
Microsoft Proposes Each PC Needs A Health Certificate or No Net Access Allowed

Microsoft has proposed a plan that each PC would be required to present a "health certificate" or else be considered too sick to connect to the Internet.

By Ms. Smith on Wed, 10/06/10 - 6:21pm.

Many security experts have talked about quarantining infected computers, but Microsoft has proposed a plan that each PC would be required to present a "health certificate" or else be considered too sick to connect to the Internet.

Scott Charney, Microsoft’s vice president of trustworthy computing, presented his idea of "implementing a global collective defense of Internet health much like what we see in place today in the world of public health... Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others."

Charney gave his speech at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, and posted his "vision" on his blog. Other countries like Australia and the Netherlands are attempting similar security models; Charney uses examples like France’s Signal Spam or Japan’s Cyber Clean Center as cyber models to keep only healthy computers online.

Comparing the proposal to a global collective defense for health is not necessarily comforting. How many older computers would be digitally quarantined because of false positives? Think back a year to the H1N1 hysteria, in which unvaccinated persons were deemed a threat to everyone's good health. If a computer cannot present a "health certificate" and is cut off from the Internet, wouldn't that be similar to denying a sick person transportation to a doctor's office? How does the sick computer get well without the tools or "medicine" available at Dr. Net?

Should ISPs like Comcast be responsible for cyber-patrolling and sending out bot notifications to all of their customers? Krebs on Security reported that the FCC may encourage ISPs to be more proactive in cleaning up bot-infected computers. How does an entity go about it: by throwing scareware-style warnings onto startup screens, or simply by cutting off Net access? Does this lead to downloading software to monitor PC health? This could very well be a disaster, as it would be far too easy to abuse. An ISP could decide a computer was sick and couldn't connect to the Net simply because that computer uses too much bandwidth. I've seen domains be shut down as hosts insisted they were under DDoS attacks... but the reality of the situation was Slashdotting or the Digg effect. That may be close, but the intent was not malicious.

Graham Cluley, of security firm Sophos, told the BBC, "Microsoft doesn't have a faultless record when it comes to security. It has improved over the years, but every month they have to release a package of updates. There may be some who would say that Microsoft shouldn't be on the internet until they get their own house in order."

Whose software gets access to your data in order to scan your computer for good health? Who decides who gets to play doctor and peek under the sheet? Does this mean violating privacy and civil liberties by installing a possible backdoor? Microsoft Security Essentials is not a bad product, but hello? C'mon Microsoft! Harden your OS, or ban Windows from the Net, since that is where botnets, viruses, trojans and malware thrive.

Microsoft plans to advocate for legislation and policies to help advance the model in a way that "advances principles supporting user control and privacy." However, unless there is a giant collective NO to more privacy and freedom violations, online regulations and cyber-patrols may inevitably open users up to more surveillance by authorities.

Charney wrote, "Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association."

What do you think of Microsoft's proposal that if a computer is not well enough to be issued a health certificate, then it's no Internet access for that PC? Is this the answer to clean up botnets or an invitation to Big Brother?

Follow me on Twitter @PrivacyFanatic