Monday, May 2, 2011

Acting on My Behalf

One thing that has really bothered me lately is how many software developers have lost one of the key essentials in software. The computer is a tool to do what I want, when I want it done. Installing or running software shouldn’t be beyond my knowledge or control. I should always be aware of what the computer is doing when it is acting on my behalf.

It used to be that way. You installed software, and that software only did things when you requested it to. The functionality could be at a very high level, or a set of low-level tools. The older programmers where very careful about making sure that all actions, all of the time where directed by the users.

I think that started to change when Microsoft became targeted for viruses. Somehow they convinced us that they had to have control over releasing immediate critical security updates. It was in our best interests to leave the problem to them.

Once that door opened, everybody flooded in and now we have all sorts of software sending and communicating on our behalf, without us being aware. There are annoying popups on the screen, things turning all sorts of colors and it’s a constant battle just to type something in without some type of interruption. To me, these are very unwelcome behaviors. I need to trust my machine it order to get the most out of it. I can’t trust it, if I don’t know what it is doing.

Of course, it was security concerns that got us into this mess, but because of the way people chose to address the problems, we’ve done nothing but make that problem worse. The more crap that interrupts, the more people ignore it. It makes it easier to get in bad code, not harder. A hasty approach to security has sent us in a downward spiral.

I’d love to see this trend get reversed. If the computer can’t initiate actions without our consent, then it becomes harder for people to run malicious code on our machines. The answer to our security issues is to put the users back into the driver’s seat. They choose what functionality they want to execute and when, and only then can the machine initiate actions. From there we can strengthen their ability to know and understand what they are doing (or at least certify it in a way that they can know it’s not malicious). User’s need to drive their computers, not software. That approach is clearly not working.