Sunday, December 13, 2009


Protection and trust

Yesterday, The Ridger posted an item at The Greenbelt about some misleading marketing spin:

Several times in the last week I’ve seen an ad for Identity Guard, which is some form of protection against identity theft.

Their slogan: Identity Guard - making it OK to trust again.

No. They’re making it unnecessary to trust.

Indeed; it’s the difference between “No one will rip you off,” and “When someone rips you off, we’ll fix it.”

I thought I’d riff on that distinction for a moment, because it’s really where much of our security “protection” leads us.

There certainly is plenty of actual defense going on. When the presence of police deters a criminal, that’s what we’re really looking for. When using a secure (encrypted and verified) connection to a web site prevents a Bad GuyTM from listening in, that’s what we want. We’re fending off problems. And the extended validation certificates, along with browser support that highlights them, can be said to “make it OK to trust” a web site (but see my discussion of that).

In contrast, things like TRUSTe for web sites and certified email systems, penalize violations. They don’t stop anyone from doing bad things in the first place, and, depending upon what one can get away with before being shut down, they may be providing insufficient protection. Indeed, something like TRUSTe can actually be dangerous, to the extent that it gives people a false sense of security.

That’s how it is with spam filters and anti-phishing filters on your email. They’re shielding you from having to deal with a lot of garbage, and that’s good. The phishing filters are protecting you from a good many messages that would fool you into giving away your passwords, and that, too, is good. But they’re often marketed as things that let you trust your email... and that’s bad.

If you consider that these things enable trust, you’ll be snagged by the stuff that gets past them. The web site that has a bogus TRUSTe logo, the email message that claims to be from your bank (but isn’t), and the bogus “e-holiday greeting” that’s ready to deliver some nasty software that will take over your computer are even more likely to catch you unawares when they’re rare.

Protection and trust are not the same thing.

No comments: