Bitcoin me! 1JDDn6cHgzqsRtgQJZwhToJPAX4oYZg19T

If that “sentence” makes any sense to you – you’re not a muggle. Muggles (for want of a better epithet) don’t want to invest a lot of time into things which don’t fit with their mental model of how the world works.

Without getting into a philosophical discussion on what money is and how value is generated – let’s look at how Bitcoin works in practice.

Failing to Design is Designing to Fail

Bitcoin is doomed to fail. Pick a reason why.

• Governments will ban it.
• A proprietary alternative will spring up.
• An EMP will destroy enough Internet infrastructure to seriously disrupt it.
• Naughty hackers will commit massive fraud.
• Normal people will be too confused to even start consider it.

All are a possibility. The most likely is ignorance and apathy generate by crappy execution on lack of focus on the normal user.

PayPal

Before it became big and a bit crap, PayPal started off with a very simple idea.

1. Send money to an email address.
2. Receive money sent to your email address.

Pretty damn simple. If I have money in a PayPal account, I can send it to alice@example.com .
Alice receives an email saying she now has money in her PayPal account (and if she didn’t have one previously, an account has been created).

Now, there are caveats, and charges, and edge cases, and multiple points of failure. But the idea is simple.

How Bitcoin Works In Practice

1. Install software onto your PC.
2. Configure it.
3. Find some way to convert cash into BitCoins.
4. Copy and paste long, incomprehensible random strings, with no user-friendly error detection.
5. Use the software to send coins with no out-of-band communication for confirmation.

Now, each of those points in of itself isn’t insurmountable. But taken together they present a rather formidable challenge. With PayPal, Google Checkout, or regular bank transfer, the flow is

1. Get recipient’s ID (either an email or a short string of number)
2. Create an instruction via web, mobile, voice, SMS, or in person.
3. Recipient receives confirmation.

I’ve left off the “set up” stage because most people already have at least one method of payment at their disposal. Even if they don’t, setting up a PayPal account is trivial compared to setting up Bitcoin.

Designing For Humans

Bitcoin, at the moment, isn’t designed for normal people. It’s designed for geeks like me. And even I can’t be bothered to set it up.

But if Bitcoin – or any other currency – wants to fulfil its destiny and revolutionise “money”, it needs to be easy for normal people to understand and use.

In the book, Norman rails against the usability flaws which seek to undermine our comfort and sanity. Everything from lightswitches which never seem to have a consistent state, to to alarm clocks with impossible to figure out controls. It really is a must read for anyone who cares about usability – on computers or in the real world.

I travel a lot for business – and occasionally for pleasure – so I get to experience some of the maddening issues which Norman describes fairly regularly. Nowhere is this more apparent than hotel rooms.

Hotels From Hell

I’m not talking cockroach infested flea pits with constant building works and mouldy bathrooms – although I’ve seen a fair few of those – but irritations which confuse, confound and exasperate a weary traveller. TVs with seemingly no volume control. Light switches which operate lamps on the other side of the room. Door locks which require an engineering degree to operate. Thermostats which either leave the room freezing or baking.
All pretty trivial, yes – but of immense frustration to a jet-lagged guest who just wants to turn the lights off and sleep in a warm room.

Bathroom Blunders

The area which seems to cause me the most confusion is the bathroom. We’ve all experienced the shock of using someone else’s shower and having them patiently explain what the trick is of turning it on – or getting it to spurt out hot water… but not too hot. Hotels, sadly, rarely come with a guide to using their facilities.

I want to point out an “interesting” usability flaw I noticed on a recent trip to Paris.

Hot Cold Confusion

What would you expect this tap to do?

The blue / cold symbol is over the spigot – surely that means activating the tap will pour cold water?

However, our experience indicates that turning a tap to the left brings forth hot water – that’s the convention in my country. Is it the same in France?

There are no arrows to indicate how turning the tap will affect temperature.

We could experiment – but most people don’t want to waste time with that. They just want a clear indication of what a piece of equipment will do.

So, we have an impasse.
The law of proximity would indicate that two things next to one and other have a relationship. The cold symbol is next to the tap – therefore the tap will run cold.

The law of experience tells us that turning a tap to the left gives hot water.

There is no way to reason this out. We have to go through an annoying – and possibly painful – experiment to see how this mundane piece of equipment works.

