The Rise Of User-Hostile Software
We need to talk about the state of modern software. Yes, those pieces of .exe
, .dmg
or .deb
binaries that come with almost every device and service out there (or maybe they even come with or for your phone). I’ve been contemplating writing this for some time, but recent events around the absolute ridiculousness of the scope of the mess we have on our collective hands, coupled with a Twitter thread from 2019 making the rounds prompted me to actually get this all out of my mind and into a blog post.
We are truly living in an era of user-hostile software, and when I say “user-hostile” I mean it as “software that doesn’t really care about the needs of the user but rather about the needs of the developer.” And this is not a problem that is bound to a specific operating system (or version thereof) or class or computers. It’s literally cross-platform, and it follows customers from home, to office, to their commute.
Both in Hacker News and Reddit discussions, people called out the fact that I am incorrectly pointing the finger at "developers." By using this word, my intention is not to single out engineers, but rather mention the group of folks that are responsible for the entire software lifecycle.
Let me give you some examples from my own experience.
- Want to use a dashcam for your car and sync the data to your local computer? You need to create an account and connect an app, even though you just want to do local sync.
- Bought a keyboard and want to change the lights on it? Better be ready to install some custom-built apps for that vendor and that vendor only.
- Want to monitor the state of your video card and closed-loop cooler, all made by the same vendor? There are two apps for that. One is digitally signed, another one is authored by
Unknown
. - Update your BIOS? Another app, by another vendor, that for some reason requires permissions to access machines on your local network.
- Controlling a number of buttons through a HID device? Another app, that always keeps refreshing the list of running processes, and no way to disable that functionality.
- Change the lights on a mouse that is not made by the same vendor that the keyboard is made by? Install another app, and while at it - you won’t be able to change the colors until you make an online account.
- Disable telemetry? Not a chance - you better be ready to have seven layers of defense in
/etc/hosts
, Pi-Hole, and a custom-built DNS + firewall + URL filter + deep packet inspector inside a server rack in the basement. I am exaggerating, of course. You only need six layers of defense to make this all work. - Want to install just one piece of software, and that’s it? You have to install an Electron-based “launcher” that will run a local outdated Node.js server and open up a bunch of ports for who knows what. No reason to just launch the executable - it has to be done through a launcher.
- Want to get data from inside a device onto your computer? Nope, it’s not a mass storage device. You need to install another app, that will be used just for this one device, to sync things. The app inconspicuously asks for location access while at it, and eats 85% of your CPU at all times, even when idle.
- If you just installed a new fan in your computer and want to control the lights, another software installation for you that is completely different from what you use to control the lights for the mouse and keyboard, since they’re obviously not made by the same vendor.
- Video driver? No problem - here you go, along with a piece of software that is basically one giant ad that sits in your tray.
- Before you can use a USB device, you need to install a custom app, that talks to some obscure remote server to confirm… something? And only then the device is functional. Good luck using it in two years when this company goes out of business and the servers are shut down.
- Browsing a site through the browser and not the app? Half of the functionality is not available, just to force the user into the app for no good reason. I just want to read a comment.
- Want to buy a cooking library tool? It’s a subscription now! So instead of paying $40 and using the same version of software for 10 years, you will spend $9.99/mo, totaling $1,198.80 over the same time span, even if you couldn’t care less about whatever new hyped blockchain functionality was added to it.
- Downloaded a calculator on your brand new tablet that comes without one built in? Surprise - for it to work you need to give it access to your contacts, location collected in the background, access to your text messages, full access to the photo library, and the rights to name your firstborn.
I am sure there are more examples that I haven’t captured here (there’s a large community for those, I hear), but this paints a pretty clear picture. No, I do not want to create an account to change my keyboard colors, and neither do I want to give some random piece of software root access to my machine on a pinky promise that it only needs it because it’s easier to write some registry key that way.
All of the examples above have one thing in common - they focus on the needs of developers instead of needs of the customers. I personally do not know anyone who asked for an online account requirement before they can use a keyboard; however, some product lead somewhere decided that it’s important to better “understand the customer” and “maximize marketing reach” through some weekly “Hey, we have a new keyboard!” newsletter. Nor did anyone ask for the ability to install a bunch of adware extensions helpfully bundled with the latest version of a DVD player software, that start messing with search results.
You can argue that all of this has existed for a very long time, back from the days of all kinds of toolbars and extensions that created multiple levels of address bar nesting in your web browser and taskbar.
However, the problem is becoming much more endemic lately, with everyone on the hunt for more data, more accounts, and a level of access to a computer that would make it seem like they’re using it as a giant bullseye for everyone on the Internet.
I intentionally did not name any names in the examples above. I am sure there are many fantastic developers that work at all those companies, and they mean well. However, as we all know - intentions don’t matter. Actions do. And right now a lot of actions show us how little regard there is for user security, privacy, and ease of use. It’s not an isolated incident - these keep popping up weekly on Hacker News.
How can this be fixed? Allow me to suggest a very simple flow chart:
It’s also possible to apply some principles here (or tenets, if you will), that can help establish long-term customer trust rather than short-term brand (or ad) gain. Maybe we do need something like a Hippocratic Oath for engineers?
So, if you are an engineer or a product manager:
- Always start with customer needs. Those are the foundation of any software product. That’s why you are building the thing.
- Don’t impose artificial limitations on the customer. That is, don’t require an account to change the keyboard LED scheme. We know it’s possible - Ducky keyboards, for example, can be entirely managed through the keyboard itself, without any software.
- Respect user choices. If someone doesn’t want to send telemetry (or any data for that matter), give them the option to not do it. At the time of writing, this blog collects anonymized data with Google Analytics. Don’t want to send it? Have your browser send a Do Not Track request and no data will leave this page. It takes an if statement to do this, not a month of engineering work.
- Think beyond the “right now”. Will your customer still be able to fully use your software and hardware in two years, after you shut down your web services?
- Stop kneecapping your experience for no reason. See “Don’t impose artificial limitations on the customer” for reference.
- Sometimes, no custom user experience is the best experience. Maybe all you needed was just a driver after all?
- Follow standards. Unless those standards have limitations that cannot be solved. Then come up with a better standard, so that we can have a standard standard. Or, you know, we could start with just using OpenRGB for light control for literally any LED that is attached to a computer.
- Follow the principle of least privilege. Your app that changes fan speeds doesn’t need local network and location access, with the customer’s Tuesday breakfast menu inspection. It just needs to be able to talk to a USB device.
- Give the choice of one-time payment. You don’t need to work for free. Just limit the user to no updates for your software (or limited number of updates). You’d be surprised for how many use cases that’s enough.
- Be ethical. This is the most straightforward - just do what is right for the customer. Don’t deceive, utilize dark patterns, or trick whoever is using your software. Get the job done and get out of the way.
I am optimistic about changes in all the problematic areas I called out. There are many developers and companies that strive to do the right thing, and customers notice. Change starts with admitting that there is a big problem, both with incentives, and identifying what truly matters. And what matters is the customer.