Tor + Tails UX - Identifying User Needs at CryptoRave 2018

 
This month during the geek CryptoRave in São Paulo, we invited Tails and Tor users to join a user needs session. We love to run sessions with groups of similar users so we can focus on their unique needs and experiences. Users of Tor and Tails have the common objective: they are looking to use private and secure tools, and their safety could be a concern.
 
We like to envision our community of users ultimately making the tools we build. UX is about relationships. We need to understand our users' relationship to our software. And in order to do that, we need a close relationship with our users.

Our Process

Intrigeri from Tails, started the session with a question: Can you write three frustrating problems you found using Tor or Tails? Put each problem on a separate sticky note.
 
We divided a board into three columns: Problems during installation, Problems using the first time, and Misc. We then asked users to place their sticky notes on the related columns. They quickly made a heat map of their concerns. 
 
Once all the notes were up, we could see patterns and relations between issues they were encountering on different steps on our user flow. Identifying these common problems enables us to turn them into actionable opportunities for improvement.

The Results

Regarding Tor, more than ten users posted about the velocity of the network. Despite the fact that the velocity of the network is something that has improved a lot in the last years, the general worry about the network velocity is still rolling in the air: Why is it like that? What can be done? We also heard concerns about how sometimes an unknown language will appear and also how areas of webpages may not load properly, which is something that happens more often on higher security levels in Tor Browser.

Next Steps

Managing user expectations is hard. But not doing it makes things even harder and alienates the people you are trying to help. 
 
The issues we heard at the session weren't new to us, and there have recently been drastic improvements, so that means one way to move forward is to better set user expectations and provide accessible information about why things in Tor Browser may work differently than other browsers. With Tor Browser, some slight annoyances can be attributed to the heightened privacy and security features it provides, which is what our users want. So better making that connection for our users could help improve their overall experience with our software. 
 
We're considering adding new cards to the Tor Browser onboarding (what you see when you first open the browser) to introduce how: 
  • some pages areas could be missing because those elements would compromise your privacy and likely contain trackers which could follow you across websites
  • the default language of some pages may not be your own depending on where the last hop of your traffic is exiting the network
These are very important outcomes from the session, but the best part was talking to users 1:1, without intermediaries. We established a bridge of trust. The participants felt (and were!) heard.
 
We build tools for the community. And the community helps us make our tools easier to use and safer. 
 
In the end, Intrigeri told me, "maybe we are doing the thing well. All the hot topics are already on my backlog.”
 
While it's true we may be doing well, both Tor and Tails always want to do better for our users, and with sessions like this to help, we will.
Tags
Anonymous

May 18, 2018

Permalink

Love Tails and want to help test stuff, but does anyone know where to find the signature for the iso image (alpha testing for Software Install feature) featured in the Tails blog?

If you go to tails.boum.org you will see that Tails Project *requested* users to test their alpha version of an important new feature to be incorporated in forthcoming releases of Tails. They provide a link to an ISO image but I cannot find a detached signature file at their website.

Anonymous

May 18, 2018

Permalink

Iam using Tails for reading S.M.A.R.T. . Last time i was testing with USB2-portable HDDs no problem, the same with USB3 the Disktool can't read S.M.A.R.T values?

Is this solved yet?

https://en.wikipedia.org/wiki/Comparison_of_S.M.A.R.T._tools
gnome disk : https://en.wikipedia.org/wiki/GNOME_Disks
smartmontools : https://en.wikipedia.org/wiki/Smartmontools
gparted : https://en.wikipedia.org/wiki/GParted

https://www.smartmontools.org/
2018-03-04
please report your question/ticket to their mailing-list-support.

hdd & ssd / usb(flash drive 1-2-3) & emmc(sd card) are supported

Anonymous

May 18, 2018

Permalink

Sabes a razão verdadeira por que Drump está a procurar para criar uma guerra nuclear em que todo mas umas quantas pessoas morrerão? Por que faça sua família a "advisors"? Porque isto significa estão deixados para esconder "Raven Rock Mountain Complex" de interior, o "nuclear fallout" o refúgio onde "designou os sobreviventes" vivem através da guerra nuclear venidera. Seu plano: o bilhão de "animais" morrerá, de maneira que pessoas brancas privilegiadas (o Drump família) herdará o mundo.

in a capitalist world that you have (as owner) is that you payed (you decide as boss) and a family is the freedom that money allow to so the more you have power or money the more your family obtain * a freedom (privilege) ... a nuclear weapon included.
but in what is it related to tor network ?

Anonymous

May 18, 2018

Permalink

I am so happy that you are talking to Intrigieri!

The mentioned usability issues sound right.

Another good warning for new Tails users: depending upon your hardware, when you boot your laptop, it may transmit the true machine identifier before Tails can boot and spoof it. This could help the bad guys correlate your spoofed MAC with your true MAC. In areas where evil companies like Comcast have dense networks of APs (hidden in every consumer box) which constantly broadcast "tell me your MAC" to all nearby devices, the corporations can make much money by selling this information to governments.

Another user issue for Tails: we need updated information on how to create an encrypted USB stick using Tails (the "disk" utility no longer works for this, agreed?).