Lessons

The lessons for computer and real-world usability should be clear. Don’t make the user think. Don’t mess with their expectations. Don’t overload conventional actions with your specific action. Try to see every aspect of your project as though you were a brand new user who is unskilled in the ways of your project and of your culture.

Above all, remember that some of your users are likely to be jet-lagged and just want the simplest, easiest way to perform an action.

You can buy The Design of Everyday Things from all good bookshops.

One of the things I love to do is add images to my contacts. It gives me a visual cue when I’m scrolling through looking for a person, it prompts my memory when I see the face of a friend calling me, and it helps me remember what people look like.

As you can see, I’m pretty good at keeping everyone’s photo on my phone up to date.

Which Conditions Are Appropriate?

Google’s interface for uploading images has some rather confusing conditions attached to it…

“Do not upload pictures containing celebrities, nudity, artwork or copyrighted images.”

What? Those are some strange terms and conditions to have attached to a contact image. I’m not sure if they’re copy-and-pasted from another app – or if they’re intentional. Let’s take a look at each one.

• “Celebrities”.  If I’ve got a friend who is a celebrity – why can’t I have her image as her contact picture?
• “Nudity”.  It’s my phone.  I am not going to offend myself if I see a nude picture of a friend that I’ve uploaded.  This is before we get in to what defines nudity.
• “Artwork”. This is just bizarre.  If a street artist has drawn a caricature, I can’t upload it?  I can’t use a company logo to indicate where my contact works?
• “Copyrighted images”. Again – what? I own the copyright on images I’ve taken.  I may have permission to reuse a copyrighted image.  I may even be justified in using a copyrighted image for my personal use.  I suspect they mean “images to which you don’t have permission from the copyright holder to use for this purpose”.  But even that doesn’t cover the Fair Dealing provisions of many copyright laws.

If you try to use an image which is already on the web, you get this curious message.

“Remember, using others’ images on the web without their permission may be bad manners or – even worse – copyright infringement.”

This is an odd statement.  A mixture of folksy advice and legal warnings.  I don’t see how personal use of a thumbnail from even the most copyright laden of images could be construed as infringement.  As for “bad manners” – is it really Google’s role to advise me on etiquette?

People Don’t Read – But Copy Editing Matters

It’s been well known fact for over 13 years that users don’t read.  That’s especially true if the text is small and grey – as it is in these examples.

But if you do want to impart vital information, you need to employ a skilled writer to help you craft your message.  You need to understand what it is you’re trying to say, why you’re saying it and what you expect your users to understand.

In this case, Google has a very muddled and confusing set of conditions which seem illogical and users – if they read them at all – are likely to ignore them.

I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar.

But, in thinking about how a spammer could infiltrate one’s timeline, I think I came up with a fairly bullet-proof method to spam Twitter users.

I present this as an exercise in devious thinking – and also to show how our assumptions about security can play against us. Remember, hacking and impersonation are likely to be illegal in your jurisdiction.  This information is designed to help you understand how security weaknesses can occur.

Being Evil

Imagine you are a nasty, evil Twitter spammer. Your own mother wouldn’t spit on you if you were on fire – that’s how mean you are. Here’s what you do.

1. Obtain a user’s password.  Admittedly, this is the hardest part of the process. You might use a dictionary attack, use the same password they use to log in to another site, or somehow steal it.
2. Log on to Twitter.
3. Go to “Connections” and see which services they have connected to using OAuth.  For the purposes of this experiment, let’s assume they use Example.com.
4. Go to Example.com and OAuth yourself with Twitter using your mark’s credentials.
5. Here’s where the ordinary spammer falls down.  The ordinary spammer will start sending out messages from the mark’s account.  That’s not the aim of this weakness.
6. From the mark’s account, through Example.com, make your victim follow one of your spam accounts.  An account which exists solely to show adverts to your victim.

Your victim now sees your adverts for pills, poker and porn in their timeline.  With any luck, they’ll just assume that one of their true friends is promoting your illicit wares.

Counter Attack

Most victims will assume that they accidentally followed your spam account – or that one of their friends has been hacked.

Worst case scenario, they unfollow your spam account.

So you just make them follow you again! Remember, you are still OAuth’d to Example.com. You can make them follow as many of your spam accounts as you think you can get away with.

At this point, the intelligent victim will think that their account may be compromised and change their password.

It doesn’t matter! Because you have used OAuth, password changes don’t affect you.  You can continue make them follow as many of your spam accounts as you think you can get away with.

