Want to download free AV software? Don't have a Muslim name
Reg reader struggles to gain Sophos protection thanks to export laws
What's in a name?
However, Ali is no longer interested in the software, which he only needed for testing rather than regular use.
Ali agreed with El Reg’s assessment that the self-declared significant number of false positives thrown up by the vetting process sounds inefficient (at best) and a nuisance to those affected, like himself.
The whole episode has left Ali somewhat bemused. “[It] seems a bit bizarre,” he said, adding that “other downloads function as normal.” The process Sophos is applying is unfortunate from at least two perspectives, according to Ali. Firstly, there is the issue of false positive alarms.
“‘Hasan Ali’ is not an uncommon name – I would imagine there are tens, if not hundreds of thousands of people with those names,” Ali said. “To filter on something with so many likely positive hits is at best inefficient.”
“This can’t be of benefit for Sophos, and it seems unlikely that this process is required by law. Aside from the hundreds of other vendors who manage to operate without this problem, Sophos also makes its software available on CNET, and possibly other download sites without mandating this process,” he said.
El Reg pressed Sophos for a response to the criticism that screening checks aren’t applied to software downloads from download.com or other third-party sites. Screening only the downloads that come directly from Sophos would appear to be pointless, even before getting into the question of whether the whole process is necessary.
In response, the company said: "All our download products go through the same screening process as highlighted in our previous statement. We can’t really comment on why Mr Ali doesn’t experience the same situation with other vendors, or when he downloads our software from third party sites such as CNET. Sophos adheres strictly to US, EU and other jurisdictions' export regulations, and complies with all requirements. Companies can be heavily fined for non-compliance."
Caught in the net
Ali also criticised the secondary screening process from the perspective of those caught in the net and blocked from downloading Sophos’s software.
“From a user perspective, or the perspective of the Sophos client market, for them to ask, by email, for fullname, DoB, and ID number or passport number, essentially comes across as similar to a phishing scam,” Ali said.
“Any organisation that sits in the security sector should be particularly aware of the need to discourage people from responding with this type of information, without complete confidence in the source of the request and the mechanism for transmitting/storing the data,” he added.
Ali concluded that Sophos’s whole rationale is, “well – not very rational [and] I’m left more with an impression that Sophos could enable identity theft, rather than protect my systems and my data”.
“I don’t really have any further interest in its antivirus software – I was playing around with a Mac that includes a boot-camped Windows 10, and was curious about what a Mac based AV program might pick up,” he said.
“I’m still stunned that a company like Sophos could apply this process without thinking through the implications. Even in the 1980s/1990s export regulations context (although things are arguably more nuts now) I don't think an AV product would have been caught by the net.”
In response to Ali's criticisms, Sophos said: "The message he will have seen on the screen alerts to the fact that Sophos will be in touch asking for personal details. Within that follow-up email, there is a reference number he can use to contact Sophos to verify that the email is genuine."
Sophos also elaborated on its name-denial policy: "The information held on the denied parties list is variable and will usually include name and country and in some cases date of birth or passport number. Because we are bound by the export regulations to check, we cannot provide the software until we have verified the individual’s identity. We appreciate this does sometimes cause inconvenience to users such as Mr Ali, and understand his frustration. We deliver millions of downloads of our software and our business export validation alert rate is below 0.05 per cent."
Ali isn’t religious. He explained: “Incidentally, not that this should matter in any way, I – and likely many others with similar names – don’t have any religious persuasion. (Except maybe OpenVMS from my younger days.)”