Anonymous

May 19, 2018

Permalink

tor + ricochet = should be far interesting !
tor + cryptocat = ?
tor + onionshare = ?
it is a matter of confidence and i still wait the comparison 2018 between safe app from EFF !
i love ricochet and i try promote it as i can.
i do not use tail ... should i ?
i have difficulties about promoting Tor & safe protocol which pgp.
EFF did still not publish the result of its work ... and the users of Tail still complain about the lack of support & advices (one language : us/uk = bad).

> [Tails users] still complain about the lack of support & advices (one language : us/uk = bad).

Not true. Tails has several language interfaces, including German, Spanish, Portugese, Farsi, French, Italian, and its website has mostly been translated into those languages as well. When you boot tails you see a "greeter screen", which allows you to choose a language other than English.

> i do not use tail ... should i ?

You should probably try it out.

Anonymous

May 19, 2018

Permalink

In my opinion the velocity of the tor network is not the only problem,
but also that an increasing number of sites ban tor exit nodes (and you can not reach the site).

You should get Tails 3.7 ISO from tails.boum.org, verify the detached signature, burn the image to R/O DVD, boot that, then use the running Tails to install.

Actually it is better to install to removable media (e.g. external hard drive) using the provided script. Then you can use another provided script to create a partition where you can store content between sessions. It would probably be safer, however, to only use the DVD with no persistence when you are on-line, and only store documents on encrypted USB media when you go off-line. I have found that this sytem is far more workable than it might sound, and well worth the extra time to do things.

These precautions may not save you from spies if your BIOS has been infected.

You can search for a very recent and excellent article by Micah Lee on his work on detecting "evil maid" attacks on a "honeypot" laptop he uses when traveling.

Anonymous

May 19, 2018

Permalink

8 stuck notes/letters = TorBirdy

with a 9th note yet to be stuck = new note (version) !

Please update the Tor Blog with news of the latest TorBirdy and include the majestic bird.

Anonymous

May 20, 2018

Permalink

Love Tails but they need to remover uBlock Origin since it's a UX-cum-fingerprinting disaster, enable the Firefox tracking protection filter list instead.

Anonymous

May 20, 2018

Permalink

Hey I have used tor for several months now and I understand that it is slower than using "normal" internet, but this last week I noticed that it was REALLY slow, I can't barelly open any site at all... is anyone else having an issue like this?

No slowdown for me, but odd PKI cert issues.

If you can use a phone safely you can report your experiences to effl.org and ask EFF to revive a program they had some years ago in which people could use a Raspberry Pi (with an SD card provided by EFF) to test for censorship and throttling. I hope they revive this in time for the June kickin of the repeal of net neutrality.

Anonymous

May 26, 2018

Permalink

I too am having trouble accessing any sites due TORs slowness. At the moment it is not fit for purpose and can not be relied upon.

Anonymous

May 26, 2018

Permalink

I've been using Tor for about 10 years or so, and to this day the biggest usability problem for me is sites blocking exit nodes. Some sites have embraced hidden services, and many have found alternatives to IP blacklisting, but on the whole I think the problem has gotten worse over the last decade. Cloudflare is a big part of it, but at least they will grant access after filling out a captcha, which I can live with.

The solution? The Startpage proxy is very helpful, but even that gets blocked sometimes, and also something more transparent would be better. Ideally I can envision a TB extension that creates a peer-to-peer network of Tor users (via hidden services) for anonymously transparently fetching (possibly cached) pages over clearnet, but with restrictions that make it safe for anyone to be a proxy. E.g. no POST requests, no XmlHttpRequest or WebSockets, only connect to (over clearnet) sites/domains that the proxying user himself has visited before, perhaps only URLs that are indexable (robots.txt), obviously don't send the proxying user's own cookies when proxying for another user, etc. I.e. once I myself have visited example.com (either proxied through this extension, or I got an "access denied" page), I then become a clearnet proxy for other Tor users trying to visit example.com when their extension detects that the regular exit node is blocked by the site. Alternatively specific domains could be white listed on a case-by-case basis, e.g. most e-commerce sites, Cloudflare/Akamai protected sites.

It wouldn't be fully transparent like Tor, and it probably wouldn't work on interactive sites, but if you just want to see a product on Walmart.com without getting "access denied" then it would be a huge help for usability.

Of course, I realize a browser extension like this would be a huge undertaking and TP is already limited on resources, so I doubt it would ever become a reality.

Anonymous

May 31, 2018

Permalink

I tried Tails and it's very good. I discovered one problem, maybe it's a thing which is configurable. The Tor browser don't let open me direct .onion links. Over .onion.casa i can open the links, but this way i can't log in on serveral sites in the darknet. Then I installed the normal tor browser aditionaly but i can't get it to run.
Is there a way to access .onion links direktly?

Tails is a wonderful tool and I hope it can continue despite government pressures.

I've never had any difficulty surfing to onion addresses using Tails, but assuming you are using Tails 3.7 (the current version as I write) try Applications -> System Tools -> Whisperback.
This will give you a form you can fill out and then email (via an onion!) to the Tails team. The form guides you in how to report your issue. It would be good to give the exact onion address so that they can try to see for themselves the problem you experienced. It is possible to encrypt Whisperback reports if you have posted a GPG public key to a keyserver.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

7 + 13 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.