-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Design of securedrop-client UI #89
Comments
Related to #102 (for debate in UX meeting) but not actually a prototype. This is one view of what the SecureDrop client could eventually look like (if inspired by a generic messaging client): Everything is up for debate, currently just brainstorming. Dropping some implementation thoughts over in #88 |
Thanks for the gorgeous mock-up, @redshiftzero, and for pushing the envelope on what a client could look like. The kinds of questions the IM-style workflow raises for me include:
It seems like the interaction modeled here would be very convenient after a triage/1:n assignment workflow. That workflow might be similar to what's shown here but have a dedicated UI to quickly assess whether a source is worthwhile. Just some early thoughts, definitely looking forward to discussing with our users. :) |
Leaving some notes here after a chat with @redshiftzero and @kushaldas today.
|
@heartsucker on these points:
|
I think when it's clear that sources are drive-by then they should be deleted from the server once the documents are handled. In addition, I think that sites will want to delete large submissions to free up disk space. Otherwise, I don't think there's a major issue in keeping sources around. Indeed, removing them entirely will prevent them from being to log in again with their existing codename. To the other points re: the proper delete/sync behavior, I think journalists do expect that if they have the rights to delete, and they delete a message or source, that this is reflected everywhere. This is the behavior of the Journalist Interface currently, and it's also the behavior of applications like Semaphor. With that said, it does seem important (based on chats with a few users) to ALSO have some kind of "save" feature so that they can save a particularly interesting document even if they are deleted on the server. This is something that can be done right now in the SVS, so preserving that behavior is important. What about something like this where there is a "cold storage" feature (I am not a designer and this is not design advice... but you get the idea): Note that this is also now a minimal version of the client without any of the not-currently-possible fancy features (org name displayed on SD, emojis, icons for journalists, journalist-to-journalist comms) and this one can be implemented only using functionality possible via the API in freedomofpress/securedrop#3619 |
"I am not a designer" posts amazing design ಠ_ಠ |
But really, yes, that sounds like it would do the things i think think it should do. A+++ would implement. |
Haha thanks @heartsucker. So one thing I don't like about my mockup above is the "cold storage" abstraction, I feel like people would get it but it doesn't seem totally natural, so I wonder if there is a clearer way to do this... |
@huertanix I'm particularly curious what you think about this, let me know if you have an idea on the "cold storage" concept 😇 |
Yeah agree on that. Maybe just call it "archive"? That seems intuitive enough. (Anyway, waiting on real UX people to tell us what ta do) |
just chiming in here to say that looks amazing, @redshiftzero 😃 |
@redshiftzero This mockup looks very good; Very familiar application elements, intuitive layout. On cold storage, I'm not sure I immediately understand it. Is this the equivalent of a personal stash that would, in the current SecureDrop system, be a bunch of encrypted files in a Tails journalist drive's persistent storage? Or the removal of the files/conversations from the local machine while still keeping them on the server? Side note that these guidelines from Gnome may be helpful in figuring out some design decisions around the fine details like notifications, button layout, etc: https://developer.gnome.org/hig/stable/. |
@huertanix The interactive wireframes at https://eloquence.github.io/workstation-messaging/ (see #102 for background) may help to elucidate how "cold storage" (called "archival" in the wireframes) could work in practice. Click the menu, select "Mark for Archival" and then "Delete". Basically, this feature would ensure that the locally stored copy is not deleted from disk when a source is deleted. I'm still not convinced that's truly an intuitive approach, but it's a tricky problem: we do want to support keeping local copies, while generally keeping the workflow as simple as possible. Alternative suggestions to explore would be most welcome! |
@eloquence Thanks for the example. Archive and cold storage don't really tell me where the archive will actually live. There's some verbiage on the message when choosing to delete that explains where it gets deleted and where it doesn't, which is good. I think something that may be worth considering is something closer to a webmail/cloud-esque set of expectations; e.g. removing the idea of a local copy completely from the design. Of course there would still be a local copy, technically. Gmail and Tinkercad download a copy of a message or 3D file from a server to a browser, but they're examples of an interface that doesn't need to bring attention to that, while still offering an option to export a thing as an archive file if the user wants to hang on to a copy. Would there happen to be any feedback available from recent user interviews around how long journalists keep source histories around for, or how they deal with deleting older source histories? This may help inform what some of their expectations around this are. |