At this point, the really intelligent victim will go through their OAuth connections to look for something suspicious.  They won’t find it.  Remember steps 3 and 4?  You are OAuth’d to a service that your victim trusts.

Because of the way Twitter displays OAuth information, there’s no way for a victim to know when a service was last authorised.

Twitter OAuth Connections

There is no information other than the first time the OAuth was set up.  No last accessed date, no IP addresses, nothing useful.

When following an account, the victim gets no notification of what has happened, when it has happened or how it has happened.  There is no way of them knowing which of their OAuth’d connections have been compromised, nor when it happened.

Their only safe option is to revoke every single OAuth connection.  Then reauthorise.  A time consuming and annoying prospect.

Conclusion

I hope I’ve demonstrated two things.

Firstly, there’s more to spam then just sending out messages.  Forcing someone to read a message is just as annoying.

Secondly, our understanding of security and usability haven’t quite caught up with the new tools which are available to us.  OAuth is still better than giving your password to an untrusted site – but without essential usability changes, a compromised account is a lot more dangerous than the user would suspect.

This “attack” still relies on a victim having their original password compromised.  That’s not a trivial matter.  But security is like sexual health – it only takes one little accident…

This sort of knowledge is common in life – but is fatal in computing and design. Take the following tweet I received.

Mawkins

(Mark Hawkins)

@edent @dabr you folks aware ampersands / &s don't seem to work as part of hashtag links?

On 24-2-2010 16:27:19 from TweetDeck in reply to Terence Eden

The complaint was that #tfm&a should be rendered as #tfm&a not #tfm&a.

Everyone knows that’s how hashtags work!

On Twitter’s website, find the page which discusses hashtag syntax. Find where they explain how they should be styled.

You can’t.

And thus implicit knowledge is born. Dabr only looks at letters and numbers in a hashtag. It assumes that any other character is the end of the tag.

Dabr's Hashtag

Without official guidance – implicit knowledge develops.

Has Dabr Got It Wrong?

No. I don’t think so. Take a look at how Twitter on the web renders hashtags…

Twitter's Web Site

…and on the mobile.

Twitter Mobile

So Where Does Render The Full Tag?

Several applications don’t render tags in the same way as Twitter. Take a look at SocialScope

SocialScope Hashtags

Tweetie2

I’ll upload more screenshots if I find examples of “badly behaved” hashtags.  Please let me know if you find any.

What Does Twitter Say?

Twitter has one page devoted to hashtags.  It is a support page for hashtags.  This explains to people what hashtags are.  There’s no detail on valid characters, maximum length, or any of the things which might be useful for a developer or designer.

Edit 2010-02-25

David Dorward has pointed out that there is an official resource. On the Twitter Engineering blog – which isn’t linked to from the developer site – there is a page discussing hashtags and how to validate them. You’ll notice that they are rather circumspect on what should constitute a hashtag.

Conclusion

Standards and guidelines allow developers to create compatible applications.

Without explicit recommendations, developers will diverge as widely as possible.  Twitter – and everyone with an interest in compatibility and usability – needs to ensure that the knowledge they impart is explicit.

Letting people make it up as they go along leads to confusion.

It’s one of my gripes with Linux.  If you’re editing a configuration file, you are relying on yourself to sanity check your input – often without knowing what the limits are.

Take these two different examples.

In a text file, we might have:

#Maximum Widgets to fidget
maxW_to-F = 0

Whereas a GUI would show

How many Widgets do you want to fidget?
1235

Even if you don’t know the rules behind Widget fidgetting (must be a prime number lower than 7), the GUI won’t let you choose a value that you can’t select. The GUI doesn’t prevent you setting an innapropriate value – just an illegal one. Your config file, however, could be set to any crazy value that a user type – often resulting in “unpredictable” results.

#Maximum Widgets to fidget
maxW_to-F = seventeen

It’s with this in mind that I’ve made the following change to Dabr – the mobile Twitter client.

To Auth or Not To Auth? That Is The Question

Twitter’s API has bug / peculiarity (reported to their discussion board) which causes Dabr to log a user out. Let me explain the steps

• User 1 (@private) has set her tweets to “protected”.
• This means no one can see @private’s tweet unless she allows them.
• @private has not allowed User 2 (@edent) to view her tweets.  She is protect from his view.
• @edent clicks to view @private’s profile.
• @edent can see that @private has 42 friends, 17 followers and 3 favourites.

