Opinion: So why can't Microsoft build in security?

Regardless of whether you believe Microsoft is responsible for the poor state of computer security, even if Redmond now wanted to shore up Windows, it probably couldn't, says Simon Moores.

When, two years ago, Microsoft purchased Romanian antivirus vendor GeCAD as part of its Trustworthy Computing initiative, I warned the result might lead to a queue of antitrust lawyers gathering around the Capitol building in Washington, as the thriving and lucrative antivirus industry protested at the very notion of Microsoft including better security in its products.

The courts have unwittingly created something approaching a cartel of commercial security interests which run contrary to the interests of a billion or so internet users.

Time has passed and the mutters of discontent seemed to have subsided following diplomatic expressions of co-existence with the Redmond giant from the largest antivirus companies.

However, this month, Europe decided the prospect of Microsoft marketing consumer security was an oxymoron that demanded further investigation, and the Brussels antitrust regulators have reportedly invited Symantec to volunteer its opinions on Microsoft's OneCare - a plan for a comprehensive, subscription-based consumer PC health check service that will offer automatically updated antivirus, anti-spyware and firewall protection.

There is, however, a moral slant on this story that makes me uncomfortable. In a rational world, a company such a Microsoft - which many would regard as directly or indirectly responsible for the mess we now find ourselves in - might reasonably be expected to offer inclusive measures that would make the Windows platform more robust from a security perspective.

Two years ago after a number of conversations with people at Microsoft, I was fairly satisfied that many in the Trustworthy Computing group would have been quite happy to bundle better and better security into Windows entirely free of charge. "The trouble is," one person told me, "that the antivirus industry would scream antitrust if we did. We would have to charge because the rules won't let us give it away free."

Whether Microsoft has changed its position and would now prefer to milk the consumer instead, I don't know - but I doubt it. In my own experience, Microsoft wants to be able to deliver the best possible security to the weakest link in its business - the millions upon millions of consumers who are unwittingly breeding tens of thousands of botnets and other nasties that threaten the economic fabric of the internet on a daily basis. But if I'm right, Microsoft can't because the law won't allow it.

In some ways, this is rather like saying that if you buy a new house, the builder is not permitted to make it burglar-proof. Of course you can have basic locks but double-glazing is certainly not permitted, neither is an inclusive burglar or fire alarm. You have to go to the aftermarket for these and perhaps pay through the nose on a subscription basis if you want any peace of mind.

Without a doubt, Microsoft, through previous antitrust actions which very nearly saw it broken up, has created a moral dilemma which the courts cannot easily resolve. Through vigorously protecting society against the risks of a software monopoly, the courts have unwittingly created something approaching a cartel of commercial security interests which run contrary to the interests of a billion or so internet users.

In theory, internet security should be free and transparent to the end user in much the same way as one takes for granted that one's television or telephone won't be hacked. But this is an industry now worth in excess of $20bn each year - and it's not one you can expect to be given away to the man in the street, or even Microsoft, without a fight.