House of Lords Report on Personal Internet Security

August 21, 2007

The House of Lords Science and Technology Committee highlight the threat to the future of the Internet posed by e-crime, and argue that the Government must do more to protect individual Internet users. SCL was a major contributor to the evidence, having submitted written evidence and, through Professor Ian Walden, substantial oral evidence.



The Press Release on the report states that the Committee argue that the laissez-faire attitude taken to Internet security by a range of stakeholders including Government, Internet Service Providers, hardware and software manufacturers and others risks undermining public confidence in the Internet and contributes to a ‘wild west’ culture where the end user alone is responsible for ensuring they are protected from criminal attacks online. It goes on to describe the Committee’s view that the Internet, while still a powerful force for good, has increasingly become the playground for criminals. Today’s e-criminals are highly skilled, organised, and motivated by financial gain. Individual Internet users are increasingly victimised – yet instead of acting to protect individuals, or providing incentives for the private sector to act, Government continues to insist that individuals are ultimately responsible for their own security. The Committee describe this approach as ‘inefficient and unrealistic’.



The Lords Committee recommend a range of measures that would:
• increase the resources and skills available to the police and criminal justice system to catch and prosecute e-criminals
• establish a centralised and automated system, administered by law enforcement, for the reporting of e-crime
• provide incentives to banks and other companies trading online to improve the data security by establishing a data security breach notification law
• improve standards of new software and hardware by taking the first steps towards the establishment of legal liability for damage resulting from security flaws
• encourage Internet service providers to improve the security offered to customers by establishing a ‘kite mark’ for Internet services.
The Committee also recommend that the Government should review, as a matter of urgency, their decision to require online frauds to be reported to the banks rather than police in the first instance. Victims of e-crime should have acknowledgment from law enforcement bodies that a serious crime has taken place.



Lord Broers, Chairman of the House of Lords Science and Technology Committee, said:
‘We are firm believers in the Internet. It is a huge force for good. But it relies on the confidence of millions of users. At the moment it seems that the Internet is increasingly perceived as a sort of ‘wild west’, outside the law. People are said to fear e-crime more than mugging. That needs to change, or else confidence in the Internet could be destroyed. You can’t just rely on individuals to take responsibility for their own security. They will always be out-foxed by the bad guys. We feel many of the organisations profiting from Internet services now need to take their share of the responsibility. That includes the IT industry and the software vendors, the banks and Internet traders, and the Internet Service Providers. The state also needs to do more to protect the public, not only the government itself, but regulators like Ofcom, the police and the court system. You can’t legislate for better Internet security. But the Government can put in place incentives for the private sector to up their game. And they can invest in better data protection and law enforcement. It’s time to act now, before it’s too late.’



The full report is linked at the end of this article; Chapter 8 includes a full list of conclusions and recommendations and is set out below:


CHAPTER 8: SUMMARY OF CONCLUSIONS AND RECOMMENDATIONS


8.1. In this Chapter we set out our recommendations and conclusions in full. The numbers in brackets refer to the relevant paragraphs in the text.


Overview: The Internet and Personal Security


8.2. The benefits, costs and dangers of the Internet are poorly appreciated by the general public. This is not surprising, given the lack of reliable data, for which the Government must bear some responsibility. The Government are not themselves in a position directly to gather the necessary data, but they do have a responsibility to show leadership in pulling together the data that are available, interpreting them for the public and setting them in context, balancing risks and benefits. Instead of doing this, the Government have not even agreed definitions of key concepts such as “e-crime”. (2.42)


8.3. We recommend that the Government establish a cross-departmental group, bringing in experts from industry and academia, to develop a more coordinated approach to data collection in future. This should include a classification scheme for recording the incidence of all forms of e-crime. Such a scheme should cover not just Internet-specific crimes, such as Distributed Denial of Service attacks, but also e-enabled crimes—that is to say, traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission. (2.43)


8.4. Research into IT security in the United Kingdom is high in quality but limited in quantity. More support for research is needed—above all, from industry. The development of one or more major multi-disciplinary research centres, following the model of CITRIS, is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort. We recommend that the Research Councils take the lead in initiating discussions with Government, universities and industry with a view to the prompt establishment of an initial centre in this country. (2.44)


