Playing chicken with cat.jpgIn a game of chicken, which is the better strategy: Writing a lengthy and detailed "persistence policy" guaranteeing that you'll persist in your course and will not, under any circumstances, swerve to avoid your opponent; or ostentatiously removing your steering wheel and throwing it out the window? As noted by innumerable game theorists over the past fifty years, the latter strategy is the only one which is useful: Humans can't be — and aren't — trusted to follow their stated intentions.
People drive in excess of the posted speed limits. People enter intersections on yellow lights even when they could have safely stopped. People make illegal copies of music, movies, and software. People click checkboxes labelled "I have read and agree to the terms and conditions". People "bend the rules" on (i.e., violate) non-disclosure agreements. Men (and women, in some states) cheat on their wives. And all around the world, people treat privacy policies — and every other sort of policy — more as setting out lists of things to not get caught doing than as rules which must be followed.
37signals bemoans the fact that "trust is fragile"; as far as I'm concerned, they're missing the point. The answer isn't for 37signals to prove that they can be trusted; the answer is to ensure that their customers don't need to trust them. In Tarsnap I might take this to an extreme — in addition to the aforementioned encryption, I encourage users to read the tarsnap source code rather than trusting that I got everything right (even to the point of offering bug bounties) — but even if 37signals doesn't want to offer cryptographically secure storage, they could at least remove the temptation to look at file names in log files by not writing sensitive information to log files in the first place.
blog comments powered by Disqus