Don't Get Me Started - The Myth of Informed Consent
By David Platt | May 2012
“Dave! Dave, come here! My computer is acting weird again!” I hate when my wife calls me from the other end of the house like that. I just know something bad has come up. Something beyond the capability of my daughters—now 9 and 11—and if a child can’t fix it, you know it’s serious.
She was reacting to a dialog box displayed by Norton Internet Security. Shown in Figure 1, the dialog box read, in part: “carboniteservice.exe is attempting to access the Internet. This program has been modified since it was last used.” It then went on to ask if the program should be allowed to access the Internet.
Figure 1 “Low Risk”? Who knows?
What kind of silliness is this? If all the brainpower at Norton can’t figure out whether this application should be allowed to access the Internet, how the hell is my wife ever going to?
For that matter, how would you or I, computer professionals that we claim to be, go about figuring that out? The name of the process means nothing at all. Even if we stipulate that Norton is indicating the correct Carbonite process that we installed, how do we know that Carbonite has been properly updated rather than hijacked by a bad guy, a common attack mode?
We don’t, and we shouldn’t be asked to. That’s why we buy Norton, to access the top brains in the computer security business. Accepting money for a product called “Internet Security” means knowing how to handle these common situations. If the risk is low, then Norton shouldn’t be bugging me. And if it’s not low, Norton shouldn’t be saying it is.
What does Norton think it’s doing? I spoke at a conference some time ago, next door to an unrelated computer security meeting. When I slid over during a break to scarf their free beer (we only had juice), I met a guy wearing a Norton badge and jumped on him about this dialog box. He said it makes perfect sense to the company: “We’re getting the user’s informed consent.”
Sorry, that doesn’t cut it. Wikipedia defines “informed consent” as consent given “… based upon a clear appreciation and understanding of the facts, implications and future consequences of an action.” Ordinary users can’t do this, and neither can computer professionals who are not security specialists. Informed consent is impossible in this type of situation.
I opened myself another beer and handed one to the Norton guy, as his meeting was paying for them. He wasn’t giving up. “It’s like the doctor, who tells you the risks and lets you decide,” he said.
No it isn’t. Norton throwing this box in a user’s face is like an airline asking a passenger if he thinks the weather is safe for flying. The passenger is not competent to make such a judgment. That decision rests entirely on trained and licensed professionals who hold responsibility for transporting passengers safely. That model works well for air travel (zero fatalities on mainline U.S. carriers in the last decade, see bit.ly/GFOcs1), and we should be working the same way.
The main reason I think we’re seeing this box is lawyers. Norton’s lawyers told the developers, in effect, “If you’re not sure, then just ask the user, and you’re off the hook. Then if it breaks, it’s the user’s own fault.”
Not to my mind, it isn’t. If I were on a jury and the defense tried using this excuse in a trial, I’d not only throw the defendant in jail, I’d add extra punishment for weaseling instead of standing straight and saying, “Sorry, we messed up, here’s how we’ll fix it.” He’s probably the kind of guy who refers to bugs as issues. (See “Weasel Words” in the September 2010 issue: msdn.microsoft.com/magazine/ff955613.)
We developers are the experts, and users depend on us. We cannot abdicate our responsibility by asking for guidance from someone who cannot possibly know. Informed consent in computing is a myth, and companies that claim it as an excuse for their malpractice are weasels. Stop it. Now.
David S. Platt teaches Programming .NET at Harvard University Extension School and at companies all over the world. He’s the author of 11 programming books, including “Why Software Sucks” (Addison-Wesley Professional, 2006) and “Introducing Microsoft .NET” (Microsoft Press, 2002). Microsoft named him a Software Legend in 2002. He wonders whether he should tape down two of his daughter’s fingers so she learns how to count in octal. Contact him at rollthunder.com.