Who would want to police the internet? Who would want to search a virtual haystack for a million needles?
Step forward, Microsoft. The company’s drive to improve the security of its software products is just part of an ambitious programme to locate and defang the fraudsters, scammers and miscreants who lurk online.
Redmond has already sued spammers, promising to use the proceeds on other antispam and social IT initiatives. But the anti-phishing tools built into IE7 — and due for earlier release in the MSN toolbar — reveal that Microsoft intends to take an even more proactive role in cleaning up the internet.
Computerworld was shown the anti-phishing technology as part of a Vista demo at Tech Ed last week. When a user visits a website, the URL is checked against a local list of sites known to be “clean”. The URLs of possibly bogus sites are dispatched to Microsoft, and the browser lets the user know whether the site is considered safe, suspicious, or downright dodgy.
This isn’t a pure technology solution; Microsoft says it will maintain its lists with human beings. Humans are expensive, don’t scale well, are difficult to cluster and notoriously tricky to debug, but many also possess a streetwise cunning that lets them quickly distinguish between genuine websites and genuine web scams.
Microsoft is taking a big step in this endeavour. Shouldering responsibility for maintaining those lists will be an onerous and sometimes awkward job. Some false positives are probably inevitable, which will lead to some court cases where wronged companies seek redress with the redistribution of some of Microsoft’s wealth. Some victims, fooled by phishers who hadn’t yet been caught by Redmond’s finest, are going to blame Microsoft for not protecting them.
Microsoft says the anti-phishing tool will be opt-in — users will have to specifically say they want it enabled — but many, of course, will. Before long, millions of Windows users will be sending the company information about all their browsing habits. Although Microsoft says that data will only be kept in aggregate form, that’s still hugely valuable information.
The company also says it will approach service providers with information about dodgy websites operating on their networks. It’s clear Redmond’s ambition to be the expert on “trusted computing” doesn’t just extend to more secure software; it’s prepared to take a more active role in protecting the weakest link: the user.
Those users will probably welcome Microsoft’s efforts. The company has shown it can produce secure software; releases such as the latest version of IIS have proven to be at least as secure as open-source alternatives. The mainstream media often present Microsoft staff as security experts, even when they’re discussing a hole in their own software.
Security-related decisions that were expected to be controversial, such as enabling the XP firewall and automatic updates by default, have largely been accepted without complaint.
Okay, so idiots on the internet will be safer, but I must admit to mixed emotions. The internet has always had an anarchic appeal, and the fact that there will be fewer zombies, spambots and phishing sites around doesn’t quite make up for the fact that the internet is a more interesting place when you have to keep your wits about you.
Cooney is Editor of Computerworld