Don’t just blame users for woeful security online

The BBC this morning reports that many net users are not safety aware. The piece is based on research by Get Safe Online, a UK Government-sponsored initiative to promote internet safety. More details of the survey are here. I’m intrigued by a couple of these figures. Apparently 45% of internet users only connect to “secure” wi-fi networks outside the home. That’s surprising since most public wi-fi is not secured; but why would you trust the security of someone else’s network anyway? I’m in the 55%.

There are also some figures on passwords, showing that nearly 25% of users have a single password they use everywhere. Even more surprising, another 25% claim to use a different password for every site. It’s a mess either way. We will never get even a moderately secure internet without better authentication.

The key question, as this Get Safe Online press release observes, is about who should take responsibility for online safety – meaning everything from viruses and fraud to predatory chatroom impostors. Here are some popular candidates:

  • The ISPs
  • The banks (presumably for financial safety)
  • The individual
  • The security companies – Symantec, Sophos etc.
  • The operating system vendor – Apple, Microsoft etc.
  • The Government – let’s regulate

I guess the answer is “all of the above”, though the role of security software is vastly exaggerated, especially that of anti-virus software which in reality does not work well – see Ed Bott’s recent piece The Sorry State of Security Software.

User education is welcome, though anyone with technical knowledge will likely find the homely advice doled out by a site like Get Safe Online frustratingly inadequate. Online safety is difficult for all sorts of reasons. One problem is that users get confronted with decisions they are not equipped to make. Another issue is that even conscientious and informed users are forced to compromise in order to get their work done, like the occasion last week when Thawte advised me to turn off my firewall in order to buy its product.

The Internet will never be safe, but it can be made better. Strong authentication, no more passwords. Digitally signed emails. Networks of trust. Secure operating systems. It’s no good just blaming users; many of them are doing their best.