Vista's Faux Security

Friday Feb 23rd 2007 by Ray Everett-Church

An endless series of meaningless choices does not equal privacy, argues a security expert. Nor will they equal security for Vista.

For those who haven’t had the joy of installing the new Windows Vista operating system, the humor of the latest installment in Apple Computer’s “I’m a Mac; I’m a PC” series of television ads may be lost on you.

But if you’ve ever been asked by a piece of software, your operating system, or a website whether you want to make a choice – without the benefit of any background information or useful context – then you can pretty much get the gist of the joke.

The new TV ad, titled “Security,” features the grungy Mac guy standing next to the geeky PC guy, and behind the PC guy is some sort of Secret Service agent in sunglasses and a dark suit.

Every few seconds, the security guard asks PC if he’d like to “cancel or allow” virtually everything PC does: “You are returning Mac’s salutation. Cancel or allow?”

As the ad goes on, PC gets increasingly frustrated with the repeated questions, when finally PC explains: “I could turn him off, but then he wouldn’t give me any warnings at all and that would defeat the purpose…”

This brand of faux security is well known to privacy folks, because the robot-like process of asking for user authorization has passed as a form of privacy protection for years.

(Before I’m accused of some kind of bias, I should note that I’m not particularly enamored of Mac security, either.)

"Privacy" Features

For nearly a decade, most of the things that have passed for “privacy” features in a wide variety of applications, especially web browsers, have made those applications virtually unusable without choosing the equivalent of “allow” every time you’re asked.

Be it the firewall under Windows XP, or Internet Explorer’s cookie settings, JavaScript enabling, ActiveX components, or “compact privacy policy” settings, those and a host of other applications have asked users to allow various activities, and the vast majority of users choose “allow,” because they really don’t have any other choice.

As we have learned through sad experience in the privacy world, an endless series of meaningless choices and even more meaningless actions do not equal privacy. Nor will they equal security in the world of Vista. Come to think of it, they don’t equal security in airline transportation either, but I digress…

The real concept at work here is less about protecting the privacy or security of the user than it is about shifting the blame to them and away from the software creator whose application is about to do something that may compromise the user.

The notion of giving users choices and letting them make their own decisions is fundamentally appropriate. But as with any choice that has significant consequences, no one can be expected to make a sound and reasonable decision without having enough useful information.

Enough Information?

In the end, whether it’s asking a user to agree to a Terms of Service document that’s full of privacy loopholes, or whether you’re asking them if they want to allow a Trojan Horse application to upload a user’s banking records to an identity thief, it’s a sham.

Unless a user has enough information, and enough context in which to judge the consequences of their choices, the choice to “cancel or allow” is nothing more than yet another annoying obstruction between the end-user and the task they’re wishing to accomplish. In such a case, users can be counted upon to make whatever choice gets their task accomplished, regardless of whether it costs them their first-born child.

As I noted, none of this is very new to the privacy world. Indeed, organizations like the Internet industry’s favorite so-called “privacy watchdog” group, TRUSTe, have made a cottage industry of creating faux choices and calling it consumer protection. Companies have learned to construct devious privacy policies and pretzel-like processes that are summed up by a “cancel or allow” decision that stands between the consumer and whatever it is she’s trying to accomplish.

These processes are designed to look like they’re empowering users, but really they’re providing them with what amounts to a Hobson’s choice – a choice that is really no choice at all.

According to Wikipedia (so you know it must be accurate – and if it isn’t, feel free to change it!), the concept of the Hobson’s choice originated with an English livery stable owner in the 1500s. Customers seeking to rent a horse were given the choice of whatever horse Hobson offered them, or pulling their carriage themselves.

Over the last decade, many websites have adopted a privacy model that is similar to Vista’s new security model: present users with a choice between agreeing to whatever consequences are being foisted upon them, or being stopped dead in their tracks and getting nothing done.

Given the extraordinarily task-oriented nature of most people’s computing experiences (when was the last time you sat down at your computer actually intending to get nothing accomplished?), presenting useless choices as being any choice at all is cynical at best and fraudulent at worst.

Yet many will undoubtedly continue to parrot the line that Vista is the most security-minded version of Windows yet. And if your definition of “security-minded” is the conditioning of consumers to click “allow” in order to get anything done, it is indeed one of the best testing grounds of conditioned responses since somebody bought Dr. Pavlov a dog and a bell.

Cancel or Allow?

At the end of the new Apple ad, the security guard finally asks the hapless PC: “You are coming to a sad realization. Cancel or allow?”

Unfortunately, after conditioning the world to click “allow,” all Microsoft will have accomplished is to pass the buck to the hapless PC user, trying to make the user responsible for anything bad that happens because they ultimately chose to allow it.

While that may allow Microsoft’s security engineers to sleep at night, the rest of us won’t rest as easy until Vista’s holes are plugged with something more substantial than a dialog box.

Copyright 2017 © QuinStreet Inc. All Rights Reserved