I have an app that lets people delete their accounts. It very clearly in big letters says "THIS IS IRREVERSIBLE". The button is hidden deep in their profile. I get emails, every single day, saying "I accidentally deleted my account, could you please restore it?". It literally drives me crazy.
People don’t read. Period. They’ll just click anything.
One approach I take is to make the user type something before taking the destructive action. Make them type IRREVERSIBLY DELETE MY ACCOUNT!, in all caps, with punctuation.
Another option is to have a 30 second timer where users have to sit on that screen and wait until you enable the delete button.
I’m sure many here would call these “dark patterns”, but these tricks have saved me so many painful support tickets over the years it’s not even funny.
> Due to an unfortunate sequence of events, I accidentally made the project’s repository private for a moment. And GitHub cascade-deleted our community that took 10 years to build.
> There’s a confirmation box. It’s designed to stop users in a situation like mine from doing something stupid. It tells you that “You will permanently lose all stars and watchers of this repository.”
If it happens to experienced developers, imagine the laymen. Humans are just fallible, I guess.
Github does it wrong. This is the sort of situation that calls for a type-name-to act approach. It ensures that you're acting on the object you think you're acting on.
The developer was on automatic because he had just been working with another repo and the two repo names were similar, so the type to confirm didn't prevent the mistake. The blog post suggests other changes GitHub could make.
"If you make something idiot-proof, someone will just make a better idiot."
I think there's a literal psychological disease in American culture, where if you fuck up, then someone else was to blame for not preventing you from doing it. I think we just need less of that (not more of that) to force people to understand that they need to be considering the effects of their actions before they do them.
Accident investigations intentionally do not apply blame. Humans are fallible. We make mistakes. If one human makes a mistake, others will too.
The author of the httpie blog post does not apply blame. In fact, he goes out of his way to explain his error, then suggests changes that would have prevented his mistake, to hopefully save others from the same mistake.
So we can blame humans as you seem to want to do, or we can accept human behavior and design our systems to be more forgiving.
cdelsolar at the top of this thread wrote that "I get emails, every single day" and that "It literally drives me crazy."
So what should cdelsolar do? Blame all the humans accidentally deleting their accounts, or find a way to design around it?
> Accident investigations intentionally do not apply blame.
Yeah they do and pilot error is very common:
> During 2004 in the United States, pilot error was listed as the primary cause of 78.6% of fatal general aviation accidents, and as the primary cause of 75.5% of general aviation accidents overall.[27] For scheduled air transport, pilot error typically accounts for just over half of worldwide accidents with a known cause
They can try to address that through training, certification, recertification and updates to manuals and checklists, but at some point some level of human failure is going to be inevitable. And with UI/UX like this there isn't much ability to do that, since people don't get certified on using GitHub.
Meanwhile, it is going to be very difficult to break people who are stuck on "autopilot" and just aren't reading anything out of it vi any kinds of dialogs or messages. Gonna delete 8,000,000 stars on this project? Good. Oh wait. Whoops. I'd like to see if the change to the UX to show that information has made any actual measurable impact on the accidental deletion incidents that GH sees.
There isn't any good substitute for just learning early that if you are going to delete something you need to stop, think, read and wait a second before hitting that button. Trying to fashion a world where people can navigate it successfully on completely thoughtless autopilot all the time isn't possible.
Also, that blog post is irritating because "Lesson #1" should have been for the author to STOP AND THINK when deleting or presented with a scary modal dialog box that actions were going to be permanent. My reading of that blog post is that the author didn't actually accept any blame, didn't see any need to change any of their behavior and shifted it all onto GH. It is equivalent to a non-apology-apology.
Modern accident investigators avoid the words "pilot error", as the scope of their work is to determine the cause of an accident, rather than to apportion blame.
And from the NTSB:
The NTSB does not assign fault or blame for an accident or incident; rather, NTSB investigations are factfinding proceedings with no adverse parties and are not conducted for the purpose of determining the rights, liabilities, or blame of any person or entity."
> should have been for the author to STOP AND THINK when deleting
I've been doing system administration and programming since the early 90s. One of the first things I learned from a grey beard at the time was after typing a destructive command, take my hands away from the keyboard and read back what I just typed before pressing enter. It was a great lesson and has saved me from a lot of mistakes.
Guess what? I still occasionally make mistakes. Because I'm human.
So another thing I learned was to make any shells on production systems be visually distinct. All my production machines have a red shell prompt. That's saved me from even more mistakes than reading back commands. And it protects more than just me, but anyone else who logs into those machines. (Yes, ideally, no one is ever logging into a production machine.)
The problem with "STOP AND THINK" is that it requires every person to learn that lesson individually. Meanwhile, if you accept that human behavior is what it is and design around it, you can save many people from mistakes in the first place.
There's a saying: do you want to be right or do you want to win? Personally, I want to win (i.e. be effective). Winning means accepting humans are fallible and doing my best to design systems for them instead of holding them at fault in cases where a better design would have prevented the mistake.
> The probable cause of the crash was "the pilot's failure to maintain control of the airplane during a descent over water at night, which was a result of spatial disorientation".
At some point there's not much else to do. Pilot exceeded their training and flew into the water. You could try to prevent that with more and more autopilots and warnings, but at some point pilots have to be able to fly the thing on manual and need to have the actual training for the conditions. I doubt the modern NTSB would be able to say anything better.
