A few times in my life I've had the mixed blessing of dealing with Visa authorities. Their job is to ask for impressive piles of paper that I guess no one will read closely, and among the things one must document is usually that you have enough money in your bank account to survive for a while without "resorting to public funds" (doesn't sound like the type of resort I'd want to spend a holiday at but Visa People like reminding you not to anyway).
Now, since I try to save some trees by asking all my banks never to send me paperwork and prefer online banking, I usually supply printouts of online bank statements. I'm always shocked that nobody questions this. I mean, it's not rocket science to edit the cache file before printing or use a bookmarklet to add a couple of strategic zeros, is it? If becoming a millionaire was that easy...
Well, I'm glad visa authorities don't know this – but there is absolutely nothing in the design of a browser that is meant to guarantee the authenticity of a printout. The very simple reason for that lies in the term "User Agent". The browser is your "agent", your tool for performing tasks online. It is designed to "trust" and empower YOU as the user. It wasn't designed to verify the size of your bank account. It never ever submitted an application about becoming the Visa Authority's agent. And it does not accept responsibility for any consequences of being forced into this role by ignorant Visa Officers!
I'm sure someone in the right office would call that a security problem. To me, it demonstrates how the simple design principle "User Agent" has plenty of scope for controversy. I believe that while the importance of the Internet keeps growing, we'll run into more and more of these implicit and explicit expectations of user agent behaviour – like the assumption "web page printouts show the authentic data sent from the server" – and it may sometimes be difficult to balance these expectations.
Not every website or authority likes an empowered user. You've got those sites that don't want you to right-click or view source or save or whatever idiocy they try to enforce. No one needs to be concerned with those that "hide" source code under such tin foil hats – but then you also have the sites that for very plausible reasons want to prevent passwords being saved or make sure the back button doesn't return you to the cached version of the previously viewed page. And several of those sites have both the guts and the importance to give the UA the ultimate threat: do as we tell you, or we block your users!
And those sites have a point – there are security concerns inherent in building software that trusts the user – because what if the user right now isn't you but the next guest at the internet cafe you left without closing the browser, or your rogue colleague at work playing with your Wand logins?
Evidently, we don't want to let pages block right-click nor become the Visa Authority Agent – but how do we strike the balance between security for the sites that really need it and a trust-the-user, empowering design?