Thank you, great food for thought. Our FAQ states:
The sample privacy policy states:
I don't think these recommendations are consistently followed; the limited user research we have done includes quotes like "I think we haven't been going through old submissions and deleting them" but also "Periodically I would delete them when the submissions were dealt with." I think we should be very clear why those recommendations exist, i.e. what threats they mitigate against, and how we want to deal with those threats in the new SecureDrop Workstation architecture. (CC @emkll). From my understanding of the threat model, the following approach may make sense:
This approach would enable a near-term/mid-term/long-term distinction for how to deal with content:
The software could express those concepts through subtle reminders ("This source is more than a year old. You may want to consider moving it to cold storage.") Does that sound potentially like a workable approach? Regardless, the more I think about it, the less I think the idea of a per-workstation archive integrated in the client as in the current prototype/mock-ups makes sense. There would be synchronization problems that are difficult to surmount (some users ending up with incomplete archives), visibility issues (who has a copy of this document?), and mental model issues (what's server-side/local?). |
I see there being three distinct ways of categorizing the data availability:
The concern here is access to decrypted submissions or communicating with a source, leading to potential source identification. This could be achieved via obtaining source passphrase, rogue journalist or malicious actor by compromising the app server, acquiring either journalist or admin credentials, or obtaining access to the workstation. To reduce the likelihood, we could:
To reduce the impact, we could:
Local storage feature would increase the impact if:
The local storage approach would make a journalist more likely to delete submissions on the server, but increase the amount of sensitive data stored and accessible to the workstation. To reduce the amount of submissions that are stored locally (perhaps after a story was published, the documents are no longer needed, but want to be preserved), we could introduce some form of archival storage. Disable source accountsI think disabling/deleting source login should occur automatically after a fixed period of source inactivity, which we communicate, to reduce confusion (or triggered by the source). I think this is an area where the most user feedback is needed to better understand source and journalist requirements. Local storageDeleting files from the server immediately will mean that it's possible only one workstation has the submission:
Archival storageI think we might also want to consider another option, sending documents to archival storage:
|
I think the disappearing sources idea is a good one, this came up a while back over in: freedomofpress/securedrop#2068 where there are some thoughts about whether this should be configurable (probably yes). Regarding the archive/cold storage flow, thanks for feedback all, the concept is definitely confusing and adds significant complexity. What about we abandon this and just do the following:
This simplifies the implementation significantly and makes for a clear experience. Then we can focus more engineering effort on the export flow, e.g. the UI that will probably need to enable options like:
|
this is very old, so closing - this is now in progress in individual followup issues in https://github.com/freedomofpress/securedrop-client and https://github.com/freedomofpress/securedrop-ux |
This a brainstorming issue for ideas for the design of the
securedrop-client
program (a broader view is described in #88) that will have a UI for journalist users of the Qubes Workstation.Conversation view
One approach that might be intuitive for users is a conversation based view like Signal Desktop (Image from the Signal Blog):
where the left panel would show the sources, and eventually group conversations (one source with n journalists or n journalists discussing some topic without a source involved). The right panel would show messages and replies ordered by time, with submissions displayed in a similar manner as attachments in Signal Desktop (e.g. with icons that map to the file extension). Clicking on the submission file would open the file in the disposable VM.
File view
Another approach is a file-based view, basically a simplified File Manager, which again has sources in a panel on the left, and on the right the files associated with that source, including the messages and replies to the source.
These ideas (and many more other possible designs) would lend themselves well to early prototype user testing and feedback like this (kudos to @ei8fdb for sharing this link with me) that can occur with few prerequisites (e.g. you don't need a working Qubes Workstation to do the user testing).
The text was updated successfully, but these errors were encountered: