The internet needs to be more trustworthy if it wants to grow, according to Microsoft's senior security executive, Scott Charney.
In a video posted to Microsoft's website ahead of Charney's keynote at next week's RSA security conference, Microsoft's corporate vice president of Trustworthy Computing described how anonymity on the internet is increasingly being exploited by cyber criminals. "We need to push back on anonymity and lack of traceability," he said.
"Because the internet can be anonymous and untraceable, criminals flock to the internet," Charney explained. "Today too many people do not know what software is running on their machine and often they have malware. They often don’t know who they're communicating with, whether an email they've received is spoofed or from some unknown sender even when it appears to come from someone they know. When they visit websites, they don't know if that website is to be trusted or not."
"For all of these reasons we need End-to-End Trust," Charney said.
End-to-End Trust is a security marketing initiative introduced by Microsoft Chief Research and Strategy Officer Craig Mundie at last year's RSA conference. Keynoting next Tuesday, Charney is expected to give an update on the initiative, which the company has thusfar billed as an effort to engage industry, consumers and policy makers in a serious discussion of online security problems. His video was posted this week on a revamped version of Microsoft's End-to-End Trust website.
As the world's dominant supplier of software, Microsoft is constantly in the crosshairs of attackers. Even as the company has taken steps to lock down its flagship Windows operating system, hackers have exploited countless flaws in the programs that run on top of it, such as Office and Internet Explorer.
Microsoft would like to give its users a better idea of whether a website or email attachment is trustworthy. But how you identify people on the internet without raising serious privacy concerns? It's a problem that Microsoft hopes to solve first by engaging in discussion.
"We've been talking about this since last year, spending a lot of time with the policy makers," said Doug Leland, general manager of Microsoft's Identity and Security Business Group, in an interview. "This is an agenda we're trying to advance with the reset of the industry and with policy makers and lawmakers and law enforcement as a proposal of a solution to tackle a very significant problem."
Last September, for example, Microsoft made a submission to the Internet Safety Technical Task Force, a group looking at ways to improve online safety for children. Microsoft's paper (pdf) advocated the replacement of web user names and passwords with Information Card systems, such as Microsoft's own CardSpace technology, and calling on a collaboration between government, industry and child development experts to solve the problem.
Microsoft has been working with a number of countries, including the UK, Singapore, Belgium, and France to develop government-issued digital credentials, Leland said.
In his video, Charney called for a "model where people get in-person proof and then can pass digital identities on the internet. So, for example, if you got a drivers licence or a passport and it also had a digital certificate on it, you could later pass your identity to a site along with your credit card number for example and they would know you are who you claim to be".
But Microsoft doesn't think these digital IDs should be mandatory.
In December, Charney sent a letter to the Attorney General Richard Blumenthal of Connecticut and Roy Cooper of North Carolina arguing that any move toward mandatory digital IDs "would not only compromise privacy but would have a chilling effect on other important social values such as freedom of expression".
Instead of centralised digital IDs, Microsoft is pushing a concept known as federated identity, where different organisations develop ways to share and trust identity information about their users. With CardSpace, Microsoft has been careful to give users the ability to decide what information they want to share.
"The way in which Microsoft has been thinking about it has been very constructive," said John Palfrey, a co-director of Harvard's Berkman Center, which published the Internet Safety Task Force report. "They would leave all or virtually all of the decision making in the hand of the users."
Charney's RSA keynote, entitled "End to End Trust: A Collaborative Effort" is set to be delivered Tuesday morning. RSA runs at San Francisco's Moscone Center from Monday to Friday next week.