For those of us living day in and day out in technology, we’ve become pretty familiar with most of the fundamental constructs used to protect ourselves online. As various approaches have emerged over the years and slowly been refined and incorporated into our everyday workflow, we’ve come to embrace many of them and consider them “normal”. But I’m becoming increasingly conscious that it’s getting harder and harder for mere mortals to stay on top of the security game.
A lot of this stems back to passwords. We’ve always known they’re all meant to be non-guessable and unique, but without exception we’ve all broken these rules. As we got more and more online accounts and saw bad things occur to those who’d followed those weak but very common password patterns, many of us migrated towards password managers. But have you tried getting a non-techie to use one? It’s painful. Even the best of them are full of edge cases: they don’t work under certain circumstances, your data may not be available in specific places, and there’s all manner of other scenarios where you have to explain to the poor user, don’t worry, this is all worth it. Honest.
Multi-step verification is another one, and it’s a fundamentally important security feature. The thing is, though, it’s rarely mandated and as such adoption rates are very low. The reason the likes of, say, Facebook don’t mandate it is because it poses a usability barrier. People have to do something different as opposed to simply entering an email address and a password. And it is a barrier because no matter how easy you make it, it’s an extra step and that scares people off.
And how about PINs on mobile devices? How many times do you see friends and family with phones that have no lock on them whatsoever? Now that’s a portable, losable, pick-pocketable device too so it’s a valuable target for evildoers. A lock screen is a barrier and yes, there’s the likes of TouchID on iOS which make things significantly easier, but have you tried getting a non-techie to go through the enrolment process? I tried it recently and it was… I’m not sure if “entertaining” or “infuriating” is the right way to explain the number of goes it took to roll the finger over just the right areas of the home button.
Finally – and this is what really got me thinking about all this – there are VPNs. A local Aussie reporter contacted me today and asked me for comments on National “Get a VPN” Day. What?! Turns out it’s actually a real thing and it coincides with Australia’s enforcement of mandatory metadata retention laws. This is a law that, in sentiment, says that ISPs must store your browsing history in case one day you decide to be a terrorist and our government needs it (you probably won’t become a terrorist, but they’ll keep a hold of your data just in case…).
When asked what I thought about the EFF’s recommendation that all Aussies should now consider using a VPN when accessing the internet, I honestly didn’t know where to begin. Perhaps with the good bits – VPNs are awesome for protecting your traffic between a device and the provider’s exit node. Unfortunately, they cost money. The consumer-centric stuff also has to run on a device and if you have a bunch of them, that’s even more money. Then they always impact performance to some extent due to the increased latency of routing out through another location. Plus, they can make life hard when joining networks that expect to intercept your traffic so you can accept T&Cs first. Using one in circumstances of greater risk or where more privacy is required is one thing, but making it a 24x7 proposition in the home is quite another.
And so I concluded that whilst all of these security measures are unquestionably valuable and I use each and every one of them extensively, most of the time they remain beyond the grasp of the layperson. Although people with genuinely evil intent will no doubt figure out how to make VPNs work and circumvent the whole thing anyway!