| > they have a choice: stricter annoying rules with fewer victims, or looser rules with more victims? Yep, there's a reason freedom vs safety (or libertarianism vs authoritarianism) is an axis on many political spectrum charts. This is a very common source of tension in politics. As you can probably guess, I usually find myself on the libertarian side of such debates. Freedom is worth the price. > Give them freedom to chose their password without mandating 2FA, and some will lose money to a password database leak & offline guessing To be clear, I have no issue with secure defaults. There's only an issue when you start trying to make it impossible for users to compromise their own security, because accomplishing that requires you to take away their freedom to make choices, which I don't think is an acceptable thing to do to mentally sound adults. There's plenty of competition in the banking space, so normally I'd be fine letting banks and their customers sort this out on their own. But there's not a lot of competition in the OS space, and allowing banks to limit your choice of OS exacerbates that problem. The fix I've been floating in my head for some time now for a lot of these types of problems in the digital space is some sort of software freedom law guaranteeing users the right to modify software running on devices they own. It would fix so many issues with the software industry, including probably this one, since many common uses of hardware attestation would probably fall afoul of such a law. |
I generally lean towards that too, including for this issue. But we do need to own up to it. Explicitly ask ourselves, what kind of bad consequences, and how much of them, are we willing to put up with in the name of freedom?
Also, some framings make it difficult: the second someone speaks of protecting the children, all of a sudden freedom becomes secondary. Which leaves two counters, which are logically compatible, but tend to be rhetorically exclusive: denying that this new thing will actually protect the children; and asserting that the protection it allegedly provides is not worth the loss of freedom.
The second one is a hard sell, which is why we so often revert to the first one. Take age verification: sure it won’t stop determined underage teens from seeing images of bunny girls. But it will deter some of them. And assuming images of bunny girls are bad for teen health, it means age verification does "protect the children". A little. And voilà, we’ve destroyed the argument that age verification does absolutely nothing, mass surveillance for the win!
> […] which I don't think is an acceptable thing to do to mentally sound adults.
I haven’t thought of the psychological damage over-protectiveness may cause. That’s a bloody good point.
> There's plenty of competition in the banking space,
Given how people in some countries complain that it’s difficult to find a bank that doesn’t require a locked down phone for online payments, I would argue perhaps not plenty enough. I totally agree though that for any bank to require one of two OSes is not good, and for this reason would be tempted to outlaw such requirements (thus reducing corporate freedom, but I care more about individual freedom).
> some sort of software freedom law guaranteeing users the right to modify software running on devices they own.
That is very tempting indeed. Do understand though that such a law comes very close to mandating Free Software everywhere: for this right to be effective, users need access to the source code, and be allowed to let some professional modify that code for them. Any mass produce piece of hardware would effectively have to publish the full code source of their drivers for all to see. I would absolutely love that, but NVDIA would likely lose their marbles over this.