
Analyzing Microsoft VP’s quarantine advice

By George Ou, 5 March 2010

Microsoft’s VP Scott Charney made quite a few headlines this week at RSA’s security conference when he suggested that perhaps an Internet tax is needed to fight malware. Predictably, this incited quite a few rebuttals that perhaps Microsoft should pay for the malware infestations, since it’s primarily a Microsoft Windows problem. I view both ideas as silly: there are alternatives for dealing with malware that don’t require an Internet tax, and Windows isn’t the only vulnerable operating system, since most modern-day hacks happen because of bad user behavior.

But there was another part of Charney’s suggestion: the idea that infected computers need to be quarantined. This is actually an old idea that has been used sporadically at various ISPs since the early 2000s. Comcast implemented something a little more proactive late last year, but Comcast’s system doesn’t actually quarantine infected customers; it only asks them to clean their computers.

Note: Network engineers and security professionals have long known that a centralized network-based Intrusion Detection System (IDS) combined with network-wide vulnerability scanning is extremely effective at stopping rapidly spreading worms and mass infections, but these systems have largely been limited to private networks. If we see a vulnerable computer that’s ripe for hacking, or a computer that is actively trying to infect other computers, we quarantine that computer until it’s patched and, if necessary, cleaned.

The problem is that infected-PC quarantines need to be implemented on a very wide scale to be truly effective. The hangup is that it’s a sensitive business issue: customers who often know they’re infected with something would rather continue using the Internet, and they couldn’t care less whether anyone else gets infected. As far as the customer is concerned, they’re already a victim and they’re paying for broadband access. If their ISP cuts off their service until they clean their computers, it’s going to cost them one or two hours of computer repair labor to get the problem fixed.

If the ISP merely warns the customer, it might not be very effective, because infected users often know they’re infected and choose not to do anything about it because of the cleanup expense. If the ISP really forces the issue by invoking a quarantine, the customer might go to another ISP, unless more ISPs begin adopting the same quarantine policies. Of course, if every ISP implemented quarantines, that might sound draconian, but there would be far fewer infections in the first place, which would benefit everyone. But how do we get all ISPs onto a quarantine policy? Charney mentioned government action, but perhaps voluntary industry cooperation is a better alternative.

An interesting side topic that Charney brought up was privacy and piracy.  Charney believes that it’s OK to scan networks for malware but not pirated content on the grounds of privacy issues.  This is a strange argument on multiple levels.

For one thing, the issue of copyright detection is effectively moot, because it isn’t practical to scan for pirated content on the network to begin with. Peer-to-peer (P2P) traffic, which is almost entirely used for piracy, is often encrypted. If network-based piracy detection were implemented, we could expect nearly everyone to start enabling P2P encryption. Malware or malicious activity, on the other hand, generally can’t be encrypted, because the target systems don’t support encryption, and that lack of encryption makes malware scanning easy.

As for the privacy concern in general, network scanners aren’t looking for private data; they merely look for matching signatures of known malicious activity. These network scanning systems that look for malicious traffic signatures aren’t trying to collect information on consumers for advertising purposes or personal details about consumers. This is the equivalent of going through a metal or chemical-residue screening system, which most people don’t view as a violation of privacy.
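The note above and this paragraph both describe the same loop: a network scanner flags a host that is trying to infect others, using only traffic metadata rather than private content, and the ISP quarantines it until it is cleaned. The following Python is an added illustration of that loop on constructed flow records; it is not code from the article or from any ISP product, and the fan-out thresholds, window logic and sample addresses are assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records (source, destination, destination port): header
# metadata only, no payload, as an ISP flow collector might export them.
# 10.0.0.5 fans out to many hosts on SMB port 445, the worm-like behaviour
# the article says an IDS quarantines; 10.0.0.9 is a normal client.
WINDOW_1 = [("10.0.0.5", f"10.0.1.{i}", 445) for i in range(1, 13)] + [
    ("10.0.0.9", "203.0.113.10", 443),
    ("10.0.0.9", "203.0.113.11", 443),
    ("10.0.0.9", "10.0.1.2", 445),
]
# A later window, after the owner of 10.0.0.5 has cleaned the machine.
WINDOW_2 = [("10.0.0.5", "203.0.113.10", 443), ("10.0.0.9", "10.0.1.2", 445)]

# Hypothetical policy: distinct targets per watched port before a host is flagged.
FANOUT_LIMITS = {445: 8, 135: 8, 139: 8}


def fanout_by_source(flows):
    """Distinct destination hosts per (source, port), computed from headers only."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        targets[(src, dport)].add(dst)
    return targets


def propagating_hosts(flows, limits=FANOUT_LIMITS):
    """Sources whose fan-out on a watched port reaches the policy limit."""
    return {src for (src, dport), dsts in fanout_by_source(flows).items()
            if dport in limits and len(dsts) >= limits[dport]}


def update_quarantine(state, flows, limits=FANOUT_LIMITS, clean_windows=2):
    """state maps quarantined host -> consecutive quiet windows observed.
    A flagged host enters (or stays) at 0. A quarantined host that sent
    traffic without fan-out earns one quiet window and is released after
    clean_windows of them; a silent host stays, since silence is not
    evidence of cleanup. Returns the new state."""
    active = propagating_hosts(flows, limits)
    seen = {src for src, _, _ in flows}
    new_state = {}
    for host, quiet in state.items():
        if host in active:
            new_state[host] = 0
        elif host in seen:
            if quiet + 1 < clean_windows:
                new_state[host] = quiet + 1
        else:
            new_state[host] = quiet
    for host in active:
        new_state.setdefault(host, 0)
    return new_state
```

Running the two windows through `update_quarantine` in turn shows 10.0.0.5 entering quarantine on the first window and being released after two consecutive clean windows, while the normal client is never touched.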
