In a pretty strange move, Microsoft may be required to remove some security features from Vista based on a warning from EU regulators. The thinking is that if Microsoft includes additional security features, other companies who sell security products may not be able to compete as effectively; check out the logic:
"...computer security depends on diversity and innovation in the field of security software, (and) such diversity and innovation could be at risk if Microsoft was allowed to foreclose the existing competition in the security software markets... [this] would ultimately harm consumers through reduced choice and higher security risks."
Their position is both true and alarming at the same time. It's true because, in some ways, they're right: Microsoft offering certain types of security software - like antivirus, personal firewalls, and/or spyware protection - could impede the ability of some of the niche players in that space to compete. Moreover, this isn't a point the EU folks have made only recently; it's a continuation of points EU regulators have made before about Microsoft's role in the security software space - it's been at issue ever since MSFT acquired GeCAD.
On the other hand, it's alarming as well. Alarming because while it makes sense for AV and (potentially) spyware, the extent to which they expect Microsoft to "leave security alone" in other areas is unclear. Would, for example, Microsoft be required to exclude technologies like stack layout randomization because it reduces the efficacy of HIPS solutions? Not to mention that there are some who would argue that the courts are preventing MSFT from cleaning up their own mess. For example, you've heard folks who think that the festival of malware is because of poor engineering on Microsoft's part, right? Many users say things like "[Microsoft] shares some blame here, especially for creating such a swiss-cheese virus delivery client" and "Microsoft is responsible for this mess and we all know it." So, if Microsoft is responsible for the problem, shouldn't they be allowed to fix it? I don't know the answer, but it's an interesting question.
I'll also admit that I don't think that I buy the argument from EU regulators that Microsoft adding security features "would ultimately harm consumers through reduced choice and higher security risks." Or, at least, I think they should clearly specify which features they're talking about; for example, I'm not sure that features that we've had around forever like auto-update, EFS, heap protection services, and Authenticode (which all arguably have security benefit) reduce choice or increase security risks. And after all, there are tons of products that compete with those features: CA Unicenter's SDO for example arguably competes with Autoupdate and PGP's Full-Disk Encryption arguably competes with EFS. It seems to me that an argument about competition issues could have been made about these features before they were released; but yet, at the end of the day, there was none.
Posted by Ed at September 14, 2006 09:20 AM