Microsoft: Want Unrestricted Net Access? Need PC Health Certificate

Microsoft took a softer "Collective Defensive" approach to requiring a certificate of good health for each PC before allowing the device "unfettered" Internet access.

At the RSA conference, Scott Charney, Microsoft's VP for Trustworthy Computing, presented a revised "health certificates" for computers proposal. This time Charney had a softer approach, addressing more privacy concerns, to the "Collective Defense" which still is about certifying the good health of computers before the devices are allowed "unfettered" Internet access. In October, many people voiced objections when Charney proposed that each PC needed a health certificate or no Net access allowed.

When Charney profiled the cybersecurity Collective Defense proposal, he still emphasized the greater good would be served to the "IT ecosystem as a whole" by devices being certified as healthy. "To realize this vision, governments, the IT industry, and Internet access providers should ensure the health of consumer devices before granting them unfettered access to the Internet."

He maintains that privacy concerns must be addressed, yet in Microsoft's Collective Defense: Applying Public Health Models to the Internet [PDF], two of the shared principles for progress are:

Voluntary behavior and market forces are the preferred means to drive action, but if these means fail, governments should ensure these concepts are advanced.

ŸPrivacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.

Computer viruses may spread faster than viruses in real life, and people are sometimes (rarely) quarantined to prevent the spread of viral epidemics, but the idea that governments or ISPs should police PCs before granting unregulated connectivity is troubling. Charney previously worked for the Justice Department to combat computer crime, so the idea of the government having even more surveillance power may not alarm him in the least.

In theory, the scope of the program would be limited to gathering device health information. According to Charney's blog post, other purposes should not include "the enforcement of intellectual property rights or the creation of marketing profiles." Yet the same article suggests that users might not have a malware infection, but could be notified of other "problems or configuration issues" that could increase the risk of the computer becoming infected with malware.

Whose software gets access to your data to scan your computer? Microsoft put out a video that might provide an answer. In it, a women visits the bank where she is offered a pilot program to improve online security. She is "concerned about the prospect of cybercrime," so she signs up. (At that point in the video, it sort of set my teeth on edge, as it seemed to imply that anyone who might choose not to sign up would not care about cybercrime or security.) The pilot program gives the bank consent to check her PC health "before transmitting sensitive financial data." However, due to a busy life full of distractions, her antivirus is out-of-date (this is funny since it shows a big Microsoft warning to update her antivirus, but she must have choosen to ignore it). The bank's computer health check determines the antivirus is outdated, so she must fix that problem before she is allowed to connect to online banking.

That scenario doesn't sound too far from the truth since there are many computers that are not kept updated with Windows patches or antivirus, anti-spyware, anti-malware, etc. Cybercrime is growing and many computers have malware infections, running botnets without the users being aware of it. But is the answer this push from Microsoft that a device must be certified as healthy? At least in the video, a "private" company did the PC health test scanning.

Microsoft's Collective Defense paperwork talks of users having control over health certificates while also understanding "implications of refusing to attest to good health." It suggests that health certificates for PCs could reveal the state of the machine only, or uniquely identify devices, or a combination to identify user and device.

To what extent a health system should allow specific devices and their users to be identified cannot be resolved here, but it is important to note that a carefully architected system that embraces privacy by design, along with carefully constructed threat models that contemplate potential abuses of the health system, can help ensure the right technical and non-technical controls are in place to mitigate potential social harms and ensure the appropriate balancing of interests.

Generally when we've seen security compared to privacy in terms of "balance" — it equals a loss of privacy for more security theater. Charney's blog said the time for action is now. So what do you think? Does Microsoft's revised health certificates for PCs sound better to you than Charney's proposal in October . . . or does it basically sound the same?

Like this? Check out these other posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!