The prompts that you have setup also won't stop you from doing a `sudo shutdown -r now` in production quickly one day on autopilot (and typing sudo doesn't help much at all because it is now so common and you probably do that on preprod as well). STOP AND THINK is still going to be the best tool in your toolbox.
And in addition to having been a system administration since the early 90s (and worked at Amazon for 5 years) I'm also a cave diver. There's a variety of different methods in cave/technical diving to avoid breathing the wrong gas at the wrong depth. The best one is probably just to simply label all your bottles with your MOD, always analyze your gas and have a gas analysis sticker on the tank that matches the MOD sticker, then to always go through gas switching procedure with your buddy and validate MOD and analysis sticker every time you do a gas switch (even if you think you're not carrying any gas that is outside of the range where you're diving that day). Alternatives like different colored regulators or carrying gas on different sides run into trouble with exceptional procedures when regulators fail or tanks wind up getting dropped and picked up and put on the wrong side. You can then wind up following "correct" gas switching procedure at the gas switch time and still die. The best solution anyone has come up with has just been to always verify gas contents before sticking it into your mouth -- stop and think every single time. Adding anything else is generally creating more of an overcomplication that causes more additional secondary problems than it solves.
> a better design would have prevented the mistake.
You still need to show that a "better" design actually does stop the mistakes. Does having the stars and forks listed in the message really do that much or do people who are autopilot not reading still just hit submit? Has anyone really measured that?
I do not share your unbridled optimism that the perfect UI/UX design is out there which solves all problems and has no unintended consequences, and one of the unintended consequences I think is social which is that we learn to expect that if we screwed up that someone else should have stopped us.
And I learned that early growing up on systems where deletion was largely permanent and people didn't have backups (although I did get paid some money in high school to manually undelete files on an Apple floppy disk that someone else had nuked by accident), so I learned to think through permanent actions early. And I didn't learn to blame someone else for my own failure. I leveraged that at Amazon and ran all kinds of nasty commands in prod on a daily basis and never destroyed the company (all of that was done in the service of standardizing the configuration management of the systems and in the long run reducing the amount that prod needed to be touched, but early Amazon had a chicken-and-egg problem with a massive production deployment and no good standardization).
Another good example is the Union Street I5 exit in Seattle:
There's nothing much more to be done about the UI/UX of that exit. People are already driving past signs tell them to slow down to 20mph and they're driving at freeway speeds straight at a large concrete wall with no sense of self preservation. You could argue that there should be flashing lights which turn on when people are coming in too hot, but the 11foot8 bridge channel shows just how useless that is (and in Seattle they dropped the speed limits down to 25 mph without any road diets and added those radar speed limit signs that everyone just ignores now, so don't bother suggesting something like that). They aren't going to be able to do anything about reengineering that exit because its stuck in the middle of Downtown Seattle and they'd need to demolish too many structures. IMO, the problem there is that people are actually too used to being able to take exits at highway speeds without slowing down and can't recognize an exit where they can't--better "UI/UX" everywhere else causes problems where you can't retrofit it in. Any accident analysis that goes beyond individual driver responsibility should just lead to lax testing and certification standards and no recertification at all, and the way we treat driving as a Right and not a privilege.
And going back to IT Operations, the problem that I have with blameless portmortems (or whatever less dramatic term is in favor these days) is that most often the blame should fall on management and that lets them off the hook. The standard form for dealing with post-incident analysis should include a field for what decisions of management and what business prioritization led to the incident. Yeah, we shouldn't be blaming engineers most of the time (although given something along the lines of a bell curve in competency, there have to exist operational engineers who should just be encouraged to find other jobs one way or another), but the way to stop doing that shouldn't necessarily to stop entirely, but to be a bit more accurate about why these failures are happening. Although to be fair, perfect operations or perfect security is neither desirable or attainable by any organization. But again that points to the fact that perfect UX/UI to avoid incidents is not going to be attainable (in general "perfect" anything is not attainable -- its up there with drug-free societies and worlds without any abortion).
We're taking past each other. I'm not saying we can make the world perfectly safe and that humans are never at fault.
Rather, that after a mistake or accident it's not helpful to blame. I'll just quote from OSHA:
"The prevention of another future incident is the purpose of incident investigation, not to lay blame or find who’s at fault. The investigation should identify the causes of the incident so that controls can be put in place to prevent the same incident from happening again. [...] For the incident investigation to be effective, management must have a plan in place for implementing the corrective actions and making system improvements."
You can blame those drivers for not reading the speed limit all day long, but that doesn't prevent future accidents. That off ramp is poorly designed. That it can't be fixed today for reasons is besides the point. There's still obvious lessons to take away from it when designing new off ramps. One obvious lesson is that signs are not an effective way to slow people down.
I've personally known people who strongly exhibit these symptoms. There is no accountability (and no "good faith" arguments) for such people and I notice a seemingly similar pattern of thought in the linked blog post. Some excerpts which seem to intentionally shift blame:
> It’s a peculiarity of GitHub, to put it mildly, that making a repo private permanently deletes all watchers and stars.
> GitHub’s conceptual model treats users and organizations as very similar entities when it comes to profiles and repos.
> The problem is that the box looks exactly the same for repos with no commits and stars and for repos with a decade-long history and 55k stargazers and watchers.
