search

corona-warn-app / cwa-wishlist

Central repository to collect community feature requests and improvements. The CWA development ends on May 31, 2023. You still can warn other users until April 30, 2023. More information:
https://coronawarn.app/en/faq/#ramp_down
Apache License 2.0
105 stars 14 forks source link

Button "Gültigkeit Prüfen" on the Certificate tab is misleading about its purpose: Suggestion for a gamified UX #694

Open datenwolf opened 2 years ago

datenwolf commented 2 years ago

Current Implementation

The current presentation of the "Gültigkeit Prüfen" feature is misleading people about its actual purpose: While the actual purpose is to allow the holder of a certificate to test that it has been properly imported and will be recognized by as valid, the way most (nontechnical) people misinterpret it is that clicking this button would validate the certificate for entry into a venue according to the 2G+ rules.

impfzertifikat_app_UI_fail

It saddens me to report, that for the 5 months in which I personally hold valid vaccination certificates, not a single time they had been properly validated by scanning and subsequent cryptographic test.

However quite often tally clerks will tap on this button, assuming that the information presented thus would suffice as a check for validity.

Suggested Enhancement

First and foremost the function for the holder to test that his certificate/s have been properly important and remain valid should not be presented within the same visual frame as the presentation for validation of the certificate (QR code).

As a first stop gap I suggest to re-/move this function from the certificate presentation frame and instead make it reachable through the settings menu, at least 2 nesting levels deep (as a matter of fact, I'd even put it behind some kind of lock screen. Simply speaking, the behavior of the app's userinterface itself must adamantly communicate that these are not the "droids they're looking for".

This is a matter of psychology. The problem at hand is, that in order to properly use the verification system as it is presented right now, the users must have at least a basic level of understanding of cryptographic signature verification and also be aware of the consequences of using general purpose computers to present information i.e. that a mere, random QR code in an application looking like "the app" could just as well be a fake QR generator just generating random noise, presented in a style looking like the app.

Teaching these facts is hard. And teaching the proper way to do this through a manual is even harder. However I see potential in turning the verification process into a cooperative minigame. This will incur some technological caveats, which I'll address later.

From a game design perspective this minigame involves a "puzzle" called "the certificate verification game with 2 players to enter a venue" or just "Venue Entry Certificate Verification".

After the "Certificate Verification" "game" has started, there's always a "Cancel Verification" forfeiture button present.

Instead of outright presenting the QR code for scanning, the "game" must assert the presence of the second "player" (= tally clerk). To encourage seeking out their participation the "player" is presented with a screen that clearly indicates, that to proceed, "player 2" (= clerk) must enter the game with their "controller" (= CovPassCheck enabled device).

To this end some temporary communication channel must be established. I thought a while about the problem and between ultrasonic signals and strobing the flash LED toward the camera of the other device I think piggybacking on the existing BLE proximity beacon infrastructure would make the most sense; I'll explain my reasoning further down.

Once the presence of "player 2" (or rather a device running the CovPassCheck app nearby) has been detected the screen will actually present the QR code to scan.

IMPORTANT: The screen showing the QR code shall be styled in a way, that clearly communicates, that the certificate hasn't been properly validated yet!

Scanning the certificate with the CovPassCheck results in the transmission of a special purpose BLE proximity broadcast containing a salted hash of the certificate to pick up by the CWA. Once the CWA picks up the broadcast it visually acknowledges the reception by switching to a "reward" screen telling the user that they successfully cleared the game, together with a randomly generated alphanumeric verification reward token; the same token shall also be temporarily presented to player 2 (the tally clerk). This later token is absolutely meaningless, it does nothing. The value of these tokens lie in that they're "collectibles" that the user later on can look at with timestamps (i.e. they successfully played the game).

This is also where the "Cancel" forfeiture button comes in: Whenever the verification game is not cleared successfully it will also show up in the list of games. And there shall be no easy to reach way to clear this list; entries will expire after 2 weeks, but that's it. This is the most important part. People don't like not properly completing games, especially if they already did master the "skills" required to clear a level and their only hinderance to success lies in an uncooperative player. Yes, deep down this boils down to emotional coercion, but facts don't seem to reach people. And every venue where they're not able to properly complete the game they might give appropriate feedback or avoid it in the future.

Technical caveats

From a technical implementation perspective the use of the BLE proximity beacon infrastructure already in place for contact tracing seems to introduce the least friction. While not being absolute and perfectly detecting the presence of the very device the certificate will be scanned with, it is "good enough". Most importantly their use will not require new or additional device permissions. Requesting new permissions for existing CWA installations may raise suspicions and thus create adaptation friction.

