User Control, Consent, Autonomy
Related Prototypes: MC Onboarding / Avatar Onboarding / Lemonade Stand
Through trying to answer research questions around creepiness and comprehension of a Continuous Authentication system, we discovered both are closely intertwined with a user's feeling of control.
We attempted to determine the level of detailed information about the system users want to know during onboarding. Users either needed or could tolerate a range of communications, from detailed descriptions to more condensed mentions of it, as long as they felt they were in control of their participation at any given time.
Usability
01. UI should show privacy control options
Show context of use and data collection in action
"Check boxes help me know that I have to acknowledge and accept what I'm agreeing to…" - MC Onboarding
02. Leverage existing security mental models
Falling back to an existing authentication method is comforting to users, and enhances the experience as it reinforces their current mental model.
People preferred the Weak - Medium - Strong scale when choosing what sensor data to share with the app. It reinforces their mental models of authentication during password creation. Here we are using it to show that the more data provided, the stronger the profile is.
Many people immediately associated the various step-ups with captchas and assumed the step-up was there to determine whether the user is a human or a bot. Although this may reinforce the fallacy that it is Turing-test focused, the user does immediately associate it with security. Messaging around how it is unique to them as a person could better educate them about its identifying security aspects.
"I do like that there's a human element (2FA) that I have more control… you'd have to have access to an email or some type of code." - Customer Journey Study
03. Educate and Re-educate
Show users the impact of their decisions when onboarding to the service.
A profile strength bar helps incentivize data sharing. A low-resolution one like this example does not give bad actors any details about which factors are weak, while also providing the user with a metric for how safe their profile is.
"I'd try different combinations until the bar indicates strong." - Avatar Game
Autonomy
01. People trust their own devices
People feel more comfortable when facial data is captured on their own device, not a merchant's POS system.
[On capturing facial data on phone] "There's a degree of control, gives me a little more comfort" - Lemonade Stand
"If this was on my own device it would have been better" - Lemonade Stand
"I don't want my face videoed all the time, I'm more comfortable with camera usage on my phone than my computer." - Lemonade Stand
"Weird to have the store take a photo of me." - Coffee Shop
"It scares me when I see my face on screen." - Coffee Shop
02. Allow users to opt-out
Data gathering without opting in is uncomfortable.
"This feels like something's wrong. This is so in my face." - Lemonade Stand
"I'd find it strange if it's collecting data in the background. I won't sign up unless I knew how it was working…" - Small Merchant Checkout
"I would want it [autofill] if I opted in to it, not that they just do it." - Customer Journey Study
Data Privacy
"No matter how often we say we're creeped out by technology, we tend to acclimate quickly if it delivers what we want before we want it. This is particularly true of context-aware technology. Just consider how little anyone seems to mind now that the Google Maps app mines your Gmail. Today, Google Maps is studded with your location searches, events you've arranged with friends, and landmarks you've chatted about. It's delightful, and it took hold faster than the goosebumps could. The utility seems so obvious, your consent has simply been assumed." - Wired, 2015
01. Provide control over data
Users should always have the option to control the type of data collected.
Control given at onboarding is easily ignored. Users need to have a place where they can always go to change settings.
"From the point of view of being able to have control over your purchases and your activity online, autofilling without opt-in does not feel good." - Customer Journey Study
02. Show user's profile
Provide control over the profile generation process.
Give users an option to delete the profile.
"What do you know about me, Mastercard?" - Customer Journey Study
03. Avoid dark patterns
Data sharing can be incentivized, but care must be taken to not design a coercive experience.
"A child could do this by accident, as if they're playing a game." - Avatar Game