security versus usability

This morning, I noticed that we got some feedback from an unhappy Entourage user that says:

How DARE you prevent, by DEFAULT, the ability to see images in my email program!?!?!?! I just forked out good money for Office 2004 thinking that there would be improvements - and instead I find some LUDITE has made a decision that should be left up to the user - I do not NEED to have my email "secured" from images - I LIKE the images appearing automatically - LIKE THEY DID BEFORE in the previous version of Entourage - in fact I'm switching back.

THANKS FOR NOTHING!! Use your brains to improve a product - not diminish it.

It's feedback like this which makes me amused at the assertion that I got via email a couple of months ago that we only set up the anonymous product feedback so that we'd get fawning we <3 Microsoft feedback.

Usability doesn't exist in a vacuum. My life would certainly be easier, but a lot less interesting, if it did. When I study usability and try to make improvements, I have to deal with the real world, which means that we don't get to provide you with the perfect user experience. We have to make trade-offs. We don't have unlimited resources. We don't have a perfect technological solution to everything. And we have to deal with security concerns.

Entourage 2004 has a couple of security features that has a detrimental effect on the short-term user experience. By default, Entourage doesn't automatically download any image that is sent to you via email. You can change that through the Preferences menu (Entourage -> Preferences -> Security -> Automatically download ...), but that doesn't get you every image that is sent to you. That only gets you images that is sent to you by people who are listed in your Entourage address book. If you get email with pictures from someone who isn't in your Entourage address book, you have to manually click that 'Download images...' link in the email message.

This feature makes some of our users quite upset, as you can see from the above feedback. And I've already admitted that it has a detrimental effect on the short-term user experience. So why haven't I shouted at anyone who will listen until we change it? This is one of the more difficult trade-offs that we have to make: security versus usability. For Entourage users, the most usable thing to do would be to automatically download every image, so that you see the email that you expect to see and don't have to notice that there are missing images and then move your hand to the mouse (if it's not already there) and click the link.

The problem is one of security. Think about the spam that you get, or those spoofed messages from banks (real or not) that want you to enter lots of your personal details on some random faked website. If Entourage automatically downloaded images from those messages, their servers would get a lot of information about you. For example, their server will record your IP address, which gives them a fair amount of information about your physical location. There's a lot of other information that they'll get automatically, which gives them lots of information to use to spam or phish you in the future.

We made the decision to relinquish some of our short-term usability to enhance security. We tried to mitigate the usability effects of this decision. You can set the pref to automatically download images from people in your address book. This isn't a perfect solution, either: my address book has entries for Alaska Airlines, Hyatt Hotels, and my father. (Dad doesn't need to be in my address book. His is one of the few telephone numbers that I can actually recite at will, unlike (for example) my own home number.) I don't like having extra entries in my address book, but it's the best solution that we have to the problem of spam, phishing, and maintaining security.

Making software is a series of trade-offs. This is just one example of one type of trade-off. Creating solutions to these problems is what makes my job interesting.