I could go on. Anyway, just trying to offer another voice in agreement. Also, that particular call-out of "psychological disease" is especially notable to me for personal reasons. (Not that I'm intending to diagnose this specific blogger; just that the tone of the blog post indeed seems to be blame-shifting, which is a characteristic behavior of those with NPD.)
All those stories about people suing for a million dollar settlement probably doesn't help. And the entire unscrupulous lawyer class that enables it (seriously don't they have a bar association in America?!).
A human can literally drive all the way home from work and not remember doing so. You are surprised such an animal can fill out a text field and click some buttons?
I'm a professional developer and all that, I recently accidentally formatted my phone (and screamed to my stupidity). In twrp there is a "wipe" section that's used to well, wipe the phone, or optionally wipe the cache. I went in sure it was to wipe the cache, it clearly stated it would erase stuff, i still did.
Expecting humans to change will lead to frustration. Humans won't change. You have to construct your process around the way humans actually behave, not the way you wish they would or think they should. Apply lessons from accident investigations.
I think for big orgs there could be a two-man rule system like they use in minuteman missile control, two designated members have to both agree to delete a repo or anything seriously irreversible.
This is what dev focused tools like github or vercel do, make you type the name of the resource you're going to delete, and press the delete button (disabled until you correctly type)
Reading in auto mode and skipping is easy, writing not so much
ArgoCD also requires you to type in the name before you delete something. I've found that this has the added benefit of pushing people towards shorter names.
I have seen instances where the wrong pod or whatever was deleted, because someone nuked "foo-api" instead of "foo-ui" or something, but it's significantly harder to footgun yourself this way.
I actually experienced a full outage caused by an infra engineer accidentally deleting our production ArgoCD app, don't ask how but it seems like someone will always manage to stumble through whatever safeguards are in place. And on that day we also switched to more restrictive SSO access.
This all happens because the person doing the work "knows what they're doing". They "know" exactly what they're doing. And they "know" that whatever prompts that come up are there as part of the process of doing what they "know" that they're doing.
This process is not an exploratory process for them at that point, it's simply the actions necessary to get it done. Check the box, sign the form, stand on one leg, "yea yea, yada yada yada. GO!!!".
The fact that they are WRONG in their knowledge is long past. This is not in question in their mind. The decision is done, now it's all action. And we all have long become immune to all of the click throughs and other arcane dances necessary to "get things done".
It's no different from being in an intersection and seeing another driver LOOK RIGHT AT YOU and drive into you anyway. You're not "supposed to be there", and they have that driving maneuver locked into their brain, they're just following through.
This is actually a best practice given the data, not a dark pattern. Irreversible, high impact operations should require the user to prove they are not impaired, but instead fully aware of what they are doing.
Yes, this is something I believe even users don't quite understand.
Certain things should be a little harder. They should require deliberate action from the user to ensure as much as possible that they are engaged with the task at hand.
Typically you'll have requests like "I just want to do X with 'one click'" and "I want to be able to delete X with 'one click'".
I hate "one click". I hate counting clicks. Counting clicks is the fucking stupidest way to measure ease of interaction. I can make everything one click away, but it will be a fucking mess of an interface because there is not enough real estate for all that mess. A children's book requires far fewer clicks to type than the works of Shakespeare, but no one will say that a children's book is "better".
And I know that comparison is a little strained, but user experience isn't just clicks either. In some ways, it is a story about your application.
Ease of discovery is far more important. Relying on things people already know. I've slowly moved away from categories for most things and have gone to just alphabetize things. I don't have to worry if something is a TV show or movie, if it's horror, comedy, or action, or if it's a TV movie taking place between two seasons of a sci-fi western drama.
Yup. Cancelling should be easy, but one-click for something that can't be undone is unreasonable. This is especially an issue with web pages as the nature of browsers will cause occasional wild misclicks--you click just as the browser succeeds in loading something that caused the layout to change.
I very much favor type-to-delete for important irreversible actions--and when it's delete one of a list the type-to-delete is the name of the object you are getting rid of. I never implement one-click for options which are rarely used and are potentially bad. This isn't a dark pattern, this is simply sensible UI design. (My entire career has been spent programming for industry--I have absolutely zero reason to implement any sort of dark pattern as my users aren't my customers.)
I don't think this is a dark pattern, but a better approach might be requiring the user to type in their account name. It's preventing an accidental deletion.
I like that Azure makes you type in the resource name before deleting it, I know I am not going to accidentally click the button.
I'd say performing an action wrong item when having lots of tabs/windows open is probably pretty common.
absolutely not a dark pattern. I love when websites do this, actually - when I see a website has a big angry danger message around any permanent delete dialog and a box you need to type into, it makes me more confident around the rest of the interface, because I know the dev won't let me do anything destructive without safeguards.
> One approach I take is to make the user type something before taking the destructive action. Make them type IRREVERSIBLY DELETE MY ACCOUNT!, in all caps, with punctuation.
The more websites start doing this, the more users will be trained to typing whatever you ask them to type. A dangerous trend is in formation!
Why not make them sit for 30 seconds on a page that strictly says: "Your account has been deleted" with a button that says "Undo"... And after that 30 seconds it would be perfectly deleted.
I might use a word other than irreversible. At a glance, a wishful brain can see “This is reversible”. A vocabulary challenged brain may think “oh cool, it’s reversible”, or revert to the wishful thinking brain.
