Many workers in human services, she told me, are reluctant to provide data that would be useful to improve the services. She’d like to track homeless people as they move from one jurisdiction to another for instance, to provide better continuity of service and find out what works and what doesn’t. The agency staff are afraid that sinister forces within government will misuse data. While we have no lack of sinister forces in government, it appears that the people needing human services are more at risk of snooping by random staff people, facilitated by the awful security practices just mentioned.
I’m not surprised that employees would treat passwords as just one of the many random impediments they have to bypass each day to do their jobs. Given how many regulations reflect political grandstanding rather than life on the street, and how many well-meaning regulations outlive their usefulness, workers have to interpret the rules in a (shall we say) creative manner. I’m sure many employees in private industry get through the day the same way; it’s not limited to government. But an even deeper issue is at work.
Security systems are, to many ill-trained workers, indistinguishable from the other odd computing annoyances they suffer from every day. From the beginning of data centers over fifty years ago, we’ve felt that computer systems were impersonal and somewhat supernatural. Like too many government regulations, we’re never told why the rules in place, and nobody can seem to update them.
To this day, our passivity is reinforced by designers’ rigidity. We perform a certain operation fifty times a day and still have to press a button in an “Are you sure?” dialog box. We have to go to one menu to enter a header on a document, and another menu far away to add fields to that header. We assume that elements of Microsoft Office’s interface take on the immutability of a force of nature (and reproduce those elements in all sorts of other products) until suddenly a new release changes them.
It becomes inconceivable that a particular element of our daily computing, such as a requirement to enter a password, might actually have been rationally designed by some human being and put in to protect us.
Luckily, savvy computer users complain. They also call for more adaptable systems. I know that the drive in the computer industry nowadays is to make systems more intuitive and easier to use, but I don’t know whether we can anticipate the needs of every user enough to achieve those goals. What we can do it make systems more open, document them better, and make them easier to change. And then maybe employees will start to become responsible guardians of security procedures. As a security researcher at CERT confirmed for me recently, no computer system can be secure if the end-user undermines the policy.