What measures do you employ to secure your forms? Are you aware of any
vulnerable forms on your website?
What, if any, measures do you take to prevent spam?
What problems with CAPTCHA are you aware of?
Accessibility, Usability, Design
What annoys you most about bad forms? What makes a form easy to use?
What are the legal issues we need to be aware of when developing forms?
‘The Process’
What political / institutional issues prevent a smooth development process?
What, if any, workflows do you have in place to manage form development?
Security problems
It’s EASY to make an insecure form, & there are LOTS of vulnerabilities out there. Reproduced with permission of WASC, http://www.webappsec.org/projects/statistics/
Security strategies
Scan your existing forms. Test forms for vulnerabilities while in development. Employ a reusable library or framework of server-side code. Build security into your development lifecycle.
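One shape such a reusable server-side library can take, as an added example that is not from the original slides: a declarative, allow-list validator that rejects unexpected fields, over-long values and out-of-range choices, plus an escaping helper for echoing values back into HTML. The form name, field names and rules are constructed for illustration.

```python
# Added example, not part of the original presentation: a small reusable
# server-side validator for a web form. Field names and rules below are
# constructed for illustration (a hypothetical "prospectus request" form).
import html
import re

# Declarative schema: every field the form may submit, with its rules.
# Anything not listed is rejected, so unexpected parameters never reach
# application code.
PROSPECTUS_FORM = {
    "name":   {"required": True,  "max_len": 100, "pattern": re.compile(r"^[^\r\n<>]+$")},
    "email":  {"required": True,  "max_len": 254, "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")},
    "course": {"required": False, "max_len": 60,  "choices": {"law", "business", "computing"}},
    "opt_in": {"required": False, "choices": {"yes", "no"}},
}

def validate_form(schema, submitted):
    """Return (clean_values, errors). Validation is allow-list based: unknown
    fields, over-long values, bad formats and unlisted choices are all reported
    rather than silently passed through to the application."""
    clean, errors = {}, {}
    for name in submitted:
        if name not in schema:
            errors[name] = "unexpected field"
    for name, rule in schema.items():
        value = submitted.get(name)
        if value is None or value == "":
            if rule.get("required"):
                errors[name] = "required"
            continue
        if not isinstance(value, str):
            errors[name] = "must be a string"
            continue
        value = value.strip()
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors[name] = "too long"
        elif "choices" in rule and value not in rule["choices"]:
            errors[name] = "not an allowed value"
        elif "pattern" in rule and not rule["pattern"].match(value):
            errors[name] = "invalid format"
        else:
            clean[name] = value
    return clean, errors

def render_value(value):
    """Escape a submitted value before echoing it into HTML (for example when
    redisplaying the form with error messages), so input never becomes markup."""
    return html.escape(value, quote=True)
```

Only the values in `clean` should be used by the application; anything with an entry in `errors` is redisplayed to the user through `render_value`.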
Spam: the CAPTCHA conundrum
Most people use CAPTCHA to prevent spam. BUT... CAPTCHA is notoriously inaccessible. CAPTCHA can be circumvented. CAPTCHA has been discredited. “Just like DRM, CAPTCHA systems ultimately fail to protect against the original threat, while simultaneously inconveniencing ordinary users.” (‘Beyond CAPTCHA: No Bots Allowed!’, http://www.sitepoint.com/article/captcha-problems-alternatives, viewed 04/07/08)
Accessibility, Usability, Design problems
Forms are often long, confusing, badly designed AND painful to complete. There are LOTS of design questions to tackle. How should I chunk up my form? What are the right field types to use? Where do I place my input field labels? Should I provide field hints? Where do I place primary & secondary actions? Where do I place error messages?
Accessibility, Usability, Design strategies
You Must Buy This Book. Web Form Design: Filling in the Blanks, Luke Wroblewski; Rosenfeld Media, 2008.
Accessibility, Usability, Design strategies
Forms should be: Clear: Is the purpose of the form obvious? Are the labels helpful? Are error messages clear? Is the layout good? etc. Concise: ‘Do we really need to ask this question?’ Clever: Help direct users around the form; skip irrelevant questions. Contextual: Tell users why certain questions are asked, especially when you’re asking for personal data. http://formulate.com.au/articles/what-makes-a-good-form/, visited 15/07/08
Accessibility, Usability, Design strategies
Be nice! Use natural language. Try to organise your form as a conversation rather than an interrogation. Design from the ‘outside in’, not ‘inside out’. Forms shouldn’t be a simple mirror of the fields in our database records; we need to look at our forms from the perspective of our users. Don’t construct unnecessary barriers. If a student wants a prospectus, why make her register? http://www.flickr.com/photos/martigras/2383422487/
Accessibility, Usability, Design strategies
Visual Clarity: Visual path to completion. Make your forms easily scannable. Fieldsets are your friend. Organising your forms into logical groups aids scanning & completion. Communicate error & success messages clearly. Hide irrelevant form controls. Figure 3.4 from Web Form Design: Filling in the Blanks by Luke Wroblewski; Rosenfeld Media, 2008. http://www.rosenfeldmedia.com/books/webforms/
Data Protection Act 1998 governs the protection of personal data.
Privacy and Electronic Communications Regulations: unsolicited marketing material by electronic mail (includes email, text and messaging) should only be sent if the individual has consented to receive them.
Legal strategies
Transparency is key. Tell your users what your policies are & what you plan to do with their data. Provide them with the chance to opt-in/out of mailings where relevant. Control. Control how your form data is stored, accessed and used. Don’t store data for longer than required. Draw up standard notices: “Personal data in this form may be used only in accordance with City University’s notification under the Data Protection Act 1998 and in compliance with the Freedom of Information Act 2000. Further details in relation to the use of personal data can be found on the University’s web site www.city.ac.uk/dataprotection. Any queries concerning Data Protection and Freedom of Information should be addressed to the Head of Information Compliance and Policy.” Get advice.
The Process: problems
Agreeing on the contents of a form can be difficult. Everyone wants a say (marketing, technical, legal, departmental, etc). “What’s this form for?” It can be hard to establish what the organisational goals of the form are. Why is this form needed? What information do we need? http://www.flickr.com/photos/colbycosh/2266583598
Useful links
http://phpsecurity.org/ch02.pdf - Essential PHP Security, Chapter 2 – Forms and URLs
http://formulate.com.au/ - Formulate Information Design. Useful articles about form design.
http://www.sitepoint.com/article/captcha-problems-alternatives - Excellent summary of the CAPTCHA debate.
http://www.lukew.com/ff/index.asp - Luke Wroblewski’s form & general usability site.