Some thoughts on PGPMailer

Here are a few thoughts on the PGPMailer, a contact for websites.

From reading the documentation, it looks like it uses GnuPG to encrypt the message on the server, before it sends it to the recipient (the contact form owner).

A couple of options for the contact form –

Issue: User awareness of security

If the contact form owner wants to communicate to the sender that their message will be sent securely this message could be added.

Option 1

pgpwebmailer-1

Option 2

pgpwebmailer-2

When I sent a test message to Samir, he replied with an encrypted mail. Since I did not have his public key, my mail client was unable to decrypt it –

Inbox_—_ei8fdb__227_messages__144_unread_

Issue: Recipient not knowing public key

If the contact form owner is going to send an encrypted reply, the sender may need to be informed about this so they can find the public key of the contact form owner.

Option 3

pgpwebmailer-with-pubkey-3

I hope this helps.

Facebook’s emotional contagion experiment

In my personal opinion Facebook’s experiment on emotional contagion was unethical. That is a bad thing.

The results they found are very interesting, and seem to go against recent findings in studies carried out in the U.S. 1)Cyberpsychology, Behavior, and Social Networking and Germany 2)Envy on Facebook: A Hidden Threat to Users’ Life Satisfaction?. That is a good thing.

For me, the big issue here is not about Facebook manipulating users, although this is also troubling.

It seems, since Facebook paid for, carried out and analysed the data they did not require ethical approval. I don’t think that is acceptable, but that is a different argument.

The argument here is about informed consent. From everything I have read today Facebook, did not ask for informed consent from participants who took part in this study.

Informed consent

In terms of healthcare informed consent is “a process for getting permission before conducting a healthcare intervention on a person” 3)Wikipedia article.

In terms of UX 4)Wikipedia article on user experience, or HCI 5)Human-computer Interaction encyclopedia article, when carrying out some research where humans come into contact with technology, the people who are involved must be informed in some way in order for the research to be deemed ethical.

Requesting informed consent usually involves the researcher; a) notifying the participant that some research is being carried out, b) asking the participant to confirm that the purpose of the data gathering and how the data will be used has been explained to them and thet they are happy to continue. 6)Chp. 7 “Data gathering”, page 224. Rogers, Y; Sharp, H; Preece, J; (2012) Interaction Design – Beyond Human-Computer Interaction

It is also good practice to make it clear to the participant that they are free to withdraw from taking part, at any moment and that, if this happens, the data generated will be deleted and not used in the study.

Facebook’s defence on the matter of informed consent has been to state users provided informed consent by agreeing to Facebook’s data usage policy. Personally, I have never read this document, I would expect a large number of people have never read the document either.

Taken directly from the Facebook Data Usage policy 7)Facebook Data Usage Policy, this is what you have agreed Facebook can do with your posts, messages, photos, etc:

How we use the information we receive
We use the information we receive about you […]. […] we may use the information we receive about you:

– as part of our efforts to keep Facebook products, services and integrations safe and secure;
– to protect Facebook’s or others’ rights or property;
– to provide you with location features and services, […];
– to measure or understand the effectiveness of ads you and others see, […];
– to make suggestions to you and other users on Facebook, such as […]; and
for internal operations, including troubleshooting, data analysis, testing, research and service improvement.

[The emphasis on the last line is mine]

Using the defence of ”oh the users have given their consent by agreeing to the terms and conditions of the site” is not acceptable. There is plenty of research carried out to show users do not read user agreements, Ts and Cs. Seeing as usage agreements can change regularly this is an even thinner defence.

Playing devil’s advocate for a moment, I do also think the negative reaction has been partly fuelled by Facebook’s unhealthy…opinion of privacy.

I read a very interesting article on The Faculty Lounge 8)How an IRB Could Have Legitimately Approved the Facebook Experiment—and Why that May Be a Good Thing, written from the point of view of an academic involved in research and ethics.

