Google’s bad UX can even cause seasoned professionals to make novice mistakes

Today I did something that, when I realized what I had done, I metaphorically kicked myself over. It was so stupid. It reminded me of something I did at one of my earliest professional jobs… over 20 years ago.

I’ve been using email for nearly 30 years, and I’ve been a professional web developer for 25 of them. I know the difference between CC and BCC.

But today, when I was sending a mass email to a number of my clients, I made a critical mistake. I always handle these emails in the same way: I set the To field to a generic, non-existent email address on my own domain, and I put all of my clients’ email addresses — the real recipients — in the BCC field. That way, they all receive the email and, critically, they can’t see who else I sent it to.

Unfortunately, that’s not what happened today. Instead I unwittingly put all of their email addresses in the CC field. Sure, they still all received the email. But now they can also see who else received it, and, much worse, they can potentially hit Reply All and send their response to the entire list of recipients.

That’s not only embarrassing, but given the nature of the message, it could cause them to potentially blast some of my personal financial information out to a huge swath of my other clients.


I felt like a fool, and I nearly sent a second message (being sure to use BCC this time!) explaining my error… but then I realized that would just make me look like an even bigger fool, and the best thing to do was nothing, and just hope it goes away quietly. (So, of course, I’m writing a blog post about it.)

But the more I thought about it, the more I realized that the real culprit is Google’s bad UX design. For years I’ve been railing against Google’s “Material Design” or whatever they’re calling what they do these days. It’s too vague and unintuitive. Too much is hidden.

Good design should be obvious. Users should be able to see at a glance what they’re able to do with a piece of software. Of course in the early 2000s, Microsoft took that concept to an absurd extreme with the “Ribbon” in Office: a giant mosaic of every imaginable feature of the program, thrown together in a jumble of icons and text that would overwhelm anyone. Thankfully that approach has fallen by the wayside, but in its place is something arguably even worse: the illusion of simplicity, created by hiding so many features away that users probably don’t even know they exist, and then compounding the problem by stripping down the visual elements of the interface to such an extreme that it’s difficult to even know what’s clickable.

Such is the case with Gmail, something that should have a pretty simple interface, even with all features exposed.

I learned email back in college in the ’90s, using Eudora. Oh how I loved that program. Every mail client that has come since has been a downgrade, in my opinion. These days, practically speaking, my options are to use Apple’s Mail app, or Gmail’s web interface. For better or worse, I use Gmail. But in light of today’s debacle, I decided to do a comparison.

Since the days of Eudora, mail programs always had separate and distinct To, CC, and BCC fields, each on their own line. It made it very difficult to accidentally use the wrong field, and easy to tell if you were making a mistake. Apple Mail still does something very similar… with the modification that the BCC field is off by default, and you have to go to a menu to show it. Then it appears on its own line. All of which reinforces the deliberate choice of using BCC when you want it. All in all, it’s remarkably similar to what I remember from Eudora, but a bit cleaner.

In comparison, Gmail hides both of those fields by default, and the way to get one of them is to click the light gray text for the one you want, on the right side of the same line as the To field, right next to each other.

Oops! My cursor was a few pixels too far to the left — and since there’s no visible button, it’s not clear where exactly the clickable areas end — so I accidentally clicked CC without noticing.

And then, once you do click one of them, it appears on a new line, but again, if you’re moving quickly, as I regrettably was today, it’s far too easy not to notice the mistake. Since neither CC nor BCC appears unless you’ve clicked it, you have to specifically look at the label on the left side of the line to know which one is on. That’s not possible in Mac Mail (or Eudora), where CC is always there, so BCC, if you’re using it, is always two lines below To.

The only way I realized what I had done today was when one of the clients replied to the email — thankfully he did not “reply all” — and I saw the “CC” dump of email addresses in my original email quoted at the bottom of his reply. Eek!

This is the current state of supposed “best practices” in UX design… flaws in things so basic, things that were already solved a generation ago, that someone who does this for a living makes novice mistakes.
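An added example, not code from the original post: the sending pattern described at the start of this post (a placeholder To address, real recipients hidden from each other) built in a script, with a pre-send check that refuses any message whose To/Cc headers expose a client address. The addresses, the function names and the `max_visible` limit are assumptions made for illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data; not real addresses.
CLIENTS = ["alice@example.org", "Bob@example.net", "alice@example.org"]

def build_mass_mail(sender, placeholder_to, recipients, subject, body):
    """Return (message, envelope_recipients).

    The real recipients go only on the SMTP envelope, never into a header,
    so nothing in the delivered message reveals who else received it.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = placeholder_to          # generic address on the sender's domain
    msg["Subject"] = subject
    msg.set_content(body)
    envelope = list(dict.fromkeys(recipients))  # de-duplicate, keep order
    return msg, envelope

def visible_recipients(msg):
    """Addresses every recipient can read in the To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}

def check_before_send(msg, private_recipients, max_visible=1):
    """Raise ValueError if sending would disclose the private list."""
    visible = visible_recipients(msg)
    leaked = visible & {a.lower() for a in private_recipients}
    if leaked:
        raise ValueError(f"private addresses in To/Cc: {sorted(leaked)}")
    if len(visible) > max_visible:
        raise ValueError(f"{len(visible)} visible recipients, limit {max_visible}")
    return True

if __name__ == "__main__":
    msg, envelope = build_mass_mail(
        "me@example.com", "clients@example.com", CLIENTS,
        "Schedule update", "Hello, here is the update.")
    check_before_send(msg, CLIENTS)
    print("headers show:", visible_recipients(msg))
    print("delivered to:", envelope)
    # To send for real, the envelope list is passed separately from the headers:
    # smtplib.SMTP("localhost").send_message(msg, to_addrs=envelope)
```

Because the check runs on the finished message, it catches the CC-instead-of-BCC slip regardless of which mail client or form produced the headers.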

Addendum, January 17, 2022: It gets worse. Over the past few days I have been working with some agency partners on a proposal for an RFP. There have been two glaring problems that have occurred as a direct result of Gmail’s interface quirks. First, I was waiting over the weekend for my partners to email me a link to their draft document. Late Friday, one of them emailed me a one-sentence message saying they’d send over the proposal on Saturday. I didn’t bother opening the email to read it, because I could read the entire thing in the preview. (This was in the Gmail app on my iPhone.) I waited Saturday and Sunday for another email from them, but I got none! Except, I did. But because Gmail only shows the first unread message in a thread, with no indication that there are more unread messages in the thread, I had no idea that they actually had sent another email until this morning, when I took the time to open the email on my desktop.

Then, to make matters worse, I was just preparing a new email to send them, with my latest draft, and as I entered their email addresses in the “To” field, Gmail suggested the RFP client as another recipient. No no no no no. It would have been far too easy, if I were in just slightly more of a hurry, for me to have accidentally clicked the client’s name, and sent them my draft of the proposal and the associated internal comments. Yikes. This wouldn’t be the first time its suggestions have led me astray… I’ve accidentally sent emails intended for the drummer in my band to a client, because they have the same first name and as soon as I started typing it, Gmail decided for me which person I was emailing and autocompleted the address.

Please think twice before leaving a flippant negative review

Last week I launched a new WordPress plugin, No Nonsense, and much to my surprise, it started to pick up steam after just a couple of days. It turns out, it got featured with a nice review on WP Tavern, and people took notice.

Unfortunately, almost immediately, it got a couple of really negative reviews, both of which were clearly dashed off with very little thought, or apparently even the slightest bit of effort on the part of the reviewers to try to determine the cause of their issues before leaving a negative review — rather than submitting a support ticket, which would be the correct channel for addressing a problem… if they actually wanted to solve it.

I take pride in the quality of my work, and I try hard to make sure it performs flawlessly. I respond quickly to any issues — even for a free plugin like this — because I want to make things right. So it is really painful to have the product of my efforts permanently stained with a negative review by someone who can’t be bothered to take the time to write a single cohesive sentence detailing the issues they had with it.

I understand the temptation to rip on something you think is garbage, and I’ve left a few one-star plugin reviews myself. But I feel it’s important to at least explain in detailed and objective terms why I think something is bad. And maybe if it’s clearly something brand new, I’d wait a while to see if the creators take the time to work out the kinks first.

So, no matter what you do, no matter where you are, if you are in a position to criticize someone else’s work, I implore you to take a second and think about the impact you might be having on that person and on what they’re trying to accomplish, and whether or not your criticism is truly valid and warranted. Perhaps it is not, in which case, I would respectfully suggest you stay quiet. But maybe it is. In that case, think about whether a terse and flippant negative review is really the best way you can contribute to improving the situation, or if there’s a more effective, more constructive way to share your input.

Two-factor authentication is not the solution to the inherent flaws of password-based security

Uh, I really don’t have much more to say than that.

OK, maybe a bit. As a web developer working in client services, at least once a week I am confronted with the situation of having to log into a client’s account for something… MailChimp, GoDaddy, etc.

Many of these services have switched to 2FA-by-default, which I agree is more secure than plain old passwords (which I bet some of them still store in their databases as clear text). But 2FA is a pain in the ass. Especially when you’re in my position, and the phone number or email address that receives the one-time authorization code belongs to the client, not me.

Any time I need to log in, it requires coordination with the client to be sure they’re available to pass along the code to me. Which is just stupid.

Fortunately a lot of these companies have realized how common this kind of situation is, and how it’s a valid scenario, and they’ve worked around the limitation by creating “teams,” so clients can add me to their account as my own separate user, with my own login credentials, and my own 2FA.

But it’s still a pain in the ass. And not every service offers it. For example, MailChimp used to allow up to 3 users, I believe, on their free accounts, but now it’s just one. Of course, of course. Just pay for the service, right? Well sure, but service providers with a free tier imposing such a ridiculous limitation on that free tier as a way to upsell the paid tiers is kind of self-defeating. “Hi, we’re creating a crappy experience for you, and that’s the only experience you’ve known with us. But if you start paying us, we’ll make it not-crappy. We promise!” OK.

But it’s not really MailChimp’s fault. It’s that 2FA sucks. It’s more secure than plain ol’ passwords, but it’s even less convenient.

And while I’m ranting futilely, why do we even need security at all? Because people suck, period.

While I was writing this, I was waiting for a client to send me a 2FA for MailChimp. I’m in! And fortunately, this particular client is on the paid tier, so I was able to add myself as a user. A process which involved… wait for it… a CAPTCHA! (Time for another rant.)

New WordPress plugin: Remove Broken Images

If you have a WordPress blog dating back many, many years, and you’ve just completed a massive cleanup of images from your Media Library, or if you just have any other reason why there might be a bunch of <img> tags in your blog posts that no longer go anywhere, you may be wondering if there’s an easy way to just, you know, have those annoying broken image icons not show up all over your pages.

Now there’s a way!

OK, actually there already were a few different ways, via free plugins, but as is so often the case with a lot of these types of small, single-purpose plugins, I find they’re almost always either really clumsily written, overloaded with unnecessary features, or both.

So I wrote my own.

This plugin couldn’t be simpler. It assumes that you just don’t want to display broken images — whether that’s the ugly little “missing image” icon some browsers display, the large outlined box containing an ugly little icon and the missing image’s “alt” text, or just a big blank white space. It doesn’t have an option for showing a different, placeholder image. Because, let’s be honest, that doesn’t look good… especially if you have more than a few of these to deal with. Having the same placeholder appear all over your site looks as bad as having broken image icons everywhere.

The plugin relies on the JavaScript error event, and uses some very compact jQuery code to remove any <img> tags that trigger the error, and their containing link and caption element, if present.

The end result is a clean looking blog with no indications whatsoever that anything is missing. Unless the text of your blog post describes the image in excruciating detail. In that case… you’ll just have to wait for version 2.

You can download Remove Broken Images right now from the WordPress Plugin Directory.

Just another Halloween…

So last night a kid who honestly was probably too old to be trick-or-treating said, “thank you SO much” very sarcastically when I dropped one small piece of candy into his pillowcase and it stuck very conspicuously near the top, so it was obvious how little I gave him.

I immediately had negative thoughts about his reaction, but I had nothing to say because honestly, he was right. It was pretty stingy. But the problem was, we only bought one bag of candy this year, not knowing how many kids to expect, and it turned out to be a busier-than-usual year. (Most years we buy 2-3 bags and have 2+ bags’ worth left over at the end of the night.)

I started the night giving each kid 2 pieces, but I quickly realized that at that rate I was going to run out before 7 PM, so it was time to dial it back.

So yeah, I guess I deserved to get called out by a snotty 13-year-old for my less-than-copious candy offerings. Some people might say kids shouldn’t act so entitled but honestly, this is part of the social contract we agree to when we decorate the front of our house and turn on the porch light on October 31. Kids are going to come to our door for the express purpose of us putting a reasonable amount of candy into whatever receptacle they happen to be carrying, and one “fun size” Twix is not a reasonable amount.

On a more positive note, not only did it feel like a “normal” year last night, but SLP and I even managed to watch both Halloween and The Shining in their entirety, without falling asleep. (Well… she may have dozed off briefly around the time Dick Halloran was sensing the call to leave his Miami retreat.)