Ideas:
- ALL YOUR STUFF WILL BE GONE FOREVER
- YOUR ACCOUNT CANNOT BE RESTORED
- IT IS IMPOSSIBLE TO RESTORE YOUR ACCOUNT
The thing they keep asking you to do is undelete. Tailor your messaging to explicitly indicate the opposite of the outcome users keep asking for. Irreversible requires some interpretation, even though it probably makes perfect sense to most people.
(Hard learned lessons after years in enterprise product management. It’s amazing how many odd conclusions users can reach about seemingly obvious labels and messages).
Not much to be done about the ones who don’t read at all.
The best way of making statements for things like this is to disclude any negatives in it.
Don’t include any “cannot”, “never”, “is impossible”, etc because if they are ignored then the statement reverses in meaning.
Instead, describe the action with a word that is negative in and of itself e.g. “Please Delete Everything”.
So instead of “Your account cannot be restored”, it’s “Your account will be (irrevocably) deleted”.
And if a word has a positive affirmation as a substring of the negative affirmation, then avoid using it aswell since it’s a similar principal.
Much more likely to mentally skip over an extant negation than introduce a phantom one.
My personal favorite: Driving through backroads with some friends, sign says "Impassible Road: No Tow Service Available". Friend turns down it, drives half a mile, gets stuck. "No worries, we'll just call the tow service. Anyone remember their number?". Queue a half hour of us on our knees digging mud around.
Yeah, even crystal clear messaging won’t fix all cases.
But crystal clear messaging is low hanging fruit that does help. The goal is to raise the bar for the wishful brain, and to eliminate as many semi-plausible wishes as possible.
Combining this with a cooling off period is probably the next best step.
There will always be exceptions, no matter how much wordsmithing you do.
If you're seriously concerned with the morons who don't read:
"To delete your account enter the exact name of your account in the first field and enter the normal color of the daytime sky in the second field."
If you don't read you won't be able to answer the second field and the button won't go hot. Use many different options for the second field so people can't become habituated to filling it in. Note that the answer to the verification does not appear in the text, you can't skim for the answer but have to actually read the whole thing.
Starting from the premise that users are morons instead of “users are busy and distracted” is problematic.
There’s a degree of user hostility here that seems likely to distract users from the task at hand, and if busyness/distractedness is the actual issue, adding a new level of distraction on top (now start thinking about the color of the daytime sky, a task that is wholly unrelated to the outcome), seems likely to backfire at best, and will piss off the rest of the customers by degrading user experience at worst.
I think there’s a balance to be found by adding enough friction while using that friction to orient the user towards the realization you want them to have (“this is permanent”), and sky puzzles only add friction.
Whenever this sort of topic comes up I am reminded of this moment in 2010 where a blog post about Facebook briefly ranked higher than Facebook’s own login page, generating thousands of angry comments from users complaining about “the new Facebook”.
Reading about this was actually formative for me, in that it helped develop the understanding that very many people out there are using and perceiving the internet in a way that is completely foreign to me. I bring this up frequently when product conversations veer into phrases like “users will get it” or “people know to click on the menu” etc.
One thing that seems to really get the point across is to have someone type the words “permanently delete” in a text box before enabling the button.
I’ve seen this UI pattern in a few places, and it is a bit annoying for something you might do semi-regularly, but seems totally appropriate for your use-case. Something about typing that makes people’s brains fully activate, I think.
> Something about typing that makes people’s brains fully activate, I think.
Part of it might be that, but I think it’s also about the previous experiences that people have with programs.
How much a person thinks about something is inversely proportional to how much they see it. Typing is just something not many companies have added, so seeing it is off-putting and makes people think.
If you had to type “Permanently Delete This” all day to delete random entries in a database, you wouldn’t think twice before you accidentally deleted all of production.
This is why having the same warning for two different severities is a big problem. People encounter the first and realize it isn’t a big deal, and then glaze through the second because of their previous experience.
Deleting an empty folder is fine, but deleting your home directory might not be, even if both are just “deleting a folder”.
Came here to mention that UI option. At an old job, some of the internal tools made you add a flag "--I-am-not-a-moran[sic]-I-know-what-I-do" or "--sudo-make-me-a-sandwich" to important operations, presumably to remind you of their impact and give you a moment of typing to think about it.
AWS is so strangely inconsistent about this. In some places it is "delete", others "permanently delete", and others still it is the name of the resource. Thinking about it more, keeping the user on their toes like that makes it less likely to fat-finger a deletion, I suppose.
Kind of came to say this. I feel like to reasonably chime in on this thread one should have some experience with customer service. There are a lot of times where user errors are because of bad usability, but there's also just a certain percentage of people who will ignore everything you put in front of them and then complain.
Had a user yesterday complaining that we were using deceptive practices because we didn't mention our app is paid. It says so multiple times on our home page, once in large, bright, bold letters, and clicking on download redirects to our license purchase page, which uses even larger, bold letters and virtually nothing else. (The first text is an H1 with "Purchase License".) But of course they installed it without reading any of that, and then wrote to complain.
> there's also just a certain percentage of people who will ignore everything you put in front of them and then complain.
These are the people you don't want as customers. Perhaps one polite response then just ignore them. You can't please every idiot and trying to do so will just drag you into their idiocy.
An ex of mine, much smarter that me, literal PhD in quantum mechanics from Cambridge, misread the text of a free "create account" option on a game service (having an account would let you record high-scores and achievements) as a request for money to play that specific game.
