Social Engineering meets UX Engineering?
I suspect many of us have come across Social Engineering and what it can do. A quick Google search and you find all sorts of stories and content on the web about how clever manipulations enable people to gain outcomes that may not necessarily be legal or legitimate. Some people, such as Derren Brown here in the UK, use social engineering as a part of their arsenal to entertain vast crowds of bemused audiences.
Generally though, social engineering tends to make it into the news when “bad things” have happened to people. I’m sure anyone who has been using the internet and email will have had some experience with a “Nigerian scam” or similar type of thing. It’s easy to be dismissive of people who fall prey to this kind of fraud (often there really is no fix for stupid), but in many cases innocent people who are normally astute and careful fall victim to the silliest of manipulations and end up losing out in some way.
I’m beginning to encounter a “new” type of engineering, similar in nature to social engineering in that it appears designed to mislead, or to obtain an outcome that the target either isn’t aware of, or only becomes aware of after completing an action they probably wouldn’t have committed to had they really thought about it.
A popular social networking site, let’s call it ZinkedZin, has enhanced their “People You May Know” page so that as well as seeing people already with an account that you may know, you also see a few other types of people:
- People you may have exchanged an email with:
This is someone I’ve sent an email to. They aren’t on ZinkedZin (or at least not with that email?) and clicking on the “Add to network” link sends them a (probably annoying) invite to join.
- People you have exchanged an email with, who some of your contacts also email:
In this case, this is someone I regularly communicate with via email (it’s a real life friend) and hence it is no surprise there is a link identified between me and this person. Showing the 2 shared contacts is a key point though, and I’ll come back to that shortly…
- People who are on ZinkedZin and maybe known to you:
With this person, I have shared connections (not contacts) and I can “Connect” with them, rather than add them to the network.
With the above, the differences between the types of contact are generally obvious to the user, but only on a close reading of the wording. “3 shared connections” looks very, very similar to “3 shared contacts”, so it is easy to accidentally add someone to the network thinking you are connecting with someone you know on ZinkedZin, when in reality you are probably sending them spam encouraging them to sign up.
I suspect this happens a lot when people aren’t paying 100% attention to the page in front of them (not that I’d ever condone browsing ZinkedZin when on a customer conference call for instance 😉 ) or when they are on auto-pilot. It’s especially easy to understand when you see that ZinkedZin orders the different types of contact seemingly randomly:
In the above image you can see examples of all three types of person.
How many people will admit to accidentally sending an “Add to network” invite to someone who isn’t on ZinkedZin already? I will – I’ve accidentally interpreted the “3 shared contacts” as shared connections and no doubt annoyed someone I know with spam in this way.
A large multi-national banking organisation in the UK displays two numeric values at the top of your account page when you log in to internet banking. These are Available Balance and Current Balance. I had a discussion earlier with a colleague/friend about the point of this and how it can be misleading to the end user.
In short, Current Balance is the actual monetary value you have in your account at this point in time (let’s say £1000 as an example). Available Balance is the amount you could effectively make use of at this point in time, so it may be less if you have payments currently being processed between institutions (such as a credit card payment from your account), or alternatively may be more if you have an overdraft facility on your account (let’s say you have a £500 overdraft facility, meaning the available balance is £1500).
Again, we are into the grounds of semantics here. My friend explained that when they performed a payment from their account via internet banking, it didn’t show the current balance, it showed the available balance. This could lead a user to think they have more money available than in reality if they have an overdraft in place – £1500 instead of £1000 in the above example. The suggestion that this is a subtle way to encourage users of this organisation’s internet banking to unintentionally use their overdraft facility and in turn generate more revenue for the bank is an interesting one I’d not considered before…
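To make the two figures concrete, here is a small model, added to this post and not taken from any bank's code, using constructed amounts: it computes both balances and contrasts a payment confirmation that shows only the available balance with one that names the overdraft separately and warns when a payment would draw on it.

```python
"""Model of the two balances described above. Current Balance is the money
actually held; Available Balance adds any overdraft facility and subtracts
payments still being processed. All amounts are in pence and are constructed
examples, not a real bank's figures."""
from dataclasses import dataclass, field


@dataclass
class Account:
    current: int                      # pence actually held right now
    overdraft_limit: int = 0          # agreed overdraft facility, in pence
    pending: list = field(default_factory=list)  # payments still clearing


    @property
    def available(self) -> int:
        # Funds the user could draw on now: held money plus overdraft,
        # minus payments that have been initiated but not yet settled.
        return self.current + self.overdraft_limit - sum(self.pending)


def payment_uses_overdraft(acct: Account, amount: int) -> bool:
    """True when paying `amount` would exceed real funds (current minus
    pending), i.e. the overdraft facility would be used."""
    return amount > acct.current - sum(acct.pending)


def misleading_confirmation(acct: Account, amount: int) -> str:
    # The pattern the post describes: only the available balance is shown, so
    # £1000 held with a £500 overdraft reads as if £1500 were the user's money.
    return f"Pay £{amount/100:.2f}? Available balance: £{acct.available/100:.2f}"


def honest_confirmation(acct: Account, amount: int) -> str:
    # Corrected form: show the real balance, name the overdraft separately,
    # and warn explicitly when this payment would draw on it.
    msg = (f"Pay £{amount/100:.2f}? Current balance: £{acct.current/100:.2f}, "
           f"overdraft facility: £{acct.overdraft_limit/100:.2f}")
    if payment_uses_overdraft(acct, amount):
        shortfall = amount - (acct.current - sum(acct.pending))
        msg += f". WARNING: this uses £{shortfall/100:.2f} of your overdraft."
    return msg


if __name__ == "__main__":
    acct = Account(current=100_000, overdraft_limit=50_000)  # £1000, £500 overdraft
    print(misleading_confirmation(acct, 120_000))
    print(honest_confirmation(acct, 120_000))
```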
For me, the above are two simple examples of what I’ll call “UX Engineering”, where the UX of a platform is used to engineer some outcome, not necessarily in the interest of all concerned parties. I’m sure many people will have lots of other similar examples (please share them in the comments below) and hopefully some people will have examples where the outcome is a positive one too.
This shows the responsibility of good UX design and how it can be cleverly used, just like social engineering, to influence and guide a user to a certain outcome. An interesting point to ponder on at the end of this blog – how do you define “good” UX design? It can’t be a simple definition as it always depends on context – I’m sure the people tasked with coming up with ZinkedZin’s page were congratulated on their particularly clever approach and how it managed to acquire xxx number of new sign-ups for instance!
To your problem with ZinkedZin, there's an easy fix.
You can revoke the access of ZinkedZin to your mail account (which you probably once gave when subscribing).
For gmail you can find the "revoke access function" here:
Many people have once knowingly or unknowingly granted ZinkedZin access to their email account, to import contacts or look for acquaintances. If you ever notice such a request, be sure not to allow access (on any site).
But kudos on a really interesting article. I enjoyed reading it (twice, to get all the nuances)
Thanks for the feedback Tom.
I think this started to happen when I recently got a new Android based company phone and installed the app on it - I'm guessing it has access to my mail and contacts as you suggest. Need to investigate properly to make sure it is turned off correctly and my data is private again!
Wow..."connections" vs. "contacts". Pretty deceptive, if you ask me. I had no clue that was happening.
I've heard talk of something more malicious, where thieves will set up an unrestricted wifi in a public place, and instead of connecting users to the internet, they host copies of popular websites on a private network that do nothing but capture users' login data for the thieves to use.
And like Tom said, this was a very enjoyable blog!
Yeah, it's a subtle difference but an important one.
I'd be keen to know if people have examples of where this type of engineering is used to help the user, rather than for more nefarious reasons!