Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 261 - 279)

WEDNESDAY 10 JANUARY 2007

MR JERRY FISHENDEN AND MR MATT LAMBERT

  Q261  Chairman: Mr Fishenden and Mr Lambert, thank you very much for coming to join us. Welcome to members of the public who are here for this evidence session. First I would like you to introduce yourselves and then if you wish you can make an opening statement or we will go straight into the questions.

  Mr Fishenden: Thank you Chairman. I am Jerry Fishenden. I am National Technology Officer for Microsoft here in the UK.

  Mr Lambert: I am Matt Lambert. I am Director of Government Affairs for Microsoft also in the UK.

  Q262  Chairman: Would you like to make a statement at the beginning?

  Mr Fishenden: I would like to make a few brief opening comments if I may to reiterate some of the points we made in our written submission in that we see successful combating of cyber crime and criminal activity on-line as comprising three core components, not just the technology. We look at consumer or citizen education, making sure that people are much more aware of the threats they face when they are on-line and how they can mitigate those. The technology itself, of course, is constantly changing and evolving as time goes by and a lot of tools will be provided to users to help them visibly protect their PC when on-line. They range from things like anti-phishing filters to identify if you are going to a rogue website to anti-malware that tries to prevent spyware and the like being installed on your machine. The third part is the enforcement, which is making sure that we are working collectively on prosecuting cyber criminals, if you want to call them that, criminals who are making use of the Internet and PCs and the like, so that there are deterrents to them and people know they will be investigated and prosecuted as appropriate.

  Q263  Chairman: Do you wish to add anything, Mr Lambert?

  Mr Lambert: No.

  Q264  Chairman: Let me start with the first question. Who do you believe should be responsible for keeping end user machines secure?

  Mr Fishenden: If we go back to the preceding comments about the three-way relationship, I think it is a collective responsibility. I certainly think consumers themselves need to be aware of some of the issues that they face, if you take something like phishing, where people are perhaps receiving fraudulent emails claiming to be from their bank, that they understand how they might identify those if they have managed to get through to them, or that when they go to a website they look for any visual cues there might be that that is not really their bank but perhaps a site that some fraudulent people have set up who are trying to get hold of their identity information and perpetrate some fraud against them. You can see that making sure that users themselves are aware is a core component. There is a lot of work in the UK specifically with things like Get Safe Online, an initiative which is a mixture of private and public sector initiatives. There is a lot of context relevant information that we provide in our tools and other companies do in theirs so that people are as aware as we can make them of some of the risks and the types of things they need to be thinking about themselves. The second part is the technology itself. That continues to evolve. Every time the bad guys, if you like, move their attacks onto new elements of the Internet ecosystem the industry moves on as well and begins to provide more tools to lock down and protect the PC environment for users to try and make sure that they are as secure as they possibly can be without taking away from the users the very benefits that the Internet is meant to bring. Obviously, you can go to extremes if you lock down a PC so that it is so secure that it becomes almost unusable to the user, so there is a balance to be struck between what the technology can do and how the user interacts with that. On the legal side we have taken legal action. 
Just under a year ago I helped launch in the UK our Global Phishing Enforcement Initiative. We have taken a number of people to court around the European area, prosecuting them where they have, for example, set up a fake Microsoft site, so pretending to be a Microsoft site, asking people to log in with their user ID details and then misappropriating them and using them for illegal purposes. If all three of those are being worked on collectively we see that as the most effective way of making sure that users have the most secure experience when they are on-line.

  Q265  Chairman: Does Microsoft accept ultimate liability for the security of machines running its software, and, if not, how do you engage with retailers, security practitioners and end users in keeping machines secure?

  Mr Fishenden: We provide a range of tools, as I have mentioned, anti-phishing and anti-malware, and a variety of our partners do as well, and users are free to choose whether they want to use Symantec or Norton or any of the other tools that are out there and we make sure our platform offers that choice to users. In terms of whether the user decides to use them, that is obviously their choice. We always recommend that they do, that they look to protect themselves as best they can. There are issues that occasionally come up. If you take the example of parental controls, which attempt to secure the on-line environment for younger children in the household, sometimes if they are not configured properly people find that they become so intrusive into their Internet experience that they end up switching them off, which obviously is not desirable but there is an interesting trade-off, if you like, sometimes between security that people want to put into place and the practical experience of using some of those tools and how intrusive they can be into people's daily experience of the Internet.

