Section 29.5. The Ideal | Security and Usability: Designing Secure Systems That People Can Use

29.5. The Ideal

The redesigned consent dialogs presented in this chapter all follow the consent dialog redesign format that we based on user research into trust issues. During the process of creating this format, we came across infrastructure and technical constraints that prevented us from taking the design as far as we would have liked in the timeframe we had.

Certificate Authorities such as VeriSign allow Internet browsers to have a level of confidence that statements made by software publishers are true. However, only a few pieces of information are currently certified, such as publisher name and issuer name. With changes in the Certificate Authority model, it should be possible to also have certified graphics (for the icon area in the dialog redesign earlier), certified membership of communities such as TRUSTe, and even a certified audit of the software with accompanying statements about privacy, security, and reliability. Having a certified audit would bring the concept of certification much closer to users' ideals than today's reality.

Users typically see recommendations from a friend as trustable. This is true even when it is a tenuous recommendation (the friend sends a link to a site that wants to download something). Users also often have trusted friends whom they will ask whether something is safe to download. It is not difficult to imagine mechanisms that allow this type of interaction to occur from within the consent dialog using synchronous communication channels such as Instant Messaging.

Taking this one stage further, consider expert or community ratings. It is highly likely that many other people will already have downloaded a specific piece of software or will have consented to a certain action. Their comments on this software form a trust rating. Certain users may subscribe to a particular guru's ratings; others may subscribe to Slashdot, CNET, or even Good Housekeeping's ratings. These ratings could appear as part of the consent dialog process to assist users with their decision. An early version of this process has already been implemented in SpyNet, the part of the (post-XP SP2) Windows antispyware application that analyzes user recommendations in order to make determinations as to what is and is not spyware.