A Hippocratic oath for digital medicine

Antivirus software companies have a special responsibility. Those not prepared to accept this should not pretend otherwise
Written by Leader, Contributor

Symantec is not doing well with Norton. Not only does the company regularly attract huge amounts of negative reader feedback in product review after product review, it's also generating news for inducing security problems and being vulnerable to unfortunate failures. The fact that last year it came 22nd out of 23 in a test of new virus response times — taking more than 27 hours on average, compared to the leader Kaspersky at under seven — doesn't help.

Such mishaps are regrettable in any class of software. Security is special. When it goes wrong, the consequences can affect everyone on the Internet whether or not they've bought a particular brand of software. Anti-malware companies owe it to us all to be timely and correct. Symantec is not alone in failing us on occasion, but we lack a solid set of standards by which to judge such software and its makers.

We therefore propose four rules for all malware security companies — a digital Hippocratic oath which sets the minimum standards for those who practice in this field.

  1. Do no harm. A product must not make a computer harder to use, more unreliable or introduce new security problems.
  2. Do not mislead. No press releases overselling threats in general or in particular, no deliberate mixing of theoretical problems with real danger, and no surveys. Leave those to the independents and the industry groups. And no hidden costs: be free or be up front.
  3. Keep your promises. Safety from new threats requires rapid, accurate and swiftly disseminated responses.
  4. Innovate relentlessly. Malware is constantly evolving: you must be prepared to meet it head on — just never at the expense of the first three rules.

Any company which states that it is working to the best of its abilities to meet these four rules — and is open about how well they are met — deserves respect and consideration. Those which do not or cannot hold themselves to these standards should find another field of software.

This is not a matter of marketing, of clashing antlers over feature lists or fake performance tables. That may be acceptable — unfortunately — in other areas, where caveat emptor still holds. Online security is something that affects everyone, customer or not. It is this responsibility which demands the highest ethical and technical standards in the business.

Do you have any rules you'd like us to add to the list? Let us know in Talkback below.