I think your ex was a little more intuitive than you think. Those accounts are never free. They just don't have an upfront "cost." You're gonna pay for it one way or another. You know the expression, TANSTAAFL.
Have you considered tweaking your design to mark it as deleted and then follow up with an irreversible delete after a few days? So people have time to notice that actually they really do need the account? Then this whole process can be self-service, they will leave you alone, and people who currently make mistakes without writing to you are also better off.
i too started only 'soft-deleting' rows after my first few support calls
unless you're somehow required to delete the data, it's simpler to flip a "Deleted?" bit or put it into a 'recycle bin' that's cleared by some cron job
I get the occasional customer asking for a refund because they claim they accidentally placed an order. For a while I just thought it was a stupid excuse, how do you accidentally enter your credit card number into a form but now with the browser auto completing everything maybe they’re actually serious?
Just a guess, but maybe there were curious about the shipping fees.
Probably most of my online purchases start with trying to figure out where the package will be shipped from so that I can factor in import taxes to the EU. Surprisingly many webshops don't indicate their business of location clearly.
Yup, it's something of a dark pattern by many companies. They make it as hard as possible to see what the final cost will be until you're deep in the order process. Oops, if you're dealing with something that never has extra costs and thus doesn't have a final cost stage to ordering it wouldn't be hard to imagine someone actually ordering when they intended to get the final cost.
Likewise for shipping time. I need it by X and will not order if it's going to arrive later. That one isn't as much of a dark pattern as it's rarely done for deceptive reasons.
Some people will add things to their cart and then wait a few hours (or days) to see if they really want it. If they do, it's in their cart, and there's no reason to go find it again. If they don't, they just remove it.
I can see people who shop like this accidentally hitting "purchase" every now and then.
I once ordered something, because I wanted it, but then the vendor immediately signed me up for their shitty mailing list without asking. This upset me so much that I immediately cancelled the order.
They decided to ignore my cancellation and ship me the thing anyways. Now we're in a pitched battle over who should pay to fix their mistake. Regardless of the outcome, I'm never going to buy anything from them again.
Once I had to request a refund from Amazon because I did in fact accidentally order something. The best guess I have is that my phone was in my pocket, I was sweaty, and apparently the sweat and movement opened the Amazon app and ordered one of the recommended items while I was working outside. The order date coincided with only that as a real option (meaning, I wasn't drinking or doing drugs that day so that I might've forgotten the order).
I was super confused when a tool I had looked at three weeks prior turned up at my house.
The EqualLogic series of SANs made you type "DELETEALLMYDATANOW" in order to wipe the system and reset it. There was more than one call about "where did my data go?" and the answer was "what did you type?"
Why don’t you just restore it? It’s naive to think that something will not happen (or drive you crazy) if there’s a set of preventive measures. Think how much respect and loyalty you could earn by reversing the irreversible, especially if you play it like “usually we can’t but in your case I’ll assign a system administrator to see if it’s possible to restore it from backups”. You can even describe this exact conversation in help/FAQ — none of these folks read them and if it gets viral they couldn’t blame you for trickery.
Nah, I'm pretty anti-dark pattern, and I think it's fine to make the user think for a second before deleting their account irreversibly. A dark pattern would be something like Facebook, where they really try to get you to deactivate it, and make you wait 30 days or whatever if you do manage to use the very hidden delete button.
Definitely agree, a dark pattern for deleting/unsubscribing would be to make the user call an 800 or email someone, or not writing all the rules about payments surrounding cancelling an account (for paid stuff).
I'm reminded me of this big red button with red placard reading "ATTENTION: do not push red button unless it is an emergency" I came across in a bathroom at a highway rest stop years ago:
> I have an app that lets people delete their accounts.
Canceling a paid subscription doesn't need to mean delete the content immediately. The companies are trying to conflate the two in the complaining just to make it sound like they care about customer experience instead of their own pocket.
It's very easy to allow canceling a paid subscription with a single click in a way that immediately disables access to the service/data but keep the actual data around for a while (this is generally the default under the covers whether the company admits it or not).
This means a customer can reinstate their account by re-enabling payments without any data loss for however long the company wants to support that.
The most frequent cause of accidental clicks in my experience are, in no particular order:
layout reflows after first paint
UX changes/updates. If a piece of software is used regularly and users habituate to it then devs should be darn careful when making ux changes
Unresponsive or delayed responses, usually a strong smell of a poorly coded piece of software.
Lack of explicit confirmation on critical actions.
Inconsistent interfaces or workflows
Related to the previous, actions that depend on unreliable resources exhibit unusual behaviors in production environments. Amusingly, these often get conflated by techs for user error when they’re not perfectly reproducible.
I’m not saying your app has any of these or anything against you. I just wanted to share the other side of the coin, that it is frustrating for users to deal with hacked together barely functional apps to get condescended to by support who consider mistakes with the app to be solely the users fault. Any system, no matter how well designed will be misused and it should be possible to partially or fully recover from one or two sequential mistakes. If not that’s a sign to improve the workflow. Well above the baseline frequency of mistakes is a point when the frequency of errors is so great that it is evidently the app itself that is leading users to take actions contrary to their intentions.
