Journalist/Source Codename ambiguity is potentially confusing #4096

Open
eloquence opened this issue Feb 1, 2019 · 6 comments

@eloquence
Member

eloquence commented Feb 1, 2019

SecureDrop uses the term codename in two very different ways:

  • to refer to the Source's codename, which they need in order to log back in through the Source Interface;
  • to refer to the designation shown only to journalists in the Journalist Interface.

The potential for confusion between these two codenames is increased by the fact that Sources can cycle codenames upon first generation, and journalists can cycle codenames as many times as they want without any effect on the source.

A source <-> journalist interaction where a journalist discloses the "codename" to the source, or offers to refresh it on their behalf, in an attempt to resolve communication problems is at least conceivable. On the flip side, journalists may be reluctant to use the "refresh codename" feature if they don't understand what the effect on the source is going to be.

User Research Evidence

As of yet, we have no evidence from interviews regarding this question. Since we want to collect evidence concerning the journalist user value of the "Refresh codename" feature in the Journalist Interface, that would be a good time to ask if journalists/admins understand the difference between the two codenames, or if it has been a cause of confusion in the past.

The very different uses of the term have been an occasional cause of confusion for new team members, which by itself is insufficient justification to change the terminology.

@eloquence
Member Author

I'm curious if we can still reconstruct the reasoning for the use of the term "codename" instead of "passphrase" in the Source Interface. The 7-word phrase bears little resemblance to what most people would think of as a name. If the only point is to communicate that there is no way to recover it, my sense is that this could be done differently.

@ninavizz
Member

ninavizz commented Feb 1, 2019

"Passphrase" sounds like password euro-ized, to me; "Codename" in no way infers an authentication experience.

My hunch is that journalists and sources would communicate about the story the source sends, not about passphrases. Why would the journalist ever cite a codename to their source?

@eloquence
Member Author

> "Passphrase" sounds like password euro-ized, to me

I feel it's an appropriately widely used term nowadays, and technically more accurate than "password", so that's the substitute I'd lean towards from the source's point of view.

"Codename" to me suggests a name that actually is intended to be used to identify me to the news organization ("Hi, it's me again, benign artichoke"), but in fact what we call the codename in the source interface is a passphrase intended to be kept secret from everyone but myself.

> Why would the journalist ever cite a codename to their source?

Hypothetical sequence of events:

  1. Source forgets their codename, submits a doc proving their identity and says "I lost your replies because I forgot my codename, can you help?"
  2. Journalist notices "Refresh codename" button, clicks it for the relevant source, and responds saying "I just reset your codename to benign artichoke, try again".

Admittedly a bit of a stretch. Still I feel a bit of residual unease about the ambiguity in combination with the mysterious "Refresh codename" button.

I think the more likely scenario is just that journalists may be afraid to touch the "Refresh codename" feature altogether, because it feels scary if you think that it potentially impacts the source's ability to log in.

Either way I'd like to get a better sense of journalists' mental model of what "codename" refers to in different parts of SecureDrop.

@heartsucker
Contributor

heartsucker commented Feb 5, 2019

As a minor note, @bumbleblue and I talked about the codename refresh button. It seems like it's a feature that doesn't need to exist IMO and might just be more confusing and cause more trouble than it's worth.

@ninavizz
Member

ninavizz commented Feb 5, 2019

Yeah, @eloquence and I were just chatting about it the other day, too. I think it exists to serve a threat model need. We don't know if anybody wants to or has used it much, tbh. It has been added to the list of "things to ask users about" in future testing sessions.

Generally in security, I feel "threat modeling" makes too fast a transition into defining actual user needs—when sometimes it can be more like "a security wonk thinks this might be useful when a normal human would never think to do 'x' in 'y' situation," and/or the feature implementation is done too oddly to be discoverable or to feel useful to users. Curious if @bumbleblue has ever thought that, or if I'm just reaching too hard with the "my black is better than your black!" hypothesis.

@eloquence
Member Author

Update:
