The rôle of trust in security and liberty
I had an email from Captain Kirk the other day. That’s enough to make me distrust it immediately. But I often look at these things to see what methods the scammers are using to make me trust them. This one had an interesting device. Don’t just take my word for it, it said, check out this story on the BBC news site. More than that, the link was genuine, not some obfuscation really sending me to an obscure site in China or Russia: it genuinely pointed at news.bbc.co.uk/news-story.
That’s good, I thought. Who doesn’t trust the BBC? Except that the BBC’s news service is at bbc.co.uk/news… It just goes to prove my, slightly derivative, motto: distrust then verify. But notice that there is one word that runs throughout this text: trust. Trust and distrust lie at the heart of all personal computer security. You should only do what you trust; you should only go where you have trust. And, provided you have the basic anti-virus and personal firewall software, nothing (much) can happen to you unless your trust is betrayed.
That is something the bad guys understand. Almost all attacks against your data are predicated on the bad guys gaining your trust and persuading you to do something you shouldn’t. Like clicking on an infected email attachment, or visiting a malicious site, or downloading rogue anti-malware or a false video codec to let you watch a risqué video, or going anywhere on the internet without blocking scripts. That’s why I say ‘distrust everything as your default position, and verify it before you do anything’.
This raises a wider issue, for while I promote this for ourselves, I object to the same approach from the authorities. But I believe in the Golden Rule; I believe that what is sauce for the goose is sauce for the gander. Where we need to assume guilt on the internet, and make the other parties prove their innocence, I object to law enforcement using the same approach with me. It is absolutely wrong for the police to assume our guilt and make us prove our innocence. And therein is the conundrum: if you want security, you need to foster distrust first. But if you want freedom, you need to prove guilt first and otherwise accept innocence.
Frankly, I don’t know how to resolve this conundrum. It may make me a hypocrite; but I’ll have to accept that. On the internet, I shall always distrust first; and I shall continue to recommend that others do the same. But where our political and legal masters are concerned, I shall continue to demand that they trust me as their default position, and have to prove to the world that they shouldn’t.
Perhaps on the seesaw of security and liberty we simply have to accept that the pivot should be set in one position for the cyberworld, and a different position for the physical world.