Most who have worked in an Agile team will be familiar with user stories and use cases. “As a millenial in their 30s, I want access to 90s cartoons, so I can bask in nostalgia”. Many teams go further and identify ways a system can be misused or “hacked”, and worked to prevent those to make the system secure. But not enough get past misuse cases, and work to keep people safe.
In this post - by way of examples - I want to talk about “abuse cases”, as distinct from misuse cases. In short: misuse cases are how users might unintentionally or intentionally misuse the features of your product. Abuse cases are how humans might abuse other humans with your product. The features are technically working as intended, but are facilitating abuse.
Product teams should consider all three types of use cases when architecting systems, to enable good use cases, and to design ways to prevent, detect, or respond to misuse or abuse. How, you might ask?
The more diverse the voices on your team, the better placed you are to recall or imagine misuse or abuse cases. Also realise that many people won’t feel safe to talk about this topic, and you need to be sensitive to that.
The misuse and abuse cases below contain references to the real-life stories, where applicable. I am not the first nor the best person to write about this, so please seek out other voices if this post resonates with you.
Here are some example unintentional misuse cases:
Here are some intentional misuse cases:
These stories might be more familiar to us, especially in a security context. We want to prevent our applications from being misused.
Let’s take a look at abuse cases then, where the functionality of the application itself is not strinctly being “misused”; it’s being used to abuse.
Here are some abuse cases (all intentional):
And these examples aren’t even getting into mis- or dis-information, or other types of abuse!
When you next write a user story, think to yourself “what are we doing to make our system safe for the people using it?”
Remember - this topic brings up real pain felt by people. You can try to start this conversation with your team, but be sensitive. Don’t single out team members who might be “more likely” to have answers. Don’t force people to talk about it if they don’t want to.
A huge caveat: I am just me, and I have only a few examples. I have led a privileged and pretty much abuse-less life! I have written this post because I have worked with too many development teams where this conversation is not being had.
Depending on who you believe it was a UI problem (in small part) or the officer believed it was real due to a poorly worded test-message (2018) ↩
Debatable whether this counts as “unintentional misuse” or willfully ignorant, but: Multiple US police departments were using AWS Rekognition until AWS said no (2020) ↩
“Thermostats, Locks and Lights: Digital Tools of Domestic Abuse” by NY Times (2018) ↩