VPN users with security concerns: What they need


Bitmask is the LEAP Encryption Access Project’s VPN client, available for Android.

When OpenITP’s Secure User Practices project (SUP) approached the LEAP team about doing UX work on their tools, LEAP came back with a fifteen-page writeup of all the known usability issues for their virtual private network (VPN) client, Bitmask. Some of these issues were known bugs. Some were features the team thought they should build. Some were questions about what should be worked on. And some turned out not to be UX-related at all. The question then was, where to start? SUP’s first step was to triage these issues, sorting them into types and making recommendations for which should be addressed first.

SUP identified specific questions about priorities for development which could be addressed through a survey of users or through user testing. Over the six days of the 2015 Circumvention Tech Festival in Valencia, Spain, SUP researcher Gus Andrews conducted eight user/expert interviews about VPN usage in eighteen countries, and two user tests of the Bitmask Android client. The results of these interviews and tests are below.

Additional information, specifically about VPN use in Iran, is forthcoming in a report by ASL19 on their large-scale survey of technology use there. (ASL19’s information will definitely be more reliable and up-to-date on the situation in Iran than the single report from Iran listed here; that interviewee cautioned that his information is some years out of date. VPN usage has since become significantly more risky for Iranians. His interview is included here primarily for contrast with other countries, and in order to prioritize the development of certain features.)


Interviews suggested the following priorities among the features which LEAP is considering for development. (See the appendix at the end for a count of votes for or against the feature.)

Should LEAP bundle its mail client with the Bitmask VPN?

Users liked this idea (though they didn’t feel strongly about it). The fact that they use multiple email addresses suggests a secure email client might be of interest to them.

Should LEAP work on making in-session switches between gateways more seamless?

This is a feature users will make use of, as much for speed as for protection.

Should LEAP work to hide the fact that a user is setting up a VPN account?

This is a high priority in Iran. Users in countries with developing technical surveillance abilities (Africa, Latin America) would like to have it. It is not seen as a priority in China. Most other users (and governments) don’t care; setting up a VPN is a relatively common practice for business or accessing entertainment content, and that provides plausible deniability for those using it primarily for free speech.

Should LEAP prioritize and make prominent the ability for users to look at certificates?

Even highly-technical users — even VPN providers! — rarely look at certificates. This should be left deeper in the interface.

Additionally, user testing turned up a number of show-stopping issues which the LEAP development team has already begun to tackle. These issues kept users from successfully making a connection using Bitmask, and/or led users to say they would uninstall the app. A Bitmask developer’s report on what he is doing to address those concerns appears in the second appendix at the end of this post.


Why the command line is not usable

A command line interface is like a door with no handles.


A number of FLOSS tools require users to do work at the command line in order to set them up or operate them. With Linux and its applications, this is often expected. Very few Windows, Apple, or even Android applications expect anyone to do this anymore.

Expecting this of end users is problematic (as I’ve explored to some extent before), and is likely to lead to very minimal spread and adoption of a piece of software.

Recently, I have been speaking with the Tahoe-LAFS project about improving the usability of their secure, decentralized file hosting system. They told me an OSX package was newly available. Oh, excellent, I thought. They can be a candidate for the expert UX review sweep we’re about to do. Under the guidance of a Nielsen Norman Group researcher, we would walk through the discovery, install, setup, and basic functions of a small suite of FLOSS security tools.

The Tahoe-LAFS team gave me a link to a recent functional build. I downloaded the package, ran the standard Mac installer, and clicked on the resulting app. It gave me the error message “You can’t open the application “tahoe” because it may be damaged or incomplete.”

I went back to their devs. It’s broken, I told them. Can I have a new package?

Oh, they said. You just have to run it at the command line.

At this point, it looked like the expert review for Tahoe-LAFS was off, and I was going to have to report that the app had showstopping failures. Mac users are at least marginally used to double-clicking packages to install them (and these days, the iTunes store means they often don’t even need to do that). Any user, no matter how advanced, is likely to take a system message saying an app is “damaged or incomplete” at face value. Even an expert user would be unlikely to try to work the app at the command line at that point; forget about asking your average nurse, retail clerk, or office manager to do so. All that aside, I didn’t have any interface to evaluate.

Then one of their developers sent me a video of the Tahoe-LAFS setup process, and I saw an opportunity to do a review comparing what I saw to standards for usability.

And as it turns out, this may also be more generally helpful to explain to FLOSS developers why the command line isn’t just “not ‘shiny’” or “not dumbed down like a GUI” — it actually cognitively disables users.

Here is my annotation of the Tahoe-LAFS setup video. NOTE: Have the YouTube “Annotations” feature active, or you won’t see the usability comments and none of this will make much sense.


CTF IconLocal: Rough sketches

At the Circumvention Tech Festival in Valencia in early March, we held an IconLocal — an event to develop graphics as a community, in the style of the Noun Project. Digital security trainers (and trainers of trainers) who have worked in Africa, the Middle East, Eastern Europe, Latin America, and Russia joined forces with software developers and graphic designers for a day of developing graphics to communicate vital security and privacy concepts to software users.





We began the day with a round of introductions, a review of previous proposals for privacy and security icons, and an exploration of the challenges of developing useful icons. Trainers then shared the concepts which they felt were most challenging to communicate to users, and the metaphors which they used to communicate them. Here are the lists of challenging concepts, accompanied by useful metaphors (see right).



Ebola: What you can do to help

I am an ardent participant in NYC’s West African dance classes. They have kept me healthy in both body and mind for over ten years now, seeing me through major transitions and hard times, bringing me and hundreds of others joy every week.

So an international news feed shouting about ebola spiraling out of control in Liberia, Guinea, and Sierra Leone is more than just a distant terror that makes me fret and argue for stopping flights between those countries and mine. These are people who are familiar to me, their bodies transcribing a beautiful arc in space and flight that has been mine, too, and I am heartbroken to think of them cut down:


Everyone Come to HOPE!

UPDATE: Looking for a HOPE conference schedule where you can see workshop times alongside talk times? You’re in luck, I made one: HOPE X Schedule Grid

Yep, it’s time once again for the Hackers On Planet Earth conference, Friday July 18–Sunday July 20 at the Hotel Pennsylvania in New York City. And it’s time for my biennial post urging you to attend, because HOPE is full of wonderful things.


Corset Lore will perform again at HOPE’s chiptune concert. (Photo by Marjorie Becker.)

“But I’m not a hacker!” you may say. Shh shh shh shh shhhh. It’s ok. I have never been more confident in saying you very definitely want to be at HOPE. Even if you feel like your technical skills are so poor that the Supreme Court has more of a social-media life than you. HOPE is a place to learn more and play with technology. You definitely want to come to HOPE.


Reason #1: The NSA.

You’re still confused about how it is they know so much about you. You’re wondering what you need to be worried about, and what you can stop worrying about. Let me tell you: going to HOPE for the past ten years gave me advance warning about this whole mess, and a lot of understanding of how, when, and why tracking happens.

This year, because there’s pretty much nobody left who DOESN’T care about surveillance, we have a tremendous number of talks where you can learn about threats to journalism, alternatives to phones that spy on you, tools to avoid tracking by corporations, ways to avoid location tracking, and how we can learn more about government spying programs. If you’re really wondering whether you should be worrying about the government, Quinn Norton’s talk on real-world enemies like bosses and angry exes should be of particular interest.