The author essentially states that an ethics review board would have approved Facebook’s research. She does challenge details around the lack of requirement for ethics reviews for private companies as opposed to academic institutions, the extent of actual research carried out by the 2 academics who co-authored the paper with the Facebook employee, and informed consent.

One of the academic institutions involved, Cornell said there was no need for ethical approval as the data being analysed was from a pre-existing dataset. This seems to be illogical since the manipulation of the users newsfeeds must have been carried out after the experiment started. Unless manipulation was being carried out on a regular basis.

I mentioned this is an argument about informed consent, but maybe the bigger argument is about ethics approval in general for private companies. Quoting the article:

Many have expressed outrage that any IRB could approve this study, and there has been speculation about the possible grounds the IRB might have given. The Atlantic suggests that the “experiment is almost certainly legal. In the company’s current terms of service, Facebook users relinquish the use of their data for ‘data analysis, testing, [and] research.’” But once a study is under an IRB’s jurisdiction, the IRB is obligated to apply the standards of informed consent set out in the federal regulations, which go well, well beyond a one-time click-through consent to unspecified “research.” Facebook’s own terms of service are simply not relevant. Not directly, anyway.

[Again, my emphasis on the last 2 lines]

Here Prof. Meyer seems to say that Facebook’s mechanism of “one-time click-through consent” does not constitute informed consent. However since they are a private company, the are not bound by the same rules as an academic institution.

Effects of the research

Seeing as Facebook doesn’t know exactly the psychological status of those who took part, they cannot know if the overly negative or positive affect it has caused. Amy Bucher a psychologist has written an excellent article 9)Facebook’s Informed Consent Problem on the effects this could have had.

It is a pity the results were arrived at by these means. Doing research into subjects that can create negative outcomes about privacy, security, emotion is necessary, particularly when bad actors won’t care/take ethics into account. My interest in usable security research comes across these issues regularly.

To the issue of users news feed manipulation. A few thoughts:

– my opinion would be the majority of Facebook users were, until now, not aware the contents of their news feed was being controlled.
– as a result users could not have given their informed consent in the first place as they did not know manipulation was being carried out.
– does the public know that newspapers have certain opinions and policies on news and have certain ways they will report the news?
– is Facebook’s manipulation of users news feeds similar to a newspapers editorial policy?
– the defence of regular A/B testing of Facebook’s news feed algorithm can’t be used as a defence either, unless their ultimate goal is to affect the psychological status of their users
– the public doesn’t know how the manipulation is happening

References   [ + ]

WIRED UK: Information graphic on UK government data sharing

WIRED information graphic shoeing government data sharing

This information graphic was included in an Idea’s Bank article 1)article on Wired UK website titled “Mark Walport: Government must make the case for you to share” talking covering the UK’s impressive results on data sharing.

It was also published in the WIRED UK edition along with the article 2)article from the WIRED printed edition> “Infoporn: UK government tops tables for open data access”.

While I diasgree with parts of the article, the information graphic successfully communicates the information well.

More thoughts later.

Twitter doesn’t like toe-pr0n

This evening I tried to send a tweet saying:

“Understanding cryptography for my non-crypto brain ain’t easy. Thankfully I’ve got lots of Sharpies. #security #ux”

I tried to attach this photo –

Crypto photo tweet - with the offending toe
Twitter blocked me from uploading this image because (I am assuming) there was “naked skin” in frame. That or they think my toe is ugly.

I received “unknown error” 4 times. Initially I thought it was due to image size, it was ~ 3MB. So I scaled it down to ~500KB and tried again. It still didn’t work.

Eventually, I thought – they’re not blocking it due to my naked toe, are they?

So I tried again, this time cropping out the offending naked, bodily appendage.

Surprise, surprise, it worked!

So, Twitter are blocking naked skin, even disconnected big toes. That’s going a bit overboard, eh Twitter? There is no sense in censoring that.

much skin
such toe
wow
very censor
so naked

Recording usability tests with Screenflow

This is the first post in a series on hardware and software to carry out usability tests on a small budget, so call DIY usability testing.

