On being a user agent

A few times in my life I've had the mixed blessing of dealing with Visa authorities. Their job is to ask for impressive piles of paper that I guess noone will read closely, and among the things one must document is usually that you have enough money in your bank account to survive for a while without "resorting to public funds" (doesn't sound like the type of resort I'd want to spend a holiday at but Visa People like reminding you not to anyway).

Now, since I try to save some trees by asking all my banks never to send me paperwork and prefer online banking, I usually supply printouts of online bank statements. I'm always shocked that nobody questions this. I mean, it's not rocket science to edit the cache file before printing or use a bookmarklet to add a couple of strategic zeros is it? If becoming a millionaire was that easy..

Well, I'm glad visa authorities don't know this – but there is absolutely nothing in the design of a browser that is meant to guarantee the authenticity of a printout. The very simple reason for that lies in the term "User Agent". The browser is your "agent", your tool for performing tasks online. It is designed to "trust" and empower YOU as the user. It wasn't designed to verify the size of your bank account. It never ever submitted an application about becoming the Visa Authority's agent. And it does not accept responsibility for any consequences of being forced into this role by ignorant Visa Officers!

I'm sure someone in the right office would call that a security problem. To me, it demonstrates how the simple design principle "User Agent" has plenty of scope for controversy. I believe that while the importance of the Internet keeps growing, we'll run into more and more of these implicit and explicit expectations to user agent behaviour – like the assumption "web page printouts show the authentic data sent from the server" – and it may sometimes be difficult to balance these expectations.

Not every website or authority likes an empowered user. You've got those sites who don't want you to right-click or view source or save or whatever idiocy they try to enforce. Noone needs to be concerned with those that "hide" source code under such tin foil hats – but then you also have the sites that for very plausible reasons want to prevent passwords being saved or make sure the back button doesn't return you to the cached version of the previously viewed page. And several of those sites have both guts and importance to give the UA the ultimate threat: do as we tell you, or we block your users!

And those sites have a point – there are security concerns inherent inn building software that trusts the user – because what if the user right now isn't you but the next guest at the internet cafe you left without closing the browser, or your rogue colleague at work playing with your Wand logins?

Evidently, we don't want to let pages block right-click nor become the Visa Authority Agent – but how do we strike the balance between security for the sites that really need it and a trust-the-user, empowering design?


7 thoughts on “On being a user agent

  1. In the US, for some things (Unemployment claims, mortgage documentation depending on broker), anything "printed from a computer" is explicitly not counted. Unfortunately, there is no corresponding law requiring employers to provide printed copies of paychecks. I'm assuming that the "printed from a computer doesn't count" rules will cease to be enforced in time, but … I hope not to find out too soon.

  2. It has always been the user's responsibility to "drive safely". Not even the most secure piece of software would save you if you don't log out when you leave your workstation. A user should be able to do everything, and software shouldn't dare to restrict him in order to enforce security. The user, on his side, should protect his identity from abuse by others.

  3. I've thought of similar problems from time to time.But I say no: User Agent should stay User Agent and nothing else. If you really nead to, make a safe system, but don't blame the "damn User Agent system".There should be machine readable code written on the paper. Containing the Session_ID (not necessarily the PHP function), the cash amount, … etc. etc. … not easy to crack that down.And at the Bank you could just have a scanner reading the code and looking up if that code is valid and if it has been used before …You just have to *think*. Blaming anybody else and/or inventing unsecure (doesn't need explanation) or unconstitutional (see: DRM) systems is just no way. You've got to live with the consequences.I hope Opera will stay a full-fanged User Agent in the future … don't you?

  4. Grey: I certainly hope so!feldgendler: it is the user's responsibility to "drive safely"? Sure, but look at IE's BHO mess. There is no way we can require a "driving test" before you start browsing with Opera..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s