How (Not) to Slow the Spread of Computer Viruses

Microsoft, without a touch of irony, says that a healthy Internet is one that quarantines infected computers.

When Scott Charney came to Berlin earlier this month for a conference on Internet security, he discussed an idea — "Internet hygiene" — that's now enjoying some fashionable attention. Internet hygiene is nothing more than good, clean computing practice to keep your machine virus-free. But Charney, Microsoft's vice president of trustworthy computing, took it a step further. He suggested that infected computers ought to be quarantined.

"If a device is known to be a danger to the Internet," he said, "the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet."

At the International Security Solutions Europe keynote speech on Oct. 5, Charney compared infected computers to diseased human beings and called on "government, industry and consumers" to support public-health-style strategies to keep the Internet clean. "For a society to be healthy," he said, "its members must be aware of basic health risks and be educated on how to avoid them."

He worried, in particular, about denial-of-service attacks, or large-scale floods of data directed at a server with the idea of making it crash. Since denial-of-service attacks rely on armies of unsuspecting private computers (or "botnets") infected with a virus, Charney's concern for the health of ordinary private PCs might seem sensible. But it's ironic that these recommendations come from a Microsoft executive, because botnets regularly use flaws in Windows to propagate.

In fact, public-health metaphors can easily turn awkward for Microsoft.

EUROPEAN DISPATCHMichael Scott Moore complements his standing feature in Miller-McCune magazine with frequent posts on the policy challenges and solutions popping up on the other side of the pond.

Michael Scott Moore complements his standing feature in Miller-McCune magazine with frequent posts on the policy challenges and solutions popping up on the other side of the pond.

"While the poor sap who ends up catching bird flu might have to stay indoors for a couple of weeks," writes Davey Winder at the British tech blog ITPro, "the farmer whose chickens carried the disease will have his flock destroyed. Transfer this into the world of tech, and Old Farmer Microsoft could surely find itself having its flock of Web browser clients and operating systems put down for effectively 'allowing' the disease to spread."

Charney suggested a system of "health certificates" that computers can show to service providers. A certificate would be a digital profile of a user's system, with certain details to suggest whether the machine has a virus. Any machine with a failing bill of health would be kept off the Web. Of course, a good virus writer would learn to forge these certificates.

Charney's recommendations are a tacit admission that Microsoft can't control its own product. We can't prevent bugs in Windows, he basically said in Berlin, so we're going to suggest scrubbing the Internet — at the level of a customer's hard drive — instead.

There are, however, a few policy precedents. In 2005, the French government hired a private company called Signal Spam to gather customers' denunciations of unwanted e-mail as "spam." The company's database then builds blacklists of spammers, which it provides to ISPs as well as the government, to block and prosecute large-scale violators.

Signal Spam is considered a success, and Microsoft helped the French government develop the system. But the European Commission, which announced a new push last month to combat denial-of-service attacks and other forms of cybercrime, is happily not too interested in Charney's notion of hygiene.

"While the commission does not deem that it is currently feasible to replicate public health models to treating 'infected' computers," Michele Cercone, a spokesman, told me, with a blandness typical of Brussels, "it shares the concern regarding more prevention against cyber threats and more responsibility for individual users to protect their computers."

Commenters on Microsoft's own site were less bland. "Oh no you didn't just go there!" writes one Debbie Mahler in response to Charney's official post about banning unsafe machines from the Internet. "... By that logic we need to remove every machine running Windows! Great job Microsoft!"