  Q266  Lord O'Neill of Clackmannan: With regard to the tools that are incorporated in the next generation of Microsoft Windows, to what extent are those reflected in the increased cost of the next generation of Windows? Is cost a factor? Is it reflected in price or is it absorbed by you?

  Mr Fishenden: For each generation of software we release to market substantial research and development goes into it. Typically each year we are spending something like seven to eight billion dollars on R&D. Generally when we bring a new product to market it is priced in accordance with the investment that we have put into it. To be honest, I am not a licensing person. I am not precisely sure what the formally announced list price is in the UK. Generally upgrade prices are already in place on pre-installed machines such as Dell and Compaq, and the others are reasonably consistent from one generation of Windows to the next. People have the choice of staying with their existing operating system and existing Windows applications or they can decide that there is sufficient reason why they would want to move to something like Windows Vista. Obviously, we think there are good reasons why you would want to move, and not just for security. There are many other features in Vista that perhaps are not relevant to today's inquiry, but we exist in a market place. People vote with their feet. They can see different parts of the market. People make different decisions. We have made available media players for years and Apple comes along and does a very good job with the iPod, for example, in that particular market. Consumers are very quick to decide whether what any of us offer in the market place is a product that they want to choose to adopt or not.

  Q267  Lord O'Neill of Clackmannan: If I were going, as I was a few weeks ago, to get a new computer for our house and I was incorporating the latest Windows into that, would you make available to salesmen the kind of information that I have just asked you: how much more am I paying this time than the last and how much of that is accounted for by additional security? I accept that it is required but I think one is always a wee bit curious, given your market dominance, as to the extent to which you might be exploiting your market dominance when you are selling additional products.

  Mr Lambert: I think, Lord O'Neill, that there is not a huge difference, if any, in the price increase between XP and Vista. The honest answer to your question is that I do not think the salesperson in PC World or Dixons is going to be able to answer that question. It is not an easy question to answer, but I think overall the answer is that the cost of these improvements is absorbed over time and the cost does indeed, as Jerry Fishenden has already said, reflect the huge cost in research and development that goes on over a number of years, as he said, about seven billion dollars a year.

  Q268  Baroness Sharp of Guildford: Can you tell us how far these tools are available as updates for those who do not shift from one operating system to another? For example, I updated my computer about 18 months ago and I am on XP and would not expect to update probably for another 18 months on my home computer. Does the updating that I download automatically from Microsoft include these anti-phishing tools and so forth?

  Mr Fishenden: Yes, it does. Windows XP is fully capable of downloading the anti-phishing tools, anti-malware detection and removal tools and the like. The new version of Internet Explorer is available as well, which has anti-phishing tools in it, and there are other facilities to help users. There are one or two minor differences between the way those tools work in Windows Vista and in Windows XP because of the new security features, but you as a Windows XP user can get the vast majority of those components freely downloadable from the Microsoft update site.

  Q269  Chairman: Overall would you say that Microsoft software is secure?

  Mr Fishenden: It is part of a complex eco-system. I think any piece of software is inherently a complex product that is designed to be very configurable by the end user. They can choose how they want to use it in many different types of environment and situation. They can add on many different thousands of third party hardware devices and many thousands of different applications that people make available. We are doing the best that we can to make sure that the core platform of tools that we ship to users is as secure as we can possibly make it. Over time, of course, we will continue to get feedback and information from police and other agencies about the way people might be trying to exploit the platform. We ourselves monitor the way that people might be trying to attack our platform and its applications, and we learn from that and try to make available back to our users products that then address the issues that we have highlighted.

  Q270  Chairman: Some open source software, such as Red Hat Linux, is shipped with built-in firewall protection, and that has been the case for years, I believe. Why is Microsoft only now following this route?

  Mr Fishenden: We seem to be between a rock and a hard place with this. If we slowly extend our platform and put more and more features in it to help our users, some of our competitors say, "That is a core business that we were building up". There have always been third party firewall providers for the Windows platform and many of those companies have made very successful businesses out of it. We took a decision as of Windows XP SP2 to build some core firewall functionality into those products because we were aware, based on the information we get back from the police and other people, of the types of attack being made on this platform and we wanted to make sure that at least the core shell, if you like, of Windows was as secure as it could be, but we have been very cognisant of the fact that there are third party companies making their own products that they want to sell in the market place to Windows users and that we need to design the platform in such a way that end users can choose to push off those features we provide and enable their choice of firewall or other software, such as anti-phishing software.

