A news coming from Australia became a hot topic in lot of security forums and mailing lists today. The Australian authorities brainstormed about new ways to fight the cyber crime. One of the submitted project is forcing people to install (and activate!) an anti-virus software to be able to access the Internet. In case of viral infection, the Australian ISP’s will be allowed to disconnect the user until he fixed his computer. If this looks interesting on a pure security point of view (after all, increasing security is always good), it can lead to several issues and reflexions. Protect yourself of being protected (by force) can affect your sense of freedom. Which is worse?
First, how will ISP’s control if an anti-virus software is running on the home computer? By installing their own agent? This is touchy, they should have a look at the “Orange Story” in France. And, personal point of view, external organizations (my ISP or my local agencies whatever they’re) will never install a piece of code on my computer.
Second, lot of people are not aware of the risks they take by surfing the web. It’s a fact! Internet became a public media and is used daily by millions of people. It’s like your car, you use it every day to go from point A to point B but do you exactly know how your engine works? No, and you don’t need to know! But you’ve to understand the risks: It is mandatory to wear your seat belt! If you don’t, you risk a fine. But your car won’t be confiscated or blocked.
Third, running an anti-virus software is a false sense of security. In this case, the weakest remains the end-user. If he decided to click on a link, he will! The anti-virus is a first line of defense but can also generate issues like the one which hit TrendMicro a few weeks ago (and prevented lot of Windows XP to boot due to a bad signature).
Fourth, this project will require huge amounts of money to bother the regular user which is after all the victim. Instead why not use this money to set up a powerful organization with enough means to fight cyber crime. Just like the Police services which try to catch the head of organizations instead of the local dealers.
Finally, what’s the best solution? Take the user by the hand and explain him why some behaviors are dangerous? Or just ask him to follow a set of rules and shut up? It’s exactly like the children education (I’ve two so I’ve some experience). If you just punish them because they did something wrong, they will try again. On the other side, if you take time to explain the facts, they will fully understand and realize by themselves why it was dangerous or prohibited. Education is the key!