The Internet is Fundamentally Broken
Did you know that the internet is fundamentally broken? An excerpt from a recent interview by Emma Barnett with Carl Sjogreen, product manager at Facebook, includes this amazing comment: "The fact that I can go to a site and it doesn't know who I am or what I like shows how fundamentally broken the internet still is". Huh? Is this a new definition of the phrase "fundamentally broken"? Or is it just me exhibiting my usual level of dinosaurian paranoia?
Maybe it's just a coincidence that last week's rant was all about tracking ads, hidden background requests, and related nefarious stuff - but I really don't want every website I visit to know all about me. I realize that, even with occasional trips to the Tools|Options dialog to delete cookies, I leave some trail across the internet as I browse and click to achieve my daily work tasks. And as a regular online shopper I know that I'm leaving an increasingly broad and well-worn path for spam emails to follow; though thankfully Message Labs blocks the vast majority from reaching my inbox. But I'm increasingly noticing new events that indicate just how little control we may really have over our personal information.
For example, I have my usual web browsing machine set up to warn about switching to and from secure (HTTPS) pages, and it seems to pop up warnings now for even the most unexpected sites where the page itself isn't HTTPS. However, tucked away in one corner is a selection of social media site buttons such as Twitter and Facebook, and simply loading the page causes the browser to try and log me into these sites using an authentication cookie stored on my browser (presumably so I can instantly "Like", or apply some other adjectival verb, to the content). It's not going to happen because I don't have a Twitter or Facebook account, but it's an indication of what's going on behind the scenes. These people would know from the referrer string exactly which sites I'm visiting.
Of course, the reason is so that sites can (quoting from the interview again) make their pages "look different to a 60-year old man and an 18-year old girl based on their interests". OK, I am a much better match to the first of these categories than the second, so I probably don't want to read about how wonderful the latest boy bands are, and which color eye-shadow goes best with this year's fashion choice in summer hats. But surely this is illegal under age discrimination laws. And I'm not sure I want Amazon to automatically show me a choice selection of stair lifts and Zimmer frames every time I visit their site either.
Likewise, I recently downloaded a sample application from a very reputable source to learn more about HTML 5, and discovered that to use it I have to set up an account with OpenID to be able to log in. Why? I already have enough accounts and passwords just to do the things I need to, without scattering my personal details across more and more sites. And, when you read about the number of sites that "lose" your information to hackers, do I really want to increase the chance of my personal details arriving in the public domain? Especially as I'm fast running out of available memorable passwords, so I'm bound to have used it somewhere else. Good security practice suggests minimizing your attack surface, not expanding it.
Thankfully, modern browsers are making it easier to protect yourself online; though I'm still having daily disagreements with both IE9 and an increasing number of websites. I've recently encountered sites where you have to allow the browser to download and run an ActiveX control or Java applet just to be able to click the "Buy Now" button, or a Flash animation to be able to enter your delivery information. With most of the browser extensions and add-ins disabled, four out of five page loads pop up the message "An add-on for this site failed to load" (which, in IE9, unhelpfully manages to obscure the horizontal scroll bar as well).
And while we're in IE9 territory, have you figured out how to use the combined search and address box yet? Or managed to get a separate search box to show without filling half the window with a selection of other useless buttons? And how are you finding the download information bar? It seems like a really good idea, helping to protect against downloading and running malicious code. OK, so it took me a while to figure out why files wouldn't download (I was waiting for the pop-up download dialog), but the integration with Security Essentials that scans the file is nice – even though you'd assume that Security Essentials would scan it anyway as it was written to the disk.
But then I tried to download the latest drivers for the network card in my server from the Dell website and got the red-bordered warning that "This file is not commonly downloaded and could damage your computer". I'd entered my computer's Asset Tag number, checked the network card make and model number against the file that Dell offered, and so assumed it was the correct one. And as IE9 hadn't yet downloaded it, it couldn't have checked if it was laced with viruses and trojans. What am I supposed to do in that situation...? I downloaded the file anyway and scanned it with a couple of different anti-virus tools (it passed). But what will most non-paranoid users do after they've see this warning a few times?
Maybe it's time we looked seriously at the real risks to privacy, safety, and protection from malicious attack and came up with some realistic statistics. I'm guessing that the occurrence of successful attacks as a percentage of internet use is very small, but the daily revelations of sites being hacked, personal details being stolen, and viruses spreading like wildfire can't help but damage the way we regard the internet. It already gets enough bad press, yet we're constantly finding new ways to incorporate it into our daily life; to the extent that it's already nearly impossible to survive without it.
There's plenty of good advice about protecting yourself available out there, but perhaps it's time somebody started publishing information in a form that will help us to understand the real risks - before an increasing number of people come to the conclusion that the internet is just too dangerous to use. What's the percentage chance of suffering a successful attack if you use the default security settings and keep your system up to date? How many people are affected by viruses as a proportion of the population? Do certain well-known add-ons increase the risk by a specific amount?
Or will I have to actually go out of the house in future to do my shopping...