Kaspersky Lab Accuses Microsoft of Aggressive Attitude Towards Endpoint Security Firms With Windows 10
On Thursday November 10, the Russian Federal Anti-Monopoly Service (FAS) announced that it was investigating Microsoft following a complaint from endpoint security firm Kaspersky Lab. On the same day Kaspersky Lab Chairman and CEO, Eugene Kaspersky, published a hard-hitting explanation in the form of a blog post. Kaspersky Lab believes Microsoft is abusing its dominant position to squeeze third party vendors with competitive offerings out of the Windows 10 ecosystem – and in particular, to force users to switch to Microsoft’s own Defender anti-virus product.
Individual consumers and privacy activists will not be surprised. They have long complained about the high-handed Windows updates coming from Redmond. This, however, is the first time that a major world business firm has both publicly complained and actively sought redress.
In his blog post, Kaspersky makes it clear that he does not believe that Microsoft is limiting this approach to security and security products. He quotes gaming as another target. In March 2016, Tim Sweeney (founder of Epic Games) wrote in The Guardian, “Microsoft has built a closed platform-within-a-platform into Windows 10, as the first apparent step towards locking down the consumer PC ecosystem and monopolizing app distribution and commerce… They’re curtailing users’ freedom to install full-featured PC software, and subverting the rights of developers and publishers to maintain a direct relationship with their customers.”
Kaspersky believes that Microsoft is taking a similarly aggressive attitude towards endpoint security firms. In a separate statement, Kaspersky Lab gave two examples. Firstly, when a user migrates to Windows 10, if the current AV software is not specifically compatible with W10 it is arbitrarily removed without notice; and Microsoft Defender is switched on by default.
Secondly, the two months warning that Microsoft once gave to security vendors before a new build of Windows 7 or 8 has been reduced to a few days for Windows 10. “Several days,” says the statement, “are not enough for developers to modify security solutions properly, to make them compatible and effective against all types of cyber threats from the day of release, leaving users without the level of protection they have chosen and paid for.” Note that two weeks ago Microsoft complained that Google researchers had only given it seven days to prepare a patch against an active threat.
Kaspersky has also announced that it will make a similar complaint against Microsoft to the European Commission, and is “currently preparing the application.”
For its part, Microsoft does not appear to be conciliatory. In an emailed statement to SecurityWeek, it simply said, “Microsoft Russia and Kaspersky Lab has a long history of cooperation in different areas. Microsoft is committed to work in full compliance with Russian law. The company hasn’t received an official notification from FAS. As soon as we get it, we will review it carefully.”
There is no suggestion of Microsoft trying to reconcile differences with Kaspersky before hearing from FAS.
Noticeable by its absence is any immediate indication that Kaspersky will take similar action in the US. This could leave it open to accusations of geopolitical bias. Indeed, this is suggested by Carl Gottlieb, CTO at Cognition (a next-gen endpoint security reseller): “I doubt many vendors will support Kaspersky in this ‘crusade’,” he told SecurityWeek. “When it comes to selling AV to the mass market, the Windows platform is the only game in town, and vendors know that partnering with Microsoft is always a better business model than poking the bear. We can’t rule out geopolitical involvement here either.”
Industry Support; and its Lack
Nevertheless, there is already support among European endpoint security vendors. Luis Corrons, technical director at Panda Labs, commented, “I do agree with him [Eugene Kaspersky]. So does Panda Security (Spain), and I am sure he won’t be alone. I know that some other European vendors have the same concerns.”
There is also at least moral support from F-Secure (Finland). “We agree with Kaspersky that Microsoft’s current practice is not allowing the best protection for the end-customer,” its CTO Mika Stahlberg told SecurityWeek. “Any operating system vendor needs to carefully balance its own against its customers’ interest. Free and open competition is essential to provide users the innovation necessary to face the escalating threats we encounter in this connected world.”
