Friday, November 30, 2012

Which house would you live in?

I re-discovered a wonderful analogy from The Economist's 'Babbage' column dating to 2011:

  1. Would you like to live in a gated community where you show your passport or driving licence to a security guard who then walks you to your home and lets you in through the front door?
  2. Or would you rather live in a gated community where you get to choose your own door lock and key, with the risk that you might lose your key and not be able to get in?

The first is like Dropbox, and pretty much every cloud-based data storage service from major players like Microsoft, Apple, Google and more. And it's like your Facebook account and, probably, your photo storage site. And so on.

Even before reading that last paragraph, most of us would instinctively choose the second option. But that's not what we do in practice! In reality, we know that there's normally a fall-back if we do in fact lose our key to the house: maybe we've left a window open, or the back door unlocked. If the worst comes to the worst, we can always smash a door down or break the glass in a window to get back in before changing the locks and getting new keys cut...

In the computer world, we don't have that convenience. If we set our own keys to the computers we use and the data we store, then we have a major difficulty if we forget what we chose and, to avoid compromising security, never wrote down a back-up copy somewhere.

Last weekend I re-visited an old laptop that I'd not used for a year, intending to refurbish it for my daughter. It was only as I powered it on that I realised that I had no clue what password I'd used for it. Once so familiar because I was logging in to that machine most days, now the letters, numbers and symbols seemed to have evaporated from my brain. What might have been 'just' a catch-up on all the software updates since I last used the machine turned into a much bigger re-build job!

So, let's ask again, which community would you live in? In practice, judging by the user numbers, almost everyone chooses the first kind. We have a naive trust in the companies that supply our computing convenience; and we're not prepared to bear the cost of keeping our own keys safe.

How can we build a better solution? How can we combine the convenience of option 1 and the privacy of option 2?