
Our current software architectures are still fighting the last war. Our software architectures date from the 1970s, when there were several people per computer, a large fraction of users were programmers, programs operated on passive files, programs were assumed to operate in their user’s interests, and users were aware of the file system as the repository of their persistent data. Users composed the functionality of separate programs by sharing file access among them.

Today, there are many computers per person, the vast majority of users are non-programmers, apps interact with cloud-based services, these apps serve many interests besides their user's, and users interact with many app-based persistent filing systems -- Gmail, iTunes, web search -- none of which they understand in terms of conventional file systems. Instead, users need other means to compose these apps together, along with the content these apps manage -- photos, location and other feeds, contacts, gadgets, etc. Their current composition choices offer either poor usability or poor security.

By composition, users give one app access to the fruits of another app. Like it or not, to compose securely is to make access control decisions. To enable users to compose apps securely, we must design user interface frameworks (desktops, browsers, ...) that gently suggest and guide the user into forming models of the security implications of their actions. We must find access control models that users can learn without thinking much about it, and to which our implementations can remain faithful, so that the model does not mislead them. Only then can users afford to make informed choices about their risks.

Powered by Google Project Hosting