Interesting People mailing list archives

[IP] more on Sony's Escalating "Spyware" Fiasco


From: David Farber <dave () farber net>
Date: Sat, 3 Dec 2005 15:26:45 -0500



Begin forwarded message:

From: Marc <marcaniballi () hotmail com>
Date: December 3, 2005 12:01:35 PM EST
To: dave () farber net
Subject: RE: [IP] more on Sony's Escalating "Spyware" Fiasco

Mr. Crocker brings up an interesting usability issue with security models - and
not just Microsoft's, but all the antivirus vendors, firewall vendors and
other security-oriented software systems.

The problem (as I see it) is twofold:

First; we are not always presented with the information required to make a
good decision. This is endemic in ALL software platforms and operating
systems. I have yet to find a system that consistently provides adequate
information to make the "click OK" decision.

Second; The "average user" wants the system to take care of most of these
decisions for them - automatically. This is a project of mammoth proportions
for any software vendor, and especially daunting for an operating system
vendor. Creating such an infrastructure would require several components
that would bloat both the creation and maintenance costs for the system, as
well as affect its performance (likely, significantly).

For a system to make an effective automated decision it will need to make so
many assumptions that it will become ineffective within weeks of deployment -
unless you have a highly configurable decision engine, in which case, you
have just reintroduced the complexity that the users don't want to deal
with.

Marc

-----Original Message-----
From: David Farber [mailto:dave () farber net]
Sent: Friday, December 02, 2005 8:52 PM
To: ip () v2 listbox com
Subject: [IP] more on Sony's Escalating "Spyware" Fiasco



Begin forwarded message:

From: Dave Crocker <dhc2 () dcrocker net>
Date: December 2, 2005 6:01:29 PM EST
To: dave () farber net
Cc: ip () v2 listbox com, "Synthesis: Law and Technology"
<synthesis.law.and.technology () gmail com>, Bob Hinden
<bob.hinden () nokia com>
Subject: Re: [IP] more on Sony's Escalating "Spyware" Fiasco
Reply-To: dcrocker () bbiw net

Blaming Microsoft for software that requires you to click OK seems
as silly as blaming GM if someone pumps bad gasoline into your car,
no?

No.

The human factors (usability, interaction design, cognitive modeling,
decision context, etc.) issues are entirely different.

Presenting users with a simple pop-up to click presumes a number of
things inappropriately and ignores a number of essential concerns.

Some examples:

1. Users are expected to fully understand the security model of their
system.  Since computer experts often don't, placing such a burden on
non-technical consumers is quite simply silly.

2. The messages that are displayed are cryptic, incomplete and tend
to be full of jargon.  Even with a good technical model, a user often
has difficulty knowing what is going on.

3. The more dangerous a user interaction, the more important it is to
protect against the user's performing the action automatically,
rather than having to deliberate on the choices.  Users must click
"ok" so frequently, it is far too easy to click ok as a habit.

4. Related to this is the meta-point that users are burdened with so
much "system administration" work that they MUST develop a habitual
response, so that they can return to doing their primary activity.
The habitual response works fine... except when it doesn't.


People bought the CD and clicked OK because they trusted Sony, not
because they trusted Microsoft to protect them against Sony, surely?

Clicking OK is taken to mean informed consent.  The reality is that
it means nothing of the sort.


Since when did anyone trust Microsoft?  Did anyone not wearing a
tinfoil hat at the time remotely suspect that we needed protection
against Sony?  Why should Microsoft be more prescient?

When a product purports to have safety features, there should be a
good basis for believing that the features will be effective.  In
this case, there is quite a bit of basis for knowing that it will be
INeffective.

The design of critical user interactions needs to pay far more
attention to the nature, capabilities and preferences of the average
user.

Unfortunately any serious effort along these lines means finding ways
to reduce the overall user burden for system administration, so that
critical user interactions are much more distinctive and rare.

d/
--

Dave Crocker
Brandenburg InternetWorking
<http://bbiw.net>


-------------------------------------
You are subscribed as marcaniballi () hotmail com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/

