Wednesday, April 11, 2007

Should Apple include security with iPods?

I corresponded with Cara Garretson via email yesterday, after I read her article but before I wrote my previous post. She invited me to comment on a follow-up article she was considering: should Apple include security with iPods?

I actually received that message from her while driving home from the office, and the wheels have been turning ever since. Perhaps a bit too much so because now I'm not sure I understand which angle she is thinking of taking. It's a very good question, but I can spin it a number of ways. My questions in bold followed by my answers:
  1. Should Apple include security features that make it less likely for an end-user's iPod to be infected by malware?
    Notwithstanding Kaspersky's recent claim of an iPod virus, there is no real evidence that it is likely (or possible) for an iPod to be infected by malware. The problems with Kaspersky's claims are obvious -- not only is it a harmless "proof of concept" virus, but Linux must be installed on the iPod (something that no one outside of a few in the Slashdot crowd or MIT Media Lab is likely to do) in order for it to be vulnerable in the first place. Therefore, I would argue that Apple already does a good job of making it unlikely for an iPod to become infected; with 100 million iPods sold and zero vulnerabilities, it would be hard to argue differently.

  2. Should Apple include security features that make it less likely for an end-user to be tempted to use their iPod for evil?
    I don't know how this would be possible without restricting the user's ability to use the product correctly. One of the selling features of iPods is the fact that they can be used as a portable hard disk. Witness the explosion of portable applications designed to be launched from an iPod or datakey: common sense says there must be a market for these applications if so many vendors are creating them. Existence of a market proves there must be customer demand. Also, Mac OS X has promised the concept of portable home directories for years now and I believe this capability will be built in to iPods and OS X in the near future. So, I would say that this is not Apple's responsibility nor would it be desirable.

  3. Should Apple include security features that make it easier for IT staff to protect against end-users using iPods for evil?
    To me, this is the most legitimate angle. There are possibly arguments to be made that Apple should provide this somehow, and although I can think of a few scenarios to make this possible, there are many more questions raised. Would it be done in software? If so, would Apple charge for the software? How would the software be distributed? How would an IT person deploy, configure, monitor, and manage the software? Perhaps most importantly, what problem would Apple be solving by doing this? There are already software products in existence that could be used to block iPods (my company Faronics makes one called Device Filter Mac); what could or should Apple bring to the table that doesn't already exist?

  4. Because Apple is responsible for 100 million iPods in existence, all of which could potentially be used for nefarious purposes, does Apple have a moral or legal responsibility to ensure iPods are used for good instead of evil?
    I don't believe it is Apple's responsibility to ensure iPods are used for good any more than I believe it is Honda's responsibility to ensure a Civic is never used as a getaway car. In both cases, the product is only a means of potentially enabling a type of behavior, but is not intended to encourage that behavior. Perhaps if there were no alternative security solutions available, Apple would have some minor responsibility here, but the truth is that the worldwide market for endpoint security products is larger than the worldwide market for iPod accessories. If a need exists, someone will fill that need and profit from it. Isn't that what free enterprise is all about?

No comments: