Conflict of Interest Leads to Big Malware Attack
(Ed. note: While the following does not strictly deal with "cloud security," we thought it was of such a degree of importance to post it here.)
Today’s disclosure by Google and Microsoft that they were tricked into serving malware highlights an inherent conflict of interest between advertising-based businesses and the security needs of their customers. Ad networks like Google and MSN get paid when they sell ads, so they naturally focus on being the best at selling ads. Because these ad networks don’t get paid to keep people’s computers secure, they spend just enough on security to sell the most ads. If they did not invest anything in security, customers would stop using their sites. But if they spent ten times more on security measures, they would not sell any more ads. If you’re in the business of selling ads, security inadvertently becomes a cost to be minimized.
There is a conflict of interest between consumers’ needs (secure Web surfing) and ad networks’ needs (more revenue for less). In fact, my Wharton MBA tells me that a well-run ad network should keep a spreadsheet showing how many more ads they can sell per dollar spent on security (very few), and how little they stand to lose from spending a little less on security. Advertising at that scale is a numbers game. On the other hand, companies in the business of keeping people’s PCs safe get paid less if they do not perform as expected. There is a natural alignment between security companies’ main focus and consumers’ needs for safe surfing. There is no tension between selling more ads and being secure because selling ads isn’t a part of the equation. It’s a little scary that both Microsoft and Google also provide security services. In both cases, the revenue from security is a tiny percentage of advertising revenues, inevitably drawing R&D investment away from security and towards advertising. That’s why I use security tools from companies that focus on security instead of ads, and you should too.
Ad-revenue-based models are an amazing business innovation, but they shouldn’t be applied to every business. Consumers should be aware that their safety and security is inherently less important than ad revenue when they use an ad-supported business.
Trend Micro would like to know what you think about this. We enthusiastically invite your comments and we will read every one of them.