One of my favorite user interface (UI) design adages is pretty much simplicity itself:
When you blame the users, you’ve already lost the argument.
I’m reminded of this by Google’s public reactions to a recent study revealing that almost a third of nearly 10,000 sampled Google G Suite commercial customers were unwittingly exposing sensitive corporate and/or customer data to the public Internet without access protections: “Widespread Google Groups Misconfiguration Exposes Sensitive Information” (https://www.kennasecurity.com/widespread-google-groups-misconfiguration-exposes-sensitive-information/).
Without getting into the technical details here, the underlying issues relate to the multiplicity of settings that control public access to Google Groups and their associated mailing lists. While Google defaults these to their most secure settings, the sheer quantity of misconfigured, potentially information leaking sites represents an empirical proof that a very significant number of G Suite users and administrators are not adequately understanding these settings, with resulting privacy-negative impacts.
Google’s response — in essence — has been “RTFM” (Read The F‑‑‑‑‑‑ Manual): The settings are there, if you’re not using them correctly, that’s your problem, not ours!
And while Google has posted some additional related info (e.g. on their G Suite Updates Blog), those explanations mostly stand to emphasize the relative complexity of the interface, and no changes that I’m aware of have been made to the interface in response to these concerns.
The situation is a bit reminiscent of auto manufacturers who resisted redesigning key aspects of their vehicles, even as it became ever more obvious that significant numbers of drivers were having accidents due to existing design elements.
As far as I’m concerned, the scope of the reported G Suite privacy leakage problems indicates nothing less than a privacy design failure in this instance.
Rather than trying to make excuses for an existing user interface that is clearly failing significant numbers of customers (and with G Suite, we’re talking about paying customers!), Google needs to take an immediate and hard look at the specific design aspects that are enabling these misconfiguration-based confidential information exposures.
A practical fix might not even involve major changes to the UI, and might be adequately served by mechanisms as simple as more in-your-face “pop-up” warnings to users and administrators, appearing in conjunction with additional confirmation dialogues when associated privacy-sensitive settings are being altered.
But clearly, explanatory blog posts aren’t going to cut the mustard for these kinds of problems, and I urge Google’s world-class privacy team to effectively address this situation as soon as possible.
–Lauren–