[Enigmail] Expect signature header proposal

Robert J. Hansen rjh at sixdemonbag.org
Tue Oct 7 18:22:28 PDT 2008 

Eitan Adler wrote:
> Secondly it is will established among most psychologists that people do
> not notice the absence of some specific object or sign even if that
> object is there on a regular basis.

I'd like to see a citation for this, please.  It seems to be an unusual
claim to make.  I think I would notice if my apartment door was missing,
or my toilet, or the buttons on the elevator, or any of many, many other
things in my daily life.

It may be the case that some certain classes of objects are prone to
being overlooked, but as a general statement about reality I just don't
see it holding true.

> Even without the header idea, which I now agree was a bad initial
> choice, the UI to enable a warning on the non-existence of a signature
> based  on sender should still exist.

Sure.  You get to be the one to support all the users who drown the
mailing list with "since I installed Enigmail, almost all of my messages
have been giving me error messages!  Help!"

You continue to obsess over the "should," and neglect the "can we and
with what tradeoffs".

> This system IMHO works a lot better than the one where we
> expect users to go against their nature.

Both systems have been roundly excoriated by people working in HCI.
They're both really bad.

True story.  My friend Peter Likarish has come up with a phenomenally
cool anti-phishing technology.  (I can't talk about it since it's
prepublication.  But it _works_.  I think in five years his technique
might well be a standard part of every browser.)

For user testing, he packaged it up into a Firefox browser extension.
Whenever the user visited a phishing site, it would put a small red
banner across the top of the content pane.  "This may be a phishing
site.  Click to dismiss this warning."

Of 25 users, _not one_ reported seeing the banner.

That's right.  Not a single one.  His 25 users were not technically
proficient, it's true, but that was a deliberate choice on his part.  He
wanted to make antiphishing technologies useful for the average user.
But not a single one saw it.

So Peter went back to the drawing board.  Now, the banner would start
off small, but would slowly grow to cover a quarter of the content pane.

Of 25 users, _not one_ reported seeing the new, creeping-growth banner.

When he asked users later what they saw, they attributed it to "a pop-up
ad" or "just another Microsoft warning".  They were aware that it
existed, but they never bothered to look at it.

When Peter told me this, I was incredulous.  Then Peter got very
frustrated and asked me if I wanted to see the video of a user who
reported not seeing the banner at all.  You can see this person's eyes
steadily moving down the screen as the banner grows.  The banner is
right there in front of them, and they don't even see it.



... Moral of the story: whenever anyone tells me "I have an idea to make
this warning clearer for newbies," my first question is "great: have you
done usability testing yet?"  Because if you haven't, then I really
can't talk about your idea.  Everyone has a way to make it clearer and
easier.  Maybe one in a thousand will actually work.

More information about the Enigmail mailing list