To your example, how much effort is needed to fully delete their account once on the right screen? This is a good situation to use a multi step work flow that breaks a users momentum. Consider a big scary warning that covers the screen with a nice long delay before users can proceed, follow that up with a captcha of some sort followed by another delay and warning before showing/enabling the delete button. Once clicked give users another big warning and a scary countdown telling users how much time they have before their accounts permanently gone with a prominent cancel button.
Its my belief that any account deletion mechanism should never act instantaneously, it should disable login, and then create a job into a queue, which runs once a week, once a month, whatever.
Users do stupid things, they do things they dont want, their dog licks their phone, whatever.
The best solution I found was to delay the deletion and make it reversible (within a few days). Mark the account as to-be-deleted and prevent any action. The only page/screen available should show: this account is scheduled for permanent deletion within X days. Click to restore.
It has an added benefit of preventing people from easily recycling accounts and still meets GDPR.
This sounds like a problem with your app rather than the people using it. If this is a high issue, change the app to reduce this. This is product management 101.
That purely depends on your service, how much it costs vs how much time and resources they waste with customer support. We've dropped clients that were morons in the past because it was cheaper for us, and sometimes just because it was just really annoying to deal with them. It depends where you draw the line and what you can afford.
I might seem crazy here, but have the button download their complete account excluding sensitive information like passwords or credit card info as a file for them. Then delete it off your server.
That way, if they can recover it with that file. You could even make it a gigantic jwt token to validate the data incoming.
Why not just implement "logical delete" and have another process sweep through a few weeks later that does any pending deletes? Then they get what they want (or closer to it), and it isn't a lot more effort.
The thing is that it actually is reversible. I just don't have the wherewithal to restore everyone's accounts every day. I will do it if they're super insistent or directly message me, I suppose.
Some sites will automatically restore your account if you log into it again before the deletion completes. For example, Twitter.
A while ago, I went through and deactivated a bunch of social media accounts. In fact I first did it for an organization I was a member of. And of course, I got to learn first-hand how crazy-difficult it is sometimes to figure out how to get off a social media site. And the truth is, you can't. Not really. You can play the "Deactivate Account" game with them, but they will still retain your data, plus anyone who ever scraped the site will have it all.
So I attempted to deactivate my personal Twitter account, and I was fairly confident that I'd done it right. I never logged into it again, and I forgot about it for months, much longer than the deletion deadline. Well one day I found a link to it, and I followed that link and found my account live. Of course, none of the passwords worked, and I couldn't log in, nor recover the account, to deactivate it again. All I had was a lone TOTP code cycling in my Authenticator. I wrote to Twitter Support and I pleaded with them and said I could furnish the code and they were implacable.
So my Twitter account is out there, frozen in time, unrecoverable and undeletable. It could happen to you. Be very careful when you create a Social Media account, because it'll follow you for the rest of eternity.
Dealing with users myself has had the somewhat uncomfortable effect of making me often give the benefit of the doubt to faceless corporations over users when there's a scandal of "$service did $thing without my permission!". Frankly the empirical evidence is that it is impossible to get users to acknowledge something, short of sending a messenger to their house in person. People will ignore any forced messages and click literally any button, and the blame will always land on you
It's also why I'm marginally less annoyed now when software prevents me from doing something "for my own good", even when I know what I'm doing. Or proactively prevents "off-label" use cases, because they know that a failure to block a use case will be taken as a commitment to support it
And finally, this is also why true zero-trust encryption situations will always be a niche - almost no users can be trusted to accept the ramifications of being the sole keyholder. And that's not even starting on the users who take server message history for granted yet act outraged when they hear that Facebook does indeed have their message history, and include it in their GDPR exports as requested
My person favorite is when something pops and immediately goes away because I was in the middle of typing, clicking, etc.
Umm okay well I just agreed or disagreed to something, and I have no idea what.
Also after watching my kids, there is nothing they wouldn’t agree to onscreen if gets them to next step in whatever they are doing. Would easily sell soul for a donut.
We have a resource management UI. You could delete resources by clicking ‘delete’ then clicking ‘yes’ on the delete confirmation box.
Users complained that that’s not sufficient, “We fat finger it all the time”. Ok, we added a text box to the delete dialogue where you have to type ‘confirm’. “Guess what, we still fat finger it”. Ok, instead of ‘confirm’ you have to type the resource name, id, or type. “Hey, we still fat finger it”. Fine, you can set a resource to un-deletable in its settings, then you have to go to its settings and uncheck that before you can delete it. We get complaints about both how convoluted our delete experience is and about how people still fat finger that.
It’s hard to make everything soft-delete with undo and needing to handle all integrity and correctness between deleted, restored and newly created resources etc. Not to mention regulatory things that require actual delete. But it’s becoming more and more expected or you’re “amateurish”.
> Frankly the empirical evidence is that it is impossible to get users to acknowledge something
Interesting that you changed from “permission” to “acknowledge”. If the people are not “acknowledging” whatever then that sounds like you don’t have their permission.
What kind of forced message are we talking about here?