So far, this is the same behaviour on Twitter’s website as it is through their API.  Here’s the difference

Web

• @edent tries to see @private’s followers and can see their names, profile pictures etc.
• @edent can also see @private’s friends
• @edent cannot see @private’s favourites (or even how many favourites she has)

API

• @edent tries to see @private’s followers, friends or favourites
• Because @edent isn’t allowed to see @private’s info, the API returns 401 Authorisation Required.

This is where things get tricky. Dabr sees the 401 and concludes that the user has invalid credentials.  It then, as a security measure, clears the user’s cookie and logs them out.

This may be a little harsh, but HTTP 401 essentially says that the authorisation has failed.

Fixing It

There are 3 ways that this could be fixed

1. Twitter could rationalise the API to allow access to the same content that a web user gets.
2. Twitter could return a different status code.
3. Dabr needs fixing.

So, how do we get Dabr not to log out when it receives a 401 only under these specific circumstances?

Looking at the code, we can see that Dabr simply sees the HTTP response code.  To fix it we’ll need to pass extra parameters, check where the code was called from, investigate all the edge cases, add more logic to the system, futz around breaking things, etc… etc…

What a pain in the…

Or

Don’t let users do things they can’t do.

If a user can’t see the information – why do we even let them try to see the information?  Why can’t we just get rid of the link?

This is what a user currently sees:

Old Style

We’ve established that they can’t view followers, friends and favourites.  So we can get rid of those links (but not the information).

New Style

(Incidentally, I’ve changed the order of the links.  I’ve tried to group together similar items.  Followers, friends, favourites and lists go together. Then DM. Finally, follow, block, report spam.)

Now a user cannot click through to an unwanted error message.

Or

There is another way round this.  With “Direct Messages” we could do the same thing – simply remove the link if you’re not able to send that user a DM.

Instead, we’ve taken the approach of displaying a suitable error message.

Direct Message Warning

The advantage of this is that the user gets an explanation as to why they are unable to complete an action.

Your Thought?

Which do you prefer? Being unable to click on a link (with no explanation) or clicking on a link only to be given a warning message?

For a service which started out operating by SMS, Twitter takes a surprisingly unenlightened view of mobile. It’s main mobile service – http://m.twitter.com/ – is almost completely devoid of useful features. That’s one of the main impetuses behind the development of Dabr. Their latest mobile site – http://mobile.twitter.com/ – is really only suitable for the tiny minority of people who have smartphones.

So, understandably, many people use 3rd party sites like Dabr. They are now faced with a dilemma – give an untrusted site their username and password or try to use OAuth on the mobile.

A few weeks ago came the announcement that OAuth was finally ready for mobile… Was it? No. Once again a “mobile friendly” site designed with masses of JavaScript and guaranteed not to work with the majority of phones on the market.

Here’s how mobile OAuth looks on a variety of popular mobile phones.

BlackBerry

BlackBerry Twitter OAuth

While this looks pretty enough, it doesn’t work. The buttons aren’t clickable. I’ve tried with and without JavaScript. No matter where I click, nothing happens.

Android

The Android’s User-Agent isn’t detected by Twitter as being a mobile phone. While it’s true that the browser is very capable – the OAuth screen is a lot more usable when it’s in mobile mode.

Android Twitter OAuth

So, it works, but it doesn’t look nice.

N95

The N95 makes a good test phone because it’s popular. Probably more popular than the iPhone.

N95 Twitter OAuth

N95 Twitter OAuth

It’s not pretty – but at least it works.

Others

The Sharp GX-10 is my default test phone. One of the first phones with a colour HTML browser. If your site can work on this phone, it will work on any phone. There are no screenshot capabilities for this phone – but rest assured, it does not work.

The three phones I’ve demo’d above are very popular modern phones – AKA the minority. If they don’t work well, what chance for the people using older phones?

Useless! How hard can it be? All it needs is a username field, a password field and a button. That’s just about the most basic page imaginable. It should be child’s play to make it work on mobile.

This was first raised in March 2009 on Twitter’s issues list. It’s currently the most popular bug.

So, we’re stuck in a dire situation. Third-Party mobile sites get access to Twitter users’ passwords because Twitter are unable or unwilling to develop a simple OAuth form. It would be fascinating to know how many of Twitter’s security breaches are down to corrupt or insecure 3rd party sites which leak passwords.

I received a rather worrying email from Twitter.  Apparently they thought my password had been compromised and needed to be reset.

