Design Ethics – Encouraging responsible behaviour

I got a call from my bank, HSBC, the other morning. The call started something like this.

Rob: ‘Hi, this is Rob from HSBC. Before I can continue this conversation I need to confirm some security details with you. Can you tell me your date of birth please’.

Leisa: ‘You must be kidding Rob. I have no reason to believe that you really work for HSBC. Why on earth would I just hand over my personal information like that?’

Now, I don’t know whether Rob was just improvising, or whether this is an official HSBC script, but it is wrong, wrong, wrong. What Rob and HSBC are doing here is treating people to NOT take care with their personal information. What is this going to do for HSBC and their customers? It’s going to make them both much more likely to get stung by fraudsters, and to both lose time and money for no good reason.

Surely HSBC should be going out of their way to educate their customers NOT to hand over personal information whenever some random person calls up asking for it.

Either way, Rob was not impressed. He did have a backup plan (I give him part of the information and he confirms the rest… which is slightly better), but he took *that* tone with me for the rest of the call. You know, that ‘you’re an irritating customer’ tone. Not a great start to the day.

You know what it reminds me of? And it’s something that more and more of us are guilty of participating in – especially those of use who are designing applications that support social networks. It reminds me of this:

Facebook - Find Friends

This is the ‘find friends’ feature that we’re seeing on more and more sites (this one is taken from Facebook) where we are blithely asked to put in the full log in information for our email accounts, or our IM accounts or our other social network site accounts – and, more often than not – we do!

Now, clearly there is a big incentive to do so because these kinds of applications work well only when you’ve managed to connect with the people you know and care about, and using existing information like the contacts from your email or IM account makes this reasonably painless. The application does most of the work for you.

But do we really realise what we’re handing over when we give this log in information away? Do we realise how much we are trusting Facebook, for example, to play nicely with that information? Think of all the email and IM conversations you’ve had that are accessible using these login credentials… now think about the level of security at somewhere like, say, HM Revenue & Customs (where they recently ‘lost’ the personal information of millions of UK taxpayers), and now think whether somewhere like Facebook would have better or worse security… both now, and potentially in the future.

Sure, they *say* they’re not going to store or use that information… but are you really willing to take them at their word? Are you willing to TRUST Facebook (or any other site) that much?

We don’t really think much about this when we’re giving away our username and password, do we?

And why not? Because, just like Rob at HSBC, it’s almost as though we’re being pressured into just handing over the information otherwise we’ll get inferior service (and/or an attitude). We’re actually being trained to believe that handing over this information is the RIGHT thing to do.

Brian Suda calls this ‘Find Friends’ form an anti-pattern. He says in a recent Sitepoint article:

Another pitfall that you’ll want to avoid is sites that ask for the login details for your email account. This is a huge security hole. By handing over this information, you’re giving a random provider access to all your emails and friends, not to mention access to APIs through which they could edit and delete your information. And, as none of us want to admit, we often use the same passwords for many different services. Provide your email password to a site, and its owners can not only get into your email, but possibly your bank accounts (and a bunch of other services) as well. You should never give your password to anyone! Creating assurances of privacy lulls us into a false sense of security — it relaxes us into thinking everyone can be trusted and everything will be safe. This bad behaviour is exactly what phishers love to prey upon.

Enter design ethics. If ethics plays any part in the way that you’re designing your application or website, then this should be raising hairs on the back of your neck… you should be thinking that this is not right and that there is probably something you should be doing about this.

In fact, there are at least TWO somethings that I think we should be doing in this situation.

  1. The first is that we should be doing our best to help our customers/users/members to protect themselves. We should be educating them about the risks of handing over this kind of information and we should NOT be normalising this kind of behaviour.
  2. The second is that we should be looking for and encouraging alternatives to this ‘find friend’ functionality and we should be encouraging our clients/companies to opt for implementations that help our customers/users/members be more secure.

The kind of alternative that we should probably be looking for is something like OAuth which is an open protocol to allow secure API authentication in a simple and standard method from desktop and web applications. It is designed to help you get the information you need to give your end users a good experience without asking them to hand over personal information, like a username and password. Check out this demo of the current user experience. As far as I know, OAuth is not live on the web anywhere yet, but its cousin, OpenID is starting to be more widely adopted.

Of course, if we all had portable social networks, then that would also make things an awful lot simpler and more secure but it all seems quite a way off yet… why so far off you ask? Well…
So far, however, the drive to develop and promote these more secure alternatives is very much being driven by the more technical people on the web. There are lots of scary sounding discussions around exactly how these methods should work. Designers are, for the best part, not to be found in these conversations.

This is problematic from couple of perspectives.