Yeah I was really talking about two slightly different things
* Need to notify users about something (not something that requires new consent, just a service announcement like a breaking workflow change). Use emails, uncloseable banners for a month, forced modals, whatever. Users still claim they didn't see it despite proof that they had seen the modal and banner many times
* New feature exists. User explicitly enables it despite a very clear explanation of what it does and simple yes/no buttons. User clicks yes and then complains that it was enabled automatically without their permission. The stuff I work on doesn't deal much in personal data so this wasn't even legal consent, just power features that can cause harm if used flippantly
Not exclusive to development either. I hear the same stories from sysadmins on a weekly basis (of users ignoring any IT communication and clicking buttons randomly without reading, then blaming everyone but themselves). Probably similar stories from any non-tech service job too
I just took some time at actually configuring a MS Windows VM I "care" about, after not really having paid attention to Windows in well over a decade. They're still doing it. Ongoing countless pop up dialogs about "permissions", "are you sure", windows "defender", etc. I would have thought they would have worked on security, cleaned up the UI load by streamlining a lot of the popup questions, made elevated permissions into a better defined thing you enable once per major action rather than just something you routinely need, etc. But no, they really just took the same dumpster fire of an operating system, ported over notification hell from mobile land, rigged ads into various UI elements, and called it a new version. Shame on me for having expected anything more, but oof.
I guess the dynamic is just the equivalent of the US legal regime where individuals are forced into "consenting" to all sorts of vile things through unilateral contracts of adhesion. The only real purpose seems to be so that when someone complains about some poor outcome, they can be told it's their own fault for having accepted.
No I do really mean "we". Every website that asks for cookies. Every phone app that asks for permissions. Every interface with technology with an "I agree" to do anything. Microsoft isn't special, just an egregious example of it. But everyone does it.
And I really intended to specifically condemn Microsoft for how strongly they normalized it. For one, pinning it on "we" is too widely scoped when it was only some developers/managers responsible for horrible UIs. For example the only people responsible for cookie spite-nags are the companies that decided malicious compliance was the way to go.
Phone apps were actually a decent way of asking for permissions - at the start when an app is first installed. That users couldn't say "no" was a problem, but the flow was correct. The newer style of interrupting a user to prompt on the first use is much worse. But the overall idea of setting permissions per app is sound - users needing to make these decisions is unavoidable, especially in the world of proprietary software where the interests of the developers strongly diverge from the interest of the users.
But in my condemnation I really do mean to call out Microsoft specifically. Sure a lot of things have routine dark patterns, but Windows is exceptional in terms of sheer volume and opaqueness. There's a massive difference between some javascript popup that can be ignored or Android asking one pertintent permissions question before accessing contacts/photos/etc, and Windows popping up multiple nondescript "OK" dialogs after a single user intent click.
Most users care more about the service working well, than they do about their data being secure. Its why things like Mastodon (et al) will always have an uphill battle.
I'm currently on the telephone to Virgin Media (a UK domestic fibre-optic broadband provider) and they are certainly making it difficult.
This is the annual price renegotiation dance, which requires a call to the helpline, at least three menu options to get to the 'thinking of leaving us' option. This goes to a first-line call centre operative, who speaks with a 'manager' whilst the caller is on hold and then returns with a not particularly great 'agent discount'. The next step is to politely refuse the initial offer and ask to be 'put through to cancellations'. After a half-hour wait, I will then make it to the second line call centre who can give the actual discount. I have been cut off once during the hold queue music for stage two, and this is my second attempt.
The Web-based cancellation form didn't work on my browser, although this may be due to cookie or script blockers.
I'm all in favour of a streamlined workflow for cancellation processes, and if users do that by mistake, fine - that's life. Just give clear and unambiguous notices describing the consequences of the user's decision and keep the dark patterns well away from the entire process.
I do have equipment for that but Virgin Media was cheaper at the time that I was setting up when I moved in (new-build) . It's fibre to premises.
The result of my call today was an acceptable discount via the UK-based call centre, so I'm sticking with my current provider for the next 18 months. I spent over an hour on the telephone though, which shouldn't be necessary.
I think the hack here is to say you're moving and can't transfer your account for whatever reason, and you typically get fasttracked to cancellation. (along with the standard phone-tree escape of holding down a button on your phone)
I know many people who, after working phone support themselves, call up just to ask for a discount once a year.
While I do not think the trade industry is correct here, and that the power should go to the consumers.... At my current job (we sell Hosted PBX and SIP Trunking VOIP products) I have had Channel Partners "accidentally" cancel their own sub-accounts and then businesses (such as doctor's offices) do not have VoIP service for 24 hours while the account is rebuilt.
Having the ability to immediately turn the product back on works for a lot of things, but certain actions require immediate clearing of our system (number porting is an example, due to laws). Yes, I have had customers "accidentally" port their numbers. Comcast was notorious for this as just LOOKING into service with them might have a customer sign a document that triggered a number port.
This is not idiot customers though, this is just sales being sales and clicking buttons that are shiny.
I once had a Cloud Ops engineer "accidentally" delete an S3 bucket containing all the logos for our whitelisted page. Claims he was cleaning up and didn't think these were important until after the fact.
We couldn't just turn this back and had to ask each client (about 50 at the time) to send us their brand guides again. Of course, being the PM this was somehow my fault
I think the right fix for subscriptions is probably to require an affirmative renewal rather than a passive renewal. Since customers are too lazy to affirmatively cancel subscriptions they aren't using, a passive renewal means they keep spending money on it.
If you require affirmative renewal then there is no need to offer a "cancel my subscription" option at all because the way to cancel a subscription would be to just not renew it after it expires.