  Q271  Lord Harris of Haringey: But until about two and a half years ago the firewall default was switched off.

  Mr Fishenden: Yes, that is true.

  Q272  Lord Harris of Haringey: Why?

  Mr Fishenden: A lot of this goes back to usability. Over time we have moved more to the default position of putting security on, partly as people have become more educated. There is an issue, and it is the parental controls example earlier on, whereby when you try and lock down certain features of the platform people do have to have a better understanding of the way the software works. Typically I can see that when I am talking to my neighbours about the types of issues they have, say, in setting up wireless networks. You begin to understand some of the issues because if people need to go and open up ports on their firewalls to get certain things to work there are issues of user education, which is why I made the earlier point that there is quite a careful balance between the tools we make available and the defaults we put on those and the consumer understanding then how they can use that platform securely when they are trying to access the Internet and set up a home network or maybe share files between different PCs in their home environment.

  Q273  Lord Mitchell: Is the practice of selling software "as is", warts and all, still an acceptable practice? Should you not be making your software much more fit for purpose and taking legal responsibility for the damage your security holes cause?

  Mr Fishenden: I would contend that we are making our platform as secure as we possibly can within the complex nature of software. Our third party partners are working with us as well, so if you take the example of Windows Vista, we have been working for over two years now with third party anti-virus providers and the like so that we can provide users with as secure an experience as is humanly possible with these very complex pieces of software. There is a broader issue. By analogy you talk about the physical world. People do not tend to immediately look for liability towards lock or window companies because houses are still being burgled. The tendency is to want to blame the perpetrator rather than the people who are the victims of those types of assault. When you look at software, which is inherently more complex than a lot of the physical world, I do not really see why the same example would not apply whereby you would be after the perpetrator.

  Q274  Lord Mitchell: How do you measure security? You say things are getting better. How do you internally measure security?

  Mr Fishenden: Five years ago we adopted something known as the Trustworthy Computing Initiative which took a lot of people out of development, about 8,500 developers in the US, in order to look through very specific secure coding programmes, and the true measure of what we have achieved is in the statistics of monitoring the number of vulnerabilities on our platform over time and by specific product over time compared to earlier products. There has been a dramatic reduction in the number of security vulnerabilities on our platform which to us is a reflection of the progress we have made under the Trustworthy Computing Initiative. Of course, there is always progress to be made. Every time we tackle a particular security issue or vulnerability the hackers out there and other people are constantly moving forward and finding new ways of attacking the platform.

  Q275  Lord Mitchell: I suspect I know how you are going to answer this question but I will ask it all the same. Is it fair to say that Microsoft has been more concerned with establishing market dominance by rushing out operating systems than they are with ensuring that their security and fitness for purpose exists?

  Mr Fishenden: I guess I would almost take the opposite view. We have been waiting five years for Windows Vista. I certainly do not think it is true that we have been rushing out new operating systems without due account of security. In fact, one of the reasons it was delayed was that, when we took all of those people out of developing new products such as Vista and put them through a rigorous training exercise on the secure codes, we then released a pretty major update to Windows XP, which was mentioned before, a service pack which was deliberately designed to put in a lot of additional security features and that included things like the firewall being on by default. There is a lot of debate about that in the industry, about whether it should be on or off by default. I think we have shown due diligence, if you like, and have not just been stampeding endlessly towards new operating systems and getting them out of the door before they are ready. I think we have paid a lot of attention to our existing users, trying to make sure they are happy with the existing gear, and that Windows Vista, when it comes out, is the most secure operating system we have.

  Q276  Lord Howie of Troon: Microsoft has been in dispute with the European Commission for some time on anti-competitive grounds, and last year made changes to the Vista operating system which, it was alleged, might have prevented competitors' security software from running. There has to be a balance struck between security and open competition. Where do you think that should be?

  Mr Lambert: I think there has to be essentially a balance there and, as Mr Fishenden has already said, we believe that Windows Vista is the most secure version of our operating systems that we have ever produced, but within that you have to accept that consumers have to be given an absolute choice to load whatever other security software they want to put onto their system and that manufacturers of PCs and hardware can also ship PCs loaded with Vista with other people's security software pre-loaded on it when the consumer buys the PC for the first time. That is a critical principle that we have accepted all the way along and have always tried to build into our operating systems. One of the things about Windows is that we work with manufacturers and all sorts of other software applications to try and give them as much information in advance as we can so that they can build good applications ready for when, for example, Vista launches to the public market in a few days' time so that they are ready to go with some of those software applications that are sold with new PCs as they go out of the door after the launch at the end of January. That was the approach that we took and when we were sitting down with the Commission, as you rightly say, we were discussing a number of these issues and we have been in dispute with DG Competition at the European Commission for a number of years in a case that will be resolved when the Court of First Instance gives us a judgment some time later this year, we think, to our appeal against the ruling from the European Commission. When we look at a new system what we want to do is move beyond that. We do not want to spend more of our time arguing with competitors and competition authorities. We try to work with them as closely as we can and listen to what they are saying, and we try to respond to that within the grounds of producing products which our consumers find in this case safe and secure. 
What we did there was that we sat down with the Commission and said, "What is the nature of these complaints?", and there were a couple of areas that came up, some of which were nothing to do with security, but on security we listened to what they said and we produced a number of what we call APIs, application programme interfaces, which we shared with any of our competitors so that they can work with our system and produce their security products effectively with Vista and satisfy their concerns. We are very happy to do that. What we are trying to do is move into an area where it is more a matter of discussion and agreement rather than sitting before judges in Luxembourg trying to debate the ins and outs of our different efforts to comply with the law. That is where we stand. I think what the consumer is getting is the best of both worlds. They are getting Windows Vista with the most secure operating system that has ever been available, plus they are absolutely free to choose anybody else's security software which will work, we hope, very well with Windows. It is designed to work well with Windows, and we work with them to make sure that it does. For example, one of the areas which was a matter for debate was the Windows Security Center. The Windows Security Center, as I say, is essentially a dashboard at which you can check which security software is running on your operating system on your PC. Some of our competitors were concerned about whether that would potentially favour some of our security software. In fact it does not; it is absolutely neutral, and what the Security Center does is just tell you if there is a problem with somebody else's security software or with ours, so you can see immediately if there is any issue there and resolve it.
That is essentially what we are trying to do, that is, all the time build a neutral operating system which others can work with very easily and consumers can get a good deal on in terms of the Microsoft software that they are using and other people's software on our system.

  Q277  Lord Howie of Troon: That was a very full reply. Do you feel that you have met the Commission's concerns?

  Mr Lambert: We believe that we have. The Commission always has a right to make its own view known on that and come to its own conclusions and, if it does not feel that we have done that then it will, I am sure, tell us. What we are trying to do, as I said earlier, with the Commission is work with them on a basis of co-operation so that, rather than going back before the courts, we would ask them, "If you do have concerns about this, what we have done, or other things that you might want us to do, come and tell us". We are in a process of constant dialogue with the Commission anyway. If they tell us we will listen and if the objections or requests are reasonable we will do our best to comply with them.

  Q278  Lord Howie of Troon: Why has the dispute gone on so long?

  Mr Lambert: You are probably aware that the legal process in Europe, when you are going before the Court of First Instance, just takes a very long time. These are very complex issues, so when you are discussing them with the Commission experts are poring over them, sometimes other competitors or interested parties are raising issues. These are all complex matters. There have to be public hearings sometimes. It does take a long time. There is some frustration on our part. We have been before the legal process in Europe for eight years now. It is a distraction and one would hope that in an ideal world it could be settled out of court much more quickly than that.

  Q279  Lord Howie of Troon: So none of the delay was your fault?

  Mr Lambert: I contend that we have tried to comply with everything that was asked of us in terms of supplying information as quickly as possible, but it is a fact that if you take an appeal to the Court of First Instance it takes a long time. We gave evidence at a hearing back in April. We are still waiting for the judgment from the Court of First Instance. These are complex matters. The judges have to look into them very carefully and it takes a long time.



© Parliamentary copyright 2007