Vista's European battleground

As the slippery due date draws near for the Windows release, Microsoft and the EU are now at odds over security features.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Windows Vista hasn't shipped yet, but Microsoft and the European Union are already caught up in a tussle over the antitrust impact of security technology in the operating system.

Microsoft wants the 25-nation bloc to set clear boundaries as to what it can and can't do. By asking European regulators for guidelines now, Microsoft hopes to avoid an antitrust battle after Vista ships, where it might be forced to pull features out of the operating system. However, the EU has only provided a more general picture of the landscape.

Last month, Microsoft Chief Executive Officer Steve Ballmer met with EU Competition Commissioner Neelie Kroes. The visit came after the software giant received a list of 79 questions related to Vista from the European Commission, the EU's executive body. Despite this list, Microsoft feels it is driving blind.

"We still have not received the guidance we're seeking," Jack Evans, a Microsoft spokesman, said Thursday. "In July, we received a formal list of questions, but no answers about what specific concerns the Commission has, or how we should address them. We need answers, not questions."

But as far as the Commission is concerned, it is not the regulators' responsibility to vet Vista before it ships. Rather, it is Microsoft's responsibility as a "near monopolist" to abide by EU competition rules--in particular, those that prohibit abuse of a dominant market position, Commission spokesman Jonathan Todd said Friday.

"The Commission is ready to give guidance to Microsoft and has done so so many times, but it is not up to the Commission to give Microsoft a definitive green light before Vista is put on the market," Todd said. This is also the message Kroes gave "very clearly" to Ballmer when the two met on Aug. 22, he added.

The main rule for Microsoft is to ensure that the market allows competition between security providers on the merits of their products, Todd said. "If business and home users are deprived of choice, a security 'monoculture' based on Microsoft products may lead to less innovation and could harm all computer users. Security risks could increase, and not decrease," he said.

What's the fuss about?

The European Union won't publicly specify what parts of Vista it doesn't like, but Microsoft has highlighted some areas where it sees "confusion."

PatchGuard
Feature in 64-bit version of Vista that locks down the kernel. Security companies say they're being locked out and need kernel access for their products to secure systems.
BitLocker
Feature included in Vista Business and Ultimate that lets people encrypt all the data on their hard drive. Other businesses sell encryption software.
Windows Defender
Anti-spyware tool that is part of all versions of Vista. Third-party products offer similar functionality. Until recently, Defender could not be disabled by those products.
Windows Security Center
Feature in Vista that gives a "neutral" view of the status of security software, Microsoft says. Other players aren't so sure about that neutrality, since Microsoft competes with them.

Source: Microsoft

Microsoft, with its $34 billion war chest, is now a player in the antivirus market. It launched Windows Live OneCare for consumers and is readying enterprise security products under its new Forefront brand. With its huge presence on desktops, the software giant has a built-in advantage--one that is making some security companies nervous.

Earlier this month, Microsoft suggested that the European launch of the already oft-delayed Vista could be pushed back as the result of a lack of direction from the Commission. Last week, however, the company said the European launch is on track. Vista is expected to be released to computer makers in November and is slated to be broadly available in January.

European dispute
Microsoft and the Commission have been at loggerheads for years over antitrust. Two months ago, European regulators slapped the Redmond, Wash.-based company with a $357 million fine for noncompliance with a 2004 antitrust ruling, which Microsoft is still appealing.

The argument over Vista is only the next stage in that discussion, Roger Kay, an analyst at Endpoint Technologies Associates, wrote in a research note published Friday. "This argument is an extension of a longtime dispute that essentially has no real solution," he wrote.

In the landmark 2004 European ruling, Microsoft was faulted for abusing its market position by shipping its own media player software with Windows, giving it a huge market share in one go. In Vista, security software and features have emerged as the hottest point of contention among a number of concerns.

"The Commission has monitored and discussed with Microsoft several aspects of Vista, including Microsoft's integration of security software into Vista," Todd said.

Microsoft is worried that the European regulators might require it to strip some security features out of Vista. "The bottom line is that we want to launch Vista in a fully lawful manner, and we want to avoid regulatory decisions that could increase security risks for European consumers," Evans said.

The Commission does not intend to prevent Microsoft from improving the security of its products in general and Vista in particular, Todd said. It will not require Microsoft to ship products without security software, he said. "Improving the security of Microsoft products is a welcome development and not one to which the Commission has ever objected," he added.

Vista will include anti-spyware software called "Windows Defender" and a new Windows Security Center that tells people the status of the protection on their PC. Companies such as Symantec and McAfee also sell their own alternatives to both technologies.

Symantec and some of Microsoft's other security rivals have publicly complained about other aspects of Vista--specifically, a feature called "PatchGuard" that Microsoft says is designed to guard core parts of the 64-bit version of the operating system against attacks. However, the technology also locks out helpful software from security rivals, the critics have claimed.

The Commission has requested comments from security providers, including Symantec, about the new Windows operating system.

"We have responded to inquiries from the Commission," Symantec spokesman Cris Paden said. The questions covered the security industry overall, he said, declining to be more specific. The European body has asked for information several times since June last year--most recently, in July, he said.

European tour
Microsoft sent its security chief on a European tour last week. Ben Fathi, a vice president in Microsoft's Security Technology Unit, presented the security features in Vista to journalists, analysts and government officials, the company said. Fathi did not, however, meet with EU competition authorities, it said.

Fathi's presentation included several slides on PatchGuard, BitLocker, Windows Security Center and Windows Defender--the same technologies that concern Microsoft's competition and that the EU is believed to be looking at.

"These are four different technologies that we feel there is confusion about, even amongst our customers," Stephen Toulouse, a Microsoft Security Response program manager, said. "They raise the baseline of security for the operating system."

One recent change to Vista made in response to industry requests is the ability for third-party products to turn off Windows Defender, rather than requiring the user to do it, Toulouse said. Prior to Release Candidate 1 of the operating system, delivered early this month, there was no way to automatically disable the Microsoft anti-spyware tool when installing a competing product.

This had been a sticking point with some of Microsoft's rivals, including Symantec. "Up until recently, Microsoft had refused to give us an interface to disable Defender," said Bruce McCorkendale, a chief engineer at Symantec.

The Commission's position is that computer security depends on variety and innovation in security software, Todd said.

"Microsoft's design of the security features in Vista should not put this diversity and innovation at risk. This might occur if reputable third-party security vendors, which have proven experience in addressing security problems, are prevented from competing on an equal footing," he said.

The back-and-forth between Microsoft and the Commission may yet lead to a delay of Vista, Kay predicts. "We come down to the wire on the Vista launch," he wrote. "The sides are not too far apart, but a gap, sufficiently large to cause a potential delay in the European launch, still exists."