The Superfish Truth: A letter about Internet Security and Online Advertising.
Internet security and online advertising are fundamentally incompatible. Full stop.
Another week, another major security topic dominating the headlines. This time top PC manufacturer Lenovo was outed pre-installing heinously insecure software onto laptops. More specifically, software that intercepted web traffic and manipulated the results in order to show relevant ads. The term for this kind of software is Adware. But let’s call it what it is. Software that is pre-installed on laptops and then set free to demolish the Internet’s security model without user consent is called Malware.
Software that is pre-installed on laptops and then set free to demolish the Internet’s security model without user consent is called Malware.
The whole industry spent the week talking about why it was so bad, and how it eroded and undermined the Secure Sockets Layer (SSL) security model — the one with the lock icon technology companies have told their users they can trust and to look for in their browsers.
As the founder of a large security company — one that was started with an advertising-focused revenue model and then shifted to a paid model (for reasons I’ll discuss in a moment) — I’d like to take the conversation up a level and focus on the two larger issues here:
- Online advertising will always work to undermine user security and privacy.
- Internet security companies can never succeed with an advertising business model if they truly intend to protect their users from harm or privacy violations.
Why Superfish had to happen
The Superfish + Lenovo partnership (likely Superfish paying Lenovo for pre-installs) was designed to “supplement the shopping experience” by showing Lenovo users different search results and ads than the website owner would otherwise have a user normally see. To do this, the Superfish software needed to see and modify the webpages users were visiting. Because most sites that Superfish wanted to modify used SSL to encrypt the traffic and prevent eavesdropping by hackers, the engineers at Superfish had to create software that altered the Lenovo computer’s security settings, and effectively removed the benefits of SSL.
So that’s what they did. Superfish worked with a company called Komodia to break the SSL security of websites, ironic because Komodia actually has their own security tools, and works with other security companies. There’s no way either company was naive to the security threats.
And therein lies the rub. The Superfish software, which Lenovo users didn’t ask for, had to modify a fundamental part of the Internet security model for this business model to work.
Superfish didn’t have to make its software work this way, and I’m guessing at first, it didn’t. If Superfish execs had gone out to ecommerce sites and crafted partnerships to license or embed their search technology, this vulnerability wouldn’t have happened. But that route wasn’t appealing (or so it seems) and so the execs at Superfish made the decision to evict end user security to raise their revenues. This design pattern is common in adware.
If your business has an algorithmic advertising revenue model where more user installs equates to more revenue dollars, you will become addicted to a metrics-tracking mindset where the user-experience is ignored, security models are just a hurdle to jump over, and the only thing that matters is more user installs.
What about Internet Security companies that are free?
Any company setting out to provide Internet security services is doing so to protect their users’ systems and machines. To eliminate vulnerabilities and weaknesses, and reduce the possibility of exploitation by criminals and hackers.
That sounds great, right? And what if it’s free? How will the company make money? Usually, the answer is through ads. And when it is, the slope gets slippery quickly. Here’s why:
At first, the company might just introduce ads in an innocuous way, like when users manage their security settings or preferences. But that’s not going to bring in enough money, so then someone has the great idea to “secure” search results in a way that invariably results in a new revenue stream for the security company and a questionable benefit to the user.
One of the best examples of this slippery slope reaching its borderline-ironic status is when the very popular AdBlock Plus software designed to block ads started to forge strategic partnerships with ad networks and started showing ads by default in exchange for revenue. The service designed to block ads now shows ads!
The service designed to block ads now shows ads!
The Onion could not imagine a better headline.
So what? Who cares if the software shows ads. What does that have to do with user security? Well, two things: First, third-party ad networks are often vectors for malware infection because they carry untrusted code that can exploit weaknesses in your browser (or more likely weaknesses in Adobe Flash or Adobe PDF, two notoriously brittle and widely installed pieces of software). So the more ads, the less security. The second reason has to do with privacy, or lack thereof. As Tim Cook has been starting to say more frequently, if you aren’t paying for the product, you are the product.
With ad-supported business models, the desire to collect as much data as possible to better target advertising to you becomes an insatiable addiction.
With ad-supported business models, the desire to collect as much data as possible to better target advertising to you becomes an insatiable addiction.
Security companies that track their users and share the data with ad networks or other data-mining companies are reducing their users’ security. Sure, you might not be getting a flash exploit today thanks to your free security software, but that same software might be sharing data with a vendor like Experian, who will sell it to a spammer or fraudster later.
At the end of the day, third-party advertising reduces the end-user security posture. If you’re thinking of installing a free security product from a company that generates revenue from third-party ad networks, you will be reducing your security. It’s just intractable. [Sidebar: Is there a market for a “secure” ad network? Maybe. But I doubt it. Plus, then the business is in two very competitive markets, security and advertising. ]
Security and ads don’t mix.
No one knows this better than us.
As the CEO of OpenDNS, an Internet security company that protects tens of millions of people around the world, I made the decision last year to put customer experience and security first and eliminate the last vestiges of a once meaningful revenue-generating component of our business — the advertising.
Our free DNS resolution service had long been supported by ads, but we had already learned the lesson that Superfish just learned: that online advertising will always be fundamentally incompatible with security. And that incompatibility got in the way of our primary mission of securing our customers’ systems, devices, and data. So the ads went away.
We actually learned the lesson many years before we turned them off, and we constantly took steps to minimize the security threats posed by our advertising model — steps that always walked away from revenue.
For instance, we refused to run flash advertisements and pop-ups, two kinds of ads that would have brought anywhere from $10m to $25m in additional revenue to the business. We also had the option to replace Google ads on any website, or even to replace the ads on Google’s own search properties. While momentarily tempting, we never did this. We had the option to replace every link to amazon.com with a link to amazon.com that included our own affiliate code. We also avoided this. We did some things which walked the line, for instance, redirecting parked domains like delll.com (note the three L’s) to dell.com and including our affiliate code when making the correction.
Like any slippery slope argument, one can always find a way to rationalize it, but at the end of the day, we knew we were just tapping a vein that we didn’t want to maximize in the long run, and that none of us were interested in pursuing.
Not only did we dislike the cognitive dissonance created by trying to build a security service that was funded by advertising, but we knew that paid security provided a much bigger opportunity. That it was an opportunity that aligned our interest with our users made it that much more motivating to work on. And that’s a key point.
Online advertising models don’t align your interests with your users’ interests.
Online advertising models don’t align your interests with your users’ interests. Justifying the invasive and insecure actions as being a fair trade for free isn’t the kind of justification any company should make, let alone a security company.
I started out this letter highlighting two key points:
- Online advertising is a vector for infection and privacy reduction and always results in weakened security.
- Security companies that use advertising as a model are fundamentally flawed because they will be forced to make revenue-generating decisions that decrease user security or privacy.
I should have added a third: Security has never been more important to the health and well-being of the Internet and its users, and every technology company should be thinking of themselves as a security company.
On that third point, we live in an era where technology touches nearly every aspect of our day to day lives. We carry our devices with us constantly, using them to stay connected to our loved ones, to do work and stay connected to our colleagues. The companies manufacturing our devices and providing the services we run on them should treat our security and privacy as a tenant that needs to be maintained and supported.
Superfish would not have broken SSL and Lenovo would not have bundled in malware if the companies had viewed themselves as having a responsibility for user security.
Thanks,
David Ulevitch
