Security, Dropbox and the Illusion of Control

by Rich on June 22, 2011

My wife and I drive similarly. Neither of us is particularly aggressive, we always use turn signals, we maintain similar speeds in comparable conditions. I tend to follow a little closer than she does, and she tends to brake a little later than I do, but there’s no real difference in how we drive.¬†Yet when I’m driving, I know she often has a tight grip on the armrest. When she’s driving, my foot reaches for the imaginary passenger brake.

We take identical risks and the same precautions, but I feel less safe when she’s driving, and she feels less safe when I’m driving (though we’re both too nice to mention it).

Dropbox recently had a significant security failure where, for several hours, anyone could log into any account with any password. That’s a big mistake, they fixed it, they admitted it, and they moved on.

A recurring refrain in response has been “any data not under your control is insecure”. True, but so what. Regardless of the magnitude of Dropbox’s mistake, security is hard to get right. You may know what you’ve done to protect your data, but that’s no indication you know what you’re doing. My bank has been robbed more often than my house, but I don’t keep my money in the mattress (please don’t rob my house to teach me a poetic lesson).

Leaving my data out of my control means I’m victim to the mistakes Dropbox makes. Keeping it under my control means I not only miss out on a great service like Dropbox, I’m the responsible one. I need to get things right and not lose my stuff.

Some people can do that. They make the effort, they develop the skills, they do the hard work Dropbox is supposed to do. Most people can’t. Not because security is magic and inscrutable, but because it’s hard and they have better ways to spend their time.

We tend to have faith in our own abilities because we know what we’ve done, we can construct stories that help us understand why our choices and actions were right. We might believe the other guy is smart, but we can’t know his decisions, can’t construct a faith-building narrative. So when he’s driving, we grip the armrest, we stomp on the imaginary passenger brake.

But it doesn’t mean we’re any less safe because someone else is driving. Competence is the key, and control is not competence.

Previous post:

Next post: