Accidental Data Breaches: The Role of Language and Metaphors in the Design of Delete and Erase Functions

Mark Warner
Prototypr


Issues around the design of delete and erase functions in Windows 10 and macOS could contribute to accidental data breaches. These include the inappropriate use of language and metaphors. Failure to update these legacy designs may result in serious violations of new data protection regulations within the EU (GDPR).

Our research will be featured at the Annual Privacy Forum 2019 in Rome, where my colleague Andreas Gutmann will present. The paper, titled “Fight to be Forgotten: Exploring the Efficacy of Data Erasure in Popular Operating Systems”, will be published in the conference proceedings at a later date, but the accepted version is available now.

Privacy and security risks from decommissioned memory chips

The process of decommissioning memory chips (e.g. USB sticks, hard drives, and memory cards) can create risks for data protection. Researchers have repeatedly found sensitive data on devices they acquired from second-hand markets. Sometimes this data was from previous owners, other times from third persons. In some cases, highly sensitive data from vulnerable people were found, e.g. Jones et al. found videos of children at a high school in the UK on a second-hand USB stick.

Data found this way had frequently been deleted but not erased, creating the risk that any tech-savvy future owner could access it using legally available, free-to-download software (e.g., FTK Imager). Findings from these studies also indicate the previous owners’ intention to erase these files and prevent future access by unauthorised individuals, and their failure to sufficiently do so. Moreover, these risks likely extend from the second-hand market to recycled memory chips — a practice encouraged under Directive 2012/19/EU on ‘waste electrical and electronic equipment’.

The implications for data security and data protection are substantial. End-users and companies alike could accidentally cause breaches of sensitive personal data of themselves or their customers. The protection of personal data is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union, and the General Data Protection Regulation (GDPR) lays down rules and regulation for the protection of this fundamental right. For example, data processors could find themselves inadvertently in violation of Article 17 GDPR Right to Erasure (‘right to be forgotten’) despite their best intentions if they failed to erase a customer’s personal data — independent of whether that data was breached or not.

Language and the use of metaphors around delete and erase functions

The indication that people might fail to properly erase files from storage, despite their apparent intention to do so, is a strong sign of system failure. We’ve known for more than 20 years that unintentional user failures at a task are often caused by the way in which [these] mechanisms are implemented, and by users’ lack of knowledge. In our case, these mechanisms are — for most users — the UI of Windows and macOS. When investigating these mechanisms, we found seemingly minor design choices that might facilitate unintentional data breaches. A few examples are shown below and are expanded upon in the full publication of our work.

A number of the issues that we identified likely stem from a conflict between the colloquial use of linguistically similar terms ‘delete’ and ‘erase’, and their very different technical meaning. In simplified terms — although the details vary based on technical nuances such as the type of memory chip and file system used — ‘delete’ is an operation in which the OS simply forgets the existence of a file, while the ‘erase’ operation actively removes the file from the system, e.g. by overwriting or flashing the binary storage. Thus, ‘deleted’ files usually remain on the memory chip until overwritten by coincidence, whereas ‘erased’ files are typically impossible to recover.
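The delete/erase distinction above, as an added toy model (not code from the paper or this article): a simulated block device where ‘delete’ only drops the directory entry and ‘erase’ overwrites the blocks first, with a raw-media scan standing in for what a carving tool such as FTK Imager does. It assumes a simplified block layout and an HDD-style overwrite; real file systems differ, and on flash media with wear-levelling an overwrite may not reach the original cells.

```python
# Toy block-device model of the delete vs erase distinction (constructed example).
BLOCK = 16  # bytes per block; chosen small so a file spans several blocks

class ToyDisk:
    def __init__(self, blocks=8):
        self.media = bytearray(BLOCK * blocks)  # raw storage, as seen by a forensic tool
        self.free = list(range(blocks))         # free block list
        self.directory = {}                     # name -> block numbers (the "metadata")

    def write(self, name, data):
        needed = -(-len(data) // BLOCK)         # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name):
        # The OS merely "forgets" the file: blocks go back to the free list untouched.
        # Freed blocks are reused first, so a later write may overwrite them by chance.
        self.free = self.directory.pop(name) + self.free

    def erase(self, name):
        # Overwrite every block the file occupied, then forget it.
        for b in self.directory[name]:
            self.media[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

def carve(disk, needle):
    """Scan the raw media, ignoring the directory, as a recovery tool would."""
    return disk.media.find(needle) != -1

def demo():
    """Returns (found after delete, found after erase, partial leftovers after reuse)."""
    secret = b"SECRET: pupil video index 2019"   # constructed sample content
    deleted = ToyDisk()
    deleted.write("report.txt", secret)
    deleted.delete("report.txt")
    after_delete = carve(deleted, b"SECRET")     # still on the media

    erased = ToyDisk()
    erased.write("report.txt", secret)
    erased.erase("report.txt")
    after_erase = carve(erased, b"SECRET")       # gone

    # "Until overwritten by coincidence": a short new file reuses only part of block 0.
    deleted.write("note.txt", b"hello")
    leftovers = not carve(deleted, b"SECRET") and carve(deleted, b"pupil video")
    return after_delete, after_erase, leftovers
```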

Inconsistent language within the UI of an OS, such as when deleting files from Trash in macOS 10.14 shown in Fig.1, can foster the misunderstanding that the terms ‘erase’ and ‘delete’ denote the same technical function. UI designers commonly use metaphors to make complex and abstract functions more intuitive and comprehensible for end-users. We see similar design methods being used around these functions. For instance, placing an unwanted file into the recycle bin or trash (see Fig.1) that can be emptied uses multiple metaphors from a home and office environment, making it easier for users to relate these complex computing processes to everyday actions. Yet the delete and erase metaphors are somewhat problematic now, as they denote different meanings in the UI whilst relating back to the same actions in the physical world. Designers should therefore consider integrating new metaphors that better distinguish between these two functions to reduce the risk of confusion for users.

Fig 1. Example user prompt for single file delete (left) and emptying “Trash” in macOS

The way forward

The evaluation of any design is always context-dependent. The design choices for the UI of delete and erase operations in Windows and macOS may have made sense at the time of their original design, but as circumstances around these designs have evolved (e.g., new legislation, new data recovery techniques and free-to-download software, etc.) they should be reconsidered. An important lesson we can (re-)learn from this is that designs need to be re-evaluated not only when they’re changed but also when their context changes.

As mentioned earlier, we have known for more than twenty years that users’ unintentional failure at a task “is often caused by the way in which [these] mechanisms are implemented, and users’ lack of knowledge”. Reworking the UI of Windows and macOS to improve these mechanisms is one side of the coin; the other is addressing the users’ lack of knowledge.

Our paper presents a number of alternative designs, but further research is suggested to identify further shortcomings in the existing UI around deletion functionality and to implement and evaluate alternative designs. Perhaps equally important is reconsidering the less secure default options around delete and erase functions, as well as increasing awareness and in-app guidance for users.

This article is an adapted version of an article first published by Andreas Gutmann on Bentham’s Gaze, a blog by Information Security researchers at University College London.

This work has received funding from the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 675730.

This article is part of The Interaction Review, the new publication from Prototypr. If you’d like to publish your HCI research and share it with our audience of designers, contact Laura at theinteractionreview@prototypr.io
