
Privacy And Security vs. Usability

It's often stated that you have to trade usability for security. I call 💩


Watch this episode on YouTube.

Reasonably Accurate Transcript

Morning. How's everyone doing, had a couple of days off. Um, due to some scheduling conflicts really couldn't, uh, avoid that. Um, but now I'm back. Um, and of course nothing's been going on in the tech world. So we don't need to talk anything about anything today.

So it's nice and short and sweet. Can I get away with that? Holy crap. Um, Facebook, Facebook, Facebook, Facebook. Um, don't want to dive into the specifics. Um, obviously, um, Mark Zuckerberg is testifying in front of the US Congress again today. He testified yesterday.

Um, you can read a ton about it. Um, just go to Techmeme.com and everything on the front page is all about Facebook. Um, but I think there's a couple of important things that we can take away from that, that I hit with a couple of other conversations that I've had recently that really kind of, um, hit an issue that frustrates me.

Um, but that I think we need to talk about more. Um, let me just get the lighting here. There we go. Ok. So one of the things that came up yesterday, there was a great article in Vox and I'll tag it down below as always.

Um, or I think I've already tweeted it out at marknca. Um, anyway, Vox had this article that basically said, you know, here's a bunch of the challenges with the questions that were asked to Zuckerberg yesterday that show a lack of understanding about, like, what Facebook does, the goal of Facebook, all this kind of stuff.

And they are absolutely right. A lot of those questions that were asked show a complete lack of understanding. Um, but the, well, some outlets, not Vox, but some outlets are taking more of a look at these, you know, look at Congress asking these ridiculous questions.

I think it highlights a bigger issue of this stuff is complicated and the blinders that people have on when they're building these systems that deal with private information and with security in general is like, no, no people understand this stuff. They don't, we make it too hard for people to understand how technology impacts them.

So that was, that was one thing I had a complete opposite experience the other day in a very deep technical form, having some discussions with some peers about a particular set of issues and it was a very similar kind of thing. It was like there's all these great security controls, how come they're not doing what I need them to do or how come it's not easier to manage them in a way that makes sense for the challenge at hand.

So in that case, it wasn't people being unaware of it, but it was people who are even steeped in these technical, in these technologies in the understanding, know what they want to accomplish and having a challenge. So if and yes, completely different systems, end user product versus back end infrastructure stuff.

But for me, those really kind of connected the dots of going, wait a second, this stuff is all very, very difficult. It's probably too difficult in fact, and it doesn't need to be that way. Now, there's a long held bullshit belief that it's security versus usability and it's very much not that security needs to be built in.

And when security is built into the fabric of something, usability is still achievable, it's not, it doesn't set you out of your way like, oh, we need this to be secure and that means it's going to be unusable and nobody's going to, you know, take advantage of this great product we're offering.

That's a load of horseshit. You can build highly secure privacy, respecting usable products. You just have to start with usability and privacy and security is one of your core foundations and build up from there. You can't bolt usability on in the end, you can't bolt security or privacy on in the end.

And the third thing that kind of got me on this topic today was I was doing a response for a reporter here in Canada around some of the challenges with Canadian data protection and data breach notification. And they're saying, well, you know, what can, what can organizations do better?

How can they tackle this better? And so really, it comes down to this, this sort of culture, this information management culture, this awareness of the data that you're entrusted with. And how do you move forward with that data in a proper manner?

Um, and that's all relying on education, it's relying on usable systems. There's so many different factors here that it makes it really, really difficult. But all the solutions unfortunately don't address the primary cause, and I won't use root cause because I did read that SRE article floating around, but the primary cause is not that, you know, people don't understand privacy or that security is hard, or the primary cause of these insecure or privacy.

I don't know what a good word for it is, like these open systems, is not, um, a lack of awareness, it's a lack of effort early on to build this stuff into the fabric. Um, people want to do the right thing. People would prefer to do the right thing.

Now, in the case of Facebook, there's a real question of is that the right thing, their entire business model is predicated around understanding you, the user, to better target ads to you. Um, so there's a question there: is that system by design? That system is doing what it's supposed to.

It's just being some edge cases of a used, used and abused or maybe there is some naivety, but there's a substantial amount of other examples out there where privacy is the number one goal or security and privacy could be a number one principle or foundational pillar for that product or that offering.

And it isn't because people go, oh, we'll bolt it on in the end. Well, it doesn't really, really work. A simple analogy: if you built a house and didn't think about doors until the end, you go, we'll just throw one wherever we want.

That house isn't going to work nearly as well as it should. The flow in and out isn't going to work. You know, you're going to get into these awkward situations. Security, privacy, they need to be built in from day one. They need to be highly usable.

It's not security and privacy versus usability. It's usability enables security and privacy. And I think that's a real big takeaway, be thinking about that more as we dive into this week. And of course, leading into next week at RSA, I'm on site in San Francisco and RSA next week.

That is where a lot of the security community comes together. It's an interesting, interesting place to go simply because there's a lot of great content. But there's also a lot of really interesting pushes from start ups from other players in the industry that maybe push credibility sometimes.

But there's a, you know, hopefully on marknca, I'll be pulling away some of the BS and looking for the real core nuggets, because there's always some really amazing innovation and of course some great hallway conversations. So, um, big thoughts for today: building privacy and security in, usability is a real enabler for that, an accelerator.

Um, we'll see what happens for day two of testimony for Zuckerberg, the show is just beginning now. I'm glad that there's this attention here, but let's make sure we're focusing on the real primary cause and not just political theater. So we'll see what happens.

I hope you have a great day. As always, you can hit me up online. marknca comments down below. Happy to chat. What are your thoughts around privacy being built in privacy by design, security by design? What about that whole fallacy of usability versus security?

Where do you stand on that? Let me know, have a great day and we'll talk to you tomorrow.