Avira (Germany) also shares Kaspersky’s concerns. “Eugene is right to be upset,” CEO Travis Witteveen told SecurityWeek in an emailed statement. “Microsoft is making significant changes within the security, specifically antimalware, setup. We are in active dialogue with Microsoft, as not all changes, as well as upcoming changes, are considered as beneficial for the user. We are glad they are investing effort, but have warned them about abusing their position.”
“Similar to the upgrade to Windows 10 and the unauthorized users default browser settings change to Edge,” he added, “we expect consent be required before changes are made. Currently we are in active talks and have not decided to take a legal route. Our goal is to preserve user choice and ensure the best user experience and security possible.”
SecurityWeek also reached out to more than a dozen US-based endpoint security vendors. Not one had a spokesperson available or willing to comment. This is perhaps unsurprising since there is currently no planned or threatened legal action against Microsoft in the US; and a ‘wait and watch’ strategy makes sense.
The only comment from North America came from Canada-based malware researcher, educator and author Rob Slade. He is no fan of Windows 10 and its intrusive behavior, and has written several critical articles. “Win 10 is a disaster in many ways,” he told SecurityWeek. “I’ve written about the network problems as well as the updates. Win 10 has turned off my main backup… Interestingly, Win 10 did not turn off the AV that I currently have under test.” But, he added, “I agree that MS is getting really high-handed about what they will let you do with your machine; and I’m this close to switching to Linux.”
Some Legal Views
Moral support, however, is not the same as legal support. Two US lawyers approached by SecurityWeek have concerns over whether any such action would succeed in the US. Mitzi Hill, a technology law specialist with Taylor English Duma, pointed out that the US is moving “from an eight-year Democratic presidency, which generally showed a desire to rein in business excesses, to a new Administration.” That’s not to say that Microsoft is without critics. “Various forces in the US are going after this under different theories: advertising opt-in, forced upgrade, etc. I would imagine that privacy rather than anti-competition is a better bet for the current business and political climate.” This has already happened in Europe, with the French data protection regulator (CNIL) serving notice on Microsoft over its ‘excessive’ collection of user data.
David Willson, an Attorney with considerable security expertise, believes that if anything was going to happen in the US, it would have already done so. The FCC, he said, “has been very heavy-handed lately with companies regarding security under the banner of consumer protection.” He added, “I would suspect if they were going to go after MS they would have.” But he does have a warning for Microsoft. “If MS forces only their security on all users, then when that security fails or is substandard and users suffer breaches, they have no one else to point the finger at.”
There is more support for Kaspersky’s position from UK lawyer Dr. Brian Bandey, a Doctor of Law specializing in international technology matters. He points out that competition law is mostly about prohibiting agreements or practices that restrict free trading and competition between business. “I believe that is the thrust of Eugene Kaspersky’s argument,” he told SecurityWeek; “especially where Microsoft (as he alleges) restricts connectivity information to 3rd party Anti-Virus suppliers and includes an almost (perhaps de facto) covert programming method of disabling installed third party software.”
He adds, “I also speculate whether Microsoft is involving itself in some form of misrepresentation to its licensees. Most licensees (you and I) would not (I suggest) have a legitimate expectation that the operating system would seek out competing product, disable it and then activate its own competing product.”
From a legal point of view, the devil is in the detail of the various competition laws. Microsoft has been here before and probably knows what to expect. After an eight year Democratic administration, it would not have been unreasonable for Microsoft to make its long term plans on the assumption of a business-friendly Republican administration next.
Kaspersky will also have considered its steps carefully. It won’t be by chance that the Russian FAS was the first step. Certainly the FAS will be politically friendly towards Kaspersky; but more pertinently it is already taking action against other US giants. In August 2016 it fined Google $6.75 million for abusing its dominant market position, and also started action against Apple for allegedly fixing the retail prices for iPhones in Russia.
Europe will be the big one. While the European Commission is friendly towards Microsoft, European laws are strong and rigorously upheld by the independent court of justice. Europe is slow, and this could drag on for many years. But if Kaspersky Lab were to prevail over Microsoft in Europe, then action in the US – if still felt necessary – would undoubtedly follow.