One of my favorite classes I took in the past three years of college was Computers and Ethics (also known by the disgusting 1990s term “Cyberethics”). Although most of it was bashing the use of computers in everyday life and tying them to a very morbid, Terminator/Matrix-esque view of the future, there were some interesting points that were brought up. One of them was known as the “Silicon Imperative”. The general idea is that we should always question whether a computer should do everything for us. The obvious fact here is that humans are smart and computers are stupid. It’s simple — humans are not “digital” (either this, and/or that) in their logic. We have emotions. We learn based on previous events. We can see patterns very quickly, something computers cannot possibly do at the moment. Therefore, there are many things that should not be “Silicon Imperative”.

I agree with all of that — for the present. However, if you have a software project that has a goal, that interacts with users, and gives them a useful feature set, you shouldn’t half-ass it. One of the most debatable areas, I think, of the Silicon Imperative, is in security. The reason I’m writing this is that, from an end-user point of view, it seems like we are promising security at the sacrifice of innovation and user interaction.

There are some products that have been entering the market — you can probably guess what they are — that seem to embody this kind of thinking. What would your life be like if you had an assistant that promised to do a lot of things for you? Doesn’t that sound nice? Someone who made your food, cleaned your house, organized your desk at work. That would be awesome! Now, imagine if this same assistant would ask you, every time, if you really wanted the food you were about to eat. Or, every time you left the house for work, would ask you how you wanted every room to look. Or how you wanted your desk to be organized every day, and if you really wanted that manuscript to be shredded at the end of the day. Yeah, not so great, huh?

Why can’t the assistant remember what we asked? Why can’t it realize that the manuscript is confidential and that we don’t want it, instead of asking us every time? Is it really that stupid? That assistant has manifested himself in the form of software.

“Hey, I’ve got a great idea, let’s ask the user every time if they really want to perform this certain action. That way, if something goes wrong, it’s not our fault! Sweet!”

In this day and age in the software industry, is security really so bad that we should sacrifice user interaction like this? The “guaranteed” way of software security is not usually the best. Your software might not have any innovation and it might not do any intelligent adaptation based on what evils are out there, but I tell you what — your users will. You can barrage them with all kinds of prompts and confirmations, but the inevitable will happen: they’ll just click through them without even reading them, and that’s a huge security risk in itself.

What happens after a user accidentally clicks through a prompt and breaks the threat model? Are you going to sit back and point a finger? Is that what we do? Isn’t our goal to help people in their everyday lives instead of making them feel stupid by blaming them? Perhaps we should think some more about the Silicon Imperative…