Reset Your Twitter Password

After checking to see if it was valid, I went and changed my password.  Any site which relied on a cookie to post to Twitter would have been blocked out. Ha! Gotcha, suckers!

The OAuth Problem

OAuth tokens are not revoked when the master password is changed.

OAuth is a great idea – rather than give your username and password to any random site, you log on to Twitter and tell them that you authorise the refering site.  The site gets an OAuth token and never gets to see your password.  Great! Right? Not really.

Let’s consider the following scenario.

Alice has a Twitter username and password.

Bob runs a Twitter site.

Alice visits Bob’s site.  Alice is security conscious and uses OAuth.

Eve somehow discovers Alice’s password.

Eve also visits Bob’s site and uses OAuth.

Alice gets suspicious about strange activity on her account and changes her password.

Because Bob’s site uses OAuth, it does not require either Alice or Eve to re-enter Alice’s password.

In this scenario, Alice has to visit Twitter’s OAuth Connections page and revoke access to all the sites she has previously connected to.  Alice has no way of knowing when each site was last accessed.  She also doesn’t know which site Eve is using.

Twitter's OAuth Page

The Problem

Changing a password should – in the minds of most people – mean that you need to re-enter your password even if you have previously authenticated yourself.

In this scenario, changing the password does not revoke access to malicious users who have previously used your credentials.

Twitter should revoke all OAuth tokens when a user’s password is changed. It is the only way to ensure that stolen credentials cannot continue to be used after a user has changed their password.

Addendum

As I’ve made clear in the comments – this isn’t a vulnerability within OAuth per se.  It’s a usability issue which has strong security implications.

I spoke to Eran Hammer-Lahav (listed as OAuth’s advisory contact) who said:

If you suspect someone stole your password, you should revoke any tokens you did not personally authorized. But there is no reason to revoke tokens just because you are changing password.

While I appreciate this as the official line from those in the know, it does nothing to prevent a user who uses the same sites as you.  For example, I can see on every tweet that you use Dabr.  Therefore, I can safely OAuth myself as you on Dabr.  You’ll change your password, but you won’t revoke Dabr’s token because you personally authorised it.

Continuing The Conversation

Heise Online provides comentary in German (English version)

El Reg has a feature about Twitter and OAuth.

There’s also an interesting discussion over at Hacker News.

The Guardian’s Saturday edition strikes me as a long form version of Private Eye, but written by those who would never use a sentence where a paragraph would suffice.  Full of long rambling articles about the truly trivial and incomprehensible.

After the Guardian’s excellent reporting on Trafigura, I decided to help their coffers and circulation figures by purchasing a copy of their paper – breaking ten years of abstinence from paper-based news.  As I’ve reviewed their website, I thought I’d review their paper from the point of view of one who is deeply familiar with online media but unfamiliar with print.

What A Lot Of Paper

Background

In 1998 I bought my last newspaper.  My parents always had newspapers at the weekend and – due to a stock of vouchers given away in Freshers’ Week – I assumed I’d follow in their footsteps.  In halls I was one of the lucky few with a permanent Internet connection.  Every morning started with a scan of http://news.bbc.co.uk/, a browse through USENET and one or two international newspapers’ nascent websites.  I haven’t bought a paper since.

Nowadays upon waking, my Blackberry has already downloaded the headlines from the BBC, Guardian and a hundred different news sources all, seemingly, for free.  Why would I buy a newspaper?

The Paper

The first thing that struck me was the user interface.  Actually, scratch that, the first thing that struck me was the price. £1.90! Nearly two quid.  For someone unaccustomed to paying for news, that’s quite a tall order.  I gather that the weekly paper is “only” £1 an issue.  For £1.90 I was expecting quite a lot.  I don’t think I found value for money.

User Interface

So, the user interface.  I remember a kerfuffle a while ago about the Guardian moving to a Berliner format. Supposedly easier to hold and read.  Utter nonsense. To even try to read this paper on a commuter train would be a recipe for disaster. Huge unwieldy pages and, to add insult to injury, no staple in the middle!  Even though I was placidly sitting on my sofa, pages kept falling out!  Perhaps reading a newspaper is a skill that has atrophied in me – but having to continually shift my grasp on the sheets was a chore.  A simple staple through the middle would make for a much more pleasant reading experience.

One good thing though.  The linear nature of the paper meant that I was forced to read stories I would otherwise have skipped were I on the web.  A newspaper is presented like a book; you read each page in turn.  You’re perfectly free to skip over a story – but I found myself reading at least the first paragraph of each story.  On the web, I pick and choose. I never have to read a story about childcare, sport, Scottish politics etc.  It was refreshing to get a wider view than my usual self-selected reading.

