“Dave! Dave, come here! My computer is acting weird again!” I hate when my wife calls me from the other end of the house like that. I just know something bad has come up. Something beyond the capability of my daughters—now 9 and 11—and if a child can’t fix it, you know it’s serious.
She was reacting to a dialog box displayed by Norton Internet Security. Shown in Figure 1, the dialog box read, in part: “carboniteservice.exe is attempting to access the Internet. This program has been modified since it was last used.” It then went on to ask if the program should be allowed to access the Internet.
Figure 1 “Low Risk”? Who knows?
What kind of silliness is this? If all the brainpower at Norton can’t figure out whether this application should be allowed to access the Internet, how the hell is my wife ever going to?
For that matter, how would you or I, computer professionals that we claim to be, go about figuring that out? The name of the process means nothing at all. Even if we stipulate that Norton is indicating the correct Carbonite process that we installed, how do we know that Carbonite has been properly updated rather than hijacked by a bad guy, a common attack mode?
We don’t, and we shouldn’t be asked to. That’s why we buy Norton, to access the top brains in the computer security business. Accepting money for a product called “Internet Security” means knowing how to handle these common situations. If the risk is low, then Norton shouldn’t be bugging me. And if it’s not low, Norton shouldn’t be saying it is.
What does Norton think it’s doing? I spoke at a conference some time ago, next door to an unrelated computer security meeting. When I slid over during a break to scarf their free beer (we only had juice), I met a guy wearing a Norton badge and jumped on him about this dialog box. He said it makes perfect sense to the company: “We’re getting the user’s informed consent.”
Sorry, that doesn’t cut it. Wikipedia defines “informed consent” as consent given “… based upon a clear appreciation and understanding of the facts, implications and future consequences of an action.” Ordinary users can’t do this, and neither can computer professionals who are not security specialists. Informed consent is impossible in this type of situation.
I opened myself another beer and handed one to the Norton guy, as his meeting was paying for them. He wasn’t giving up. “It’s like the doctor, who tells you the risks and lets you decide,” he said.
No it isn’t. Norton throwing this box in a user’s face is like an airline asking a passenger if he thinks the weather is safe for flying. The passenger is not competent to make such a judgment. That decision rests entirely on trained and licensed professionals who hold responsibility for transporting passengers safely. That model works well for air travel (zero fatalities on mainline U.S. carriers in the last decade, see bit.ly/GFOcs1), and we should be working the same way.
The main reason I think we’re seeing this box is lawyers. Norton’s lawyers told the developers, in effect, “If you’re not sure, then just ask the user, and you’re off the hook. Then if it breaks, it’s the user’s own fault.”
Not to my mind, it isn’t. If I were on a jury and the defense tried using this excuse in a trial, I’d not only throw the defendant in jail, I’d add extra punishment for weaseling instead of standing straight and saying, “Sorry, we messed up, here’s how we’ll fix it.” He’s probably the kind of guy who refers to bugs as issues. (See “Weasel Words” in the September 2010 issue: msdn.microsoft.com/magazine/ff955613.)
We developers are the experts, and users depend on us. We cannot abdicate our responsibility by asking for guidance from someone who cannot possibly know. Informed consent in computing is a myth, and companies that claim it as an excuse for their malpractice are weasels. Stop it. Now.
David S. Platt teaches Programming .NET at Harvard University Extension School and at companies all over the world. He’s the author of 11 programming books, including “Why Software Sucks” (Addison-Wesley Professional, 2006) and “Introducing Microsoft .NET” (Microsoft Press, 2002). Microsoft named him a Software Legend in 2002. He wonders whether he should tape down two of his daughter’s fingers so she learns how to count in octal. Contact him at rollthunder.com.
I am no medical expert. So I feel equally unhappy when doctors show me the risk associated with those terms I don't know the meaning of. But I don't have a choice, do I?
I see catastrophic virus infections several times a year as church members or neighborhood friends hit me up for computer help. Every time, Norton is the package that failed them. Personally I'm getting very tired of scareware toast popups like that. It always seems like there are at least 15 software agents trolling for updates or problems at the same time on any of my computers. It amounts to a "DO MY WORK NOW!" interruption every other day, often at the beginning of the day.
Almost as bad as "Do you want to allow foobar.exe to make changes to your computer?" I don't know, Windows... do I? It says it's performing an update but what if it isn't? If the beat-up old van says "Free Candy" on the side, do you ask the 5-year-old if they think it looks legit? The point I'm making is that this behaviour is far from being a Norton specialty, and really became prevalent with the introduction of Vista's UAC. I fully support the notion of users (even Admins) running with restricted privileges until they need to make a system change, but making the user click Yes when an application tries to do something that requires elevation is the OS equivalent of having them sign a legal disclaimer. "I hereby revoke my rights to yell at Microsoft if this application I just downloaded does bad things to my computer."
Modern antivirus/firewalls have 2 modes: automatic and interactive. In the latter they display such windows. But it is not meant to be used by an average user (and wives/mothers/fathers etc. are usually below an average user). Once a similar warning from a firewall, about an outgoing request, saved me my passwords.
Interesting read, I want to discuss this with some friends to get some good conversation going. However, since I'm reading a blog post about not getting one started, I think it only appropriate to mention one of my small pet peeves with those who use Wikipedia as a reference; a good place to get references but not a good reference itself. A battle at the beginning of each semester to which the students look like they have been slapped across the face ;)
A very nice example with which one can demonstrate the difference between UI and UX - a well-developed dialog but such a bad user experience. Thanks.
Thanks, David. I went through the same thinking process a few weeks ago with the same security software and a similar warning. I googled about an hour to try to find some clues if I should or should not accept the risk and possibly lose the beloved Carbonite service. I finally gave up with a substantial dent in my self-esteem as a senior programmer. Of course I accepted, since the experts classified the risk as low. One day I will write an auto-accept program. It will save me from fruitless googling and further damage to my self-esteem. I will send it to you after you have signed my hold-harmless agreement!
"if a child can't fix it, you know it's serious"... I'm going to steal these words.