Bad UX

Dumb and Dumber Door Decals

Product Background

In February, I was in San Francisco visiting colleagues and decided to drop by the Metreon for a quick snack. As usual, a conference was happening just across the street at Moscone, IBM’s Think 2019, and advertisements for the conference covered most open surfaces.

UX Issue

Conferences occur all the time at Moscone and advertisements routinely plaster over any available space around the center, but these door banners covering the East entrance doors of the Metreon were simply not transparent enough to see through the door from the outside. Why is this a problem?

It is a problem when individuals are traveling in both directions through a single set of doors and one set of travelers can’t see what, or more likely who, is on the other side!

In just the time that it took for me to snap a couple photos, around a dozen people attempted to enter a door from the outside only to find someone directly inside attempting to exit the building. 

Outside looking in at the Metreon in San Francisco, CA.

Inside looking out at the Metreon in San Francisco, CA.

Potential Remedy

This problem could have been solved very easily by simply testing the material on a piece of glass before placing it across an entire six-door span in a commercial setting. That these doors were left in this state implies that the individuals responsible for posting the signs took one look and decided they couldn’t, or didn’t want to, redo them.

Cognitive Overload at Equifax

Product Background

  • Equifax is one of the big three credit reporting bureaus in the United States and is infamous for its 2017 data breach, which exposed the personal information of ~143 million Americans. (Link) (PDF)

  • Their handling of the crisis was even worse, and the ultimate security solution for most users (credit freezes) was further undermined by Equifax’s inability to generate random PINs, the codes used to unfreeze a user’s credit file. (Link) (PDF)

  • More recently, Krebs on Security discovered that Equifax had opened yet another security hole in their new MyEquifax portal, allowing a malicious attacker to bypass credit-freeze PINs previously set by users if they can get past the initial challenge questions. (Link) (PDF)

  • To remedy this as a user, you need to register on the site yourself, so that a malicious actor can’t register in your name, unfreeze your credit without your knowledge, and reset your PIN in the process.

    • As an aside, if you haven’t yet frozen your credit at all major reporting bureaus, you should spend the next 20 minutes accomplishing that task.

UX Issue

The challenge is that you will need an engineering degree in order to formulate a proper password! There are no fewer than 9 different password requirements that the user must satisfy in order to input an acceptable password.

It is challenging enough for most users to have unique passwords for every site; it is another level of cognitive overload to force the user to take out a piece of paper and write out a password that they think matches Equifax’s validation rules.

It is also interesting to note that many of the rules target patterns that rarely occur in practice, such as 9 consecutive digits or spaces, and therefore add cognitive burden for users who would never have made those choices anyway.

Additionally, having more rules counterintuitively makes the passwords easier to crack, because each rule excludes candidates and there are now fewer possible password combinations that need to be tried!

Potential Remedy

The potential remedy in this case is to have a competent IT team across the board, but that is unlikely to occur at Equifax.

More seriously, the key takeaway from this post is that if this sign-up flow were on a consumer app, or on any application where the company wasn’t a monopoly that forced users to register, most customers would balk at the sign-up process and fail to progress further. Each additional requirement places significant cognitive load on the user, and if those requirements aren’t adding significant value to the user or their experience, they shouldn’t be there in the first place.

While this is a potential UX issue in and of itself, if that many rules are required by your backend password registration system, you may be better off hiding the requirements that are infrequently violated and showing each of them only when the user actually violates it, reducing the cognitive load for most of the users on the platform.
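As an added example (not from the original post), the two points above made concrete in Python: an inclusion-exclusion count of how many passwords survive a “must contain each character class” rule, and a checker that surfaces rarely violated rules only when they are broken. The rule set is constructed for illustration and is not Equifax’s actual list; only the “9 consecutive digits or spaces” pattern comes from the post.

```python
import re
from itertools import combinations


def keyspace_with_required_classes(length, class_sizes):
    """Count strings of `length` drawn from disjoint character classes that
    contain at least one character from EVERY class (e.g. "must include an
    uppercase, a lowercase and a digit"). Inclusion-exclusion over the
    subsets of classes that are entirely absent from the string."""
    k = len(class_sizes)
    total = 0
    for r in range(k + 1):
        for missing in combinations(range(k), r):
            alphabet = sum(s for i, s in enumerate(class_sizes) if i not in missing)
            total += (-1) ** r * alphabet ** length
    return total


# Constructed rule set for illustration (not Equifax's actual list):
# (id, always shown?, predicate that is True when the rule is met, UI message)
RULES = [
    ("length", True, lambda p: len(p) >= 8, "At least 8 characters"),
    ("upper", True, lambda p: re.search(r"[A-Z]", p) is not None, "An uppercase letter"),
    ("lower", True, lambda p: re.search(r"[a-z]", p) is not None, "A lowercase letter"),
    ("digit", True, lambda p: re.search(r"[0-9]", p) is not None, "A digit"),
    # Rarely violated rules: hidden until the candidate actually breaks them.
    ("digit_run", False, lambda p: re.search(r"[0-9]{9}", p) is None, "No 9 consecutive digits"),
    ("space", False, lambda p: " " not in p, "No spaces"),
]


def check_password(candidate):
    """Progressive disclosure: return (ok, shown) where `shown` holds
    (rule id, met?, message) for the always-shown rules plus any hidden
    rule the candidate violates, so the form only grows when needed."""
    shown, ok = [], True
    for rule_id, always_show, is_met, message in RULES:
        met = is_met(candidate)
        ok = ok and met
        if always_show or not met:
            shown.append((rule_id, met, message))
    return ok, shown


if __name__ == "__main__":
    kept = keyspace_with_required_classes(8, [26, 26, 10]) / 62 ** 8
    print(f"8-char alphanumeric keyspace left by the 3-class rule: {kept:.1%}")
    for pw in ["Correct1Horse", "123456789abcX", "pass word"]:
        print(pw, check_password(pw))
```

For 8-character alphanumeric passwords the three-class rule alone discards roughly a quarter of the unconstrained keyspace, which is the effect the paragraph on crackability describes.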

Uber Pool & Lyft Line Go Back to the Future [Bad UX]

Product Background

While I am generally a proponent of Uber Pool and Lyft Line, and I think they can get even better (as previously discussed), the display of pricing and arrival times is sometimes more disingenuous than is necessary. See the prior example with Lyft and “free rides” resulting from the use of gift cards.

One of the complaints I regularly hear from Uber and Lyft drivers is that they wish riders were more educated as to how shared rides worked and that they often misunderstood when they would arrive because of a lack of clarity around the number and frequency of stops.

This educational issue is exacerbated in both apps because, when the non-shared ride option is selected, the arrival time shown for shared rides is often the same as the time shown for non-shared rides.

Only when the shared ride option is selected is the full time range displayed. Unless Marty McFly and Dr. Emmett Brown are going to show up in a DeLorean, those initial arrival times are likely going to be consistently wrong.

User Experience - 2018

For the same ride from OAK Airport to SFO Airport, upon initial request we see the following:

Notes - Rides were selected at different times, and Express Pool is a different product from Lyft Line, although the result is the same when looking at normal Uber Pool.

Uber has also since fixed this issue, see 2019 update below.

Lyft - December 3, 2018

  • Non-Share Ride Selected (Lyft)

    • Non-Share Arrival Time Displayed - 8:43am

    • Shared Arrival Time Displayed - 8:48am

    • Difference - 5 Min

  • Shared Ride Selected (Lyft Line)

    • Non-Share Arrival Time Displayed - 8:44am

    • Shared Arrival Time Displayed - 8:49-8:57am

    • Difference - 13 Min

Uber - December 3, 2018

  • Non-Share Ride Selected (Uber X)

    • Non-Share Arrival Time Displayed - 7:17pm

    • Shared Arrival Time Displayed - 7:18pm

    • Difference - 1 Min

  • Shared Ride Selected (Uber Express Pool)

    • Non-Share Arrival Time Displayed - 7:17pm

    • Shared Arrival Time Displayed - 7:18-7:37pm

    • Difference - 20 Min

User Experience Update for 2019

Uber has actually fixed this in their latest version of the application for Android, displaying time ranges instead of the earlier times.

Lyft continues to hide the Shared time range when a regular Lyft is requested.

LinkedIn's Utilization of Small Print as a Shield for Bad Behavior [Bad UX]

Product Background

  • Although it is a significant violation of the Product Manager’s Hippocratic Oath, companies regularly shield bad behavior behind small type, Terms of Service updates sent at midnight on Fridays, and unclear or outright false information.

  • It is unfair to assume that users can completely understand the information presented to them and therefore make an informed choice, or even that they care enough to spend the time to do so.

  • While LinkedIn has a history of disregarding users’ privacy and disrespecting fair use of data, they have quietly rolled out 3rd-party ad retargeting based on LinkedIn contact and profile data without adequately asking for consent or informing users of the ramifications.

    • Last Week - LinkedIn violated data protection by using 18M email addresses of non-members to buy targeted ads on Facebook (Link, PDF)

    • 2015 - History of LinkedIn Dark Patterns (Link, PDF)

    • 2014 - LinkedIn Feature Exposes Email Addresses (Link, PDF)

  • A (poorly structured) argument against this post is whether LinkedIn’s behavior is any worse than that of any other company. While I would argue they are a significant offender, most other technology companies are similarly bad actors. That doesn’t support lesser condemnation of LinkedIn; it simply supports condemnation of the behavior and the industry as a whole.

User Experience & Detailed Discussion

  • Upon a recent login to LinkedIn, I received the following notification, alongside what I would assume to be millions of other users.

  • Let’s break this update down piece by piece:

    • As it initially appeared to the user, all of the information from “Information you’ve shared with other companies” down to “If you select ‘Agree’” was hidden, and was only revealed after clicking the caret. This is a dark pattern to start with.

    • Allow LinkedIn to keep showing you relevant jobs and ads.

      • This is nefarious because if LinkedIn is already doing it, why do they need my approval again? If they need my approval, then they must be doing something different. This sentence preys on users continuing to agree to what has occurred in the past.

      • In addition, it implies that if you don’t agree, you may not be shown relevant jobs in the future, which most users wouldn’t like. However, this is not precisely what is occurring; it is just that LinkedIn won’t use additional data to make those recommendations more relevant, not that the recommendations won’t be relevant at all. These are two very different things.

    • Information You’ve Shared With Other Companies

      • “When You show interest (Like…” - The “like” here implies that there may be other ways in which I may show interest in a company, and that by agreeing to this I am agreeing to potentially unlimited, undetermined ways. I could theoretically click on the link provided, but there is no guarantee that I’ll find the information there.

      • “When you visit their websites, some companies may use tools (like cookies)…” - Again, the implication is that companies may use other tools as well, and that I am agreeing to whatever those are, even though LinkedIn has no control over them or over how those companies will use or misuse my information.

      • “Also, if you provided consent directly to a company you trust to use your data for ad relevant, LinkedIn may rely on that consent when showing you ads.” - This translates to “If any company that has a direct incentive to obtain your consent to show you targeted ads is somehow able to obtain that consent, through whatever means or dark pattern they can, then LinkedIn will blindly trust that 1 or 0 signaling your consent and, even if you click decline here, show you ads that are more heavily personalized and targeted, which have higher cost structures and will make us additional revenue.”

      • Finally, highlighting the Accept & Continue button in blue, which is the default action color for users on the site, abuses user trust in LinkedIn and pushes users towards that selection by default, likely increasing conversion rates.

    • Most users likely will not understand that this one click will allow their data to be used across LinkedIn’s entire retargeting ad network. The gravity of that situation is not proportional to the copy or visuals of the dialog.


Detailed Discussion Continued

Upon further digging through their latest privacy policy (Link, PDF in case of revisions) and LinkedIn’s additional primer on 3rd Party Ad Targeting (Link, PDF in case of revisions) as of this post, there are a number of additional data points that are collected that users may not realize. While the items below are by no means an exhaustive list of the data I believe is being misused, they illustrate the complexity and effort required to understand how a user’s data is used, and how most users have no idea.

LinkedIn (and others) also do a poor job, whether intentionally or unintentionally, of describing how the data points they collect interact. As a result, while they may be following the letter of their privacy policy, they may be doing so either by omitting the scenarios where data is combined or by describing them poorly.

In the examples below, text quoted from the policy comes first, and my comments follow just below it:

  • Different Services & Device Tracking - Logging Sites after LinkedIn Visit

    • Section 1.4 - Cookies, Web Beacons & Other Similar Technologies

      • As further described in our Cookie Policy, we use cookies and similar technologies (e.g., web beacons, pixels, ad tags and device identifiers) to recognize you and/or your device(s) on, off and across different Services and devices.

      • Fair enough, but what does “across different Services and devices” mean? Let’s go to Section 1.5.

    • Section 1.5 - Your Device & Location

      • When you visit or leave our Services (including our plugins or cookies or similar technology on the sites of others), we receive the URL of both the site you came from and the one you go to next. We also get information about your IP address, proxy server, operating system, web browser and add-ons, device identifier and features, and/or ISP or your mobile carrier. If you use our Services from a mobile device, that device will send us data about your location based on your phone settings. We will ask you to opt-in before we use GPS or other tools to identify your precise location.

      • I would hazard a guess that most users don’t understand that the site they go to after LinkedIn is also logged by LinkedIn. It is fairly standard practice to log which pages users are on before exiting, but I’ve rarely seen logging of the pages visited after exiting an application.

  • 3rd Party Advertising

    • Section 2.4 - Advertising

      • We do not share your personal data with any third-party advertisers or ad networks for their advertising except for: (i) hashed or device identifiers (to the extent they are personal data in some countries); (ii) with your separate permission (e.g., lead generation form) or (iii) data already visible to any users of the Services (e.g. profile). However, if you view or click on an ad on or off our site or apps, the ad provider will get a signal that someone visited the page that displayed the ad, and they may through the use of mechanisms such as cookies determine it is you. Advertising partners can associate personal data collected by the advertiser directly from you with our cookies and similar technologies. In such instances, we seek to contractually require such advertising partners to obtain your explicit, opt-in consent before doing so.

      • Potentially my favorite section in here, with the key bits called out below.

      • We do not share your personal data with any third-party advertisers or ad networks for their advertising except

        • So LinkedIn doesn’t share my personal information with 3rd party advertisers, except that it does exactly that thing.

      • Advertising partners can associate personal data collected by the advertiser directly from you with our cookies and similar technologies. In such instances, we seek to contractually require such advertising partners to obtain your explicit, opt-in consent before doing so.

        • LinkedIn seeks to obtain that consent, but it is not clear whether they will allow targeting even if they do not obtain proof from the advertiser of explicit, opt-in consent.

    • How Businesses & Websites Can Use Third-Party Data for Advertising on LinkedIn

      • There is an additional and entirely separate page on Third Party data usage (the second link in the intro paragraph above and here), the text of which is not included in the primary privacy policy.

      • This policy essentially allows LinkedIn to serve retargeted ads across its entire network as well as across 3rd party sites with which it has a retargeting partnership.

      • While this is similar to other retargeting relationships and providers, what is not clear is what unique situations LinkedIn may be able to exploit due to the network information effects that LinkedIn benefits from.

      • For example, if a colleague uploads my email via the LinkedIn address book feature, is that email used for retargeting even though I never consented to it being a retargeting data point? I would assume that is likely the case, but to my knowledge this scenario is not detailed, implicitly or explicitly, in these documents.