A traveler’s woes with user experiences

I recently moved overseas. As someone who loves user experiences, I want to share a couple of experiences I’ve had online since the move.

Security Measures.

A way to determine if fraudulent activity is occurring is to use geo-ip lookup. We often make the user fill in more forms because of this implementation decision. These forms ask personal identifying information in hopes valid answers allow users through. What I found is they enable phishing scams the opportunity to research answers to security questions the application surfaces. Many sites continue to ask these questions, despite coming from either an IP in my country or one at the end of the VPN in California.

Speak to me.

Just because my IP originates from another country, one can’t assume I speak that country’s language. Implementing i18n is hard for a lot of reasons. The design reasons should not increase the difficulty for users to figure out how to change languages. A combination of using ‘Accept-Language’ http headers and client side navigator.language || navigator.userLanguage; get us assumptions about the user, but how much of that is what is intended?

Content Delivery.

I’ve found many websites, from homedepot.com and apple.com have pages hosted on Akamai or other solutions that simply return a generic HTTP 403 page with no resolution for users. All CDN’s allow for HTTP code responses, and it is important that people understand the site isn’t available overseas, or offer a better solution than a black and white unbranded mess saying they aren’t authorized. Especially if that user wants to pay for your products and services. Make sure you CDN actually delivers branded experiences in foreign lands.

Tunnel of Love.

I setup a private VPN service via Amazon Web Services to avoid much of these problems and it seems to be the best hacky solution for now. In an idea world this would be the same internet experience as the one at home. A side effect of doing this is that some sites make more lax assumptions about who I am when the VPN terminates in the USA. This seems like the wrong way to approach security, but as a user I’m thankful to have defeated the beast.

We can do better.

One way to remember return customers is to implement multiple cryptographic key exchanges and store public keys in the user’s browser. The server can present one or many key to the client, allowing it to very trust and skip the need to ask frivolous and easily defeated forms. In the age where so much personal information is available online, security questions are much weaker lines of defense than in the past. We need to make security a software developer’s problem over a customer’s problem in order to build trust. After all, customers trust us to save their personal information, and that is a task we should respect with much diligence. Customers play a great role in protecting their information, and by no means would I suggest throwing out what we have learned already in doing this work. I simply offer we should do more up front to trust our own application delivery mechanisms before thrusting those failures onto people who are eager to get around those defenses to get their work done.

I want to believe in 2017 we have this language issue well solved, both over HTTP headers and browser support. That makes solving the problem easier, but doesn’t shoot a silver bullet into the app.

  • What percentages of your customers are multilingual?
  • Does your company conduct surveys to discover what languages to prioritize?
  • Does the visual treatments in the application offer new customers above-the-fold solution for language selection?
  • Do language selection treatments get out of the way for return users?
  • Does it remember that a returning customer changed the previously used language to another selection?

Let’s all strive to deliver consistent experiences, regardless of location, as much as our geographic and operating environment allows. Build trusting relationships with people using our applications by securely recognizing them on return visits, and validating their trust by demonstrating consistent delivery of branding and security measures.

What experiences have you had that threw your trust in a company into question when traveling?