Would you agree though Steve that wearing seat belts is our best current 
practice for safety, and that we (if we imagine ourselves car designers) should 
explain to people how unsafe the roads are and that they really should wear 
seat belts? Not everyone who builds cars might feel like they need to take 
responsibility for explaining this, of course, but some will.

I don't want us to throw up our hands and say there's nothing to be done to 
improve the situation because users don't understand security and some 
deployments would resist it. Here in the IETF, our responsibilities as 
participants differ from those of users and even operators. We write standards. 
I think we need to write standards that are clear about what people should do 
to be secure on the Internet as we understand it. Our understanding of the 
Internet has changed because of these revelations, and what we need to do has 
to change as well. I agree that we can't levy unrealistic mandates and hope for 
anything but our own irrelevance. But let's not swing too far in the opposite 
direction here either.

Jon Peterson
Neustar, Inc.

From: Stephen Kent <[email protected]>
Date: Monday, October 14, 2013 12:33 PM
To: Ralf Skyper Kaiser <[email protected]>
Cc: perpass <[email protected]>
Subject: Re: [perpass] mandatory-to-implement vs. more?



If most users feel that security and privacy are high priorities, why do so
many users download free apps that monitor aspects of mobile phone use and
direct ads accordingly? My position, in part, is that people behave in a
fashion that suggests that personal privacy is not a very high priority when
it comes to use of the Internet.


That's like saying "People should not have airbags because they should not 
drive ruthless or fast in the first place. They surely do not care about their 
safety so why should we invent the airbag?".

regards,

Ralf
Your proposed analogy is really, really bad, yet again. But it does provide
a good basis for a better analogy.

Seat belts are an example of an MTI, mandated by government-level regulations.
There are state laws in the U.S. that make them MTU, in 33 states. Note that
the MTU provision is a weak one; an audible warning sounds for a few seconds,
and then is silent. If one were very serious about seat belt use, there could
be an ignition interlock. But, since seat belt use is not mandatory in all
U.S. states, such an interlock would be problematic for vehicle manufacturers.

Air bags were initially an alternative, passive restraint option, viewed as
equivalent to 3-point seat belts, when passive restraints were first mandated
in 1984 (for vehicles produced in 1989), and the regulation applied only to
drivers, not passengers. In 1998 the rules were changed to mandate airbags in
addition to (3-point) seat belts, for front seat passengers, as well as drivers.

Over time vehicle manufacturers have voluntarily added more air bags in cars,
as a selling point, i.e., they perceive that some buyers will pay more for
knee bags, etc.

So, some takeaways from this (corrected) analogy are

    - MTI can be appropriate for safety (security/privacy) features

    - MTU is a problem for such features when products are used across a wide
      range of jurisdictions

    - a safety (security/privacy) feature will be offered by vendors (service
      providers) when they that it is valued by their customers


Steve