Tuesday, May 15, 2007

Norton Internet Security Doesn't Just Work, and It Should

Norton Internet Security is sold as a turnkey system for novice users. They certainly need something of the sort (although a case can be made that security is now so important that it should be the operating system vendor's responsibility). Users need something that keeps the bad guys from hurting them, without requiring a whole lot of fiddling with, because they don't know how to do it. That's why they buying that product, right?

Unfortunately, Norton Security is written by geeks, who are unable to shed their geek mindsets and produce something that Just Works, as their users need it to. Here's an example of their doing it wrong.

Carbonite, as I've shown you on this blog, is an automatic Internet backup system that not only Just Works, but is my poster application for the Its Just Works movement. Carbonite, like many other applications, periodically updates itself with bug fixes and (we hope) improvements. When Carbonite communicates back to its Internet home site after an update, Norton security detects it and pops up the following box, which caused my wife to come running to me in panic:



If the ultra-smart geeks at Norton, who do nothing but eat, sleep, drink, and live security, can't figure out whether allowing Carbonite to access the Internet is safe or not, how the heck is my poor wife supposed to know? In fact, I MYSELF do not know whether this box is crying wolf, or whether it actually has detected something bad, such as Carbonite being hijacked by bad guys. Take that one step further, and I MYSELF don't know how I would even go about figuring out whether this communication is safe or not.

Norton seems to THINK that this situation is probably benign, as you can see by the "Low Risk" label and the recommendation of "Allow Always". And I think, or at least I HOPE, that they're right. But if that's true and the action really is benign, why is Norton bothering to ask me? It's the same confirmation mindset that I've decried over and over again on this blog. Rather than put themselves in their users shoes, Norton is forcing the user to put on security programmer shoes, and there's not a chance in hell that any user on God's good earth, and I mean NOT ONE SINGLE PERSON, can possibly do it properly. Instead, by crying wolf when no lupine creature is in sight, Norton is conditioning users to click "Yes" every time they see a security warning. They're making all users less secure. Bad idea.

Maybe Norton's lawyers made them do this so that they can disclaim responsibility if they actually do make a mistake. In that case, it wouldn't be the designer's fault, and I will hereby transfer my annoyance and scorn to the lawyers. But Norton messed up here, because they did not put themselves in their users' shoes, as they should have.