Convenience or security: Who decides which is more important?

A fascinating discussion in the IT Security Blog raises an equally fascinating question: Who decides when convenience is more important than security?

On June 15, 2011, in the TechRepublic IT Security Blog, Donovan Colbert reported a somewhat disturbing convenience feature in some Android devices that creates, at the very least, a potential security problem. The subsequent discussion thread is very enlightening.

There is a setting in certain Android devices that will back up some of your personal data to Google servers unless you decide to opt out. The official wording:

"Check to back up some of your personal data to Google servers, with your Google Account. If you replace your phone, you can restore the data you've backed up, the first time you sign in with your Google Account. If you check this option, a wide variety of your personal data is backed up, including your Wi-Fi passwords, Browser bookmarks, a list of the applications you've installed, the words you've added to the dictionary used by the onscreen keyboard, and most of the settings that you configure with the Settings application. Some third-party applications may also take advantage of this feature, so you can restore your data if you reinstall an application. If you uncheck this option, you stop backing up your data to your account, and any existing backups are deleted from Google servers."

(Thank you, Michael Kassner)

At first glance, all of that sounds very convenient, but as Donovan points out, when you start to consider what information is actually being saved on Google's servers, you may wonder if your convenience is coming at too high a price with regard to security.

For example, consider the information Google is saving if your Android device connects to your corporate Wi-Fi network: after a successful connection, the access codes to your enterprise network are stored on a Google server. If you then access that Google server with another device on another Wi-Fi network, using only the credentials required to access your Google account, those corporate access codes will be "restored" to your new device. A malicious user could potentially acquire access codes to a corporate network by merely knowing a Google username and password. On public networks, that information is not difficult to come by.

As you can imagine, this does not sit well with IT professionals who are responsible for maintaining secure networks. Such potential security vulnerabilities will likely cause many network administrators to make policy changes with regard to the use of Android-based devices on their corporate systems.

Potential versus actual threat

Now, the scenario described above and the other issues raised by Donovan in his article are serious, but they are mostly in the potential threat category at the moment. We know of no actual abuses of this Google-provided feature for Android devices. But that is not the real issue, is it?

The problem with the feature is that Google has chosen to make it an opt-out transaction. The default on many devices is to check the box in the settings control that allows Google to store this sensitive data. However, that is not the secure and responsible approach. Users should have to actively opt in to the feature. Google should be erring on the side of security over convenience. The only person who has the right to make the decision to override security in favor of a convenience feature is the user, not the vendor, service provider, or software developer.

Do you agree or disagree? Do you think the potential security risks are overstated or understated? Do older IT professionals and computer nerds like me need to chill, or do we provide sage wisdom?