Adverts

Naively, I thought that there wouldn’t be much advertising.  We’re continually told that there has been a collapse in the advertising market. I assumed my couple of quid would pay for the majority of this paper.  There was advertising on nearly every page. Some pages had nothing but advertising!

What struck me was the sheer randomness of the adverts.  When reading an article about the Lost City of Atlantis online, I’d expect to see adverts for cheap holidays to Greece, SCUBA gear – maybe even a computer game.  In the paper, it’s Abbey mortgages and Moben kitchens.  The adverts are randomly placed, unrelated to the text and somehow, highly intrusive.  One section of the magazine has a full page advert disguised to look like a normal article.  Yes, it says “Advertising Feature” at the top of he page – but it’s otherwise presented as another piece of journalism.

It is even bundled with separate advertising sections. Little leaflets drip out of every page littering the floor.  They’re the equivalent of pop-up ads and just as annoying.

Reviews

There seem to be three separate sections which do reviews.  The main paper reviews classical music, theatre and TV, the Guide does games, clubs, websites, theatre and television. Then there’s a whole section called “Review”!.  Why split over three different bits?  Why are some reviews barely a paragraph and yet others are A-Level essays pontificating on the deeper meaning of art.

Blogs

There are some articles which, to my eye, are little more than blog posts.  Nick Duerden writes about taking his daughter to see Disney Princesses on Ice. Apparently girls like sparkly things.  Who knew?

David Hare has also written an interminable essays in the magazine.  While I’m sure that it’s of great interest and importance for his readers, I resent having paid for such… Well.. flotsam.

These articles are not news – they’re just blog entries.  Only, for some reason, I’m expected to pay for their ramblings.  There are plenty of better written and more interesting articles being posted every day on blogs round the world.  I suspect that’s the idea behind The Blog Paper.  I’m as guilty as anyone of writing self indulgent tosh on my blog.  Entries which are of no interest to anyone other than me.  But I don’t expect anyone to pay for them.  I don’t bundle my writing in with my work.  “Hey, boss, I’ll finish that report you’re paying me for – and I’ll throw in an essay about how my wife doesn’t understand me!”

What it really highlights is that opinion pieces aren’t news.  They’re not even journalism except in the most litteral sense of the word.  They are barely a step about “Have Your Say” sections of news websites.  Indeed, the Guardian’s own Comment is Free section shows that anyone can write a similar article.  Tellingly, the comments in CiF show the utter contempt most readers have for opinion pieces.

Sport

I hate sport.  One reason why I am usually loath to buy a paper is massive sport sections. I was feeling guilty about buying the Guardian only to recycle the sports section unread.  Evidentially, Guardian readers, like me, were last to be picked at PE. The sports pages are mercifully short (16 pages) and fitted neatly into my recycling bin.

Etc.

What A Jumble

There’s just so much that’s confusing about the Guardian in paper form.  So many different, overlapping sections.  Different shapes, sizes, grades of paper.  Long rambling articles, tightly focused analysis, full page pictures, full page adverts, a list of every comedy club in Britain, a review of an obscure restaurant in the middle of nowhere.  Don’t get me started on the pathetic “Free Gift” which is meant to entice me like a child to a bland breakfast cereal,

What does the Guardian want to be?  Is it news? Is it “lifestyle”? Is it review? Is it academic essays? Is it everything jammed into one ill-fitting format because “That’s what newspapers are”?

It’s a format that in incomprehensible to anyone under the age of 30.  It’s an insular little work with only one page given over to readers’ comments.

Demographics

My moaning comes down to a question of demographics.  There is only one slice of the population which matters. Me.  No one else.  It’s hideously ego-centric to think this way but I do. Why can’t I buy the Guardian without the sports section? With an expanded technology section? Charlie Brooker on the front page and David Hare banished from view?

Well, on the web, I can.  This paper in physical form has to please everybody. An unenviable job and one I suspect is impossible.

My Conclusion

Love The Guardian – Hate The Paper.

I’m sure I’m depressingly close to their target audience – but whole swathes of the paper are lost on me.  I love reading the Guardian’s news online and on my mobile.  So why do I hate the paper version so much?

The web allows us to see how many people click on each story. See who reads, how long they read for, what they read next, where they came from and where they go to.  I suspect if you were to put the newspaper fully online, it would become clear that some sections of the paper survive through inertia alone.  Can anyone really be interested in Mark Lawson blethering on about people who don’t speak like what they ought to? Or Lucy Mangan’s meanderings on “Are You There God? It’s Me, Margret”?  They are there to fill space.  Their sole purpose is to reaquaint me with the joke behind Polly Filler and her ilk.

Anyone who has read Flat Earth News cannot fail to recognise that the newspaper industry is in crisis. Journalists are too stretched, deadlines are too tight and money is in short supply.  How can newspapers be saved?

Well, there are easy solutions. Stop writing articles for space filling reasons. Retrain the “journalist” who wrote about celebrity trends in the “noughties” and get them to write about news. Recognise that – if you’re committed to a finite space resource like paper – you have to trim the fat, not the meat.  A review of a book does not need to be a undergraduate essay on the author and contain a huge photo of her and her dogs. By contrast, a review of a computer game, club, or bar needs to be more than a puff-piece paragraph.  See what your readers want – make a paper that they can use.

Is an article on Russia taking state control of all TV channels really worth a tenth of the space as an article by Alan Rusbridger where he tells us that Google, Wikipedia, Twitter and Comment is Free are pretty cool?

Above all, kill the quaint.  Tradition is no more than monkey folklore.

What reading The Guardian in paper form has taught me is that the web allows me to easily ignore the turgid or vapid – paper is less forgiving.

But there, of course, I’ve argued against the existance of Private Eye’s hidden gems.  Perhaps someone, somewhere is desperate for an obituary of David Troostwyk and I am an ignorant philistine.

I will continue to read the Guardian; but I won’t be buying it again.  While its journalism and newsgathering are excellent, for £1.90 I expect not to have to throw half of it away, unread and unloved.

Here’s how to make a successful downloads platform:

1. Make it easy for your customers to buy things.
2. …er….
3. Nope. That’s pretty much it.

So, here’s the front page of the Ovi Store.

Count the errors

Here’s every error I can find on the above the fold page…

1. Incomplete titles. “Star Trek Noki”? Surely “Nokia”? Looks sloppy and unprofessional.
2. Poor descriptions. “Ringtones In Cinemas Now!”? Ringtones aren’t in cinemas. Is that one ringtone or several I’ll be downloading? If you don’t tell me what it is I’m getting, why would I download it?
3. Ratings. Why would you put unrated (or rated zero) content at the front of the store? You want your killer apps there.
4. Search. Why do I need to click through to search? There should be a text field and button there, not a link.
5. Colour differentiation. Using white and then light grey doesn’t help customers easily scan across the page. A darker shade would help.
6. Menu bar. Is there an order to it? Is there a reason it splits haphazardly over three lines? The longer the menu – the less space for content. As it is, it’s a pretty poor use of space.
7. No Nokia branding. I know they’re trying to promote Ovi as a brand – but no one knows about it yet. The use of the Nokia logo would really help customers trust the store.

…and breathe…

Let’s assume we’re reckless enough to click on “Star Trek Noki”. What do we find?

Oh dear...

Let’s take this from the top. Don’t forget, this is the Nokia Ovi Store’s FIRST link. This is what they really want you to buy.

1. Where’s the description? What exactly am I buying? It turns out, this is the product placement tune in the new Star Trek film. Some descriptive text would help. I thought it was going to be the film’s theme tune!
2. The description – such as it is – appears half way down the page. Why do I have to scroll to see what I’m getting?
3. Photos? Why do I need photos of a ringtone? Why are there “more” photos when there’s only the one?
4. The product photo is, essentially, black. A bit of colour to liven up the page wouldn’t hurt.
5. The review – why isn’t it in English?
6. Are the related links Games, Videos, Ringtones? Some context would help.

I clicked on download and got a blank page. Once I refreshed the page, the download started.

Huh?

Files should be named. It makes it easier for the user to find in their filesystem, it looks more professional when downloading.

So, I play the file and what do I get

Real professional lookin'

Add some fracking ID3 tags! It makes it easier for the user, it looks more professional and it costs the supplier nothing!

Gah! Fine. Ok. I’ll go back to the store and grab something else. I click back and am presented with this monstrosity.

Where do we go from here?

Nothing. Not even a page telling me how to get back. How is this meant to encourage me to buy more? This page should thank me for downloading. It should encourage me to buy more. In this case, I’d expect to see more Star Trek merchandise that Nokia want to sell to me.