  1. Firstly – if anyone is going to be able to drive the uptake of something like OpenID or OAuth, then it is going to be UX people, the people who are designing the experiences and making recommendations about what constitutes a good experience. Unfortunately, too often by the time the techies get a look in, all the functional decisions have been made and it’s too late to retrofit what would potentially be a much better solution for our end users. We have a responsibility to know about these things and to promote them.
  2. Secondly – from a user experience perspective, there are a lot of challenges to be found in OpenID and OAuth, primarily because you need to educate people about what is going on and also because you are typically moving them through quite a complex flow – including from one site or application to another and then back again. At the moment, the user experience of OpenID and OAuth are far from ideal, but rather than using this as a reason not to work with them, we should be seeing this as an opportunity to engage with these design problems and to use our experience and expertise to help get the user experience as good as it can be.

At any rate – looking after the security of our end users is now very much a part of the responsibility of the designer – whether it is through helping to educate those end users not to hand over information irresponsibly, or by guiding our clients/companies to use methods that better protect our end users. We need to be engaging in these discussions and helping to guide them both from the perspective of the businesses we’re working with as well as in the ongoing technical discussions about how these technologies work.

I think we have a responsibility to help protect our end user, even from themselves. To ignore this responsibility is unethical.

Exposing a stupid internet scammer

I know this is a little off topic, but I feel compelled to write up this experience so that I can hopefully prevent someone from giving money to this horrible internet scammer… it makes me sad that there are people behaving like this, but that’s the nature of the human race I guess. Most of us are good, honest, trustworthy people … and then there are people like this.

So, we’re in the market for a second hand car at the moment. We’ve been looking on Gumtree lately and the other day we found what looked like the perfect car for us – it was a 2004 VOLKSWAGEN POLO 1.4 Twist 5dr Automatic in excellent condition with not too many miles on it, gorgeous looking photos, and a very decent price tag of £2600.

Unusually, the advertisement did not include a phone number, so we sent an enquiry off via the email form and waited to hear back.

It didn’t take long before we received an email back from ‘TK’ at [email protected] who told us the following story:

First of all I have to tell you that the vehicle is in good condition, has no technical damage at all, no scratches or dents, no hidden defects, no smoking. It’s fun and robust to drive. Technical inspection and emissions testing is passed and stamped as well.
It has title of ownership, cleared of any obligations or fees and comes with all the documents you need to register it. The reason I am selling the car is because I really have to not because I don’t like it anymore.

I have worked in UK for the last 2 years and I’ve purchased the car there. My company wanted me back home, so currently I’m in Rome, Italy. I’ve bring the car home with me. I decided that is better to sell it because I don `t use it anymore (the wheel is on right side and is very difficult for me to drive it in Italy) and it `s a pitty to keep such a car and not to use it.

I realize that is a cheap price for such a car but my special situation makes me do things that I wouldn’t do in normal circumstances.

The price I am looking for my car is £2,600 including the shipping costs,insurance and handling (delivery to EUROPE).

You will not have to pay additional taxes for this.

The car has MOT, Road tax until next year. Also has full service history and it is hpi cleared.

Please feel free to email me with any questions you may have.

Thank you

Yeah, I know… you can see the red lights flashing already, can’t you… but we *really* wanted to buy this car and wanted it not to be a scam, so we wrote back and asked what he had planned to do re: shipping the car… of course, he had it all worked out, this is what he said:


I would like to use a shipping company for this deal, the process is very easy and I have just bought a 2006 Jeep Grand Cherokee and this is why I know how it works.

This company will handle the delivery of the car and also they will handle all the registration papers. If we will use it you will have 5 days to inspect the car before you decide to buy it.

I will pay delivery! The delivery time will be arround 3-4 days and the car will be delivered at your home address. In this time you will receive the tracking number of the transaction so you can use it to check the status on the company website.

Let me explain you the whole proccess:

First I will need your details, full name and address. As soon as I get the info from you I will take the car and go to the shipping company to transfer it in their custody. I will pay all the shipping charges. After the car is in their custody they will send you a confirmation and also payment instructions. They work as an escrow service and will hold the payment during the 5 days period for inspection. After the payment is confirmed to them, they will get the car to your home address and will also give you the documents of registration and the car will be left in your custody, in this period you can inspect the car, take it to a service for inspection and drive test it. After the 5 days period is over the shipping company will come to you and if you decided to keep the car you will transfer the documents on your name and after the car is registered on your name they will release the payment to me. If you decide not to buy the car they will get the car back and will send you a full refund of the payment.

Please e-mail me with your decision and also your full name and address!!

My phone no. is: 0039 3284-011-602, I am available in the morning before 10 AM, in the afternoon I am at work so will get back to you by email.

Thank you

Thomas Kent

I’m no psychology student, but I think that young Thomas has really put some effort into understanding how to build rapport and to build a sense of trust – gradually letting us know more information about him (his name, his phone no. etc), creating a shared experience through telling us he’s just bought a car this way etc.

Still… it all sounds a bit too good to be true, doesn’t it? That’s what we were thinking, but yet we were still hopeful. We asked him for more details about this shipping company, and he responds quickly with:

The company is Trans Cargo Ltd, their website is

Let me know if you decide to go with the purchase and I wait your reply with your full name and address I could take the car to the shipping company Monday.


Wow. So now we get to call him Tom. And he kindly provides us with a website address. Note the rather odd URL though… the experience continues to be dodgy as you head through to examine the website… sure, the design is pretty average, but lots of companies are. The thing that *really* got me was that the text on the website was just utterly opaque, it made absolutely NO sense. I could not see that this ‘company’ was in the business of shipping cars and managing transactions as our ‘friend’ Tom had described.

Nonetheless, we emailed Tom and told him we were going to proceed and Tom emailed us later the following day to tell us that he’d been to the shipping company to give them the car and paid the 500 euro fee, and asked us to let him know when we heard from the shipping company. He gave us a ‘tracking number’ that we could apparently use to track the transaction on TransCargo’s website.

And we did hear from the shipping company within minutes of hearing from Tom. It was a reasonably designed up HTML email that said:

Welcome to TransCargo Ltd,

Current status: Payment pending

Through this e-mail we have the pleasure to inform you that the merchandise has been left in our custody. The seller has paid for shipping.

Our Company is the European market leader in global express and international mail services. TransCargo reduces risks associated with Internet transactions by acting as a licensed, trusted, neutral third party for on-line transactions. The seller leaves the merchandise into TransCargo custody.

The merchandise will remain in TransCargo custody until the buyer provides the payment information to TransCargo. The payment will be made through a Wire Transfer Service. Once the funds are verified by TransCargo, the merchandise will be shipped directly to your address, shipping time – 3 working days. You will have a 5 days period for inspection. The payment will be hold by TransCargo during the 5 days inspection


Thomas Kent

Via Barzilai Salvatore 115

Rome, 00173


Ship to/buyer:

Leisa Reichelt

Our address

United Kingdom

Package Details:


Shipping Fees: *500.00


Billing Information for the Shipment:

Payment Method: Mastercard XXXX-2008

Total: All currencies in EURO **500.00

Shipment Information:


Service: Door Arrival

Delivery Time: 3 days

Shipment ID: 0QA08472T7

You can track your merchandise directly by accessing this link:

Next step to be taken: The buyer must send the payment to TransCargo Ltd., Payment Department, for verification.

Full amount to be paid: £2,600.

Payment has to be done via Bank Account Wire Transfer.

Trans Cargo Payment Department Bank Account:

Name: Bolnerg Maurizio

Iban: ES89 2038 3364 5830 0053 0851


After the payment has been done you have to send us the scanned receipt of the transfer from the bank so we can verify the funds.

The e-mail with the payment details should be as specific as possible, to allow us to verify that the payment has been made.Please send us the payment information in this email address: [email protected]

Once the funds are verified by TransCargo, the merchandise will be shipped directly to your address, shipping time – 3 working days.

To ask for a refund, simply reply to this notification and enter in the subject line: Refund request for transaction number: 0QA08472T7We’d like to thank you once again for being part of the community that has helped make TransCargo Ltd the best-known Shipping Company.


Trade Financial Department

More dodgy stuff – check out the name of the bank account we were supposed to transfer into… what’s that about? Also, where’s the tracking number that Tom told us about? Why isn’t the shipping company telling us about the tracking number (not to mention that it didn’t work on the website anyways).

So, then we got into some more real world investigations. We checked the company number and that all matched up, but then we tried to call the phone numbers on the company website and had no luck getting through to them. We then tried directory assistance and they couldn’t locate the company. We did end up getting through to someone who worked in the building that this company supposedly operated out of and ultimately ended up talking to the accountants of the *real* TransCargo shipping company who are in fact a chemicals shipping company and who don’t do any business in Italy. Apparently this wasn’t the first time they’d received a phone call along these lines, but the previous calls had been from people wondering where their car was… people who had clearly handed over the money to the ‘shipping’ company.

So, despite the fact that Tom continued to chase us for updates on what we happening with the ‘shipping company’ we had to decide that perhaps this car wasn’t for us… because it was pretty clear that there *was* no such car.

We’ve contacted the police – on the general number they told us to go to the station and they’ll ‘log it’ – they’re not going to follow it up because they get so many of these kinds of reports and because there might be a potential jurisdiction issue if this Tom guy is actually in Rome (I wouldn’t mind betting he’s somewhere in the UK myself). I emailed the cyberfraud people about a week ago to see if they were interested and haven’t heard back from them. I continue to report these postings to GumTree (as he keeps posting a new advertisement every couple of days, and I’m still looking for a car to buy), and I’m about to email off the details to Yahoo to see if they want to do something about this guy using a Yahoo email address for evil purposes… and, of course, now I’m posting this and hoping that the next person he tries to scam will Google and hopefully see this and not go through with it… anything else I can do to be a good internet citizen, do you think?

Meanwhile, I’m just going to take a moment to be kind of melancholy about the fact that every now and then humankind does let you down, and makes the internet that kind of scary and untrustworthy place that we try so hard to stop it from being… and then I’m going to remember that the vast majority of us out there are good and choose to dwell on that instead.