I think passive renewal is reasonable for utility services because obviously you want to continue your electric service and the cost of a momentary lapse in service would be potentially catastrophic. But your subscription to a music streaming app can lapse without anything bad happening and be renewed whenever you decide to use the app again. And that means that people who stopped using it but forgot to cancel aren't being billed for it.
It would be nice if that were offered, but tbh I would find the volume of "affirmative renewal" messages annoying.
I wonder if subscription payments could be handled at the payment provider level. Ideally when I use a payment method at a merchant, I would be able to choose between one time payment, and recurring payment. If I choose recurring payment, a token is generated, and I can revoke / cancel the token from my payment provider's website / app.
To be entirely fair, such volume would only come because everything has become a subscription. Maybe this would drive it back to buy a product and you now have it?
That's one of the things I appreciate about BazQux as an RSS service. I get a reminder that my year "subscription" is coming up and if I'd like to continue I need to purchase another year. Perhaps it's because of their billing platform but I'm happy its a pattern.
I agree. This is essentially how Apple handles subscriptions. If you created a subscription using Apple Pay, you can go to settings and cancel it from there. It’s one of the reasons I value Apple Pay.
I think this article is an example of poor journalism: repeating the claims of the parties concerned without investigating which parts, if any, are bullshit. Sure, the title has an incredulous tone, but the body has no discernable skepticism.
Title of this post omits a pretty important few words, the full text being "Companies Think Their Idiot Customers Will Accidentally Cancel Their Subscriptions if It's Too Easy"
I don't believe that's what they think at all. I think their reasoning is that the more difficult they make cancelling, the more people will get frustrated and give up trying (maybe telling themselves "screw this, I'll try again another day" -- and some of those won't try again another day).
Many of the comments I've seen here so far seem to focus on whether or not there's a warning, and making folks type exactly the name of what they intend to delete.
"THIS IS IRREVERSIBLE! Please type 'owner/account' to proceed."
But https://httpie.io/blog/stardust seems to suggest that it would be an improvement to let people know just what they're going to lose. That might be a challenge, but it does sound like good UX to me. If a company knows what its users actually (might) value about a system, they could present it that way.
"Understand that deleting your account is irreversible. If you are sure, type 'Lose 10000 followers' to proceed."
Looking at the article talking about this proposal, it appears that the requirement is actually that it's as easy to cancel as it is to sign up, not that it is "one click." A confirmation box is pretty standard practice in UX for destructive actions and it doesn't sound like that is prevented.
What the proposal DOES do is prevent dark patterns, like having to click through five screens of offers before cancelling. Overall this is a very poorly written article. But it's gizmodo so I'm not sure what else people are expecting!
Most companies know that people won't cancel because people are lazy. Making it hard will make them angry customers. I would like to see stats if the 'hidden'/aggressive stance ever works. When you cancel with us, we encrypt your data and give you the key (and wipe it on our side). We delete the encrypted data after 6 months. Not many people cancel (they drop to freemium and that's it usually), but stats show there are 0 accidents as no-one ever reactivated.
Disclaimer: I only do b2b ; I know nothing about b2c, so my remarks reflect the former.
Exactly this, that's the way to handle it. Not to 'on the spot' hard delete a bunch of stuff. Just send them an email with a link that they need to click to re-activate their account and 30 or 90 days within which to do that. No action in that time -> deletion is permanent and data will be wiped.
If I'm deleting my account there's a reason for doing so. I don't want the company I'm trying to leave to continue to hold on to my data for any reason whatsoever. If I did, I'd just cancel or deactivate my account. There are often legal reasons for doing this as well, particularly when handling PII.
Incidentally, this is why I not fond of engineering solutions like append-only databases. They deliberately take agency away from your users/customers in order to make life for the engineers easier.
Then we could deal with that by adding another link that says 'if you really want to delete your stuff right now without recourse then click here and it will be done'.
This of course would cause a ton of trouble for those cases where someone managed an account takeover or for people who are really clueless. See upthread comment about the number of CS calls such implementation details can lead to.
The shorter version: you can't please everybody. There will always be exceptions.
Interesting and somewhat ironic that WSJ itself (cited, this really should link to the original) isn't alone among big newspapers in making it somewhat difficult to cancel their subscriptions!
> “If sellers are required to enable cancellation through a single click or action by the consumer, accidental cancellations will become much more common, as consumers will not reasonably expect to remove their recurring goods or services with just one click,” the Association said in a statement.
This seems like a non-issue. Shouldn't it be trivial for customers to reactivate their subscriptions if they accidentally cancel?
It is a non-issue for customers. It's the same trap as a gym membership. Ideally, they want people to subscribe and just leave it running without actually using it. The best way to maximize that is to put speed bumps to cancelling. In the instance of a gym membership, you have to go in there to cancel and sign papers and all that. Imagine if everyone with a gym membership actually showed up every day, there would be a line circling the place like an iPhone launch.
The issue is they don't want to remove their speed bump because that speed bump equates to a ton of revenue every month without the cost of user load.
I mean, some will. We have a two button cancel process and we'll have accidental clicks a couple times a year. However, two incidents a year does not justify the lengths that some companies will go to retain your sub.
I am currently trying to cancel internet, mobile and electricity contracts as I am moving out in germany. The process is so twisted that there are startups whose products is canceling contracts.
I guess at the point the customer has cancelled their subscription you're like fine calling them idiots because you no longer have a business relationship withstanding with them?
> "Of course they're idiots if they cancelled us."
