So, security expert Bruce Schneier writes often in his blog about what he calls "security theater": measures that governmental and other bodies take that make people feel secure, but which may or may not have any actual value in really making us safer. He recently blogged about phishers' use of fake SSL certificates to lull visitors into thinking they are at a legitimate site. Moreover, what's to stop someone from going the low-tech route and just taking, say, the TRUSTe logo and sticking it on their phishing site, using it until TRUSTe catches them at it (if ever), and then flying by night as is their wont? (That's a real question; I admit ignorance of certifying authorities' process for preventing and rooting out fraudulent use of their marks.) And then there's the higher-order question of whether the bodies who give sites their thumbs-up are themselves unswayably impartial judges (see first comment to the Schneier blog post, alleging that VeriSign SSL certification means nothing but that somebody shelled out the money for a certificate).
There are a lot of dodgy sites on the Internet, but there are a lot of legitimate businesses out there too, and it can be difficult for the user to tell the good guys from the bad guys. You can search the 'net for previous customers' feedback, but you might be unable to find any, or customer ratings may conflict, or "customer" reviews might be fake (definition case: Amazon.com), and so on. How does a user know whom to trust when looking for goods or services online?
A few days ago, while surfing around a bunch of possibly-dodgy ringtone download sites*, I realized that I could use Google AdSense as a rudimentary dodginess detector. I'm not sure this idea works, so I'm running it by you -- please comment. AdSense has guidelines for what sort of sites it will accept to the program, so in order to pass muster, I'm guessing a site has to be at least fairly legitimate. I'm hesitating to make the strong statement that "AdSense only accepts legit sites," as I've heard speculation about possible gaps in their guidelines; I wish I could check over the guidelines, but the AdSense site is down right now. D'OH! Anyway, while surfing these ringtone sites, I started looking for AdSense ads as an indicator of a site's authenticity. Of course, this strategy is very rudimentary: there may be false positives due to sites putting up fake AdSense ads or flouting the guidelines; moreover, there may be a lot of false negatives, since not all legit site owners participate in AdSense or similar programs.
Therefore, due to my uncorroborated suspicions about the nigh-inevitable occasional gap between AdSense's guidelines and real-world site owner behavior, AdSense ads' implicit function as a validating authority constitutes a sort of "security theater": having Ads by Goooogle on your site gives you at least the appearance of legitimacy, and users (or at least yours truly) feel they can trust you. Despite my paranoia, I feel that in most cases, AdSense ads are indeed a valid baseline standard for "hey, this site isn't a totally flagrant scam operation." Caveat emptor.
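As an added example (not from the original post), here is a small Python check for the false-positive case described above: it only counts an ad as a real AdSense placement when the ad script is actually loaded from an allow-listed Google ad host, and it flags pasted "Ads by Google" logos or look-alike hostnames instead. The host allow-list and the sample pages are assumptions constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: host(s) the genuine ad script is served from.
GENUINE_AD_HOSTS = {"pagead2.googlesyndication.com"}


class AdSignalParser(HTMLParser):
    """Separates a real ad-script inclusion from things that merely look like one."""

    def __init__(self):
        super().__init__()
        self.genuine_scripts = []  # <script src> served from an allow-listed host
        self.lookalikes = []       # images or scripts that only claim to be Google ads

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            src = a["src"]
            host = urlparse(src).hostname or ""
            # Exact host match: "googlesyndication.com.example.net" is NOT genuine.
            if host in GENUINE_AD_HOSTS:
                self.genuine_scripts.append(src)
            elif "google" in host or "google" in src.lower():
                self.lookalikes.append(src)
        elif tag == "img":
            # A pasted logo: src or alt text says "google" and "ads", nothing is loaded from Google.
            blob = " ".join(v or "" for v in (a.get("src"), a.get("alt"))).lower()
            if "google" in blob and "ads" in blob:
                self.lookalikes.append(a.get("src") or "")


def classify(html):
    """Return a coarse trust signal; a genuine script still proves only that the
    script is referenced, not that Google actually vetted the site (false negatives
    for legit sites without ads remain, as the post notes)."""
    p = AdSignalParser()
    p.feed(html)
    if p.genuine_scripts:
        return "genuine-ad-script"
    if p.lookalikes:
        return "lookalike-only"
    return "no-ad-signal"


# Constructed sample pages (not real sites).
REAL_PAGE = '<p>Ringtones</p><script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>'
LOGO_ONLY_PAGE = '<p>Ringtones</p><img src="/img/ads_by_google.gif" alt="Ads by Google">'
SPOOFED_HOST_PAGE = '<script src="http://pagead2.googlesyndication.com.example.net/show_ads.js"></script>'
PLAIN_PAGE = '<p>Just a page</p>'
```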
I wonder if the implicit message sent by AdSense ads' presence, that "Google vouches for this site," is at all statistically significant as a way the AdSense program brings revenue to site owners. A user might click on an AdSense ad, earning the site owner money, or she might say, "Hey, this site has Google ads on it. It must be legit. I will buy my 'Benny Hill' ringtone from this site instead of from that other site that doesn't have Google ads." Maybe Google should comment on the TRUSTe whitepaper I linked above ("How Not to Look Like a Phish") to promote the value of good old-fashioned advertising, with its habit of building customer confidence. People trust brands they've seen advertised; perhaps they also trust brands that carry advertising, the way a sports fan might assume a certain player must be good because she's got sponsorship from some sneaker company. And since that rather poor analogy leads me to whimsical thoughts of Anna Kournikova scamming people out of their credit card numbers, I suspect I should conclude this post now.
*In the end, I decided not to shell out the money for the "Doctor Who" theme, even from as eminently trustworthy a provider as the Beeb itself.