
Communications of the ACM

Last byte

Future Tense: The Primal Cue


Many centuries ago, a mystified Roman farmer held a bronze ingot crudely imprinted with a cow. He was handling an early form of currency that supplanted a true cow—a life-sustaining, milk-and-flesh-producing piece of wealth—with a chunk of metal that was strangely, with its embossed animal figure, supposedly of equivalent value. (Roman cattle spawned our English word "pecuniary"; the Latin for cattle is "pecus.")

The early Romans faced an abstraction that often distorted the material world beyond their intuition. Their befuddlement gives an historical glimpse of the vast mental challenges that people of all stripes face today as cyberspace undercuts our own deeply embedded intuition and instincts—with ripple effects throughout security and privacy.

For pecuniary surrealism today, look no farther than virtual worlds like World of Warcraft and Second Life. In them, developers of virtual "real estate" earn real-world money for their oxymoronic efforts. Laborers in third-world sweatshops work in gold mines represented only in cyberspace. There have been real-world prosecutions for larceny of virtual-world goods and at least one real-world murder over the theft of a virtual sword. Virtual-world currency is spilling over into the real world in the billions of dollars, adding a new dimension to security concerns like money laundering. The law can't keep pace with these phenomena; the Internal Revenue Service doesn't yet know whether or how to tax them. The interpenetration of the real and virtual worlds is happening in other ways, too. It's possible to order a pizza in a virtual world and have it delivered to our real doorsteps. It's just a matter of time before other real-virtual linkages become routine, say, surgery conducted in a virtual world operating on real patients and electric grids mapped into virtual space. Security failures will inevitably propagate from virtual worlds into the real one.

It's difficult to wrap our minds around these virtual/real entanglements. But the online world also thwarts our security instincts in much simpler ways. Humans are biologically wired to make trust judgments through attunement to faces, gestures, and verbal intonations. Social networking sites strip away these primal cues. For instance, when a social networking site used by friends asks us to log into an external email account, the request seems instinctively safe thanks to the friends' implicit endorsement. Some social networking sites have exploited this herd instinct toward safety to entrap subscribers through viral attacks. They invite new users to "Log into your email account so we can see if you have other friends on this network." They then hijack our address books and send email to our contacts in their name—inviting new victims in turn to join the social network and render themselves vulnerable to the same trick.

Consumer education about online security is often trumpeted as a countermeasure to such blunders. "Never give away your email password to another site" is a ubiquitous warning. But cybersecurity education often fails because it's not true education. It doesn't teach fundamental principles that can be grafted onto our instincts and drilled into our minds. It's just a set of guerilla tactics for the lawless byways and ramshackle security of the Internet. Consider the warning about giving away our passwords. Are you "giving it away" if the site that requests it promises not to store it—as social networking sites often do? Are we even aware that we're giving it away if a Trojan (infected software) on our computer pops up an apparently perfect but fake Web page for our online banks? Other planks of cybersecurity education are equally flimsy.

Online privacy is another arena in which human instinct is foundering. Drawing a curtain over a window at night offers a concrete, intuitive form of privacy (and doesn't require agreement to a thousand-word privacy policy). Online privacy is a different matter. Suppose the average user—or savvy one, for that matter—could digest online privacy policies. Suppose the policy was simply "you own your data," a widely favored nostrum. It is still well beyond any person's mental capacity today to understand what data this person owns and how to go about controlling it. When, for instance, photos of our face seep into search engines, friends' online content, archived Webcam images, and digital photo albums of sightseers in cities we've visited, what does ownership or control mean?




The poster children for the future of computer security are often intellectually flashy inventions, such as, say, quantum cryptography. These technological showpieces create trustworthy connections between machines (sometimes) but not trustworthy connections between people—the source of the real challenge.

The Romans adjusted to a new material world. Today, we're mentally capable of translating numbers on computer screens into a measure of wealth, then into bread and circuses, houses, clothes, and cars. Human instinct lags in most of the places where cyberspace is swelling and ramifying. A future of informed and secure choice demands tools—technological, educational, policy-oriented—that project cyberspace down to the scale of human instinct and intelligence. If not, we might wind up as stupefied as an early Roman staring at a chunk of bronze.


Author

Ari Juels is chief scientist and director of RSA Laboratories, Cambridge, MA, and author of the novel Tetraktys, Emerald Bay Books, Newport Coast, CA, 2009.


Footnotes

DOI: http://doi.acm.org/10.1145/1666420.1666448


©2010 ACM  0001-0782/10/0300  $10.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.


 
