What technologies do you (or should you) trust? Your operating system provider? Your ISP? Google? Facebook? Lawmakers and law enforcers? The media? Your security software? If your answer to any of these is an unequivocal ‘yes,’ you’re too trusting. That doesn’t mean I’m encouraging one’s participation in a humongous conspiracy theory. However, trusting the good intentions of an agency shouldn’t carry an automatic assumption that what they do or say, or where they say it, is always good for you. It’s OK to trust your friends with your life, but can you trust them with your data?
One might find it strange that someone associated with the security industry should deny its trustworthiness, but after decades in security, working both sides of the customer/vendor divide, I’m painfully aware that the security industry in particular is mistrusted, but for the wrong reasons: because one type of software is so often dismissed as obsolete by vendors pushing alternative solutions, because it may sell through fear, because the vendors write all the viruses, because it may offer a choice between free but incomplete solutions and expensive security suites, or because people are disappointed that it sometimes fails. These reasons are partly justified some of the time, but they miss the point. Security is primarily an attempt to solve a social problem (well, several) and technology always falls short of eliminating social problems unless it’s supported by strategies that take into account the human element.
Most internet users fall somewhere on a spectrum between two extremes: the please-do-what-you-like-with-my-data social butterfly, and the ultra-paranoid “Facebook is for fools” types who see participation in social networking as narcissism, to paraphrase an anonymous (of course) comment to one of Stephen Cobb’s blog articles.
“Security is as much about mistrust as it is about trust.”
– David Harley, ESET senior research fellow
Aging curmudgeon I may be, but I can’t raise much enthusiasm for any viewpoint that assumes that all other viewpoints are a sign of stupidity. Professional paranoid I may be, and I appreciate more than most the dangers of making personal data too freely obtainable online. Governments and service providers of all sorts have proved all too competent at enabling that sort of leakage – without your making it even easier. But I can’t help wondering about the mental health and/or inclination to criminality of people who feel the need to be totally pseudonymous and/or anonymous online, and I can’t bring myself to advocate routinely breaking a contract with a social network by giving false and deliberately misleading information. I can’t say that faking or withholding information is never appropriate, but surely in many contexts it’s more appropriate simply not to participate in a network that demands information you’re not comfortable with sharing.
Security is as much about mistrust as it is about trust. You shouldn’t trust technology to protect you from your own lack of caution: there are no 100 percent solutions. It’s neither wrong nor moronic to buy into social media as a way of interacting with other people. It is naive, though, to do so without ensuring that you’re well enough informed to decide when and how to say no to requests for information. And, of course, to know when an apparently harmless request entails giving away information you assume to be private (think Facebook apps, for example).
The real problem is that so many people have a blind spot when it comes to translating the term “acceptable behavior” between the real world and the online world. Apart from the all-too-many individuals who knowingly engage in criminal behavior, there are many more who would never steal a book from a bookshop (to take an example dear to my heart) but have no problem pirating an eBook or software. At the same time, too many people are far more trusting online than they are in the real world.
Would you trust someone who came up to you in the street and said, “I want to give you a million dollars. Give me some money so that I can send it to you,” or “I want to be your friend. Give me your address and date of birth”?