Permissions. Understood.

27 February 2015

This is part follow up to The challenge for web developers in 2015, part inspired by Francis Irving’s The advert wars.

Better patterns for helping users understand software permissions feels like an imperative; somewhere a lot more technical, design and research thinking should be directed.

By permissions I mean ‘what bits of software are allowed to do with data and input/outputs’, and the mechanism by which a user is informed of those things.

It’s a hard problem that is getting harder and more important:

We have more private data on the web. We have more devices and organisations to move data between. We have devices and web technologies that can do a lot more than they could a couple of years ago. As the number of digital organisations and the number of personal/home things with IP addresses increases it will only get harder, and there is not yet a convincing set of permission patterns for any of it.

We need interaction patterns that enable knowing permission (to steal a phase from Francis’ post on online advertising and privacy)

This is a hard UX problem because it probably requires making overall interactions harder or jerkyer or inconsistent so that someone understands what is happening to their data or what sensors are being activated on their devices.

The most-used patterns we have for explaining what a bit of software is allowed to do, that of Facebook and Google Play store apps, are full of the sort of anti-patterns you get when the custodian of the UI for permissions can gain from you interpreting them in a particular way.

On the Google Play website for example, the permissions of apps are not shown on the page, and not by default, and are not even in the HTML - they are loaded into a popup via a link that does a javascript POST to retrieve the information, so are not obvious and not indexed by search engines. They are then presented in a scrolling box, so you can’t see all the permissions. Why would you implement it like that if you wanted to achive understanding, if you wanted to know that someone had understood?

My guess is that most people currently don’t understand and don’t care that they don’t understand; but I think this is an area that needs some future-proofing - the consequences of not knowingly understanding might sneak up on us one day.

One answer might be new organisations that monitor permissions of software, data and digital organisations on our behalf? Forward thinking consumer rights organisations could start scraping public permissions data and tracking the changes with publicly verifiable cucumber tests for data (this is also seemingly non-trivial for the Google Play example due to the javascript + POST requirement).

Another is more research into what interfaces help people understand what is happening to their stuff, regardless of if they currently know how important their stuff is, while still remaining useable. Sounds like a good definition of a wicked problem.

photograph of a sketch showing a page requesting lots of permissions, including 'unlock your house' and 'sell your car'