This is the second time this week a major technology company has launched an open source initiative. On Monday, Facebook announced its new TODO initiative, which is focused on developing best practices and tools to support open source development between companies. Google and Dropbox are also participating in the TODO collaboration.
The companies said that providing easy-to-use secure tools has become increasingly important following revelations by Edward Snowden that the NSA, GCHQ, Unit 2800 and other spy agencies penetrated numerous technology organizations and collected personal data from millions of people.
Making Security Tools Usable
Both Google and Dropbox have received negative press over their participation in the NSA’s covert mass surveillance program, PRISM. Dropbox has also been criticized for electing Condoleezza Rice, the former National Security Advisor to President George W. Bush and outspoken supporter of warrantless wiretapping, to its board of directors.
Nevertheless, both Dropbox and Google promoted the benefit of putting more privacy tools in the hands of users in public statements backing Simply Secure.
“Security shouldn’t come at the expense of simplicity or design, and you shouldn’t have to be a tech expert to stay protected online,” Dropbox said in a post on its corporate blog about the new initiative. The company released the first of its semi-annual privacy transparency reports last week, detailing requests to access client data from government agencies.
“People shouldn’t have to make a trade-off between security and ease of use,” Google said on its open source blog. “We’re excited for a future where people won’t have to choose between ease and security, and where tools that allow people to secure their communications, content, and online activity are as easy as choosing to use them.”
Improving Existing Tools
According to its Web site, Simply Secure aims to bring security experts and user interface designers together to create effective open source security tools that are simple and easy enough that users will actually adopt them. “If privacy and security aren’t easy and intuitive, they don’t work. Usability is key,” the organization said on its blog.
A variety of security tools and procedures already proliferate in the marketplace. The problem is that they are too cumbersome for most users to implement, according to Simply Secure. Tools such as two-step authentication, for example, may be extremely effective security measures, but their overall impact is hampered by limited adoption among users.
Simply Secure said it would support existing open source work, instead of developing new tools itself. In particular, the initiative will focus on providing usability and development expertise, direct ties to user communities, and connections to funding sources. Another core component of its work will be conducting public audits of interfaces and code to validate security and usability claims.
The organization plans to publicly disseminate whatever methodologies and best practices for security usability and open source collaboration it develops. It will also be collaborating with existing open source security and privacy initiatives such as Open Whisper Systems, The Guardian Project and Off-the-Record Messaging.
Simply Secure is being led by Sara Sinclair Brody, a former product manager at Google who worked on two-step authentication. It has also brought in science fiction author and technology and privacy activist Cory Doctorow to sit on its board of directors.
“This is critical, and not just for ‘normal people,’” Doctorow said in a piece on Simply Secure published in The Guardian on Thursday. “Even technically sophisticated people often find it difficult to follow security protocol in their own communications and computing.”
Not So Simple
Not everyone, however, is quite as optimistic about how effective the new initiative can be. Derek Brink, Vice President and Research Fellow at Aberdeen Group, told us that the announcement represents an attempt to break with the traditional view that there is a necessary trade-off between convenience and productivity on the one hand and security and cost on the other.
“The solution, apparently, is that we just need to get the right collection of smart people . . . to work together on implementing consumer-facing devices and applications that are simple enough that regular Joes and Janes will be more likely to adopt them,” Brink said.
Changing that mindset and developing tools that are both effective and easy to use is likely to take time, he added. “I’d use caution against the irrational exuberance that tends to build around these initiatives,” he said. “Any material impact will probably be the result of a sustained effort over a long period of time.”
Nevertheless, the idea behind Simply Secure is a good one that should be supported, he said. “I'm encouraged when smart people put their time and effort where their ideas are and try to effect a positive change.”