[IP] more on Sony's Escalating "Spyware" Fiasco
Begin forwarded message:
From: Marc <marcaniballi@xxxxxxxxxxx>
Date: December 3, 2005 12:01:35 PM EST
To: dave@xxxxxxxxxx
Subject: RE: [IP] more on Sony's Escalating "Spyware" Fiasco
Mr. Crocker brings up an interesting usability issue with security
models - and not just Microsoft's, but all the anti virus vendors,
firewall vendors and other security oriented software systems.
The problem (as I see it) is two fold;
First; we are not always presented with the information required to
make a good decision. This is endemic in ALL software platforms and
operating systems. I have yet to find a system that consistently
provides adequate information to make the "click OK" decision.
Second; The "average user" wants the system to take care of most of
these decisions for them - automatically. This is a project of mammoth
proportions for any software vendor, and especially daunting for an
operating system vendor. Creating such an infrastructure would require
several components that would bloat both the creation and maintenance
costs for the system, as well as affect its performance (likely,
significantly).
For a system to make an effective automated decision it will need to
make so many assumptions that it will become ineffective within weeks
of deployment - unless you have a highly configurable decision engine,
in which case, you have just reintroduced the complexity that the users
don't want to deal with.
Marc
-----Original Message-----
From: David Farber [mailto:dave@xxxxxxxxxx]
Sent: Friday, December 02, 2005 8:52 PM
To: ip@xxxxxxxxxxxxxx
Subject: [IP] more on Sony's Escalating "Spyware" Fiasco
Begin forwarded message:
From: Dave Crocker <dhc2@xxxxxxxxxxxx>
Date: December 2, 2005 6:01:29 PM EST
To: dave@xxxxxxxxxx
Cc: ip@xxxxxxxxxxxxxx, "Synthesis: Law and Technology"
<synthesis.law.and.technology@xxxxxxxxx>, Bob Hinden
<bob.hinden@xxxxxxxxx>
Subject: Re: [IP] more on Sony's Escalating "Spyware" Fiasco
Reply-To: dcrocker@xxxxxxxx
Blaming Microsoft for software that requires you to click OK seems
as silly as blaming GM if someone pumps bad gasoline into your car,
no?
No.
The human factors (usability, interaction design, cognitive modeling,
decision context, etc.) issues are entirely different.
Presenting users with a simple pop-up to click presumes a number of
things inappropriately and ignores a number of essential concerns.
Some examples:
1. Users are expected to fully understand the security model of their
system. Since computer experts often don't, placing such a burden on
non-technical consumers is quite simply silly.
2. The messages that are displayed are cryptic, incomplete and tend
to be full of jargon. Even with a good technical model, a user often
has difficulty knowing what is going on.
3. The more dangerous a user interaction, the more important it is to
protect against the user's performing the action automatically,
rather than having to deliberate on the choices. Users must click
"ok" so frequently, it is far too easy to click ok as a habit.
4. Related to this is the meta-point that users are burdened with so
much "system administration" work that they MUST develop a habitual
response, so that they can return to doing their primary activity.
The habitual response works fine... except when it doesn't.
People bought the CD and clicked OK because they trusted Sony, not
because they trusted Microsoft to protect them against Sony, surely?
Clicking OK is taken to mean informed consent. The reality is that
it means nothing of the sort.
Since when did anyone trust Microsoft? Did anyone not wearing a
tinfoil hat at the time remotely suspect that we needed protection
against Sony? Why should Microsoft be more prescient?
When a product purports to have safety features, there should be a
good basis for believing that the features will be effective. In
this case, there is quite a bit of basis for knowing that it will be
INeffective.
The design of critical user interactions needs to pay far more
attention to the nature, capabilities and preferences of the average
user.
Unfortunately any serious effort along these lines means finding ways
to reduce the overall user burden for system administration, so that
critical user interactions are much more distinctive and rare.
d/
--
Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>
-------------------------------------
You are subscribed as marcaniballi@xxxxxxxxxxx
To manage your subscription, go to
http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/