Contrast this with the N-Gage download from the N-Gage site.

Much better

Once my download is completed, I get sent back to a nice page which lets me continue enjoying the store.  Nokia have this technology for Ovi – but not in the Ovi Store. Bizarre.

Last, but not least – registration. I know that Nokia has to have a registration process – they don’t have an MNO’s advantage of seeing a customer’s phone number. They also don’t have an associated account which they can reuse – like Google or Apple.

Oh… No… Wait… They do. I’ve registered for a Nokia account, an Ovi account and a Mosh account. I don’t seem to be able to use any of them with Ovi Store. NIH syndrome?

To be fair, the sign up process isn’t too bad. Apple could learn a lot from it.

A pretty good sign up screen

The only criticisms I have are the “Mobile Number” field should be masked so the user can only enter numbers. I also think that a captcha is a bit of an overkill on a mobile site.

Good to see that the example number is from Ofcom’s reserved range.

Overall, this is a step backwards for Nokia. Mosh and the original Ovi were quite good. This is just a mess.  By my count, there are at least 25 basic mistakes just from going to the front page and downloading a ringtone.

25 mistakes in 3 clicks.

[Disclaimer. In the interests of fairness, I work for Vodafone. Specifically looking after Vodafone live! a direct competitor to Ovi. The thoughts expressed in this post are my own and not those of my employer. I have nothing against Nokia; I kick up as much of a fuss about Apple and BlackBerry too!]

The first – and last – Apple product I owned was a blueberry iMac.

I think it may have had an early version of OS X on it. It was fun enough, but I eventually replaced the OS with YellowDog.

Now I find myself in possession of a 16GB iPhone 3G. Nice! Or so I thought.

For various dull reasons, the iPhone is an unlocked Portuguese model. It was simplicity itself to set it to UK English and add my APN details etc. That’s where the fun & simplicity stopped.

I thought I’d try the fabled AppStore. Download a few free apps and the like – and thus the nightmare of “The-One-True-Apple-Way” descended on me.

First of all, all the apps were priced in €. I would have thought me manually setting the phone to UK & having a UK SIM in there & being on a UK network would have convinced Apple to price things in £. Not so.

When I tried to download a *free* app I was told to enter my iTunes account information. This was problematic for two reasons
1) It was a free app. On every other device I’ve ever owned I can click on a free app and install it without giving away so much as an email address.
2) I don’t have an iTunes account. As far as I can determine, there’s no way to obtain one from the phone.

This is meant to be a super-duper converged smartphone but apparently it can’t even handle a simple sign up process.

It turns out that the only way to get an iTunes account is to install the iTunes software. Again, this is problematic.
1) Not everyone has – or wants – a computer. Apple has drastically cut its user base for no reason as far as I can see.
2) Not everyone who has a computer has sole use of it. You might not be able to install iTunes on your work computer. If you & your family share a computer, how does iTunes handle multiple accounts?
3) How do you get the software? There’s no CD in the box, the iPhone doesn’t show up as a USB hard disk, so the software can’t stored on there like the Huawei/Vodafone 810.

So, off to the website to download iTunes.
It’s nearly 70MB! How the 40% of people without broadband are meant to grab this I have no idea.

The installation process was another of Apple’s famed usability triumphs…

I can’t choose my native language – “English (British)”. I can’t even trust it not to break Outlook.

It spent ~20 minutes installing the software, agreeing to two separate EULAs, only to be greeted by this screen.

So much for my language preferences.

Oh well, let’s ignore that. Let’s sign up for an account.

Oh.

All the settings on my computer are set to UK, iTunes is set to English. My physical location is in the UK but I go through a proxy in Germany.

Would it be beyond the wit of Apple’s usability guru’s to add a “Choose Your Country” option? Apparently so.

It also turns out that Apple insist that their products look like OS X apps even when they run on Windows XP. Great, yet another interface language to learn. I’m sure that Apple’s products are the most amazing in the world – but this looks out of place on my system. Why should I have to mould myself to Apple? Shouldn’t they work for my needs? No, silly grasshopper, The-One-True-Apple-Way has one path that all must adhere to or face certain death.

At this point, I got bored. If was a paying customer, I’d be on the verge of returning the device.

I’m obviously missing the gene that makes me fall in love with Apple products. Or is the rabid Apple fanboism just an elaborate hoax? Come on guys, let me in on the joke…

May be I’ll try again tomorrow.