The Stop Badware Coalition was mentioned last week on Security Now! In a week of truly depressing security news, this was the one beacon of optimism discussed. The Stop Badware Coalition is an organization that is developing a list of web sites with known malware content. The coalition categorizes as badware any software that disregards a user’s choice over how his or her computer will be used. This broad categorization includes things like spyware, malware, and adware that can compromise a computer’s privacy, download advertising without the user’s consent, or compromise the system’s security.
The coalition is spearheaded by Harvard’s Berkman Center for Internet & Society in cooperation with the Oxford Internet Institute. Recently, they have partnered with Google to try to protect Internet users from this malware. When a person uses Google to search for something and encounters a site on the “badware” list, Google will display a message indicating that the site has known badware. The user can then choose to enter the site anyway or to go back to the search results and choose something else.
While I applaud the effort to protect consumers, this is a very dangerous technology. The badware warning page says “The website you attempted to visit has been reported to StopBadware.org as a site that hosts or distributes badware,” and then gives the user some more options. The potential for abuse is enormous.
Let’s say we use Dell computers in our school. I could go to stopbadware.org and submit gateway.com, hp.com, and apple.com as sites that contain “badware.” Then, when people go to those sites from Google, they’d get a scary warning.
Sure, they’re going to check the sites and make sure they really do have bad content. And with huge companies like the ones I mentioned, it won’t take very long. But if I’m a small business owner and I’ve been blacklisted by my competitors, you can bet that it’s not going to be easy to get off the list. The coalition certainly doesn’t have the human resources to check all of the sites that are going to be submitted. And if they wait to list sites until they have been verified, they’re not going to be responsive enough to protect people.
I’m not crazy about other people deciding what’s good or bad for me to do on the Internet. Even well-intentioned efforts (like this one undoubtedly is) may end up doing more harm than good.