Today, I had to take a trip to the Apple Store. Because of all of the things that could break on my computer, the most important one that I can’t live without started misbehaving: my trackpad.
After checking in, leaving a trail of umbrella drips from the front door to the upstairs Genius Bar, and getting my machine ready to be all fixed up, I was ready to surrender my darling little machine to the powers that be so that what was broken could be fixed in-warranty. I entertained a round of interrogation about the colorful stickers on my laptop— “Oh, that’s Threatbutt, it’s a totally innovative security thing that only the smartest people know about!” and once my machine was whisked away, I sat back and observed the interactions going on between the people near me.
To my right, an older woman had brought in her computer because it wouldn’t connect to the internet. She had been hunting down the perfect quilting pattern for her granddaughter’s wedding gift, and while downloading templates, she had somehow added 45 different extensions to her browser. Hidden in these malicious extensions were competing strains of adware that were running amok on her machine, making it impossible for it to find its way to the internet and transfer any sort of data back and forth.
Behind me, another woman had a similar issue: her twenty-something daughter was telling her to download a new app that was just ~*to die for*~ on her computer, and she did. But once she downloaded it, the app disappeared and couldn’t be found on her computer or phone. For the past few days, she had gone to the web and searched for the app to download again, but didn’t understand why it wasn’t showing up on her device. A few minutes later, the problem was clear: after she downloaded the app from the first Google result on the web, she opened iTunes and tried dragging the app onto her phone while it was syncing with her computer. As a result of downloading software from an untrusted source, she had adware on her machine. When the technician explained what this was and why it happened, she sighed deeply and had a positively dejected look on her face.
“My daughter kept telling me to download this app on my phone— she lives in Miami— and I tried, I really did. My husband used to do these things for me and he was so patient, but he passed away last year…I have absolutely no idea what any of this is. Everyone else seems to be having so much fun with these apps and things, and I want to enjoy technology with them, but that just doesn’t feel like it’s ever going to happen. I spend more time scared I’m going to break the damned thing than I do having fun with it.”
Another quite sassy lady sitting across the table from us had a computer that just “wouldn’t listen to her.” When she “told” her computer to go to a website, it just went wherever it pleased, and she was “damned tired” of it acting like it’s “possessed.” And lest ye think that the Apple Store was full of damsels in distress on that very, very rainy day, there was a man behind me whose computer kept emailing people… but he couldn’t figure out how. When he searched, he couldn’t see or find the emails, and didn’t know how to make something that was invisible to him stop infecting the inboxes of his friends, colleagues and family. In the space of a half an hour, six more people around me were (very patiently, professionally and diligently) walked through the steps and given a few basic tools to help them solve security problems and avoid reintroducing them to their computers. Which got me thinking…
Far too often, security practitioners and technologists take the position of blaming users for security failures or thinking that users deserve all of the bad things that they might encounter out there on the web as a consequence of not knowing all of the ins and outs of technology. “People are the weakest link in security!” seems to be more of a comfortable excuse to lean on than a rallying cry to actually do something to change the status quo. While we might be able to master protocols, grok complex technological concepts, and break whatever we feel like whenever we want… those skills and the highly specialized language surrounding them isolate us from the people we are defending.
(“Wait, what?! When we do this security stuff, we’re defending people?! People are SO dumb.” … Um, yes, what in the hell did you think you were doing when you took that security job?)
To date, billions of people have literally bought into the idea that their computers would change their lives (and sometimes they do), and we know quite a bit about how and why they interact the ways they do with technology. We know that no one has taken on the responsibility of truly educating most people about the risks that come with the very many rewards the internet has to offer. And then many of us fault them for not knowing things, especially the things that they had no way of knowing or learning about whatsoever. But tell me…
When was the grandmother making a quilt for her granddaughter’s wedding supposed to learn basic online security principles? How should she have known where to find information that she didn’t know she needed to know?
When would a 75-year-old lady ever have learned that the machine she uses for knitting needs backing up? Who would have explained to her the value of her data?
How was the widow going to learn all of the ins and outs of technology when her husband was the one with years of tech experience?
How should little old ladies navigate operating system updates when the quilting software they use for sewing isn’t compatible with the latest, greatest and shiniest new thing out? (“Use better software” isn’t an option.)
Where would someone who had never before been exposed to an App Store ever learn about how any of those things work?
And how would someone whose use case of the internet never, ever gave them reason to think of malicious uses of the internet? How would anyone in this situation know to take proactive security measures against them?
At the end of the day, sitting around and speaking poorly of end users doesn’t help any of us fix the eleventy twelve billion problems at hand, and it doesn’t make end users smarter and wiser either. Neither does ignoring reliable data, psychology, science, usability studies, or the reality that we will need a multitude of tactics to truly get end users and technologists doing everything they can on both sides to help us take care of the web.
After spending days, months, years, and thousands of hours behind a computer, it’s sometimes hard to remember what it felt like to sit in front of one of these things and have absolutely no fucking idea how it worked. It’s almost impossible to recall what it felt like to not know that there were so many things you didn’t know. Should we all have to be experts in every single detail of technology to be able to use it? No— and that’s just not going to happen given the ease with which anyone, even in developing countries, can gain access to the connected world. (And seriously, show me someone who is deserving of such a thing, an absolute and total expert in every technological capacity — I’ll wait.)
Staying holed off in our own little corner of the internet and fighting with each other about the most senseless of things isn’t helping us in any way, and yet some days it feels like we’re good at doing very little else than that. We complain that people are why security fails all of the time, but then forget that at the core, we’re people too and we are no better than anyone (everyone) else. When we ignore the facts of the situation— that the web is supposed to belong to everyone, not just the technological geniuses and cool kids who can hack this then whack that— and isolate ourselves from ever having to interact with people not like us, we fail everyone and we make our jobs much harder than they truly have to be.
But what do I know? I just went to the Apple Store to get my computer fixed one day. And now a bunch of people know that Taylor Swift and her squad are basically one badass hacking gang.