Tags: antipattern

31

sparkline

Thursday, August 16th, 2018

A web of anxiety: accessibility for people with anxiety and panic disorders [Part 1] | The Paciello Group – Your Accessibility Partner (WCAG 2.0/508 audits, VPAT, usability and accessible user experience)

Enumerating the anti-patterns that cause serious user experience issues that don’t get nearly enough attention:

  • Urgency
  • Unpredictability
  • Powerlessness
  • Sensationalism

While such intrusions can be a source of irritation or even stress for many people, they may be complete showstoppers for people with anxiety or panic disorders.

I’m looking forward to reading the follow-up post.

(I was going to say I was anxiously awaiting the follow-up post but …never mind.)

Saturday, March 31st, 2018

Really Bad Design Exercises || Matthew Ström: designer & developer

This is a fun—and useful—way of improving the interview process. The Rubik’s Cube examples brought a smile to my face.

Sunday, March 29th, 2015

Native Scrolling by Anselm Hannemann

This gets nothing but agreement from me:

For altering the default scroll speed I honestly couldn’t come up with a valid use-case.

My theory is that site owners are trying to apply app-like whizz-banginess to the act of just trying to read some damn text, and so they end up screwing with the one interaction still left to the reader—scrolling.

Friday, July 26th, 2013

The slippery slope | 90 Percent Of Everything

The transcript of a terrific talk by Harry on how dark patterns are often driven by a slavish devotion to conversion rates.

Sunday, May 12th, 2013

Tuesday, January 22nd, 2013

Twitter permissions

Twitter has come in for a lot of (justifiable) criticism for changes to its API that make it somewhat developer-hostile. But it has to be said that developers don’t always behave responsibly when they’re using the API.

The classic example of this is the granting of permissions. James summed it up nicely: it’s just plain rude to ask for write-access to my Twitter account before I’ve even started to use your service. I could understand it if the service needed to post to my timeline, but most of the time these services claim that they want me to sign up via Twitter so that I can find my friends who are also using the service — that doesn’t require write access. Quite often, these requests to authenticate are accompanied by reassurances like “we’ll never tweet without your permission” …in which case, why ask for write-access in the first place?

To be fair, it used to be a lot harder to separate out read and write permissions for Twitter authentication. But now it’s actually not that bad, although it’s still not as granular as it could be.

One of the services that used to require write-access to my Twitter account was Lanyrd. I gave it permission, but only because I knew the people behind the service (a decision-making process that doesn’t scale very well). I always felt uneasy that Lanyrd had write-access to my timeline. Eventually I decided that I couldn’t in good conscience allow the lovely Lanyrd people to be an exception just because I knew where they lived. Fortunately, they concurred with my unease. They changed their log-in system so that it only requires read-access. If and when they need write-access, that’s the point at which they ask for it:

We now ask for read-only permission the first time you sign in, and only ask to upgrade to write access later on when you do something that needs it; for example following someone on Twitter from the our attendee directory.

Far too many services ask for write-access up front, without providing a justification. When asked for an explanation, I’m sure most of them would say “well, that’s how everyone else does it”, and they would, alas, be correct.

What’s worse is that users grant write-access so freely. I was somewhat shocked by the amount of tech-savvy friends who unwittingly spammed my timeline with automated tweets from a service called Twitter Counter. Their reactions ranged from sheepish to embarrassed to angry.

I urge you to go through your Twitter settings and prune any services that currently have write-access that don’t actually need it. You may be surprised by the sheer volume of apps that can post to Twitter on your behalf. Do you trust them all? Are you certain that they won’t be bought up by a different, less trustworthy company?

If a service asks me to sign up but insists on having write-access to my Twitter account, it feels like being asked out on a date while insisting I sign a pre-nuptial agreement. Not only is somewhat premature, it shows a certain lack of respect.

Not every service behaves so ungallantly. Done Not Done, 1001 Beers, and Mapalong all use Twitter for log-in, but none of them require write-access up-front.

Branch and Medium are typical examples of bad actors in this regard. The core functionality of these sites has nothing to do with posting to Twitter, but both sites want write-access so that they can potentially post to Twitter on my behalf later on. I know that I won’t ever want either service to do that. I can either trust them, or not use the service at all. Signing up without granting write-access to my Twitter account isn’t an option.

I sent some feedback to Branch and part of their response was to say the problem was with the way Twitter lumps permissions together. That used to be true, but Lanyrd’s exemplary use of Twitter for log-in makes that argument somewhat hollow.

In the case of Branch, Medium, and many other services, Twitter authentication is the only way to sign up and start using the service. Using a username and password isn’t an option. On the face of it, requiring Twitter for authentication doesn’t sound all that different to requiring an email address for authentication. But demanding write-access to Twitter is the equivalent of demanding the ability to send emails from your email address.

The way that so many services unnecessarily ask for write-access to Twitter—and the way that so many users unquestioningly grant it—reminds me of the password anti-pattern all over again. Because this rude behaviour is so prevalent, it has now become the norm. If we want this situation to change, we need to demand more respect.

The next time that a service demands unwarranted write-access to your Twitter account, refuse to grant it. Then tell the people behind that service why you’re refusing to sign up.

And please take a moment to go through the services you’ve already authorised.

Monday, October 1st, 2012

CSSquirrel : The Savage Beatings Anti-Pattern

CSSquirrel shares my feelings on the email notification anti-pattern.

Tuesday, September 11th, 2012

The email notification anti-pattern: a response

Quite quickly after I wrote my email to Findings about their email notification anti-pattern, I got a response back from Lauren Leto:

Give it to us. I applaud you shouting at us from a rooftop. I also hate defaulting to all notifications and agree that it was a douchebag startup move but can assure it was one made accidentally - a horrible oversight that the entire team feels bad about and will work to amend for you and the rest of our users.

We try to be a site for the common user - nothing like Facebook taking cheap shots wherever they can. I hope we haven’t forever turned you off from our site. Relaunches are hard and mistakes were made but nothing like this will happen again.

Apart from the use of the passive voice (“mistakes were made” rather than “we made mistakes”), that’s a pretty damn good response. She didn’t try to defend or justify the behaviour. That’s good.

She also asked if there was anything they could do to make it up to me. I asked if I could publish their response here. “Yeah, feel free to post”, she said.

I think it’s important that situations like this get documented. It could be especially useful for new start-ups who might be thinking about indulging in a bit of “growth hacking” (spit!) under the impression that this kind of behaviour is acceptable just because other start-ups—like Findings—implemented the email notification anti-pattern.

As Lauren said:

I think every startup manages to mess up one of these at some point in their life, either willingly or unwillingly. A clear listing of all offenses could be useful to everyone.

That’s where Harry’s Dark Patterns wiki comes in:

The purpose of this pattern library is to “name and shame” Dark Patterns and the companies that use them.

  • For consumers, forewarned is fore-armed.
  • For brand-owners, the bad-press associated with being named as an offender should discourage usage.
  • For designers, this site provides ammunition to refuse unethical requests by our clients / bosses. (e.g. “I won’t implement opt-out defaults for the insurance upsells because that practice is considered unethical and it will get you unwanted bad press.”)

The email notification anti-pattern isn’t yet listed on the wiki. I’ll see if I can get Harry to add it.

The email notification anti-pattern

Dear Findings,

I see you have introduced some new email notifications. I have also noticed (via my newly-overstuffed inbox) that by default, these new email notifications are checked.

WHAT THE FSCK WERE YOU THINKING‽

Sorry. Sorry. I lost my temper for a moment there. And the question is rhetorical because I think I know exactly what you were thinking …“traction”, “retention”, “engagement”, yadda yadda.

I realise that many other sites also do this. That does not make it right. In fact, given the sites that already do this include such pillars of empathy as Facebook, I would say that this kind of behaviour probably has a one-to-one correlation with the douchebaggery of the site in question.

You’re better than this.

Stop. Think. Spare a thought for those of us who don’t suddenly—from one day to the next—want our inboxes spammed by emails we never opted into.

Didn’t anybody stop to think about just how intrusive this would be?

Also, doesn’t this flood of new emails directly contradict this section of your privacy policy?:

As part of the Services, you may occasionally receive email and other communications from us, such as communications relating to your Account. Communications relating to your Account will only be sent for purposes important to the Services, such as password recovery.

Contrary to appearances, I don’t want to be completely negative, so I’ve got a constructive suggestion.

How about this:

If you’re about to introduce new email notifications, and all my existing notification settings are set to “off”, perhaps you could set the new notifications to “off” as well?

Sound good?

All the best,

Jeremy

Tuesday, February 28th, 2012

Time to Kill Off Captchas: Scientific American

Yes, yes, yes! This article does an excellent job of explaining what Captchas are attempting to do and why, therefore, they are so utterly shit.

Tuesday, November 15th, 2011

The mobile web splash screen antipattern [Legends of the Sun Pig - Martin Sutherland’s Blog]

Excellent points, eloquently delivered, on why sites shouldn’t be shoving their native Apps in the face of people who just arrived at their website on a mobile device.

Putting up a splash screen is like McDonalds putting a bouncer on the door, and telling customers who just parked their car and want to enter the restaurant that they should use the drive-through instead.

Sunday, November 21st, 2010

Pattern praise

Two months ago, I called Twitter out on their insistence that developers use OAuth when authorising with Twitter while they themselves continued to use the password anti-pattern when they wanted to peek into third-party address books.

I’m happy to report that Twitter have since fixed this. If you go to the Find Friends portion of the “Who To Follow” section, you’ll now be greeted with links that lead to correct authentication with LinkedIn, Gmail, Yahoo and Hotmail.

Thanks, Twitteroonies!

Meanwhile, Flickr recently launched their own “Who to Follow” functionality. There is nary a password request in sight: they’ve implemented correct authentication right out of the gate for Yahoo, Gmail, Hotmail and Facebook.

Thanks, Flickroonies!

See? I’m not always bitching’n’moaning.

Thursday, September 9th, 2010

OAuthypocrisy and the Passwordpocalypse

The OAuthcalypse is upon us. Since August 31st, all third-party Twitter services must use OAuth to authenticate. This is a good thing; a very good thing. Before that date, services were allowed to use the password anti-pattern to log you in.

Twitter has put its foot down and declared that the password anti-pattern will no longer be tolerated. Hurrah!

What a shame then, that Twitter is being utterly hypocritical. On their Find Friends page, they encourage you to:

Scan your email address book or contacts to discover which of your friends are already using Twitter.

They do this using the password anti-pattern. You are asked for your Gmail password even though the Google Contacts API would allow Twitter to connect to Gmail using proper authentication …exactly what Twitter is insisting third-parties use when they want to access Twitter’s data.

Twitter asks for your Yahoo Mail password even though the Yahoo Contacts API would allow them access to your address book using OAuth.

Twitter asks for AOL passwords (now there’s an audience that we shouldn’t be teaching to give their passwords away) but even AOL has an API with proper authentication.

Twitter does connect to LinkedIn correctly. That’s one out of four.

There are two solutions to this state of affairs. Either Twitter decides to do the right thing and switch over to using APIs and authentication for Gmail, Yahoo and AOL …or else Gmail, Yahoo and AOL follow Twitter’s example and disallow the password anti-pattern for scraping address books.

Twitter should not be encouraging Gmail users, Yahoo users and AOL users to divulge their passwords but at the same time, Gmail, Yahoo and AOL should be taking steps to ensure that such profligate behaviour is not rewarded.

Twitter has done the right thing with third-party services wishing to access its data. Now let’s see if the third-party services currently being abused by Twitter will follow this example.

Update: There are some very encouraging responses from Twitter. Ryan Sarver says:

all good points and I think there are already plans to fix it

And Josh Elman concurs:

yes - great points and something we hope to migrate very soon

Tuesday, December 29th, 2009

Web 2.0 Suicide Machine - Meet your Real Neighbours again! - Sign out forever!

A quick way of leaving Facebook, Twitter, Linked In and MySpace. It uses the password anti-pattern but after using this, I guess you won't be needing that password again.

Wednesday, May 27th, 2009

Twitter Status - Phishing scam

And this, boys and girls, is why the password anti-pattern is bad, m'kay?

Saturday, February 14th, 2009

Don't Give Your Account Passwords Away, a Mission on PMOG

A PMOG mission where players learn about the password anti-pattern.

Sunday, January 4th, 2009

Twitter Status - Don't Click That Link!

Twitter's promotion of the password anti-pattern bites them on the ass.

Friday, January 2nd, 2009

Antipatterns for sale

Twply is a straightforward little Twitter app that sends @replies to email. It uses the password anti-pattern. Oh, but don’t worry. It states quite clearly on the site that Your password is safe with us. No worries!

Twply is up for sale …sold. That means all those passwords are available to the highest bidder ($1200 in this case).

Sleep tight, Twply users. May you wake to a better day.

Monday, November 24th, 2008

Thursday, September 25th, 2008

Anti-pattern recognition

A new site called My Name Is E launched for beta testing today. Eager geeks rushed to sign up for the contact aggregation service. The second step of the process involved handing over your Twitter username and password. This request was dutifully obeyed by the eager geeks.

.

This is a classic example of the password anti-pattern. And this time it bit the willing victims on the ass. My Name Is E used the credentials to log in to Twitter as that person and post a spammy message from their account.

This is identity theft. It’s not as extreme as having your credit card used or having somebody get in to your email account but it’s still an unrequested violation of personal details. I’m very interested in hearing how the willing victims felt when they saw the message appear on Twitter with their own name and their own avatar next to it. I imagine adjectives like “outraged” and “shocked” would describe the initial reaction but I wonder if “embarrassed” would be far behind.

