Choice Considered Harmful

The Mozilla Foundation’s mission is to preserve choice and innovation on the Internet. And that’s a great thing.

But there are some contexts where choice is harmful. Security is one. For example, I believe that if the Link Fingerprint check on a download fails, the file should be deleted without giving the user the option to retain it. That’s because when you ask the user about security decisions (like “This certificate is bogus; do you want to continue?”), they normally do the insecure, convenient thing. So the trick is to avoid having to ask. But my view has been attacked in discussion as not “giving the user choice” and “just deciding for them, like Microsoft”, as if taking decisions for users is somehow always a bad thing.
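As an added illustration of the “avoid having to ask” policy (this is example code written for this page, not code from the original post, from Firefox or from the Link Fingerprints proposal itself), here is a fail-closed download verifier. The fragment syntax `#!sha256!<hex>`, the set of accepted hash algorithms, the example URL and the sample payload are all assumptions made for the example. The point it shows is structural: the downloaded bytes are written to a private temporary file, and only a file whose digest matches the fingerprint is ever renamed into the user-visible destination; on mismatch the temporary file is unlinked and an error is raised, so there is no “keep it anyway?” prompt to get wrong.

```python
"""Added example: fail-closed Link Fingerprint verification.

Assumptions (not from the original post): fingerprint fragment grammar
'!<algorithm>!<hexdigest>', sha256/sha512 as the accepted algorithms,
and the constructed sample URL and payload in run_demo().
"""
import hashlib
import hmac
import os
import re
import tempfile
from urllib.parse import urlsplit

# Assumed fragment grammar: "!<algorithm>!<hex digest>" after the '#'.
_FINGERPRINT_RE = re.compile(r"^!(?P<alg>[a-z0-9]+)!(?P<hexdigest>[0-9a-fA-F]+)$")
_ALLOWED_ALGS = {"sha256": 64, "sha512": 128}   # required hex length per algorithm


class FingerprintMismatch(Exception):
    """Raised when the downloaded bytes do not match the Link Fingerprint."""


def parse_fingerprint(url):
    """Return (algorithm, hexdigest) for a fingerprinted URL, or None when the
    URL carries no fingerprint. A malformed fingerprint is an error, not a
    reason to silently skip verification."""
    fragment = urlsplit(url).fragment
    m = _FINGERPRINT_RE.match(fragment)
    if not m:
        return None
    alg = m.group("alg")
    hexdigest = m.group("hexdigest").lower()
    if alg not in _ALLOWED_ALGS or len(hexdigest) != _ALLOWED_ALGS[alg]:
        raise FingerprintMismatch("malformed Link Fingerprint: %r" % fragment)
    return alg, hexdigest


def save_verified_download(url, chunks, dest_path):
    """Stream 'chunks' (the response body) to dest_path, but only let the file
    appear there if its digest matches the URL's fingerprint. On mismatch the
    temporary file is deleted and FingerprintMismatch is raised: the user is
    never offered the bytes we know are wrong. Unfingerprinted URLs are saved
    unverified, as a plain download would be."""
    fp = parse_fingerprint(url)
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp_path = tempfile.mkstemp(prefix=".part-", dir=dest_dir)
    hasher = hashlib.new(fp[0]) if fp else None
    try:
        with os.fdopen(fd, "wb") as f:
            for chunk in chunks:
                if hasher is not None:
                    hasher.update(chunk)
                f.write(chunk)
        if hasher is not None and not hmac.compare_digest(hasher.hexdigest(), fp[1]):
            raise FingerprintMismatch(
                "download of %s is corrupt or tampered with; try again" % url)
        os.replace(tmp_path, dest_path)   # only a verified file becomes visible
        return True
    except BaseException:
        # Fail closed: remove the unverified bytes rather than ask about them.
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise


def run_demo():
    """Constructed sample run: one intact download and one tampered one."""
    payload = b"example installer bytes\n"                      # constructed content
    digest = hashlib.sha256(payload).hexdigest()
    url = "https://example.org/app.tar.gz#!sha256!" + digest    # hypothetical URL
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "app.tar.gz")
        saved = save_verified_download(url, [payload[:10], payload[10:]], good)
        with open(good, "rb") as f:
            good_ok = saved and f.read() == payload
        bad = os.path.join(d, "app-bad.tar.gz")
        try:
            save_verified_download(url, [payload + b"X"], bad)   # one byte appended
            rejected = False
        except FingerprintMismatch:
            rejected = True
        leftovers = sorted(os.listdir(d))   # the tampered file must not remain
    return {"good_saved": good_ok, "tampered_rejected": rejected, "files": leftovers}


if __name__ == "__main__":
    print(run_demo())
```

The temporary file is created in the destination directory so that the final `os.replace` is an atomic rename on the same filesystem; a crash between write and verification leaves at most a hidden `.part-*` file, never an unverified file under the name the user asked for.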

Another example is shown by this O’Reilly Radar post, which notes with derision that Windows Vista preserves a distinction between “Sleep” and “Hibernate”. Commenter “Rick” exemplifies the “what’s wrong with choice? Choice is good” view when he says:

OMG, they give users a choice instead of assuming they are all morons…

Sure, there is a lot to be said for simplicity, but leaving the choice up to the user is equally valid.

But commenter RichB points out:

For example, OSX combines these two features into a single sleep feature which also hibernates in case your power dies (battery exhausted) during sleep.

This is clearly, plainly, obviously, the right way to implement the feature. And it amazes me that we’ve taken so long to see it. (Perhaps it’s harder for Vista because it has to work on a much wider range of hardware.) But it also goes to show that you can improve things for a user by reducing choice. With apparently no irony, a Microsoft representative is quoted here as saying:

[R]edundancies and choice are the second most important reason to use Windows (the first being backwards compatibility), and without it, Windows would just be a Mac.

Well, exactly.

Looks like I’m echoing Joel here.

25 thoughts on “Choice Considered Harmful”

  1. Is this really a problem at all? How many users have you heard of who weren’t sure whether to push sleep or hibernate? I’ve never seen a single one. In fact, I think most people just use the power button on their computer, or at most the off button in the Start Menu. The extra options are there for people who are picky. What’s wrong with providing something for both types of users (as long as you’re not confusing users, which I don’t think this is)?

  2. I don’t think the certificate example is that great. For example, during my time working on Mozilla things, Mozilla’s own IRC server cert expired twice. It always took IT some time to fix things. In the meantime, I would have been very upset if my (Mozilla) IRC application didn’t give me the choice to ignore the expired certificate warning, as I would be well aware that the cert is expired, and still belongs to Mozilla (there would usually be a bug on file, on a secure bugzilla with a different (working) cert).

    In other words, sometimes users will know better than the actual program what’s good for them, due to meta-knowledge (i.e., the bugzilla bug stating the cert is indeed expired) the program couldn’t possibly know about, in which case taking away choice is not good.

    In other news, if I were a betting kind of person, I’d bet money on someone making either a (hidden) pref or an extension for it if cert dialog choice ever went away. :-)

  3. DigDug: read Joel’s article, where he references research on choice bringing unhappiness and stress. If a new computer user is faced with this choice, how do they know which is the right one? Why not eliminate that indecision and confusion?

    Gijs: I have no problems with a hidden pref, because anyone who manipulates hidden prefs should know what they are doing. I also think it would be handy to write an extension server admins could use, which warns you if your cert is less than two weeks from expiry.

  4. For link fingerprints, not deleting the file can be useful as well (it’s just launching it that is not useful). If I have some way of repairing that file in a trusted manner, that would be very useful – for example, a large FTP download that also has a matching .torrent (which works by checksumming chunks, so if only a few parts have errors I would still be able to use most of the download).

    Sometimes not all failures are security failures.

    (What happens if I know that I will not use the laptop for a while, followed by using it with no power socket available? Can I force it to hibernate to save that battery power I need later?)

    Having too many choices sucks. Having too few sucks more. Finding the balance is very, very hard. But you knew that better than I do :)

  5. As a mobile user, the thought of not being able to explicitly pick hibernate over sleep, because ‘choice is bad’, is quite frightening, since there’s a fairly good reason why one would want to preserve battery power as much as possible when traveling. This comment is, of course, based on the limited description of the OSX sleep function mentioned here, which sounds simply useless. (FWIW, power management on Windows does coordinate a sleep –> hibernate transition based on the idle time of the system, separate from the Sleep/Hibernate option, which on Vista is in a submenu, and not the rather obvious big yellow (for sleep) or red (shutdown) button, which, if you hover over it, does tell you what it does, despite Joel’s intentional acting-more-stupid-than-needed post. And on XP, hibernate is not exposed by default unless you’re using the 2k/2k3-style dialog or press shift.) (Do both options need to be exposed all the time? Certainly not. A single sleep option, configurable in power management to either sleep, hibernate, or sleep –> hibernate automatically, would work.)

    Not giving the user choice won’t stop them from making a bad one; if you refuse to give them the content they want, they’ll find someone who will, because your product is broken in their eyes.

  6. @wolf – OS X sleep isn’t the same as Windows sleep either. I can leave a laptop in sleep for 7 days before the battery runs out. It’s anything but useless.

  7. Mook said: Sometimes not all failures are security failures.

    Then don’t use Link Fingerprints, use Bittorrent’s built-in hashing, or the eTag HTTP header. Link Fingerprints are for when a failure of the hash is a security problem. You can’t use them for something else then complain they don’t work the way you want. :-)

  8. Using Sleep for long periods causes a drain on the battery, which over time causes the battery to stop retaining charge at all. I agree with the people above who say that forcing me to always use it is downright scary.

    I would consider the option if I had the choice of how long to leave the laptop running on sleep before it hibernated. But I wouldn’t make that more than five minutes and I’d still be uncomfortable with it.

  9. Lack of choice results in lack of adoption. For example, if a browser didn’t let a user visit a website that has a self-signed SSL cert… would a company adopt the browser?

    Considering most organizations use these certs all the time internally… likely not.

    I think the key is to make wording less technical, and make them even more visual.

    Most people don’t even know what SSL is, much less want to make a decision about it. They just want to visit the site.

    We tend to overlook how complicated all the tech really is when we work with it daily. Casual users know nothing about most of these terms. Heck from what I’ve seen most don’t even know what a browser is. The “internet” is defined as either “the blue ‘e'” or “firefox”.

    We need to dumb things down, not restrict.

  10. Gerv, your “clearly, plainly, obviously, the right way to implement the feature” means that if my laptop is unplugged and I know I won’t be using it for a while, it will sleep until its battery runs out and then hibernate. So when I return to it I might not have any battery left.

    But if I’d been able to tell it to hibernate immediately, it would still have had some battery later.

  11. Now taking the discussion off to this blog, alright.

    The Hibernate and Link Fingerprint examples aren’t about the same thing.
    The users might not know the difference between Hibernate/Sleep, which was the point of criticism, but they will clearly know what “Retry download/Ignore error/Delete file” means.
    The hibernate/sleep choice is always there, the Retry/Ignore/Delete choice associated with Link Fingerprints is only displayed if something went wrong.

    A bad choice would be instead something like

    “The download is complete and was successfully verified by Some Technology The Name of Which You Never Heard B4(tm). I’m not going to tell you what this means anyway.
    Want to keep the download?

    [YES], [NO], [FILE_NOT_FOUND]”

    So here is my opinion/my observations and maybe a little general truth, mostly assembled from my newsgroup comments:

    • Link Fingerprints have nothing to do with security. They can be easily forged, as they can be easily generated by just everybody. There is no Identity/Authentication/Authorization associated with Link Fingerprints like there is with certificates or digital signatures.
    • They are solely for noticing “possible” data corruption during transfer.
    • They will help prevent malicious downloads only in the case that a legitimate mirror was compromised but the legitimate download page is still intact. Unofficial mirrors are not protected at all.
      And even then you don’t know if the data was actually trojaned/corrupt or the webmaster simply messed up that link.

    • Preventing users from something they would like to do will just make the user curse your software, especially if it used to work. Like preventing them from downloading files or visiting a website with a self-signed cert which was issued for localhost.
    • Giving a warning and “real” choices will raise awareness as well. Simply failing, leaving no options, will drive the user to use other tools that “work”, and create a bad perception of your product.
    • Messing with the user’s data without confirmation, like deleting downloads when the Link-Fingerprint-based verification fails, will make the user curse your product. There must be some reason that even Antivirus software provides you with choices. Your software (which means you, the developer) is simply not in the position to make such decisions.
    • Even if the hostname of a cert mismatches, this just voids some, but not all, the reasons to use SSL. You still get an encrypted channel, although you cannot verify the identity of the server anymore. If encryption is all you need you’ll still be lucky.

  12. Nils, while I disagree with Gerv’s suggestion for hibernate/sleep, I am in agreement with him on Link Fingerprints. The point is that the user attempted to download a file; if the fingerprint doesn’t match, then they *did not get the file they wanted*. Not “possibly didn’t get it”, definitely didn’t get it.

    Firefox’s reaction to this should be a dialog to the effect of “The file was corrupted or tampered with during download. Try again?”. NOT to offer to give them the file they *did* get, because we *know* it’s the wrong one.

    Perhaps it’s not necessary to actually delete the file, just to leave it in a temporary storage location that only an expert would know to look in. But it’s absolutely wrong to give the user any suggestion that their download succeeded. Because it didn’t.

  13. Choice is not only harmful. It’s a pain in the neck. I don’t want to know this stuff, and I don’t need to.

    My own department server often has an expired or invalid or something certificate. What do I care? I just say it’s OK, and that’s that. Believe me, the site is not getting spoofed. The certificate is about as useful as a fire alarm that always goes off. Come to think of it, all the certificates I see are not only unwanted and unneeded, but there is something wrong with all of them.

    As for sleep, hibernate, or cat-nap, who cares? It doesn’t matter. If a computer with a newly, professionally installed system has trouble waking up from hibernation anyway, what good is it?

    The system (Win XP) is so incredibly complicated, and I am presented with so many irrelevant choices that it’s impossible to get them all right, and I’m a computer veteran. In fact, it’s so complicated that I have no confidence that the OS will honor my choices, do what it promises, or even work correctly. Too many choices is a very bad thing.

    Gerv, I think you’ve got the right idea. Please, just simplify, simplify, simplify. Make it so choice is unnecessary and irrelevant.

  14. By default Vista does use Hybrid sleep (standby + hibernate), so this is a bit unfair to MS (I can’t believe I’m saying that).

  15. We need to dumb things down, not restrict.

    Whoops! No, this is the exact wrong approach. I want the computer to do the Right Thing automatically for me whenever possible without asking. I do not want it to baby-talk to me when this is not possible; I want a UI engineer to redesign the system so OS+1 doesn’t need to ask me.

    Have a look around OS X’s more cryptic pref panels some time; in a large number of cases, prefs which no normal person would go near are worded in non-technical language which makes it a royal pain for experienced users to manipulate them. I’d rather that dialogues weren’t prematurely simplified where rethinking the whole UI would be a better idea.

    – Chris

  16. I agree that the choices of reboot, suspend, hibernate and switch off are confusing to users, but at the same time I really hate the idea of merging suspend and hibernate.
    I do use the two differently, I don’t always just suspend and wait for the machine to run out of power and hibernate itself – hibernate is a valid feature in its own right (e.g. if I’m putting my laptop away and know I won’t use it for a few hours, or have to take it through security scanners, I hibernate it).

    Just because we haven’t yet found an appropriate way to display/describe these choices doesn’t mean we should just throw the choices away.

  17. Nils: I think it’s utterly clear from your post that you and I have completely different ideas of what Link Fingerprints are for. I invented them to be a cheap, quick and UI-less way of raising the bar on securing downloads. You can react to that in two ways – saying either A) “That’s a fine idea”, or B) “That won’t help secure downloads; we shouldn’t do it”.

    However, what you can’t say is: “It’s not for securing downloads, it’s for data corruption detection, and therefore it should work in an entirely different way”. That is just invalid. And what you want it to do reinvents the wheel anyway. If you want data corruption detection, use HTTP eTag headers or Bittorrent.

    WBob: the criticism is of the UI, not the underlying capabilities. In fact, if Vista does do this, then there’s even less justification for all those options.

    Several people seem to think that a combined suspend/hibernate waits for the power to run down completely before hibernating. There’s no reason it should, and I don’t think Apple’s implementation does.

  18. “as if taking decisions for users is somehow always a bad thing”

    It may not always be a bad thing, but lots of people seem to agree that it’s sometimes a bad thing. I guess, in general, giving the user a choice is a bad thing if it’s not a choice they want and/or not a choice they understand. On the other hand, failing to offer a choice and making the wrong decision on behalf of the user is also bad.

    Taking the power thing as an example, the user might want to choose a different power state according to whether they know how long it’s going to be before they come back.

    So, you can either:

    1. Give the user a choice of “stand by, then hibernate after X time”, “stand by then hibernate when the power runs out” (Windows XP and Vista can both do these things, by the way), “hibernate” or “shut down”, and then have some help page somewhere that explains (which probably nobody will read).

    2. Dumb it down: label the options as “save power, I’ll be back within half an hour”, “save power, I’ll be back after a long time”, “save power, I have no clue when I might come back” or “end the session and turn the power off” (obviously the wording could be better, but something plain English).

    3. Take away the choice and assume the most likely option “save power, I don’t know when I’ll be back”.

    I don’t know how many people there are in that second group who care about the choice but would like to read some plain English to understand it. However, there are certainly people in the first group and the third group. There are probably more people in the 3rd group than in the 1st group, so maybe we should have 95% of people using Mac OS and 5% on Windows rather than the other way around, but…

  19. “Several people seem to think that a combined suspend/hibernate waits for the power to run down completely before hibernating. There’s no reason it should, and I don’t think Apple’s implementation does.”

    So how long does it wait then? If it waits an hour in stand by before hibernating, then it’s running the battery down much more than people might like. On the other hand, if it only waits 10 minutes, then people who often reopen their laptop after 15 minutes might find they always have to wait for it to load stuff from disk.

    Whatever it does, there’s going to be a load of people out there that it’s making the wrong decision for, and some of them who could do a much better job than OS X of making the decision, and get more stuff done between charging the battery.

  20. The hibernate/sleep/off choice is easy for me – I can’t even find the option to enable sleep support and hibernate hangs my PC and corrupts half of /bin/ :)

  21. ARGH! Windows Vista’s “hybrid sleep” is one of the most infuriating things I’ve found in it. There are PLENTY of reasons for wanting to be able to hibernate explicitly. I’ll give you two:

    1. I have a questionably reliable power company. If I’m working on something and want to be able to come back to it, I HAVE to be able to tell the machine to hibernate. If I can’t, chances are when I come back, it’ll have been “force restarted” because of a power dip.

    2. Even when I set a machine to “sleep”, the fans are LOUD. The only way I can effectively (Without ruining my system) quiet them is via hibernation.

    As for the Microsoft representative, I don’t know about the Windows/Mac comparison, but I definitely agree on both and can see that I find both of those features very important in my use of their operating system.

  22. @Gerv

    Sure, but in the real world sometimes users really do need to log off, or power-down or restart, that’s not a choice software can make on its own. Having the Sleep button be the only visible UI with a dropdown arrow to select those other options seems to be a perfectly reasonable compromise given that.


    You may want to check the BIOS options on your machine, the fans shouldn’t be running during sleep (only the RAM is supposed to be powered).

  23. Michael: I don’t know how long it waits. But, presuming that the hardware is well designed (and Apple controls that too), the power drain when suspended should be small enough that they can set the timeout to an hour or more without it being a problem.

    But let’s look at the other option. If it gives you a choice, how often will you pick the wrong one? You think you are coming back in 15 minutes, so suspend rather than hibernate, but get called away and return the next day. Flat battery? You hibernate to leave the office, but then realise you need the address of the restaurant – so you pay the extra time penalty.

    The combined suspend/hibernate mechanism helps you in both these cases – because you get power saving in the former, and a quick resume in the latter.

    WBob said: Sure, but in the real world sometimes users really do need to log off, or power-down or restart, that’s not a choice software can make on its own.

    Of course they do. The Joel article explains how all of this can be achieved with just one option.

  24. @Gerv

    That Joel article makes a very good case, I stand corrected, I hope an open-source OS will try implementing it (if one hasn’t already done so).

  25. WBob: Tried, but to no avail. It either stays running with the fans on or completely dies with Windows recording it as a “disruptive shutdown” when I changed the BIOS power options.