When User Needs Meet Power
Improving Security Usability by Recognizing Where Business Needs Come First
Simon Parkin (TU Delft - Technology, Policy and Management)
Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.
Abstract
There have been a great number of usability improvements put forward in user security and privacy research. However, it is not guaranteed that beneficial changes proposed in research reach practice. If an improvement is seen not to benefit the service, or to be too difficult or costly to implement, the service owner may ignore it. Equally bad for users is if 'powerful' stakeholders - whoever it is who has the resources and influence to make the usability change in the real world - are selective about which elements of a proposed usability improvement they are willing to implement; this risks diluting the protections that the change would have afforded for users. Here we propose a shorthand 'user second as user-centred' approach to preparing usability improvements to security and privacy technologies and processes. Paradoxically, this perspective promotes usability by prompting a consideration of usability improvements as a value proposition for existing systems, and consideration of how the proposed changes align with stakeholder decision-making criteria. This is as opposed to relying on an assumption of usable security and privacy as being universally beneficial - such an assumption would rely on the powerful stakeholders to appreciate the need for improvement and not dilute it in any way, in the process of transferring it into a real-world service or environment. We show how this approach may be mobilized in an adaptation of the premortem planning technique, and explore a range of case studies where usability needs were variously warped or kept intact, either with the cooperation of powerful stakeholders or without them.