The “auto-tweeting feature[sic]” was removed within hours in response to the overwhelming negative reaction, as demonstrated on Get Satisfaction. What’s ironic, in the Alanis Morissette definition of the word, is that the Get Satisfaction page features a “share” tab that includes a link to “Twitter this.” Click it. Go on.

Needless to say, I disapprove of what My Name Is E did. But I don’t lay the blame entirely at their feet. Frankly, I’m really disappointed that so many people who really ought to know better were so quick to hand over their Twitter password to any site other than Twitter.

I blame Facebook.

I don’t mean that facetiously. I really do blame Facebook. I also blame Digg. And LinkedIn. And Plaxo. And Twitter.

All of those sites—and many others—actively, sometimes aggressively, use the password anti-pattern. Together they have created a pervasive atmosphere in which it is now completely acceptable for even seasoned geeks to throw their passwords ‘round like car keys at a dodgy ’70s party.

I’ve been banging on about the password anti-password for what feels like ages now. I keep saying that it’s teaching users how to be phished. After a particularly dispiriting discussion of OAuth on the iPhone, Simon went one further and put it in the past tense.

I fear that Simon may be right. But I’m not going to give up hope just yet. Now that Google, Yahoo and Hotmail all have OAuth-style contacts APIs, I think the tide could still be turned.

Mind you, Twitter’s continuing lack of an OAuth-based API is nothing short of shameful, as acknowledged by Blaine in his comment here:

OAuth came out of my worry that if the Twitter API became popular, we’d be spreading passwords all around the web. OAuth took longer to finish than it took for the Twitter API to become popular, and as a result many Twitter users’ passwords are scattered pretty carelessly around the web. This is a terrible situation, and one we as responsible web developers should work to prevent.

So while Twitter positively encourages the password anti-pattern (by example and by design), the situation is very different now for Google, Yahoo and Microsoft. Access to those web-based email services are used as justification for the majority of instances of the password anti-pattern. Now that they all offer alternatives, the only reason for abusers (like Digg and LinkedIn) not to switch from the password anti-pattern to using the official APIs is development time and priority.

Those are valid reasons for not immediately making the switch so I understand that not everybody scrambled to implement, say, the Google Contacts API in the week it came out. But it was released in March. It is now September. Surely that’s long enough for even a low priority task to get implemented?

I realise that I sound very negative in my finger-pointing here so I’d like to give credit where credit is due. Back in March, I listed a chart of web sites who were using the password anti-pattern but who I hoped would switch over. Shame on me for not including Flickr in the list because they were the first to follow Dopplr’s lead and scrap the anti-pattern in favour of a seamless import feature. Shame on me also for putting Last.fm at the bottom of the list. As part of their recent redesign, they too scrapped the anti-pattern. Good for them!

At the top of my list of sites I expected to ditch the anti-pattern was Pownce. Alas, they’re still not all the way there (Yahoo import is working correctly, GMail and AOL isn’t). But after some petulant grandstanding on my part, I have been assured that they are working on it.

I know I should care more about the big abusers like LinkedIn and Facebook than the little guys like Slideshare and Pownce. But it’s precisely because I love Pownce so, so much that it upsets me to see them get such an important thing so wrong when they get everything else so, so right.

Y’see, I’ve been thinking of putting my money where my mouth is. I should really plant a flag in the sand and set a date in the not-too-distant future (like maybe early next year) beyond which I will simply refuse to use any site that implements the password anti-pattern …and delete any existing accounts.

Now, I wouldn’t mind doing this for LinkedIn, Digg or Facebook (I’ve already done it for Plaxo). I wouldn’t miss those sites. I don’t have any strong attachment to those sites. But I have a very strong attachment to Pownce and I would miss it very, very much if I were to delete my account there.

I’d also have to delete my Twitter account, which would probably feel like losing a limb. It’s not that I feel a strong emotional attachment to Twitter—using Twitter often feels like being in an abusive relationship with a Fail Whale—but it’s so pervasive that it would be like swearing off using email, or chat, or the telephone.

Besides, what difference would this grandstanding of mine do? I’m just one measly account. But if other people were to join me …well, perhaps that might affect the speed and priority of abandoning the password anti-pattern.

I could set up a Wiki, or something similar; somewhere where others could add their voice to the call to remove the password anti-pattern. It needn’t be wholly negative either: it could double up as a place for listing useful resources for developers who want to implement OAuth-style APIs.

So I have a few questions for you:

  1. Is this a good idea or am I tripping?
  2. Would you abandon sites that refuse to ditch the password anti-pattern?
  3. Do you know of any good, easy to implement Wiki software?