Virus attacks. Phish scams. Zombie armies. The Internet is a jungle, and according to many experts, getting more perilous all the time. And behind nearly every Internet menace is a single problem: vulnerable personal computers.
Criminals hijack consumers' PCs by the thousands every day and use them to do their dirty work. Armies of zombies, for example, are now regularly used to attack Web sites and extort their owners.
Because all computers on the Internet are connected, the Internet is only as safe as its weakest link. And right now, the weak link -- home computers -- is pretty weak.
The task of keeping home computers safe, and free from Internet prowlers, is entirely the responsibility of individual consumers. Asked to download software patch after software patch, update their virus software and configure their firewall, most people simply don't do it.
"We are not trained to be the chief information officer of our home PCs," said Bentley College professor Mary Culnan, who recently directed a survey called Consumers and Internet Safety.
The survey found that only one in 10 consumers update their antivirus software regularly.
Making it worse in part is the proliferation of broadband connections, which are easier to hack and much more valuable to hackers. A recent government report said use of broadband doubled in the United States from 2001 to 2003.
Most don't know the risk
Most people apparently don't even know they are at risk. A recent survey released by America Online and the National Cyber Security Alliance indicated 77 percent of consumers think they are safe online -- but follow-up visits showed two thirds didn't have up-to-date antivirus software or firewalls, and 80 percent had spyware on their machines.
And so, Internet providers are hard at work examining another, radical possibility: Taking the job of keeping computers safe away from consumers entirely.
"America Online and other companies have realized it's impossible for consumers to do all the technology fixes they need to do to keep their computers safe," said Andrew Weinstein, AOL spokesman. "Consumers are tired of figuring out what they need to do to stay safe online."
The suggestion seems simple: Why can't a big software company like Microsoft, or a large Internet provider like AOL, simply take over home PCs and make sure they are safe before they connect to the Internet?
There is, however, one catch, and it's a big one: Many privacy advocates and consumers don't want a company like Microsoft or America Online meddling with their PCs.
"The problem is when they tell consumers that means you have to let us scan your computer, the answer from an American audience can be, 'No you don't get access to my machine,' " said Bill Stillwell, Security Technical Program Manager at Microsoft Corp.
The software giant founded the Global Infrastructure Alliance for Internet Safety after a wave of computer worms plagued the Internet in 2003. The group, largely made up of Internet service providers, is considering methods for easing consumers' responsibility for their safety.
(Microsoft is a partner in MSNBC.com)
Some ISPs, for example, are already testing checks that would simply knock users offline if their computer isn't up to date, and point them toward what they need to do to be secure.
"We are already working on quarantining people," Stillwell said. "We have ISPs today already involved in proof of concept, that when a user logs in, they scan the machine, and tell them if they are up to date. If not, they dump them in the 'padded room.' "
The idea of forced security was a main topic at a Bentley College conference held last week in Waltham, Mass., called "Securing the Weak Link in Cyberspace," following the release of the school's survey. In the study, 56 percent said they thought security updates should be automatically installed by manufacturers, but 32 percent said the measures should be voluntary.
Alan Paller, director of research at security training firm SANS, said the time has come for this training wheel version of the Internet.
"All of us are grandma some of the time," he said. "There will be people who say, 'don't touch my machine,' but this is the answer to how do we protect people from extortion and denial of service."
Paller favors a system implemented by Internet service providers that simply prevents users from gaining access to the network if their computer is found to be unsafe. But don't expect Internet providers to go it alone on such a plan -- the competitive disadvantage would be too great.
Market forces at play
"It's not in their business interest to do so. If they insist, they would lose sales," said Pradeep Khosla, dean of Carnegie Mellon University's College of Engineering. Consumers would just use other ISPs without restrictions, he said.
Furthermore, Khosla said, companies would be loath to take on extra liability, and cannot guarantee that they will be able to make computers 100 percent safe. Instead, he thinks market forces must slowly solve the problem.
"If one ISP guarantees a slightly more protected level of service, for example, then you will see how competition will take over," he said.
That's also the approach favored by AOL, Weinstein said. Like MSN and Earthlink, the firm is aggressively marketing safety tools like spam filters and pop-up blockers as part of its service offering, something Weinstein referred to as "seat belts and air bags" for the Internet.
"The goal of the Internet is not to block off large sections of it. When you do that, you catch a lot of legitimate people," he said, citing attempted enforcements of anti-pornography laws that inevitably caught up legitimate Web sites in their webs. "There are unintended consequences of setting huge areas out of limits."
The largest hands-off security effort to date has been Microsoft's automatic updates for Windows. Consumers who sign up for the service download software patches regularly and automatically. With 230 million computers signed up, the service has been a modest success, said John Pescatore of Gartner Research. But it's imperfect.
"There are a couple of problems. It only patches the operating system," he said. "And frequently, auto-update downloads the patch, but the install doesn't complete for some reason ... or you reach a point where it says, 'insert your office CD.' And many consumers don't have it."
There are other problems, too. Because consumers modify their systems with complex non-Microsoft software, there's no way the software giant can test for every possible configuration -- and some problems will always occur. That's one main objection for those who would tell large Internet providers to keep away from their systems: What happens if the ISP breaks it?
"This is just such a huge, complex problem," Bentley professor Culnan said. An overarching solution that guarantees PC safety is probably some time off, she said.
So for now, the current system which relies largely on consumer vigilance will remain in place.
Culnan thinks greater efforts must be made to educate consumers to help themselves, such as aggressive marketing of StaySafeOnline.info, the consumer-focused site published by the government-sponsored National Cyber Security Alliance.
"It's really a social marketing challenge," she said. "An FTC commissioner made this comment at the workshop, that when he was a kid during World War II he picked up tin cans because it was in the national interest. Well, on the Internet, everybody needs to pick up their tin cans. But the issue is not viewed that way (today)."