Vista's Faux Security
Enough Information?
In the end, whether it's asking a user to agree to a Terms of Service document that's full of privacy loopholes, or whether you're asking them if they want to allow a Trojan Horse application to upload a user's banking records to an identity thief, it's a sham.
Unless a user has enough information, and enough context in which to judge the consequences of their choices, the choice to "cancel or allow" is nothing more than yet another annoying obstruction between the end-user and the task they're wishing to accomplish. In such a case, users can be counted upon to make whatever choice gets their task accomplished, regardless of whether it costs them their first-born child.
As I noted, none of this is very new to the privacy world. Indeed, organizations like the Internet industry's favorite so-called privacy watchdog group, TRUSTe, have made a cottage industry of creating faux choices and calling it consumer protection. Companies have learned to construct devious privacy policies and pretzel-like processes that are summed up by a "cancel or allow" decision that stands between the consumer and whatever it is she's trying to accomplish.
These processes are designed to look like they're empowering users, but really they're providing them with what amounts to a Hobson's choice: a choice that is really no choice at all.
According to Wikipedia (so you know it must be accurate, and if it isn't, feel free to change it!), the concept of the Hobson's choice originated with an English livery stable owner in the 1500s. Customers seeking to rent a horse were given the choice of whatever horse Hobson offered them, or pulling your carriage yourself.
Over the last decade, many websites have adopted a privacy model that is similar to Vista's new security model: present users with a choice between agreeing to whatever consequences are being foisted upon them, or be stopped dead in your tracks and get nothing done.
Given the extraordinarily task-oriented nature of most people's computing experiences (when was the last time you sat down at your computer actually intending to get nothing accomplished?), presenting useless choices as being any choice at all is cynical at best and fraudulent at worst.
Yet many will undoubtedly continue to parrot the line that Vista is the most security-minded version of Windows yet. And if your definition of "security-minded" is the conditioning of consumers to click "allow" in order to get anything done, it is indeed one of the best testing grounds of conditioned responses since somebody bought Dr. Pavlov a dog and a bell.
Cancel or Allow?
At the end of the new Apple ad, the security guard finally asks the hapless PC: "You are coming to a sad realization. Cancel or allow?"
Unfortunately, after conditioning the world to click "allow," all Microsoft will have accomplished is to pass the buck to the hapless PC user, trying to make the user responsible for anything bad that happens because they ultimately chose to allow it.
While that may allow Microsoft's security engineers to sleep at night, the rest of us won't rest as easy until Vista's holes are plugged with something more substantial than a dialog box.