Google, Sun Backing New Anti-Malware Effort
Harvard, Oxford researchers aim to create Internet defensive strategies geared to consumers.
Major figures at Sun and Google – including Vinton Cerf, one of the inventors of the Internet and now Google’s Chief Internet Evangelist – are backing a new academic anti-malware initiative that aims to spotlight spyware purveyors and ultimately give besieged computer owners simple technologies to guide their Web surfing and downloading decisions.
The new effort launches today in the form of a website, www.stopbadware.org, created by Harvard Law School’s Berkman Center for Internet and Society and Oxford University. The site’s initial function is to serve as a collection point for empirical information – from consumers and technical experts alike – about nasty code that infects computers and aims to steal data, send spam, and churn out obnoxious pop-up advertisements. The researchers behind the effort plan to use this data to understand the scourge, spotlight offending malware purveyors, and generate consumer-friendly defensive strategies.
Malware (or the anglicized “badware”) is a catchall term for little pieces of code that can ride like parasites inside pieces of software, games, and other objects downloaded from web sites. In some cases, the malware slips in when the user merely visits certain sites.
Infected machines often slow down dramatically and begin generating error messages. According to a recent Pew Internet & American Life Project, the computers of roughly 59 million Americans suffer from these digital infections. And home computer users spent roughly $3.5 billion in 2003 and 2004 to fix the problems, according to a recent Consumer Reports investigation.
“There are lots of efforts at fighting spyware or badware,” says John Palfrey, the Berkman Center’s executive director. However, he adds, until now “there has been no consumer-focused, disinterested, nonprofit effort that will give consumers guidance in terms of what they want, or don’t want to download on their computers. We can bring expert guidance.” The research team will comprise researchers at academic institutions, including Harvard, MIT, and Oxford.
While the research will be done by academic figures, Palfrey says, it is supported by grants from Google, Sun, and Lenovo, the Chinese company that bought IBM’s PC business. He said the grants are in the “multi-year, multi-million dollar” range. Consumers Union, the publisher of Consumer Reports magazine, is helping design the program and assisting with strategies for notifying and educating consumers.
Google’s Cerf will offer technical input when it’s sought by the researchers, Palfrey says, as will his two counterparts at Sun, Greg Papadopoulos, chief technical officer, and Carl Cargill, director of standards, and Lenovo’s George He, chief technology officer.
Asked what service or product he hoped to see coming from the effort, Cerf replied via e-mail that he sought “specific information for users about known badware” and “alerts for the software, networking, and operating systems industry about problems.” He added that “by cataloging as many of the known bad software cases and their means of infection, we may be able to assist operators and programmers to filter, inhibit, or even eliminate such software in a more automatic fashion.”
The team hopes to publish academic research, inform consumers, and highlight offending companies. Its long-range goal is to give consumers a simple collaborative technology for gauging the likely hazards of a web site they are considering visiting, or a file they’re considering downloading.
Berkman cofounder Jonathan Zittrain, now also the chair in Internet governance at Oxford, who helped hatch the idea for www.stopbadware.org, says this technology might take the form of a kind of PC “dashboard” that indicates the level of novelty or danger associated with a piece of code. This “dashboard” would draw upon the anonymized, aggregated mouse clicks and experiences of thousands or even millions of PC users.
To be sure, companies like Symantec are already offering sophisticated anti-malware products. Microsoft, too, regularly provides operating system updates meant partly to fight malware. And myriad small companies offer services; a recent entrant, SiteAdvisor, is launching a product that offers web site ratings based on its automated web-crawling technology.
The key question all consumers should ponder, Zittrain says, is: Who gets control over decisions to either banish a piece of code, or allow it through? “The definitions of what is bad and what is not are not agreed upon; software is constantly changing,” he notes. So giving one company control over the decision to block may not be the right decision for all people.
Zittrain argues that today’s anti-malware efforts may prove to be highly effective solutions. Yet they also reflect a toehold of corporate control over individuals’ computer activities that could metastasize into something more invasive, or one day serve as a vehicle for court-ordered software purges. Consumers should worry, too, that a worsening of Internet security – especially a successful cyber-attack – could precipitate heavy-handed government regulation akin to the USA Patriot Act that followed the September 11 attacks.
Zittrain describes the project as an effort to head off this dystopia, and preserve consumer willingness to operate open PCs. He calls the project a “collaborative effort to define the axes along which software can be evaluated, to develop and distill those evaluations in ways that consumers can understand, and in which they can participate, and to ultimately create an environment where heavy-handed regulation isn’t called upon to deal with these ills in ways that cause a lot of collateral damage.”
Sun, Google, and Lenovo did not immediately respond to interview requests. In a written statement, Cerf sounded a dire tone: “I believe the potential growth of the Internet will be limited if we allow invasive badware and spyware to continue to fester without strong action. All consumers must be in control of their experiences when they browse the Internet and the mass proliferation of badware threatens this control. We cannot allow that to continue. In order to stem the unimpeded growth of badware, we must develop a better understanding of the avenues by which this abusive behavior is conducted in order to inhibit its effects – and I believe that this initiative will help with that.” He added: “The providers of Internet services and software simply must get this problem under control.”
Cerf and Google left unanswered such questions as whether their www.stopbadware.org involvement might presage a Google bid to enter the PC market with, say, a machine that wards off “evil.” Cerf was cagey about the connection to Google’s corporate moves, offering only the usual high-level Google mission statement that the company would “continue on its path to organize all kinds of network-based information and learn how to index it so that it can be found again. We hope to make what is found more relevant to what the users are looking for at any particular moment.”
What’s clear is that the malware problem is far more than merely annoying. To many leading figures in Internet research, these problems could erode consumer confidence to the degree that Internet growth is stalled (see “The Internet Is Broken”). Earlier this year, MIT’s David D. Clark, an Internet elder statesman and onetime chief protocol architect, characterized the problem this way in a conversation with Technology Review: “We might just be at the point where the utility of the Internet stalls – and perhaps turns downward.” In recent months, Clark himself has been trying to cobble together a government-funded research effort to design new Internet architectures more in tune with the modern era, incorporating security features and other improvements.
Home page image courtesy of William Thomas Cain/Getty Images.