09 September 2008

Know Your Form Data

Developers often build data entry forms that don't match the reality of the information they are trying to collect. The result can be a form that some legitimate users simply cannot complete.

I am surprised about how reluctant most specialist usability companies, at least in the UK, are to consider the security implications during usability testing. Reactions I've come across range from "usability has nothing to do with security" to "the client will deal with that". I think they are missing an opportunity.

Although we hear a lot about confidentiality, information security includes the principles of availability and integrity:

  • Availability - Maintaining systems, resources and data so they are accessible when required and are functioning correctly
  • Integrity - Ensuring data is valid, complete and cannot be modified or deleted without authorisation

Here's an example "change address" form where the integrity checks are wrong (they reject valid data) and are therefore denying use of the service to a customer, which is an availability failure:

Partial screen capture of an address entry form - the house number, flat number and street names have been left blank and the form submitted to show an error message 'please enter a valid address'

The form belongs to a very customer focused organisation in a highly regulated business sector. Therefore, I suspect that the web site has been through extensive usability testing. But it is not possible to provide an address that doesn't have a house number, flat number or street name. Strange, since there are many valid Royal Mail listed addresses like this, yet this web site has been built to specifically exclude them.

Well, I don't think the project team set out with this intent, but that's what happened. There is no way to change your address, except to phone the call centre. Of course, it might be that the database behind the scenes has some (incorrect) constraints on what it thinks constitutes an address and the developers have coded the web site to match. What makes me suspect this is that the drop down list of county/region names includes truncated county names, and even entities that are not counties, regions or metropolitan areas. Also, the displayed text is the same as the values submitted by the form. However, that's not the right way to do it.

HTML source code of the drop down list showing county values and names like 'Stafford' and 'Tynewear'

Some of these are not counties, and if the address was on Skye, would you select 'Skye' or 'Highland' (region)?

Even if the back-end system doesn't allow addresses without street names etc., the web site should accept every valid address and then put the change into a pending state for subsequent checking and update of the main system. It must be possible somehow, since you can do it by telephone.
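The following is an added example, not code from the original post or from the web site discussed: a server-side validator for a "change address" form that follows the Royal Mail PAF point quoted below (a Thoroughfare may be absent, in which case the Locality identifies the place) rather than the site's over-strict rules, and that routes addresses the back-end cannot hold into a pending queue instead of rejecting the customer. The field names, the rule set, the region codes and the simplified postcode pattern are all my assumptions for illustration, not Royal Mail's specification.

```python
"""Added example (not part of the original post): accept every valid UK
address, and separate the value a drop-down submits from the text it shows.

Assumptions (mine, not the post's or Royal Mail's): the field names, the
rule set, the hypothetical REGION_OPTIONS codes, and POSTCODE_RE, which is a
simplified outward/inward shape check rather than the full specification.
"""
import re
from dataclasses import dataclass, field

# Simplified UK postcode shape: outward code (area + district), optional
# space, inward code (sector + unit). Special cases such as GIR 0AA are not
# covered; use the official PAF rules in production.
POSTCODE_RE = re.compile(r"^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$")

# Drop-down list: the submitted value is a short stable code, deliberately
# NOT the display text, and the server only accepts values on this allow-list.
# The codes and names here are hypothetical, not an official region table.
REGION_OPTIONS = {
    "STAFFS": "Staffordshire",
    "TYNEWEAR": "Tyne and Wear",
    "HIGHLAND": "Highland",
}

FIELDS = ("organisation", "sub_building", "building_name", "building_number",
          "thoroughfare", "locality", "post_town", "postcode", "region")


@dataclass
class ValidationResult:
    ok: bool
    errors: list = field(default_factory=list)
    address: dict = field(default_factory=dict)


def normalise(form):
    """Trim whitespace; unknown fields are ignored, missing fields become ''."""
    return {f: (form.get(f) or "").strip() for f in FIELDS}


def validate_address(form):
    """Integrity checks that match the shape of real addresses."""
    a = normalise(form)
    errors = []
    # Every address ends in a post town and a postcode.
    if not a["post_town"]:
        errors.append("post town is required")
    pc = a["postcode"].upper()
    if not POSTCODE_RE.match(pc):
        errors.append("postcode is not in a recognised format")
    else:
        # Canonical form: single space before the three-character inward code.
        a["postcode"] = pc if " " in pc else pc[:-3] + " " + pc[-3:]
    # The delivery point must be identified by at least one of these; a rural
    # cottage with only a building name is valid, so none is mandatory alone.
    if not any(a[f] for f in ("organisation", "sub_building",
                              "building_name", "building_number")):
        errors.append("give a building name, number, flat or organisation")
    # PAF: no thoroughfare is fine when the locality identifies the place.
    if not (a["thoroughfare"] or a["locality"]):
        errors.append("give either a street name or a locality")
    # Never trust the submitted drop-down value: check it against the list.
    if a["region"] and a["region"] not in REGION_OPTIONS:
        errors.append("region is not one of the offered values")
    return ValidationResult(not errors, errors, a)


def backend_accepts(address):
    """Hypothetical main-system constraint: its record insists on a street."""
    return bool(address["thoroughfare"])


def submit_change(form, live_store, pending_queue):
    """Accept any valid address; what the back-end cannot hold goes to a
    pending queue for manual update instead of turning the customer away."""
    result = validate_address(form)
    if not result.ok:
        return "rejected", result.errors
    if backend_accepts(result.address):
        live_store.append(result.address)
        return "applied", []
    pending_queue.append(result.address)
    return "pending", []


if __name__ == "__main__":
    # Constructed sample input: a rural address with no number, flat or street.
    rural = {"building_name": "Rose Cottage", "locality": "Little Village",
             "post_town": "SOMETOWN", "postcode": "ab12 3cd", "region": "HIGHLAND"}
    live, pending = [], []
    print(submit_change(rural, live, pending))   # ('pending', [])
```

The point of the split between `validate_address` and `backend_accepts` is that the integrity rule the user sees is derived from what addresses really look like, while the main system's narrower constraint only decides whether the change is applied now or queued; the region check also shows why the drop-down should submit a code rather than its display text, since the server can then validate against a closed list.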

The Royal Mail has an overview of what constitutes a correct postal address in the United Kingdom, but it always pays to check the original source which tells a slightly different story: Why, What and How - A Guide to using the PAF® (PDF):

There may be no Thoroughfare information for an address. This usually occurs in rural areas, where the Locality information identifies the location...

This 204-page document also explains how long each address line can be, and everything else about the Royal Mail's Postcode Address File (PAF) products, including character conversions. BitBoost Systems maintain a useful International Mailing Address Formats web page, but always check with the original sources - don't rely on anyone else's interpretation.

Recommendations:

  • Understand the properties of all your data
  • Don't enforce internal constraints and methods on remote users
  • Don't make your web systems more complex than your other methods of communication (such as telephone)
  • Make it easy for web site users to get it right

And, include consideration of security issues during usability and user acceptance testing.

Posted on: 09 September 2008 at 10:55 hrs

Permalink: http://www.clerkendweller.com/2008/9/9/Know-Your-Form-Data

© 2008-2012 clerkendweller.com