Establishing expectations for AV vendors

Posted by Maxim Weinstein Wed, 07 Jul 2010 15:02:39 GMT

At StopBadware, we're currently revising our guidelines for badware applications. The goal of these guidelines is to distinguish between applications that are badware (defined as "software that fundamentally disregards a user's choice about how his or her computer or network connection is used") and those that aren't. One major reason for distinguishing badware from non-badware applications is to help people make informed choices before installing software that may compromise their privacy or security.

It is in this context that we ask a question that has been troubling us: if a "legitimate" anti-virus or security product has to send data about your computer use (e.g., your web search or browsing history) back to the vendor's servers to protect you as promised, how clearly should that data usage be disclosed?

Historically, we have thought of surreptitious collection of this type of data as a badware behavior. But what if the data isn't really being collected or used in any nefarious way, and the transmission of the data is necessary to make the product work as intended?

Consider a product like McAfee SiteAdvisor, a free browser plug-in that informs you of the safety of websites as you visit them or while browsing through search results. SiteAdvisor has to query a McAfee server with the URL (or the hash of the URL) of every site you visit or find during a search. This means that, if McAfee wanted to (or if a rogue employee gained access), a profile of your browsing history could be compiled and tied back to your IP address. Yet this is never disclosed in any visible way prior to or during installation. In fact, it's not even in the Privacy Policy. (It could be considered covered by a vague provision in the EULA about the collection of personal information from your computer necessary to the function of McAfee's security products.)

This is not unique to SiteAdvisor. Many AV products now query a centralized database about URLs and/or executables to ensure users are protected. In our experience, most of these products fail to disclose this potential threat to a user's privacy in any meaningful way.
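To make the privacy concern concrete, here is an added, constructed model of a URL-reputation lookup (this is illustration written for this page, not SiteAdvisor's or any vendor's code). It assumes the client hashes each URL with SHA-256 before sending it, uses made-up example URLs and IP addresses, and goes one step beyond the text by contrasting a full-hash query with a hash-prefix query, where the client sends only the first few hex characters and finishes the comparison locally. The point it demonstrates: hashing the URL does not stop the operator from rebuilding a per-IP browsing history, because the operator can hash a dictionary of known URLs and match them against the log.

```python
"""Constructed model: what a URL-reputation server learns from each query.
Added example for illustration; hash choice, URLs and IPs are assumptions."""
import hashlib
from collections import defaultdict

# Constructed sample data: a small blocklist and a "dictionary" of URLs an
# operator might hash in order to reverse the hashes it has logged.
BLOCKLIST = ["http://malware.example/dropper.exe", "http://phish.example/login"]
KNOWN_URLS = BLOCKLIST + [
    "http://news.example/",
    "http://bank.example/account",
    "http://health.example/clinic",
    "http://search.example/?q=divorce+lawyer",
]


def url_hash(url):
    """Client-side transform assumed for this model: SHA-256 of the URL."""
    return hashlib.sha256(url.encode("utf-8")).hexdigest()


class FullHashServer:
    """Client sends H(url); the server learns exactly which hash each IP asked about."""

    def __init__(self, blocklist):
        self.bad = {url_hash(u) for u in blocklist}
        self.log = []  # (client_ip, full_hash) pairs retained by the operator

    def query(self, client_ip, url):
        h = url_hash(url)  # what the plug-in would compute before sending
        self.log.append((client_ip, h))
        return "unsafe" if h in self.bad else "safe"


class PrefixServer:
    """Client sends only a short hash prefix; the server answers with every
    blocklisted full hash under that prefix and the client compares locally."""

    def __init__(self, blocklist, prefix_len=2):
        self.prefix_len = prefix_len
        self.bad = {url_hash(u) for u in blocklist}
        self.log = []  # (client_ip, prefix) pairs: all the operator sees

    def query(self, client_ip, url):
        h = url_hash(url)
        p = h[: self.prefix_len]
        self.log.append((client_ip, p))
        matches = {b for b in self.bad if b.startswith(p)}  # server's reply
        return "unsafe" if h in matches else "safe"  # decided on the client


def reverse_full_hashes(log, dictionary):
    """Operator-side reconstruction: hash every dictionary URL and look the
    logged hashes up. Anything not in the dictionary stays unknown."""
    table = {url_hash(u): u for u in dictionary}
    profile = defaultdict(list)
    for ip, h in log:
        profile[ip].append(table.get(h, "<unknown>"))
    return dict(profile)


def reverse_prefixes(log, dictionary, prefix_len=2):
    """Same attempt against prefix queries: each log entry only narrows the
    visit to the set of dictionary URLs sharing that prefix."""
    buckets = defaultdict(set)
    for u in dictionary:
        buckets[url_hash(u)[:prefix_len]].add(u)
    profile = defaultdict(list)
    for ip, p in log:
        profile[ip].append(sorted(buckets[p]))
    return dict(profile)


def demo():
    """One constructed client visiting three pages through both server designs."""
    visits = [("203.0.113.5", u) for u in [
        "http://bank.example/account",
        "http://health.example/clinic",
        "http://phish.example/login",
    ]]
    full, pref = FullHashServer(BLOCKLIST), PrefixServer(BLOCKLIST)
    return {
        "verdicts_full": [full.query(ip, u) for ip, u in visits],
        "verdicts_prefix": [pref.query(ip, u) for ip, u in visits],
        "profile_full": reverse_full_hashes(full.log, KNOWN_URLS),
        "profile_prefix": reverse_prefixes(pref.log, KNOWN_URLS),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both designs return the same verdicts, so the protective function is unaffected; the difference is only in what the log can be turned back into. With the toy dictionary above the prefix buckets are tiny, so the candidate sets look almost as precise as the full hashes; against a dictionary of millions of URLs each two-character prefix covers thousands of candidates, which is the property that limits profiling. Whichever design a vendor uses, the data it retains (and for how long) is exactly what the disclosure question in the post is about.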

So, back to the question. Is this a badware behavior, one that in this case is being perpetuated by several well-respected software companies? Or is it reasonable to expect that users either know or wouldn't care that their security comes at the price of a company having access to some private data? Is it dependent on the trustworthiness of the vendor or the stated use of the data once it's been received? What should we expect as a minimum bar from AV vendors whose products behave in this way?

Please let us know your thoughts in the comments!


Australian ISPs on the right track

Posted by Maxim Weinstein Thu, 17 Jun 2010 14:17:44 GMT

In early June, the Australian Internet Industry Association, an ISP industry trade group, published icode [PDF], a voluntary code of conduct for ISPs to follow to better fight bots on their networks. Like the previously-mentioned IETF draft, this document lays out a rationale for, and recommendations on how to implement, an ISP-level response to bots. Unlike the IETF draft, icode is a reflection of a coordinated effort by a large number of ISPs to buy in to a common framework for how to respond.

The icode framework has four parts:

  1. Education. ISPs that adopt icode are expected to educate their customers about keeping their computers from becoming compromised.
  2. Detection. ISPs can implement their own detection methods and/or get data from trusted third parties. Even better, they can get data from the Australian Internet Security Initiative, a government-led effort to centralize bot reporting by collecting bot reports from trusted providers and then distributing ISP-specific data daily to participating ISPs. (Wouldn’t it be great if we had something like this for infected URLs and hosting companies?)
  3. Action. ISPs are encouraged to act on the information about bots, through whatever combination of customer notification, password resets, bandwidth throttling, walled garden quarantining, SMTP blocking, or other measures they consider appropriate.
  4. Reporting. ISPs are expected to report “significant cyber security incidents” to governments.

icode also recommends, though doesn’t require, that participating ISPs share threat data with each other, facilitated by the Australian CERT.

One could quibble over some of the details, but it’s clear that the Australian ISPs that created and will be adopting icode are light years ahead of most ISPs (and web hosting providers) globally in tackling the spread of malware.


China restricts registration of .cn names

Posted by Maxim Weinstein Thu, 17 Dec 2009 21:24:35 GMT

The China Internet Network Information Center (CNNIC) announced new rules a few days ago that are intended to "enhance the authenticity, accuracy, and integrality [sic] of the domain name registration information."

These rules require applicants for .cn domain names to submit copies of their business license and personal ID for review by the registrar within five days of registering the name. There are two big questions that aren’t clear from the announcement:

First, does the requirement to submit a business license apply only to registrations on behalf of businesses, or does this mean that individuals are no longer allowed to register .cn domain names? The latter would be a substantial restriction on the Internet privileges of individuals in the country.

Second, what happens between the time an online registration occurs and the end of the five-day period? Is the domain active during this time, or does the domain not become active until after the paperwork is reviewed? The exact language is "From the day of the submission of online application, if CNNIC does not receive the formal paper based application material within 5 days or the application material auditing is not qualified, the domain name to be applied will be deleted." This implies that someone can sign up for a domain name with fake information, use it for five days, and then have the name revoked. I suppose that’s better than being able to use a fake domain indefinitely (sort of – it may make tracking down the perpetrator more difficult), but we’ve seen with domain tasting that this can be abused for creating ephemeral phishing and malware sites.

Underlying all of this, of course, is a long-running battle between privacy advocates who argue that being able to anonymously register a domain name extends the free speech opportunities, especially for dissidents in repressive regimes, and the security and law enforcement communities, which fret about the lack of accountability if the operator of a domain name cannot be tracked down. I’m not sure whether ICANN’s requirement for registrars to disable domains with false registrant information applies to country-level TLDs, but the CNNIC policy for .cn domains would certainly be consistent with that requirement, if more heavy-handed than we’ve seen from most registrars.

[Update 12/18: Berkman Center Fellow Donnie (Hao Dong) posted this piece explaining even more aggressive measures being taken by the Chinese government to crack down on malicious use of domain registrations. This will almost certainly reduce the number of misused Chinese domain names, but as indicated above, we may see some additional consequences.]


When bad policy attacks

Posted by Maxim Weinstein Wed, 18 Nov 2009 19:58:47 GMT

Brian Krebs at the Washington Post reports on some ill-advised proposed legislation:

The chairman of the House Oversight and Government Reform Committee introduced legislation on Tuesday to prohibit the use of peer-to-peer (P2P) file-sharing software across all federal government computers and networks.

This is what happens when policymakers fail to separate problems from the technology that the problems are built upon. It’s roughly equivalent to observing that sports cars are involved in a lot of accidents and therefore banning sports cars from public roadways. Whenever possible, legislation should avoid even mentioning specific technologies, and instead should focus on the underlying problem (in this case, the inadvertent leaking of information by government employees/computers).


Larry Clinton: Government must change market incentives

Posted by Maxim Weinstein Wed, 18 Nov 2009 16:34:24 GMT

According to Wired’s Threat Level blog, the president of the Internet Security Alliance, Larry Clinton, blames many cyber security problems on individuals and businesses failing to take responsibility for the role they could/should play:

Larry Clinton, president of the Internet Security Alliance, told senators that public apathy and ignorance played as much a role in the current state of cyber security as the unwillingness of corporate entities to take responsibility for securing the public’s data.

“Many consumers have a false sense of security due to their belief that most of the financial impact resulting from the loss of personal data will be fully covered by corporate entities like the banks,” he said. “In fact, much of these losses are transferred back to consumers in the form of higher interest rates and consumer fees.”

As for corporate and government entities that collect and store the public data, they “do not understand themselves to be responsible for the defense of the data,” said Clinton, whose group represents banks, telecoms, defense and technology companies and other industries that rely on the internet. “The marketing department has data, the finance department has data, etc, but they think the security of the data is the responsibility of the IT guys at the end of the hall.”

Clinton goes on to say that the solution lies in government creating market incentives, and he promises a proposal from the Internet Security Alliance soon. It will be very interesting to see what they propose. As StopBadware board member Michael Barrett (CISO at PayPal) has pointed out, government involvement may be a necessary part of changing incentives and behaviors in an area where externalities are inevitable. At the same time, there are other ways to modify market incentives, as StopBadware and its partners have demonstrated over the last few years. The challenge for all of us working in this space is finding the right balance of public and private interventions.

Clinton himself points out one of the risks of trying to impose new market incentives in his explanation of why consumers don’t take credit card security seriously. As soon as government put the burden of liability on the credit card issuers, consumers no longer had the incentive to protect their card numbers. (Note: one problem with this example is it’s not clear what consumers would be likely to do differently if they were on the hook for unauthorized credit card charges.)

Another concern about imposing new incentives is reflected in StopBadware co-founder Jonathan Zittrain’s work: what happens to freedom (and, by extension, innovation) as the market increasingly values security?

There are no easy solutions here, but it’s clear that market incentives do, in fact, need to be changed, and that some combination of governmental and non-governmental interventions will be required to make that happen. StopBadware and its partners have demonstrated some examples of the latter, showing that malware warnings, alerts about badware applications, and lists of infected hosting providers can encourage improved website security and better application behavior without limiting freedom. I look forward to seeing and weighing in on how ISA’s proposal complements what is being done, and can still be done, within the market.


Proposed bill pushes informed consent for P2P sharing

Posted by Maxim Weinstein Tue, 06 Oct 2009 13:51:53 GMT

As reported by Ars Technica and others, Rep. Henry Waxman (D-WA) and the rest of the House Energy & Commerce Committee are pushing a bill that requires peer-to-peer (P2P) file sharing applications to provide informed consent before installation and before making files available for sharing. The bill labels a failure to provide the required consent as an unfair trade practice, which means the Federal Trade Commission (FTC) can use its authority to punish the offending software distributor. The motivation for the bill seems to be a combination of two concerns: first, that important confidential files may be inadvertently shared by government or corporate employees; and second, that individuals accused of illegal file sharing may use "I didn’t know I was sharing those files" as a defense.

From my initial read of the bill (PDF), this seems like decent legislation. It is brief and clear in its definitions, and the only requirements are "clear and conspicuous notice," "informed consent," and the ability to uninstall or disable the software, all of which approximate the language we use in our software guidelines. There is an appropriate exception for software that is pre-installed on the computer (the user doesn’t have to consent prior to installation but is required to be notified that the software is installed). The most notable thing about the bill is probably what isn’t covered: software installed by the government (let’s call that the "FBI exemption"), non-commercial software (probably because there’s no entity for the FTC to punish for unfair business practices), and several specific categories of software that don’t look like P2P software (servers, communications apps, and security software).

I can’t help wonder about the sense in legislating behavior of only one specific type of application, but I have to admit it seems like the bill addresses the specific concerns about P2P software I alluded to earlier without overstepping. It’s good to see legislation that doesn’t try to dictate technical solutions and instead sticks to the basics: tell the user what is happening, and let him/her decide what to do next.


Ninth circuit affirms rights of anti-malware companies

Posted by Maxim Weinstein Mon, 06 Jul 2009 17:35:09 GMT

In an important case for the anti-malware industry, the United States Court of Appeals for the Ninth Circuit affirmed a lower court ruling that anti-virus firm Kaspersky was protected by section 230 of the Communications Decency Act (CDA) in deciding to block software by Zango, which Kaspersky deemed adware or spyware. StopBadware is a member of the Anti-Spyware Coalition, which filed an amicus brief encouraging the court to find in Kaspersky’s favor. (Side note: one of Zango’s products was labeled by us as badware prior to this lawsuit.)

At issue were three key questions:

  1. Is Kaspersky an "interactive service provider," which is the entity that is protected by CDA section 230? The courts found that it is, as the term is defined by the legislation to include providers of software intended to filter or disallow objectionable content.
  2. Is adware or spyware "objectionable content," as intended by CDA section 230? The courts found that it is, as the legislation is explicit in allowing the filtering of "content that the provider or user considers obscene, lewd, lascivious, filthy, excessively violent, harassing, or otherwise objectionable."
  3. Does Kaspersky have to prove "good faith" in order to use CDA section 230 as a defense? The courts ruled that no such proof is necessary, as the section that Kaspersky is using as its defense does not include a good faith clause. (In a concurring opinion, one of the judges noted the potential for this section to be abused if there is no good faith requirement, but affirms that in the Zango v. Kaspersky case, Kaspersky does not have to prove good faith.)

The concern about the good faith clause is an important one. In fact, the ASC amicus brief specifically asked the court to consider whether the good faith provision in one section of the legislation could be implicitly applied to another section. The court left this at least somewhat open with the concurring opinion’s stated concerns. While the judge’s concern was about anti-competitive behavior (e.g., Symantec blocks access to McAfee’s website as "objectionable"), one could imagine a case where a piece of badware, installed without a user’s permission, tries to hide behind CDA 230 because the software is blocking access to content the "provider" (i.e., the badware distributor) considers objectionable. Hopefully, if such a case occurred, the courts would find that the intent of the law was not to provide enforced blocking on users without their knowledge or permission.

Overall, we’re very pleased by the circuit court’s decision, as it is critical for anti-malware companies to be able to warn about or block potentially unwanted software without fear of liability.


Goldsmith: Govt. should set PC security standards

Posted by Maxim Weinstein Thu, 02 Jul 2009 16:53:12 GMT

In a New York Times op-ed piece today, Harvard Law School Professor and Berkman Center Faculty Co-Director Jack Goldsmith called on the federal government to regulate consumer-level PC security:

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.

Obviously we at StopBadware agree strongly with the first paragraph. Rather than taking a position on the second, I pose these questions that would have to be answered about Prof. Goldsmith’s policy recommendations:

  • Would computer security standards be based on technology (e.g., computers must have real-time anti-virus scanning), principles open to interpretation (e.g., computers must be kept updated with security fixes), or something else? In any case, who decides on these standards and how do we ensure that they are kept current and do not benefit the software industry more than they benefit national security?
  • If ISPs are expected to play gatekeeper, how do we build transparency and a fair, responsive appeals process into the system? What happens when an ISP blocks my connection because they think I’m sending spam, when in fact I’m operating a high-volume, opt-in mailing list?
  • If the government "jump-starts this education," who will actually provide the education? After all, blocking a user from the Internet because his computer is infected does not educate the user, it just creates a motivation for the user to become educated. Is the responsibility of helping the user to clean up and protect his PC the ISP’s? The government’s? StopBadware’s? Or is the user just expected to be on his/her own?

These are not trivial questions, but there is precedent for answering all three successfully. Our Badware Guidelines have been a helpful tool in identifying applications that dip below a certain level of community expectations. Our independent review process keeps a check on our data partners’ autonomous detection of badware websites. And our BadwareBusters.org community and StopBadware security tips have proven a useful educational resource for website owners with compromised sites.

Despite these successes, there are many differences between Prof. Goldsmith’s proposal and StopBadware’s independent, voluntary system. And setting minimum security standards for computers is a different animal than setting behavioral standards for applications. It remains to be seen whether the questions above can be adequately answered within a system like the one described by Prof. Goldsmith.


President Obama addresses nation on cyber security

Posted by Maxim Weinstein Fri, 29 May 2009 15:49:14 GMT

Within the past hour, President Obama addressed the nation from the White House to emphasize the importance of cyber security, to announce the release of the administration’s report of its 60-day cyberspace policy review, and to announce the creation of a new White House position, the Coordinator of National Cyber Security.

This represents an enormous step forward in national awareness of the role cyber security in general and malware in particular play in our economy and our physical security. Having the "leader of the free world" describe the threat of botnets and spyware on national television will expand press and citizen interest in this issue.

As important as the threats, though, are the freedoms that the President discussed. He emphasized the importance of preserving both personal privacy and net neutrality while securing our infrastructure. He also pointed out that this will require a collaborative effort amongst individuals, schools, corporations, and governments from the local level through the national level, not just in the U.S., but internationally, as well.

The attention is an important start, but of course execution is the key. Melissa Hathaway, Cybersecurity Chief at the National Security Council, posted some information about the policy review she led, as well as links to the report (PDF) and to the papers that informed the report. Based on a preview of the report that Melissa Hathaway delivered at the Kennedy School last night, I expect the administration is moving in the right direction. I look forward to reading the report, and I encourage others to do so, as well. Meanwhile, it’s up to all of us to work together to build a safer Internet. StopBadware looks forward to playing a role in bringing together the people, the organizations, and the data that make this possible.


President's cyber security plan misses the (end)point

Posted by Maxim Weinstein Tue, 27 Jan 2009 18:55:13 GMT

President Obama’s cyber security plan is revealed within the Homeland Security agenda posted on Whitehouse.gov. The plan echoes many of the recommendations made in a report (PDF) by the Commission on Cyber Security for the 44th Presidency.

The elements, all of which are sensible, include:

  • Appointing a national cyber advisor
  • Investing in R&D for infrastructure security
  • Working with the private sector to set standards for infrastructure security
  • Working with industry to develop safeguards against cyber-espionage
  • Shutting down untraceable payment schemes used to facilitate cybercrime
  • Providing law enforcement with money and training to improve their cybercrime enforcement efforts
  • Setting standards for securing personal data and disclosing data breaches

If the administration makes progress towards all of these goals and plays its part well, this would represent a significant step forward in the fight to secure our homeland security and to protect consumers.

I am, however, disappointed that the President’s plan does not include elements specifically focused on botnets and other malware that present a risk to individuals, business, and critical infrastructure. As demonstrated in the 2007 cyber attack against Estonia, infected PCs can be used to attack infrastructure. Just as a traditional military strives to not only defend its assets, but also to reduce its opponent’s armaments, we must work to get the malware off of users’ PCs. A sensible federal cyber security policy should include a focus on education, technology, and research to help keep users’ PCs safe. Ideally, this would incorporate working with the private sector to encourage data sharing, engaging the academic and malware research communities, increasing funding for non-profit initiatives such as the National Cyber Security Alliance (and, dare I say, StopBadware.org), and investing in the development of new technologies and new policies aimed at keeping computers secure.