These posts are mainly for people in the censorship circumvention technology community 1)Open ITP Circumvention Tech Summit and those who build privacy and security software.

They have certain needs around maintaining participant privacy, small budgets, ad-hoc testing, and geographically dispersed user groups.

I am starting with Screenflow as it is my chosen software tool. There are plenty others, and I’ll get around to them one by one.

When I have written about each tool, I’ll then give examples of the usability testing scenarios you may find yourself in.

What is it?

Screenflow 2)Screenflow product page at Telestream website is an excellent application released by Telestream 3)Telestream website. It runs on OS X only but there is a 30 day trial version 4)30 day trial for Screenflow available.

It is my choice of video recording application as it is very versatile, reasonably low cost ($99), and has very helpful support people.

What can I record with it?

It is a Mac OS X application, and most Apple laptops come with an internal camera and microphone.

Screenflow can record video from 1) the internal camera, 2) any USB cameras, audio from 1) the internal microphone, 2) any USB audio devices, and 3) the audio from the computer generated sound (eg video on Youtube, Skype audio, etc).

The configuration of the recording is done with a simple recording screen shown below.

Screenflow recording setup
This screenshot shows the interface for configuring the recording inputs.

Here is an example recording:

How do I edit the video?

Once you have recorded some video and audio, Screenflow presents the sources to you on a simple time based editing interface. There are a lot of tutorial videos 5)Screenflow tutorial videos on Telestream website to help you edit video with Screenflow.

Screenshot of Screenflow showing the editing interface

Since you are using it for usability tests, you’ll have only 2, 3 video feeds and maybe 1 or 2 audio feeds.

The real power of Screenflow is being able to record the screen as well as USB video feeds as well. I’ll go into more detail about this in another post when I focus on doing mobile usability testing.

I don’t use Mac OS X

That’s OK, not everyone does. I use it because it is the best tool available for the job I do. Stay tuned for other options for Linux and Windows.

References   [ + ]

Suggested (small) change for EFF’s HTTPS Everywhere UI

The EFF 1)Electronic Frontier Foundation and the Tor Project 4)Tor Project have developed a very useful add-on for web browsers, called HTTPS Everywhere 2)HTTPS Everywhere on eff.org.

What is HTTPS Everywhere and what does it do?

It is a web browser (Firefox, Chrome, and Opera) extension that encrypts your communications with many major websites, making your browsing more secure 3)Description of HTTPS Everywhere on eff.org. Using HTTPS with websites, your Internet usage is much safer.

HTTPS Everywhere works as follows:

  1. a user types “HTTP://www.hsbc.co.uk” into their browser address bar
  2. HTTPS Everywhere automatically checks if it knows of a HTTPS addres for this site (This comes from a list it has verified)
  3. if there is a secure site available it redirects the users traffic to it
  4. the users Internet usage is now secure and private
  5. if there is not a secure site available, then it allows the user to continue to the insecure site

HTTPS Everywhere advanced options: SSL Observatory

HTTPS Everywhere has a “decentralized SSL Observatory”. This detects and warns users about security vulnerabilities, such as fake HTTPS security as the users browses the Web. It is available in the preferences.

Current SSL Observatory interface

Currently the advanced options look like this:

EFF HTTPS Everywhere Advanced Options
This is a screengrab of the EFF’s HTTPS Everywhere Options showing the original advanced options

I think these advanced options are slightly confusing, in terms of how the user interface is layed out.

There are two options with explanations:
1. Submit and check certificates signed by non-standard root CAs
2. Submit and check certificates for non-public DNS names

Each have a check box as shown. The current UI shows the explanation outside the boundary of each option.

This can lead to confusion for the user as s/he may not see the association between the explanation and the option.

Suggested SSL Observatory interface

A better way to represent this would be to reverse the order and weight of the option and the explanation, and bound them inside the option box as shown below.

Displaying it like this communicates that the explantion and the checkbox are connected. The explanation is also in smaller font, as it is secondary, the text at the checkbox is the action.

Without the action, the explanation is misleading.

I have also changed the wording of the second explanation to explain the meaning of “secret” – secret in this case means, inside a company, uknown to the public.

EFF HTTPS Everywhere Advanced Options
This is a screengrab of the EFF’s HTTPS Everywhere Options showing the changes suggested for the advanced options.

I hope that’s helpful. Any feedback, please leave it in the comments.

[Update] I made a mistake: HTTPS Everywhere is configured with a list of verified HTTPS addresses for websites. SC (in the comments) very quickly picked me up on it. Thanks.

References   [ + ]

Thank you Zora from IPEVO. Problem fixed!

I’ve written about the problems when using the IPEVO P2V camera and Screenflow version 4.5 (20888).

The nice people from IPEVO got in touch and sent us out a new camera in super wuick time. Great customer service!

Recording video with P2V camera and Screenflow

As can be seen below, when we record the videofeed from the P2V camera and the desktop of the computer, with Screenflow it now works. Thanks Zora.

We love IPEVO! from Bernard Tyers on Vimeo.

What changed? What was the problem?

(This is personal opinion. It might not help you.)

In order to find out what has changed between the old camera and the new replacement, I used the USB Probe utility in the OS X Developer Tools.

USB Probe allows you to investigate the technical details of whatever USB devices are connected to the computer.

There are a lot of differences between our old camera, and the replacement we were sent. In my opinion the information below are the main differences that will allow you indentify if you have the same problem.

The “old” camera


Device Descriptor (from USB Probe)
Descriptor Version Number: 0x0200
Device Class: 239 (Miscellaneous)
Device Subclass: 2 (Common Class)
Device Protocol: 1 (Interface Association)
Device MaxPacketSize: 64
Device VendorID/ProductID: 0x1778/0x0204 (unknown vendor)
Device Version Number: 0x1012

Number of Configurations: 1
.
.
.
Configuration Descriptor
Length (and contents): 905

The “new” camera


Device Descriptor
Descriptor Version Number: 0x0200
Device Class: 239 (Miscellaneous)
Device Subclass: 2 (Common Class)
Device Protocol: 1 (Interface Association)
Device MaxPacketSize: 64
Device VendorID/ProductID: 0x1778/0x0208 (unknown vendor)
Device Version Number: 0x1128

.
.
.
Configuration Descriptor
Length (and contents): 665

I can confirm using Screenflow 4.5 (2088), OS X 10.9 (currently up to 10.9.3) and an IPEVO P2V (Device Version Number: 0x1128) you can record the camera feed, and the screen of the computer.

So, thanks to the great people in IPEVO. You’ve really helped. Now we can do usability tests again with our mobile testing kit.

If you’re looking for a great external camera at a great price for usability testing, I highly recommend the IPEVO P2V.

Wiio’s laws of human communication

Professor Osmo Antero Wiio 1)Osmo Antero Wiio article on Wikipedia was a professor of economics at the University of Helsinki, and also a member of the Finnish parliament.

He is best remembered for “Wiio’s law” 2)Wiio’s Law article on Wikipedia which states that “Communication usually fails, except by accident”.

The full set of laws is as follows:

1. Communication usually fails, except by accident.
— If communication can fail, it will
— If communication cannot fail, it still most usually fails
— If communication seems to succeed in the intended way, there’s a misunderstanding
— If you are content with your message, communication certainly fails

2. If a message can be interpreted in several ways, it will be interpreted in a manner that maximizes the damage.

3. There is always someone who knows better than you what you meant with your message.

4. The more we communicate, the worse communication succeeds.
— The more we communicate, the faster misunderstandings propagate

5. In mass communication, the important thing is not how things are but how they seem to be.

6. The importance of a news item is inversely proportional to the square of the distance.

7. The more important the situation is, the more probably you forget an essential thing that you remembered a moment ago.

While these laws are funny, they’re useful when designing computer based communications tools for humans.

References   [ + ]