd of November, Monday morning, we successfully launched the Electronic Visa Waiver (EVW) service private beta in Kuwait to very little fanfare. The way a private beta should be launched.

The launch was combined with a user research field trip so we could test the system with these beta users.

I’ve been on many research trips in the past, but this user research trip was different: we were watching our users interact with our service in anger. This wasn’t a simulated scenario in a lab. It wasn’t a simulated scenario at someone’s home. This was for real.

It went smoothly. At the time of writing, 10 participants had made applications and 28 EVWs had been approved – for the individuals making the applications, and members of their families. The way we worked helped.

Planning

Like any research activity, planning is very important. It helps you identify what you want to get out of the research. It also helps you to anticipate things that might go wrong.

For our private beta in Kuwait we based our research plan on our previous user research trips to UAE and Kuwait.

We learned from previous difficulties. This time around we created guidelines for local translators to help and, being more aware of the culture, we scheduled the sessions for later in the day (between 12pm and 7pm) to make it more convenient for the users. We had iterated our user testing, and this made our launch easier.

We planned for things to go wrong – participants coming without the necessary documents, participants being delayed, technical issues.

When things went wrong, we were ready, we adapted and our users appreciated it.

Houston, can you hear me?

Communication with the participant

During the recruitment phase we put a lot of emphasis on explaining to the potential participants that they needed to have travel and accommodation booked in order to take part in our research.

Normally, you would not tell the user too much information in advance, but we decided to do this because this was a private beta launch – the user would be using the service for real.

On Thursday we were visited by Tobias Ellwood, Minister at the Foreign and Commonwealth Office, and Matthew Lodge, the British Ambassador to Kuwait. Not a usual occurrence during a research session, you’ll agree.

The presence of high-ranking officials wasn’t ideal, as it put many of the participants on edge. It was a necessary part of the service launch, however, and when we explained the situation to the participants they felt more at ease.

Communication with the team

Communication between team members is important during any usability testing session. It’s even more important when your users are using your service for real, and your team members are 6,000km away.

A screenshot of the Slack messaging channel used for the launch of the EVW private beta

During the live applications we kept in touch with our team in London via Slack. We alerted the team when the participant was about to submit the form so that the caseworkers would be ready.

This real-time communication is vital when a participant is sitting beside you in one country and the outcome of their actions is only seen in another.

It allowed us to identify issues, notify the necessary people and manage the participants’ expectations.

You’ve gotta roll with it

This user research trip was quite different from our normal work. It was a combination of user testing and service launch, meaning we needed to perform a complicated role with several parts: part user researcher, part troubleshooter, part tester, and part childminder.

A participant using the EVW service on their smartphone. The recording was done with our DIY mobile usability testing kit.

Some participants were mobile device users and preferred to use their smartphones, so we tested them using their phones.

As anticipated, some participants came without travel details, so we had sample travel arrangements prepared for them. In these cases we used those sessions as more formative research.

A picture of a young boy playing with post-it notes and sharpies
An unexpected, but welcome visitor.

Some participants came with their children, so we kept them occupied while their parents took part in our research.

A screenshot of an SMS from a user research participant
We kept in touch with our participants to make sure they received the EVW email notifications.

When something went wrong, we waited for a suitable moment, so we didn’t compromise the research, and then explained to the user what had happened. We then worked with them to find an answer, and ensured they left feeling satisfied.

What’s valuable is how we use what we have learned to inform the next service iteration.

We will use these learnings for next week when we continue with our research and continue to improve the service.

Let’s share

Do you have a different approach or thoughts on what we’re doing? We’re open to further improvements in how we approach digital transformation and would love to get your thoughts, inputs and experience in the Comments section below or via Twitter.

W3C public-privacy thread

Universal Declaration of Human Rights
Proclaimed by the United Nations General Assembly in Paris on 10 December 1948

Article 12. No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

Concerns about Dept. of Education’s “Primary Online Database”

Digital Rights Ireland Simon McGarr speaks about the Dept. of Education Primary Online Database by Bernard Tyers on Mixcloud

The recording can be downloaded for reference.

Simon McGarr from Digital Rights Ireland speaks on Drive Time, Irish national radio, about the privacy and misuse-of-data concerns with the Department of Education’s proposed Primary Online Database programme to collect sensitive and non-sensitive data about primary school children until at least their 30th birthday.

Simon has written about it already, and has created an online form where parents can express their concerns.

The proposed database has been covered in Irish media.

Installing Trisquel GNU/Linux on a MacBook Pro

If you try to install Trisquel 7.0 [1] on a MacBook Pro using VirtualBox [3], you’ll run into a problem.

When you configure the VM, and go to start it, you’ll get the following error:

This kernel requires the following features not present on the CPU: pae.
Unable to boot – please use a kernel appropriate for your CPU.

Error with Trisquel on a VirtualBox VM

This is because the Trisquel kernel requires PAE (Physical Address Extension) [2] to be enabled.

The solution is to enable it in settings –

Settings->System->Processor

Trisquel running on Virtual Box VM - System VirtualBox Manager

This option “Extended features: Enable PAE/NX” must be enabled. Restart the VM and you can continue installing Trisquel GNU/Linux.
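The same setting can be checked and switched on from the host's command line. This is an added example, not part of the original post; it assumes VirtualBox's VBoxManage tool is on the PATH, and the VM name "Trisquel" and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check and enable the
# "Enable PAE/NX" setting with VBoxManage instead of the Settings dialog.
# Assumption: the VM is called "Trisquel"; change it to match your VM.

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable`
# output, trimmed to the keys this script reads.
SAMPLE_VMINFO='name="Trisquel"
memory=1024
pae="off"
VMState="poweroff"'

# vminfo_get KEY: read machine-readable VM info on stdin and print the
# unquoted value of KEY, or "unknown" if the key is absent.
# Carriage returns are stripped so output captured on Windows hosts parses too.
vminfo_get() {
    key=$1
    value=$(tr -d '\r' | sed -n 's/^'"$key"'="\(.*\)"$/\1/p' | head -n 1)
    printf '%s\n' "${value:-unknown}"
}

# Convenience wrappers for the two keys we care about.
pae_state() { vminfo_get pae; }
vm_state()  { vminfo_get VMState; }

# ensure_pae VM: turn PAE/NX on for VM if it is currently off.
# modifyvm only works on a VM that is not running, so refuse otherwise.
ensure_pae() {
    vm=$1
    command -v VBoxManage >/dev/null 2>&1 || {
        echo "VBoxManage not found on PATH" >&2
        return 2
    }
    info=$(VBoxManage showvminfo "$vm" --machinereadable) || return 1
    if [ "$(printf '%s\n' "$info" | pae_state)" = "on" ]; then
        echo "PAE/NX already enabled for $vm"
        return 0
    fi
    case "$(printf '%s\n' "$info" | vm_state)" in
        poweroff|aborted) ;;
        *)
            echo "Power off $vm before changing processor settings" >&2
            return 3
            ;;
    esac
    VBoxManage modifyvm "$vm" --pae on && echo "PAE/NX enabled for $vm"
}

# Usage on the host:  ensure_pae "Trisquel"
```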

References

1. Trisquel Operating System website: https://trisquel.info/en
2. Physical Address Extension Wikipedia article: https://en.wikipedia.org/wiki/Physical_Address_Extension
3. VirtualBox website: https://www.virtualbox.org/

Digital Rights Ireland comment on Ireland’s state sanctioned phone and e-mail tapping laws

Digital Rights Ireland Simon McGarr speaks to Today FM about Ireland’s phone and e-mail tapping laws by Bernard Tyers on Mixcloud

Digital Rights Ireland’s Simon McGarr has written a good post with thoughts on the FISA-style secret court hearings.

It looks like the law falls short of covering “Information society services” such as Google, Facebook, and Twitter. These are the international services that are based in Ireland, and that would run for the hills if it were to cover them.

I’d suggest also reading the original Irish Times article by Karlin Lillington which broke the story.

Mainstream Internet comes to Tor – who’s next?

A couple of years ago I started a list of organisations I thought should run Tor relays or exit nodes.

I found it again this weekend.

Organisations who should run Tor nodes (exit or relay):

(ordered by likelihood of it happening)

  • Mozilla
  • EFF
  • Amnesty International
  • Privacy International
  • Reuters (for their journalists and correspondents and for provision of news services)
  • LibreOffice (they provide open source content creation tools)
  • Internet hosting companies (Gandi.net, Greenhost)
  • national governments of Iceland, Switzerland, the Netherlands, Ireland (Ireland is now Europe’s user data protection base for Facebook, Twitter, and Google)
  • Télécoms Sans Frontières (TSF)
  • Twitter
  • Reddit
  • all hackerspaces whose members are able to contribute to the running
  • Apple
  • Dell
  • IETF
  • the United Nations (or some part of..)
  • the European Parliament (or some part of..)
  • MIT, Stanford (universities who have a history in the advancement of the Internet and technology)
  • Google
  • Youtube
  • mobile phone network operators (Vodafone, 3, o2)
  • Internet Service Providers (BeISP in UK, XS4ALL in Netherlands and others)
  • British Broadcasting Corporation (for provision of news services in countries where access to news restricted)

Scores on the doors

I guessed one correctly. Not a good result.

Mozilla

Mozilla have announced they will run relay nodes as part of “Polaris”, their new privacy initiative.

It is a collaboration between Mozilla [1], the Tor Project [2] and the Centre for Democracy and Technology.

This news is fantastic. It truly is. Such a large, user-focused Internet entity putting its resources behind Tor middle relay nodes is great news. I would have expected Mozilla to fund and operate exit nodes, as this is the main difficulty for small or single entities. Running exit nodes can attract the wrath of legal departments, law enforcement agencies and ISPs. Still, give them credit.

The dark horse

But I totally missed the other major name.

I did not expect Facebook to be the (first?) major Internet service to be present on the Tor network [3], never mind launch a hidden service [4], with an associated SSL cert.

And then my friend Alec Muffett caused me a few weeks of head scratching and repeated “what nows?” when he tweeted:

It seemed to totally go against the “BUT FACEBOOK IS TRACKING ME AND WANTS TO KNOW MY EVRY THOUGHT” argument. And yes, that thought had crossed my mind.

It also confused a lot of people when they thought, “BUT I HAVE TO LOG INTO FACEBK SO I LOOSE MY ANONYMITY!”.

In the case of Facebook, unless you created an account which does not use your real name and does not have any photos of you uploaded, you weren’t anonymous.

What accessing Facebook as a hidden service inside the Tor network does do is hide your actual location. This may not be beneficial to some users, but will be very beneficial for others.

Why did Facebook do it?

I have some guesses and they can all be summed up by: to give access to their website to as many potential users as possible.

Go back to Nokia’s awesome 22 year old mission statement (first thought of by Ove Strandberg) “Connecting people”. The Nokia slogan “effectively portrays the company’s mission, which is to connect people without barrier and distance” [5].

Facebook want to make their service available to as many people as they can.

DuckDuckGo

DuckDuckGo, the “privacy enhancing” search engine, is available as a Tor Hidden service.

It would be good to know if they also run exit relays.

Wikimedia

The other big name on the Internet that has been running Tor network middle relays is Wikimedia.

It would be very interesting to see them launch a hidden service. I think this could have a similar effect, in terms of access to information, as Facebook could have for enabling people to connect.

Who else?

As a result of their place in the publication and handling of the Snowden files, I want to see the Guardian newspaper running a hidden service, or at least exit nodes.

Over the weekend I read an interesting Guardian article, written by Emily Bell, about the “right” relationship between technology companies and journalism. She made a good comment:

“….at news organisations the central organising principle is usually to produce something with social impact first ahead of utility or profit”.

I agree, which is why I think The Guardian should look at making their content available as a Tor Hidden Service. It would produce something with social impact and provide utility.

Who do you want to see creating a Tor Hidden Service, or running relay nodes?

References

1. Mozilla privacy blog announcing launch
2. Tor Project blog post announcing launch
3. Facebook announcement made on Facebook.com
4. BBC article covering Facebook Tor service
5. famouslogos.net description of the Nokia slogan

Open Rights Group London: Myles Jackman – Criminalisation of Extreme Pornography talk

ORG London October meeting: Myles Jackman – Criminalisation of Extreme Pornography (releveled) by Bernard Tyers on Mixcloud

This is my recording of the Open Rights Group London October talk on the criminalisation of extreme pornography. The talk was a fascinating look at the criminalising of sexual material.

Myles Jackman – @ObscenityLawyer – will be talking about how criminalising possession of extreme pornography victimises sexual minorities. We have seen recent cases of young people being prosecuted for owning and sharing images of themselves.

Myles will highlight how the laws around possession of sexual images are (mis)used by the police.

My notes on today’s BBC Radio 4 Digital Human episode on “risk”.

Digital Human: Risk (Series 6 Episode 1) by Bernard Tyers on Mixcloud

Today’s Digital Human (the BBC Radio 4 programme with Aleks Krotoski) covered human perception of risk in the “online age”.

“Our brains are still running security software designed to protect us against lions, tigers and bears and we haven’t run an update for about 200,000 years. Aleks Krotoski explores how well it works when faced with the risks of the digital world.”

It was a very interesting programme. They also didn’t mention the words “threat modelling” once. 🙂

My notes from the programme

  • What’s the riskiest thing you’ll do today?
    • Cycle on the street? Clicking on the attachment?
  • Scientist says our risk perception system works, “we’re still here!”
    • The problem is it has developed over time, when the risks we had to deal with were much simpler: lions, tigers, bears in the dark
    • We have an “inconvenient mind” when it comes to more modern complex risks
    • Because of this, we are getting some risks wrong
    • Our brains run the same security software against all risks we come into contact with
      • it hasn’t been updated for over 200,000 years
  • How does our brain handle more modern risks, and
  • Programme introduces “Jersey Lifts”
    • young people give and receive lifts home from a night out, for free (money does change hands…) while living on the island of Jersey
    • most people would not pick strangers up and give them lifts
    • people post they are giving lifts/or that they need a lift on facebook/the website
    • one girl mentions she prefers to get lifts from friends as opposed to taxi drivers
      • that’s the first problem with our risk perception: our decisions are not always rational
    • If the girl is giving a lift to only her friends on the island, what’s wrong with that?
      • She is posting her number, availability and location to a public forum of people she couldn’t possibly know
    • Jersey Lifts operates on a “cognitive trick” humans have used offline
      • the girl only gives lifts to people who she already knows directly, or has a “friend” in common
      • the girl contradicts herself by saying she has given a lift to “a friend of a friend”, and this is good as it “increases the connections between young people on the island”
        • she uses this criterion as a way of rationalising that she can then get the benefit of knowing more people, and so increase her chances of getting a lift when she needs one
  • Risks have characteristics that make it feel more or less scary
    • “Natural” risks feel less “scary” than human made risk
    • Risk that is imposed on us feels less “scary” than risk we have chosen voluntarily
  • Our level of trust makes us feel more or less afraid
    • It is a powerful risk perception factor to a social animal like us humans
    • Offline if we feel we need to trust someone, we will gauge that trust by finding a common connection and ask them
    • If we don’t have a common connection, we will still trust them, but only based on the information we know about them, what we heard about them, or what we’ve seen them do
    • We trade in social capital which we would have earned by being part of organisations; boy scouts, church groups
      • if someone from your church group asked you for a lift, would you give it to them? (Probably, since you were part of a common entity…)
      • Jersey Lifts exists in a microcosm, small organisation
      • The journalist mentions she has received lifts in microcosms (Isle of Skye) where she was able to introduce an element of consequence (person can’t get away easily) which she has used to accept to take that risk, and make her decision easier
        • Jersey is so small, so if someone did something bad, they would be negatively affected in terms of social capital
        • The girl is taking a calculated risk
          • people “do lifts” in 2 or 3s
          • “It’s a mutual relationship”
          • Her Mum doesn’t like her giving lifts, but doesn’t have a problem with her receiving lifts…?

  • Our brain is a survival machine, it is to get us through the day
    • the brain is hardwired to respond with instinct first and conscious objective reasoning second
      • you have a fight or flight response
      • historically this is a good response (think about meeting a snake and instead of running away, you “considered” it. This dangerous response would be “bitten and poisoned out of the gene pool”)
  • Risk is the chance that something bad could happen
    • risk is the probability of..
    • something bad being the outcome.
      • “the probability that something bad will happen to us”
  • When we cross the road, we don’t think about the road death statistics (i.e. use our rational thought processes), we do it “when it feels right” (i.e. our instinctive responses)
    • Emotions on judging that risk are contextual; they depend on the circumstances;
      • what would we do if we were crossing the road with a child
  • We are told there are so many unknown risks
    • risks to children scare us more than any risk to adults
      • The media exaggerate the Internet and its risks to children due to this
      • “the risk to children is played up WAY greater than it is, at least statistically in the US. In part because of this instinctive, excessive emotional fear we have of any risk, that threatens our kids”
    • There is still a big public, moral panic agenda from the media about the Internet
      • They’ve associated all manner of bad things with the Internet
      • “The Internet does bad things to children, irrespective of who they are or how they use it”
        • Research was carried out with children to understand their usage of the Internet
    • Risk is not the same as harm
      • Crossing the road is risky, but does not mean they will be knocked down.
      • Humans try to apply those real world risks to the online world
        • Most children won’t come to harm when they use the Internet
        • “Even when kids see bad things, like pornography, they are not necessarily harmed”
      • The researcher wants to answer, 1) what are the conditions that lead to kids using the Internet in risky ways, and 2) what are the conditions that then might lead that to them being put at harm, 3) what are the protections needed in each case
        • The answers may be education of the child or regulation of the Internet (not always the same)
    • Our fears of humans being corrupt is amplified online
      • Threats online are slightly different as the Internet obscures a lot of the ways humans make judgements about trust online and online we are having to work them out. The Internet changes so often, that we have to continuously work out new ways to deal with them; the ways to trust that we use to gauge risk.
    • Risk depends on the point of view
      • Jersey Lifts from the point of view of the person giving the lift is different than a taxi driver who has “more to lose”
      • Money does change hands on the Jersey Lifts service; maybe this is the most risky thing of all
      • It has been proven that the most risk comes from those inside your social group, so in fact the Jersey Lifts service, “focusing” on your friends, is more risky; even a gamble
  • The suggestion that using your real name online for an online profile, for example on Facebook, is better for other users to trust your profile
    • We’ve always been scared of strangers
    • Our approx. 200,000 year old security software in our heads is coming up against the same risks, just in different contexts; judging risk online is more difficult as we have to take into account so many more pieces of data
    • Our security software is very much out of date when we come up against totally new risks
  • Abstract risks are harder for our brains to make correct decisions
    • e.g. climate change
    • viruses that can travel around the world
    • Our instinctual risk perception system is coming up against more complex risks that require reason and logic, and that is not how we react
    • If a risk “feels” like it isn’t going to happen to me, then it doesn’t matter what the facts say abstractly
    • If it is harder to see that an abstract risk applies to you, then you are less worried
  • The place where we encounter the most abstract risk, is online
    • Someone with OCD and chronic fatigue syndrome talks about his fear of online security
      • He wiped his PC, and reinstalled his OS at least 3 times a week in the hope that it would give him the confidence to use it for the things he wanted without his anxiety taking over
      • His OCD started with a typical fear of contamination; taps, toilet, etc
        • the fear of computer viruses was a continuation of the fear of contamination
      • He was afraid of risks online
        • His mind was working overtime worrying about people doing bad things, and this was debilitating
      • He knows the fears are feasible but are not likely to happen
  • “White-hat hacker” mention of AUVs and drones
    • Most people can’t conceive that devices in their pockets would leak their personal information
    • They can’t conceive a drone in the sky could be intercepting the data from people’s phones
    • Jersey Lifts can put a face on the person giving/taking the lift:  the known unknown
    • The unseen drone hovering intercepting information: the unknown unknown
    • It’s easy to conceptualise physical risks (car crash) but not abstract risk (being hacked)
  • When risks are more abstract and require more thought; we get them wrong
    • When there is no emotional element; humans often forget about them
  • Society is unaware of a huge risk: the risk of getting risk wrong
    • i.e. that our perceptions don’t match the facts
    • Post September 11 bombing
      • Humans looked to take control of their travel and their safety and so they chose to travel by car/road
      • In the 6 months post Sept 11, between 500 and 2000 people died in road traffic accidents
  • Taking risks actually is good for humans, it propels us forward
    • The key thing with risk is how we choose to manage the risk, not whether we do or don’t engage with it
    • This applies online as much as offline
  • If we become risk averse; children will not become resilient online; and they will not meet other people who share the same interests
    • They will lose their self control, we make them more risk averse, and in danger
      • when you cross the road yourself, you become self-sustaining
    • All of the security and public safety work in the physical world over the past 100 years has been to protect humans, and allow them to be self-reliant
      • We are not doing this online and so we risk making children less self-reliant
      • We are not using our common-sense like we have been doing it in the offline world
    • “We can’t be expected to think of every risk that can exploit us, but we have the knowledge that we can be exploited, and we can demand protection” (questionable)
    • Ambrose Bierce: “The brain is only the organ with which we think, we think.”
      • We are subjective, but let’s try and be more rational by building policies and structures that save us from getting in to trouble when our emotions take over decision making
    • The girl doing Jersey Lifts rationalises how she decides who to give lifts to
      • Jersey Lifts tries to digitally verify identities in order to keep herself safe
  • Drones and spy software don’t fit into any compartments in our human minds (not true..but difficult)
