
Hawaii missile false alarm due to badly designed user interface, reports say - robin_reala
https://www.theguardian.com/technology/2018/jan/15/hawaii-missile-false-alarm-design-user-interface
======
rovek
This will be an incredibly useful, accessible case study the next time I need
to push back on "can we add a confirmation popup?" with corporate bods.

~~~
atoko
The answer here is to make the action easily reversible if possible.

~~~
lemoncucumber
Brings to mind this old but good article from A List Apart:
[https://alistapart.com/article/neveruseawarning](https://alistapart.com/article/neveruseawarning)

(Not to suggest that could or should be the solution in this particular case —
obviously undo doesn’t seem like the right fit once the alert has gone out).

------
oftenwrong
> On Saturday, sending that second “false alarm” alert required extraordinary
> permission, delaying it for 38 minutes.

It was easy to unintentionally send a false alarm, but difficult to
intentionally send a correction. Not a great system...

------
gooseus
> “Even though the menu option still required confirmation that the user
> really wanted to send an alert, that wasn’t enough, on this occasion, to
> prevent the worker from robotically clicking onwards.”

> “It was too easy — for anyone — to make such a big mistake,” Rapoza told the
> Post.

Is the "ballistic missile alert technician" role filled by freaking interns or
something? HEMA is a part of the DoD, so is this not a military role of some
sort where discipline is impressed upon people?

> HEMA has also added a requirement for a second person to confirm the message
> to be sent, hopefully preventing the first from simply clicking through
> mistakenly.

But don't worry, we'll just double the humans required (and likely, the cost)
since you can't actually trust one human to read confirmation boxes when
they're dealing with a first-line defense system that impacts millions of
people.

~~~
carlmr
Why don't we just redesign the system with good UX? I want to send a copy of
"The Design of Everyday Things" to the Hawaiian government now.

~~~
gooseus
Certainly UX can always be improved, but doing so without proper training and
making the operator ultimately responsible for their actions is just
ridiculous.

Sure the buttons could have been named something different, but with a
confirmation box, this UX passes what should be considered reasonable to
prevent a literate and aware individual (the only type that should be approved
for this position) from making a mistake like this.

I'm really astonished at the need to defend my position on this... it's almost
like everyone replying here is thinking that they, too, would treat a
legitimate missile defense drill (in the era of saber-rattling between Trump
and Kim) the same way they treat installing a software EULA or an update to
their FB ToS.

~~~
pheldagryph
You're staking out some pretty tough ground, there. Human error can be
unconscious or reflexive, and that type of UI element is sometimes barely a
speedbump, cognitively.

Occasionally I reflexively click through a confirmation dialogue box and
regret it. I feel like I've been trained by the software industry for decades
to bludgeon my way through these confirmations, many of which are unnecessary
to begin with. I basically have muscle memory for it, the skids are greased
for clicking through. I know I'm not the only one.

So, I could see myself making this type of slip. It's really hard to know the
balance between human and system error for this incident, but to me it looks
like the system naively assumes a perfect human. Even if the incident turns
out to have been an intentionally malicious act, the problem with the system
would still remain.

~~~
carlmr
Agreed, click-through should be nigh impossible. You need to do something that
deviates so much from the normal routine that you don't accidentally do it.

One way to do this is to let the operator do a simple task that can't be
clicked through.

------
CodeWriter23
Sorry, I’m not buying it. It takes supervisor approval to void a duplicate
scan of a $3 item at Trader Joe’s. No way in hell does an emergency alert
system allow just anyone sitting at the computer to send one just because they
want to.

~~~
skellera
In the event of an emergency, do you really want it to come down to asking a
supervisor?

It’s literally a worst-case scenario and you can’t expect multiple people to
be there. The off chance that trying to get supervisor approval takes 10+
mins means that no one gets notified in time.

I got the message. I’m mad it was sent out but it’s better they learn these
problems now rather than during an emergency. I don’t think having another
person approve it would be a better situation. Just make the interface more
clear or even add a buffer of 5 seconds to cancel the alert before it even
gets sent.
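
------
Added example, not a post from the thread: the two safeguards suggested above, a confirmation that cannot be clicked through and a 5-second cancel buffer before sending, combined in Python. The names `AlertGate` and `PendingAlert`, the challenge-phrase format and the `clock`/`send` callables are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

CANCEL_WINDOW_S = 5.0  # the "buffer of 5 seconds" suggested in the thread


@dataclass
class PendingAlert:
    kind: str                       # "DRILL" or "LIVE"
    challenge: str                  # phrase the operator must retype exactly
    state: str = "AWAITING_CONFIRMATION"
    confirmed_at: Optional[float] = None


class AlertGate:
    """Hypothetical send gate: typed challenge first, then a cancellable hold."""

    def __init__(self, clock: Callable[[], float], send: Callable[[str], None]):
        self._clock = clock  # injected so the hold period can be tested
        self._send = send    # stand-in for the real dispatch call

    def request(self, kind: str) -> PendingAlert:
        # The phrase names the alert kind and carries a fresh random code,
        # so neither a reflex click nor a memorised string can satisfy it.
        code = f"{secrets.randbelow(10000):04d}"
        return PendingAlert(kind, f"SEND {kind} ALERT {code}")

    def confirm(self, alert: PendingAlert, typed: str) -> bool:
        if alert.state != "AWAITING_CONFIRMATION":
            return False
        if typed.strip() != alert.challenge:
            return False  # wrong kind or wrong code: nothing is queued
        alert.state, alert.confirmed_at = "HELD", self._clock()
        return True

    def cancel(self, alert: PendingAlert) -> bool:
        # Only possible while the alert is still held, i.e. before dispatch.
        if alert.state != "HELD":
            return False
        alert.state = "CANCELLED"
        return True

    def tick(self, alert: PendingAlert) -> bool:
        # Called periodically; dispatches once the cancel window has elapsed.
        if alert.state != "HELD":
            return False
        if self._clock() - alert.confirmed_at < CANCEL_WINDOW_S:
            return False
        alert.state = "SENT"
        self._send(alert.kind)
        return True
```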

