Kaspersky Complaint Reopens an Old Antitrust Wound

Kaspersky CEO Eugene Kaspersky has dredged up a familiar argument from Microsoft’s terrible antitrust period. Sadly, he may have a point.

“That’s it. I’ve had enough!” he writes in his personal blog. “We think that Microsoft has been using its dominating position in the market of operating systems to create competitive advantages for its own product. The company is foisting its Defender on the user, which isn’t beneficial from the point of view of protection of a computer against cyberattacks. The company is also creating obstacles for companies to access the market, and infringes upon the interests of independent developers of security products.”

Mr. Kaspersky’s complaint extends far beyond a blog post, however. He’s also formally requested that antitrust regulators in the EU and Russia—the latter is Kaspersky’s home base—require that Microsoft change its business practices.

Anyone familiar with Microsoft’s lost decade—the time period during which antitrust action in both the United States and EU hamstrung the software giant, leading directly to the rise of both Apple and Google—is probably wincing at this charge. And wondering whether such a thing is still relevant in today’s world, where Windows is no longer the dominant personal computing platform.

There’s a great discussion to be had there. But let’s examine the complaints first. Mr. Kaspersky is very specific:

Windows 10 replaces third-party solutions with Microsoft’s applications and services. “In the name of better ease of usage, security, [and] performance,” Windows 10 “changes settings, uninstalls user-installed apps, and replaces them with standard Microsoft ones,” he writes. This is true of many services—“[web] browsers, gaming hubs, image viewing, processing of multimedia files and PDF documents”—and it’s now true of security products as well. The worst part? Microsoft solutions are almost universally not as good as the solutions they replace.

Windows 10 deactivates “incompatible” security products, including Kaspersky’s. “When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs—you guessed it—its own Defender antivirus,” he notes. He then complains that Microsoft gave security companies “one week” before the release of the Anniversary Update to make their products compatible. “Even if software did manage to be compatible according to the initial check before the upgrade … Defender would still take over,” he claims.

Windows 10 warns users against turning off Defender even when third-party anti-virus/antimalware is installed.“Even if users have compatible protection from an independent developer already installed, Defender appears with an alarming window,” he writes. “Pressing the big [‘Turn on Defender’] button [that appears] will also deactivate your existing AV.” And that change is noted only by a tiny and hidden window, he says.

Windows 10 hides security solution messages about license expiration. New to Windows 10, security products can no longer actively “warn users about their licenses expiring in the first three days after expiration … It’s a big deal because this is the crucial period during which a significant number of users seek extensions of their security software licenses. And if a user forgets to renew a license, then Microsoft deactivates the existing AV, and turns on Defender.”

In some cases, Windows 10 silently turns off third-party AV and leaves Defender running. “Let’s say you’ve [installed a third-party] AV [solution],” he writes. “You intentionally – or not (e.g., with bundled software) – install a trial version of a different AV, but forget to delete it or purchase a license for it. When the trial period is up, Windows quietly turns off both AVs, and – you guessed it – turns on Defender.”

Windows 10 lets you have two security solutions installed. But only if one of them is Defender. “Microsoft violates its own rule regarding only being able to have one AV on a system,” Kaspersky says. “The rule doesn’t apply to Defender: despite the presence of an independent AV, Windows will occasionally turn on its AV scanner. It demonstrates the results of its blustery activity, again egging the user on to ditch the other AV and stick with Defender.”

I kind of come down in the middle on most of this.

For example, he’s right that Windows 10 too aggressively replaces users’ choices and that Microsoft’s in-box solutions are worse than many third-party options. But complaining that Kaspersky only had “one week” to get its security software compatible with the Anniversary Updates rings as untrue; regardless, the very slow roll out of this update renders the complaint moot. Surely the software is compatible now.

But having written and spoken about the reliability and quality issues with Microsoft’s software—not just Windows, but also the apps and services that are bundled with the OS—many times, I see the point. And as with Google’s recent rebuttal to the EU antitrust charges against Android, Microsoft’s goals for the platform don’t always mesh with reality. As I noted in my article Windows as a Service Isn’t Working, there is a big gap between the promise and the reality.

More specifically, Microsoft is pretending that there is only one Windows, called Windows 10, when in fact there are now three major versions of Windows 10—1507, 1511, and 1607—and a fourth is coming in early 2017. Each time a user’s PC is upgraded, which happens whether they want it or not, they undergo a major OS upgrade in which the defaults Mr. Kaspersky is complaining about are changed, in many cases according to Microsoft’s—not the user’s—wishes.

This is a major change from previous Windows versions. If you were using Windows 7 when Windows 8 arrived, you were not automatically updated. But today, with Windows 10, you are. So the Kaspersky complaints may sound familiar, but the situation he’s complaining about is, in anything, even more serious today because it is happening without the user’s explicit choice.

So Kaspersky is seeking the following relief from Microsoft:

Developers need more time to make their solutions compatible with new versions of Windows. This one I’m a bit confused by, since Windows 10 is developed in the open, and most changes are telegraphed for months in advance.

Better communication to the user about incompatible software. When users upgrade to a major new Windows 10 version, the OS should “explicitly inform the user of the presence of incompatible software before the upgrade.” And once the upgrade is complete, Windows should “recommend the user to install a compatible version of the software,” rather than just silently replace it with a Microsoft solution.

Make Windows Defender an explicit opt-in. Windows should “always explicitly ask the user for his/her approval to enable Windows Defender,” Kaspersky says. Especially since he claims that Defender is vastly inferior to third-party solutions.

Equally controversial, Kaspersky says that cybercriminals, and not users, benefit the most from Microsoft’s business practices. That is, the security monoculture that would arise from Microsoft’s dominance of the market would make us all less safe.

“No need to deal with dozens of different developers’ security solutions [as] cyber-criminals would concentrate on getting around the defenses of just Defender,” he writes. “Diversity of an open ecosystem is an essential condition of its security. Competition gives rise to new ideas; technologies get polished, infrastructure gets developed, and all-around security gets raised. And all that with minimal costs for Microsoft itself.”

The natural byproduct of this behavior is that users would trust Microsoft and Windows less over time, a situation I do think is already happening thanks to Microsoft’s overly-aggressive tactics with Windows 10. And that because of these poor experiences, Microsoft will cede users to rival platforms like the Mac and Chrome OS.

To his credit, Kaspersky hopes that Microsoft will see the error of its ways and will work with the independent software community to fight cybercriminals together. But if not, he’s going to do what he thinks is right for their customers and the industry.

“Users have the right to choose the best [solutions for their needs],” Mr. Kaspersky writes. “Freedom of choice enables the development of competition, and competition leads to technical progress. We intend to fight for such freedom, even if we have to do so alone.”

I’m curious to see how—or, more to the point, if—Microsoft responds to these charges. It’s not hard to poke holes in some of the specifics, but Kaspersky’s broad points are well-made: Microsoft has indeed designed Windows 10 to be more user-hostile than previous Windows versions, though it would argue it has made these changes for customers. The question is whether these changes, especially forced updating and upgrading, will ultimately benefit the user base or just drive them away as reliability problems mount.

So what say you, Microsoft? Will you work with Kaspersky and your other software partners to ensure that Windows users are both protected and respected? Or will you ignore this complaint and continue down a road that I and many others worry is too unilateral and too patronizing for many of your customers?