UX research in a zero-knowledge B2B company: balancing insights and ethics

Illustration inspired by Massimo Vignelli’s iconic NY subway design system

I’ve recently read an article about the Special challenges of UX in B2B that inspired me to share my experience as a UX Researcher in Tresorit, a company that offers B2B products in a zero-knowledge environment.

Zero-knowledge companies operate on the principle that they should have minimal knowledge of the data their customers store or manage. This approach enhances security and privacy, making these companies attractive to customers with high security needs. However, this same principle creates a significant barrier for our UX research team, whose goal is to gather insights on user behavior, preferences, and challenges.

The conflict: insights vs. privacy

When you’d like to know more, but you have zero-knowledge…

Tresorit is dedicated to safeguarding product usage data to the extent that internal teams cannot have insights about customers’ files, not even knowing whether it is a document or an image.

For this reason, understanding how users interact with our products becomes quite challenging. The difficulty arises when we need to ask sensitive questions to understand how users manage their confidential data. Security-conscious users are often, quite understandably, reluctant to share information openly, fearing that any disclosure could compromise their security.

One common strategy in UX research is the foot-in-the-door technique, where researchers begin with small, non-intrusive questions and gradually move to more detailed inquiries. This method can build trust and make participants more willing to share information. However, in zero-knowledge environments, even this technique can fall short. Customers may perceive any request for information as a potential conflict with the company’s value proposition, regardless of how gradually it is introduced.

The ethical dilemma for us on one hand, is that we must remain compliant with strict privacy and security protocols, ensuring that no customer data is compromised. On the other hand, we need detailed insights to inform business decisions and improve our products.

Remaining compliant means using tools and methodologies that respect customer privacy to the highest degree. This compliance can slow down the research process, as common methods of data collection may be off-limits.

Furthermore, we might need to rely on indirect data, such as anonymized usage patterns, which may not provide the depth of insight required for nuanced understanding and makes it difficult to optimize the product based on usage insights. This can result in putting more emphasis on qualitative research in decision making.

In the next section, I’ll focus on failed attempts and difficulties that come with the extreme security consciousness, but I don’t want you to feel that it’s a mission impossible. My aim is to raise awareness of the potential obstacles.

Completing missing metrics with surveys

When you have limited access to usage data, you try your best to find other methods you can cook with. In our case, we tried to gather missing quantitative data with good old surveys that sometimes are effective in our environment, sometimes they’re not.

Let me tell you the story of a survey that didn’t work out and what we’ve learnt from it.

We tried to understand how customers collaborate with external clients and partners in Tresorit. Our goal with the survey was to uncover trends within our target group of Tresorit users. After multiple emails, reminders and the involvement of our email marketing team, we only received 15 answers out of 937 contacts.

In the past, we shared a survey with a similar sample size and received around 200 responses. The difference was the sensitivity of questions, the previous survey contained high-level questions, whereas the latter survey included questions about volatility and content management between our customers and their clients.

In this case, we had to rely on user interviews solely to have a deeper understanding about external collaboration with Tresorit. Interviews make it possible to build rapport and provide a comfortable environment for the subjects that helps them to talk more openly, although quantifying qualitative data needs consideration to ensure that the essence of the qualitative data is not lost in the process.

Juggling compliance and business needs

Having previously worked on a nation-wide banking and finances application, I was familiar with the challenges of maintaining compliance in research processes. However, entering the zero-knowledge B2B environment introduced me to a whole new set of hurdles.

Illustration inspired by Massimo Vignelli’s iconic NY subway design system

Administrative obstacles that may rain on your research plan

During the discovery phase of a product concept, we followed the steps of the Discovery discipline by Rémi Guyot & Tristan Charvillat. One of the stages suggested looking for group reactions of the value proposition, so we decided to organize a focus group session to trigger discussions and observe reactions.

We carefully selected several Tresorit customers with the help of the customer success team for a focus group session but unfortunately, we bumped into administrative obstacles. We’ve found out that the legal documentation, administration and the required coordination with other teams for such an event would have slowed down our ongoing research so much that we had to postpone it.

The administrative obstacles included a profound legal documentation of signing an extensive NDA with all participants and our internal signatories. In addition, involving employees from different companies would have exposed them to each other’s customer status and business needs, posing a risk to their business strategies. This proved to be cumbersome and ultimately unfeasible.

Protect customer data with all your power

Making sure that customer data is stored securely sounds like a no-brainer but handling data in a company with extreme data security and privacy focus is another level.

We maintain a close ongoing collaboration with our legal department to make sure our workflows are compliant. We have established together the following rules on how we must process customer data:

• Personal data (e.g. email, account number, etc.) and direct videos can never be shared on company-wide communication channels, only on a need-to-know basis with an end-to-end encrypted share link.
• Datasets can be accessed by only those who have company authorized access to the relevant tool.
• The data (e.g. interview recordings, usability test recordings) collected by the UXR team must be stored in Tresorit.
• Only the UXR team has FULL access to the data. The access given to any confidential material goes upon request from the UXR team.
• According to our internal data-retention policy, the data retention period is limited to 5 years starting from the Tresorit creation time of each file.
• Once the retention period for a specific dataset expires, the UXR team is responsible for deleting the data.

Complex SaaS reviews

Not only is the way we work strictly regulated, but the tools we use are also under the microscope of information security. When I started to work at Tresorit, I soon realized that the most commonly used UX tools are not compliant with the company’s principles. Some tools failed our internal SaaS review because of various privacy concerns:

• A tool has been denied because it would have processed Tresorit’s and our customers’ data for its own purposes by feeding the data into AI learning algorithms for use in Marketing and Sales.
• Another reason for rejection was that we’d have to get our customers’ consent for the tool’s activities too, and their activities don’t align well with the values Tresorit stands for.
• When practices regarding who is the data controller and processor are not clear based on the documentation, it’s also a disqualifying factor.
• Last but not least, providing only the bare minimum regarding data security can be also a reason for rejection.
  - E.g. if the tool only supports email-based 2FA for User Verification, (which is probably because that was the easiest to implement)
  - or SSO-based login is behind the enterprise-wall.

I find it important to highlight that Tresorit’s principles don’t approve of the usage of AI features with customer data. From an information security standpoint, feeding customer data into AI models is considered jeopardous, and it’s also questionable from a legal viewpoint. In the midst of AI revolution when most products and services are aimed at developing AI features, the question arises: how can we keep up with the AI trend and maintain or even improve our processes?

Well, this question is for the future and for our information security team, so I’m leaving it open, but as an employee of a company with zero-knowledge policy I’m curious to see how such companies will adapt, stay up-to-date and compliant at the same time. (Is it even possible, I wonder?)

Conclusion

UX research in zero-knowledge companies is fraught with challenges, but it is not insurmountable. By prioritizing ethical considerations and being innovative in research methodologies, we can still gather valuable insights without compromising user trust. In the end, the goal is to create products that meet users’ needs while maintaining the highest standards of security and privacy. As Carl Jung said: “Protection and security are only valuable if they do not cramp life excessively.”