“Security is mostly a superstition. It does not exist in nature, nor do the children of men as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing.” – Helen Keller

One of my employees has a theory. The lock on your front door or the padlock on your locker isn’t actually a lock — it’s a social contract. When you walk up to a door, the lock there is a little reminder from the owner that the stuff inside is his, and he would like you to leave that stuff alone.

We know in the physical world that locks aren’t perfect security. A padlock can easily be picked, shimmed or cut within seconds. Yet our society functions as though we believe our lockers, cars and homes are secure. A door can be taken off the hinges. You can break a window open. There hasn’t ever been a lock that couldn’t be picked. Almost.

For 67 years, the world thought it had a perfect lock. Joseph Bramah was so confident in his lock design that he painted a challenge on the lock itself and hung it in the window of his shop in London. The winner would have won what amounts to about $25,000 by today’s standards.

Rather than keep his design a secret, he published detailed information on how it worked, in contrast with the commonly accepted maxim “security through obscurity.” If the lock really was impossible to pick, then being completely transparent and open about the details of the lock would only serve to reinforce the strength of the design.

American locksmith A.C. Hobbs would eventually pick the lock, shattering the image of perfect security. But it took Hobbs two weeks of actually living upstairs in that London shop, spending every waking moment attempting to pick the lock. After the perception of the lock’s impregnability had been broken — even though it took two weeks of trying by an expert locksmith in ideal conditions — people stopped wanting to pay premium prices for very nearly perfect security when they could get good enough security cheaply in the form of mass-produced locks.

Security through obscurity works because it takes time to defeat obscurity. The effectiveness of encryption, for example, is measured by the amount of time it takes to break it, not by whether it is unbreakable. We know with certainty that the processing power of a computer in just a handful of years will be able to break in a few minutes what would take hundreds of years today.

It is understandable, then, that the social contract concept is more difficult to understand when it comes to computers. I think this is in part due to the fact that to get into another person’s computer, I never leave my own keyboard. It is further complicated by the nature of digital information. If I break into your house and steal something, then it is more clear that I have violated the social contract. It is less clear if I break into your house and simply take photos or replicate your stuff with a 3D printer. It’s still a violation of the social contract, but psychologically, this behavior is more like voyeurism or espionage than theft.