Fuzzy Math on Malware-Piracy Connection
A follow-on to last Friday’s post about the BSA’s recent worldwide study linking software piracy rates with the proliferation of PC malware:
Jeff Williams, principal group program manager for Microsoft’s Malware Protection Center, announced that Microsoft has come out with a report revealing that malware infection rates are directly correlated with the reluctance of those running counterfeit copies of Windows to use Windows Update, the service that pushes OS patches out to PCs. (Microsoft’s research on malware infection rates was also used to draw similar conclusions in the BSA’s own study.)
But according to Gregg Keizer of Computerworld, Microsoft’s numbers don’t add up. Here are a couple of excerpts from a column he published on Monday.
“China [whose piracy rate is estimated to be four times that of the US], for example, boasted a malware infection rate…of just 6.7, significantly lower than the global average of 8.7 or the U.S.’s rate of 8.2 per thousand.”
“Of the three countries Microsoft called out as examples of nations whose users are reluctant to run Windows Update because of high piracy rates, only Brazil fit Williams’ argument: Brazil’s infection rate was 25.4, nearly three times the global average.”
Those familiar with the studies also criticize the BSA’s “cherry picking” of numbers to support its own anti-piracy agenda. Here’s one example of such a critique.
Though I can’t personally validate any of these statistics, it seems that both Microsoft and the BSA are oversimplifying the connection between the use of Windows Update and lower malware infection rates. Even if there is a correlation (which I’m sure there is), it appears that in some cases there are more powerful factors at work that offset the effect. I’d personally love to better understand the roles that cultural, governmental, demographic, and economic factors might play in the overall equation. For example, to what extent might each of the following impact regional malware infection rates?
- Government commitment to and effectiveness at targeting cybercrime
- Severity of government penalties for perpetrating malware schemes
- Rate of unemployment or underemployment (in societies with fewer employment opportunities, are people more likely to turn to malicious computer activity?)
- Prevalence of individuals that possess the technical capabilities to carry out malware attacks
- Percentage of security threats designed to exploit vulnerabilities in the Windows OS versus other means of tunneling into the PC
- Relationship between investment in desktop security (e.g. AV or anti-malware programs) and demographic factors such as personal income, computer literacy, education level, spoken language, etc.
- Access of the general population to information regarding the presence and/or remedy to any specific security threat
- Ambivalence or cultural cynicism toward Microsoft (to what extent do legitimate Windows users choose not to run Windows Update?)
And of course, similar factors exist for the supply and demand side of counterfeit software. Simply put, based on Microsoft’s and the BSA’s published statistics alone, there appears to be no clear-cut relationship between software piracy and malware infection rates. Unfortunately for Microsoft and the BSA, the less rigorous their research methods, the less credibility their reports hold among those whose behavior they seek to change.
I’d be interested to understand how any meaningful conclusions about the relation between malware and piracy can be drawn from this information. The Computerworld article mentions that Microsoft’s malware infection rate is based on the number of PCs “cleaned” by the Malicious Software Removal Tool (MSRT). I see a few problems with this measure being used to correlate infection rates and software piracy:
1) You can’t run Windows Update if you can’t pass the “Genuine Windows” test, which implies that machines using pirated copies of Windows don’t have the latest malware definitions. It seems reasonable that such machines would, if anything, under-report malware infections due to more recent malware variants.
2) Microsoft’s MSRT is not the only tool used to detect and remove malware — yet it seems that only malware removed by the MSRT is actually counted in their infection rate statistics.
3) The characteristics of the user populations (in countries with high piracy rates) that *do* run Windows Update, and those that *don’t*, may be very different. Computers used by private individuals may have much different piracy (and infection) rates than computers owned by governments or corporations. Any such variance could skew the reported malware statistics.
I don’t know exactly how these removals are counted by Microsoft, but the conclusion seems a bit simplistic. As Kris mentions, it seems reasonable that pirated copies of Windows *would* have higher infection rates — the MSRT definitions are presumably older — but this strikes me more as hand-waving than anything else.
Dave – thanks for your thoughts; you raise some excellent points. The basis for these statistics seems questionable at best. It probably would have been wise for Microsoft not to draw conclusions from them … and for Computerworld to avoid attempting to refute those conclusions!