Misuse & Abuse Cases

Most who have worked in an Agile team will be familiar with user stories and use cases. “As a millenial in their 30s, I want access to 90s cartoons, so I can bask in nostalgia”. Many teams go further and identify ways a system can be misused or “hacked”, and worked to prevent those to make the system secure. But not enough get past misuse cases, and work to keep people safe.

In this post - by way of examples - I want to talk about “abuse cases”, as distinct from misuse cases. In short: misuse cases are how users might unintentionally or intentionally misuse the features of your product. Abuse cases are how humans might abuse other humans with your product. The features are technically working as intended, but are facilitating abuse.

Product teams should consider all three types of use cases when architecting systems, to enable good use cases, and to design ways to prevent, detect, or respond to misuse or abuse. How, you might ask?

Include diverse voices in your team and stakeholders, and listen to their lived experiences

The more diverse the voices on your team, the better placed you are to recall or imagine misuse or abuse cases. Also realise that many people won’t feel safe to talk about this topic, and you need to be sensitive to that.

The misuse and abuse cases below contain references to the real-life stories, where applicable. I am not the first nor the best person to write about this, so please seek out other voices if this post resonates with you.

Misuse Cases

Here are some example unintentional misuse cases:

As a confused officer, I send a false alarm nuclear alert warning to the entire population of Hawai’i¹
- Prevent: UI & UX improvements, better confirmation message, better test practices
- Respond: ability to send “oops my bad” after false alarm
As a user, I unintentionally send confidential content to a public chat channel, when I wanted to send it via private message
- Prevent / Detect: automatic rules to detect potentially confidential information (credit cards, passwords)
- Respond: a way to delete messages
As a police department, I want to use the racially-biased facial recognition API to identify potential criminals²
- Prevent: preclude police from using facial recognition, build unbaised training sets, discontinue the product and consider your life choices

Here are some intentional misuse cases:

As a hacker, I intentionally try different usernames and passwords on the login page to access people’s accounts³
- Prevent: rate limiting on the login page, enforcing good passwords, providing users with multi-factor authentication
- Detect: detect unusual login locations or devices
- Respond: email users when their account is accessed from a new location/device, prepare for security incidents
As a cheapskate, I intentionally look for bugs to give me free stuff
- Prevent: write comprehensive software tests, start doing code reviews to prevent bugs, get independent security testing done
- Detect: automate account balancing to identify discrepancies

These stories might be more familiar to us, especially in a security context. We want to prevent our applications from being misused.

Let’s take a look at abuse cases then, where the functionality of the application itself is not strinctly being “misused”; it’s being used to abuse.

Abuse Cases

Here are some abuse cases (all intentional):

As an abusive banking customer, I intentionally send multiple $0.01 payments with nasty “transaction details” to my ex, to exert power⁴
- Detect: make support teams aware of this scenario ahead of a victim’s call coming through
- Respond: give users the capability to report or block transactions, create a policy to suspend abusive users
As an abusive person, I monitor and control my home when I’m not there to intimidate my partner⁵
- Prevent: work with domestic violence advocates to design devices such that abused people can take control and/or feel safe at home
- Detect: provide means for people to report domestic violence covertly
As a (mean/normal) teenager, I send nasty direct messages to a person from school I don’t like⁶
- Detect / Prevent: add a confirmation message when messages look mean
- Respond: allow users to report abusive content

And these examples aren’t even getting into mis- or dis-information, or other types of abuse!

Closing thoughts

When you next write a user story, think to yourself “what are we doing to make our system safe for the people using it?”

Remember - this topic brings up real pain felt by people. You can try to start this conversation with your team, but be sensitive. Don’t single out team members who might be “more likely” to have answers. Don’t force people to talk about it if they don’t want to.

A huge caveat: I am just me, and I have only a few examples. I have led a privileged and pretty much abuse-less life! I have written this post because I have worked with too many development teams where this conversation is not being had.

Start higher level with “Embracing Evil with Evil User Stories” by @jeremyjarrell
Or dive deeper into “Misuse Cases: Use Cases with Hostile Intent” by Ian Alexander
Or a paper from Auckland University with a different more formal take on the difference: “Misuse Cases and Abuse Cases in Eliciting Security Requirements”

Books

“Automating Inequality” by Virginia Eubanks
“Shouting Ones and Zeros - Digital Technology, Ethics and Policy in New Zealand” by many authors, edited by Andrew Chen

References

Depending on who you believe it was a UI problem (in small part) or the officer believed it was real due to a poorly worded test-message (2018) ↩
Debatable whether this counts as “unintentional misuse” or willfully ignorant, but: Multiple US police departments were using AWS Rekognition until AWS said no (2020) ↩
OWASP Cheatsheet on Authentication - Protect Against Automated Attacks ↩
Commonwealth Bank reveals bullies and domestic violence perpetrators use banking app for abuse by 7news (2020) ↩
“Thermostats, Locks and Lights: Digital Tools of Domestic Abuse” by NY Times (2018) ↩
Netsafe NZ’s “What is online bullying?” ↩

5 November 2020

Nick Malcolm