On the other hand so far there's a comparatively small pre existing installation base of the CovPassCheck app; requestion permissions upon installation is considered normal, so a lot less friction.

Also proper privacy keeping functionality already is implemented for the BLE prox beacons.

The technical challenge lies in implementing the 3-way handshake required for implementing the game as proposed above.

Expected Benefits

While on a technological level it'd suffice to properly train users to validate certs with the CovPassCheck app, in my personal experience all my attempts to teach people about the process and what certain aspects of the CWA and CPC can and can not do, turned out to be fruitless.

By gamifying the validation protocol to be exercised by the users of the CWA and CPC I expect a vastly increased adoption of proper certificate validation procedures.

Internal Tracking ID: EXPOSUREAPP-10703

Ein-Tim commented 2 years ago

Most importantly their use will not require new or additional device permissions. Requesting new permissions for existing CWA installations may raise suspicions and thus create adaptation friction.

This is not true, actually. CWA does not ask for permission to access Bluetooth currently, as sending out and scanning for BLE beacons from other devices is done by the Exposure Notification Framework, the underlying API implemented into iOS and Android. So the user would indeed have to grand CWA access to Bluetooth with this change.

datenwolf commented 2 years ago

So the user would indeed have to grand CWA access to Bluetooth with this change.

Ah, I wasn't aware of this. Hmmm… I'll need to meditate about that.

dsarkar commented 2 years ago

@datenwolf Thanks for your proposal. Internal Tracking ID: EXPOSUREAPP-10703

  1. Regarding:

    IMPORTANT: The screen showing the QR code shall be styled in a way, that clearly communicates, that the certificate hasn't been properly validated yet!

See sentence above the QR code.

  1. Actually, in the certificates screen (tab) this button is nit shown on the active certificate.

Best wishes, DS

Corona-Warn-App Open Source Team

datenwolf commented 2 years ago

See sentence above the QR code.

This "sentence above the QR code" may be considered a user manual. Users "don't get it". In every instance I experienced where tally clerks did just look at the QR code, or pressed the button I explicitly made them aware about this very writing on top of the QR code. This element of the UI doesn't work and fails to serve its purpose!

datenwolf commented 2 years ago

2. Actually, in the certificates screen (tab) this button is nit shown on the active certificate.

Another day, it happened again: As of today my employer implements a stricter checking scheme on their premises; or so they thought. Because apparently staff who're doing the certificate verification seem to have been instructed to "validate" the certificates by 1. tapping on the QR code, then 2. press the "Gültigkeit Prüfen" button.

My employer is a University focused on health care and life sciences. I tried to explain the situation to the staff. I again pointed out that text. To little effect.

This text is a manual. Manuals can be ignored or (willingly) misunderstood.

I see no other way to enforce proper validation of electronically stored vaccination certificates, than to put a very strict and rigid workflow in place, that clearly communicates to both sides (clerk and patron) that a proper validation happened. And if it didn't happen I see no other way than guilt tripping people about that.

Yes, I'm fully aware that this wouldn't be applicable to certificate hardcopies, but:

  1. their use is rather rare.
  2. enforcing adherence to the process to certificates presented electronically will lower the threshold to also following the process with on paper certificates to almost 0.

So the user would indeed have to grand CWA access to Bluetooth with this change.

Ah, I wasn't aware of this. Hmmm… I'll need to meditate about that.

Having a good night's sleep on the topic, I think that asking for additional permissions is perfectly acceptable. Just in a positive way advertise it as what it is: A means to ensure proper adherence to the verification process to give the patron a proper feedback that the venues they visit do their due diligence.

I wonder if we could up with some way to integrate the check with {n,e}PA; just tapping the ID card on an NFC reader won't give you any of the information required to actually check the identity. Anyone any ideas on that? Of course with strong privacy designed into it.

moabits commented 2 years ago

+1 I also think the button is very misleading as a UX element. I would suggest renaming the feature "Travel Acceptance Check" or similar. In any case, "Validity" should not be used to avoid confusion.

However, I oppose the suggested changes regarding gamification that would make the verification harder.

Ein-Tim commented 2 years ago

The button will be renamed to "Reisegültigkeit prüfen" in the next release see PRs:

moabits commented 2 years ago

I'd suggest to also rename the english version, which currently still is "Check Validity".

Ein-Tim commented 2 years ago

@moabits

I'm sure this will be done via a translation update PR soon.

datenwolf commented 2 years ago

I just came this Tweet about this wonderful showcase of a similar UX problem, and why adding instructive text to a UI hardly works (in this case it's a payment terminal, where the user must hit a certain button, before attempting to do payment): https://twitter.com/jcolman/status/1470439435988840451