By Igor Magun
Security software has a problem–it’s absolutely dreadful to use.
Take Signal, the end-to-end encrypted messaging app endorsed by Edward Snowden. It collects very little metadata and uses a robust encryption protocol that, in theory, keeps your messages unreadable if anyone tries to intercept them.
But in practice, here’s what happens: I get a Signal message from my friend and I try to respond. The app tells me, over and over, that my friend doesn’t have Signal–even though he just messaged me using it. So, I text him instead, putting us at the mercy of less-than-adequate SMS encryption.
This problem extends beyond Signal. I use a virtual private network (VPN) to encrypt my web traffic over public WiFi. My last VPN provider refused to play ball with Microsoft’s cloud storage service, OneDrive. My current one works perfectly with OneDrive–but breaks four other programs.
So, if I need those programs, I turn the VPN off, exposing any unencrypted internet traffic to snoops.
And then there’s full-disk encryption, designed to protect the files on your computer. It’s enabled by default on my iPhone and my Surface Pro tablet, so I don’t even have to think about it. But implementing it on my desktop requires a mess of third-party programs that I don’t have the time and energy for.
Security is hard, make no mistake. Some very clever thinking goes into the examples I’ve mentioned, and even with their flaws, programs like Signal serve a purpose. Depending on who you need to keep your data safe from, these tools can be indispensable.
But having a security system that only works some of the time really isn’t good enough.
This highlights something important that tech companies have only just started to realize: security shouldn’t be something people ever need to think about. Why aren’t SMS messages end-to-end encrypted? Why does anyone still need to get a VPN to protect their internet traffic on public WiFi?
User experience plays as big a role in security as does good encryption. Security needs to be the default, not an afterthought that you download from an app store. And it needs to work well. If users must go out of their way to be secure, chances are they won’t. And that leaves us all less secure.
the watcher
Good point, but therein lies the problem: several companies will offer “behind the scenes security by default”. Since the end user has only the vendor’s word that the software is “secure by default”, the end user cannot know, until a serious breach occurs, whether or not the software/service is in fact secure. One reason being that, in most cases, the code is proprietary and therefore cannot be independently scrutinized for vulnerabilities. Security, however conveniently packaged, is only as good as the procedures a person or organization puts into place.
Short answer: if you need security of communication or data storage, you need to consciously make the effort to ensure that you employ positive measures that meet your particular needs. The one-size-fits-all approach does not, and cannot, work as a good security model. Your security is your responsibility, not that of a vendor.
There have been a number of cases where a vendor has offered “secure packages” etc. when in fact the “secure package” has been silently leaking the end user’s data or communications.