8.5. Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act 1990. We welcome the Minister’s assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim. (2.45)


The network


8.6. We see no prospect of a fundamental redesign of the Internet in the foreseeable future. At the same time, we believe that research into alternative network architectures is vital to inform the incremental improvements to the existing network that will be necessary in the coming years. We recommend that the Research Councils continue to give such fundamental research priority. (3.8)


8.7. The current emphasis of Government and policy-makers upon end-user responsibility for security bears little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk. It is time for Government to develop a more holistic understanding of the distributed responsibility for personal Internet security. This may well require reduced adherence to the “end-to-end principle”, in such a way as to reflect the reality of the mass market in Internet services. (3.34)


8.8. The current assumption that end-users should be responsible for security is inefficient and unrealistic. We therefore urge the Government and Ofcom to engage with the network operators and Internet Service Providers to develop higher and more uniform standards of security within the industry. In particular we recommend the development of a BSI-approved kite mark for secure Internet services. We further recommend that this voluntary approach should be reinforced by an undertaking that in the longer term an obligation will be placed upon ISPs to provide a good standard of security as part of their regulated service. (3.67)


8.9. We recommend that ISPs should be encouraged as part of the kite mark scheme to monitor and detect “bad” outgoing traffic from their customers. (3.68)


8.10. We recommend that the “mere conduit” immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)


8.11. The uncertainty over the regulatory framework for VoIP providers, particularly with regard to emergency services, is impeding this emerging industry. We see no benefit in obliging VoIP providers to comply with a regulatory framework shaped with copper-based telephony in mind. We recommend instead that VoIP providers be encouraged to provide a 999 service on a “best efforts” basis reflecting the reality of Internet traffic, provided that they also make clear to customers the limitations of their service and the possibility that it may not always work when it is needed. (3.70)


Appliances and applications


8.12. The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)


8.13. In particular, we urge the industry to endorse the following as best practice:
• Increasing the provision of security advice to users when first booting up PCs or launching applications;
• Automatic downloading of security updates upon first connecting machines to the Internet;
• Ensuring that default security settings are as high as practicable, even if functionality is restricted while users are still learning about the risks they face; and
• An industry-wide code of practice on the use of clear and simple language in security messages. (4.39)


8.14. However, efforts to promote best practice are hampered by the current lack of commercial incentives for the industry to make products secure: companies are all too easily able to dump risks onto consumers through licensing agreements, so avoiding paying the costs of insecurity. This must change. (4.40)


8.15. We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)


Using the Internet: businesses


8.16. The steps currently being taken by many businesses trading over the Internet to protect their customers’ personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in a position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data. (5.53)


8.17. We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud. (5.54)


8.18. We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency. (5.55)


8.19. We recommend that a data security breach notification law should incorporate the following key elements:
• Workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for the accessibility of that data;
• A mandatory and uniform central reporting system;
• Clear rules on form and content of notification letters, which must state clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it. (5.56)


8.20. We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner’s Office in enforcing good standards of data protection across the business community. The Commissioner is currently handicapped in his work by lack of resources; a cumbersome “two strike” enforcement process; and inadequate penalties upon conviction. The Government have expressed readiness to address the question of penalties for one type of offence; we recommend that they reconsider the tariffs for the whole of the data protection regime, while also addressing resources and enforcement procedures as well. These should include the power to conduct random audits of the security measures in place in businesses and other organisations holding personal data. (5.57)


Using the Internet: the individual


8.21. The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be relaunched as a single Internet security “portal”, providing access not only to the site itself but acting as a focus and entry-point for other related projects. (6.46)


8.22. We agree with the Minister that there needs to be a “step change” in the way the regulator Ofcom approaches its duties in relation to media literacy. We recommend that Ofcom not only co-sponsor the Get Safe Online project, but that it take on responsibility for securing support from the communications industry for the initiative. (6.47)


8.23. We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)


8.24. We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)


Policing the Internet


8.25. We recommend that the Government introduce amendments to the criminal law, explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put. (7.74)


8.26. We recommend that the Government, in partnership with the Association of Chief Police Officers and the Serious Organised Crime Agency, develop a unified, web-based reporting system for e-crime. The public face of this system should be a website designed to facilitate public and business reporting of incidents. The back-end software should have the capacity to collect and collate reports of e-crime, identify patterns, and generate data on the incidence of criminality. The website could also serve as a portal to other more specialised sites, for instance on online child abuse or identity theft. It would be an invaluable source of information for both law enforcement and researchers. (7.75)


8.27. As a corollary to the development of an online reporting system, we recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of e-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically. (7.76)


8.28. If these recommendations are to be acted upon, the police service will need to devote more resources to e-crime. We acknowledge the good work undertaken by SOCA and on behalf of ACPO, but within the police skills and forensic capability still vary from force to force. While it is vital to raise police skills across the board, rather than just those of specialists, “mainstreaming” is only part of the answer. We therefore recommend the establishment of a network of computer forensic laboratories, under the aegis of the proposed ACPO national e-crime unit, but with significant central funding. (7.77)


8.29. We further urge the Home Office, without delay, to provide the necessary funds to kick-start the establishment of the Police Central e-crime Unit, without waiting for the private sector to come forward with funding. It is time for the Government to demonstrate their good faith and their commitment to fighting e-crime. (7.78)


8.30. These recommendations will all cost money. But e-crime is expanding rapidly: the choice is either to intervene now to make the necessary investment, and perhaps to keep the threat to the Internet under control, or to let it grow unchecked, and risk an economically disastrous, long-term loss of public confidence in the Internet as a means of communication for business and Government alike. (7.79)


8.31. We urge the Government to fulfil its commitment to ratify the Council of Europe CyberCrime Convention at the earliest possible opportunity. At the same time, in order to ensure that the United Kingdom fulfils the spirit as well as the letter of Article 25 of the Convention, we recommend that the Government review the procedures for offering mutual legal assistance in response to requests for help from other countries in investigating or prosecuting e-crime. (7.80)


8.32. Finally, we recommend that the Government take steps to raise the level of understanding of the Internet and e-crime across the court system. In particular:
• In the context of the prevalence of identity theft and online card fraud, we urge the Government to issue new guidance to the courts, including magistrates’ courts, on the reliability of unsupported credit card evidence as an indicator of guilt;
• We recommend that the Government review the availability to the courts of independent specialist advice in cases of Internet-related crime;
• We believe that the sentence should fit the crime. The nature of e-crime is such that mostly (but not exclusively) small crimes are committed in very large numbers; they also generally involve a high level of intrusion into personal life. Sentencing guidelines should be reviewed in recognition of these realities. (7.81)


Simon Deane-Johns, General Counsel to money marketplace innovators Zopa and a member of the SCL Media Board, commented to SCL: ‘The report is a valuable addition to the debate about where responsibility for Internet security should sit and how it should be addressed. I see little controversy in it, other than in relation to the following aspects:


• It is difficult to argue with the notion that the “end-to-end principle” (that the network should only carry traffic and additional services should only be delivered at the edges) should be qualified to the extent necessary to allow the blocking of content that is demonstrated by commercially available software to be a virus or other malicious code (“malware”), in the most efficient way.


• While it is clear that end-users are incapable of ensuring internet security (and/or may not be interested in doing so), it seems likely to be catastrophic for e-commerce and internet innovation if internet service providers were suddenly obliged to both scan for malware and be made liable for damages to third parties arising out of any failure to actually isolate affected devices. Subject to any disproportionately severe impact on the competitive landscape that might rule out such a move, Internet service providers might be obliged (ideally by self-regulation) to run commercially available malware detection software, and face some sort of sanction if they do not. But there should then be a pause to gauge the impact of that initiative on improving internet security before making them liable for actually failing to isolate affected devices. The economies of scale should also result in savings to consumers and improve uptake of services that comply.


• In terms of priorities, I would agree with the conclusion that internet applications and operating systems should be more secure, while preserving interoperability. However, no new legislation should be necessary. It is conceivable that negligence claims may be made out against suppliers if they do not make reasonable endeavours to make their applications and operating systems reasonably secure. Similarly, it should not be possible to effectively exclude liability for such negligence under Unfair Contract Terms regulation. However, it is right that contributory negligence should remain a factor. If there is concern on the state of the law, or supplier complacency about its effect, in this regard, then perhaps a test case would be worthwhile before resorting to legislation. It is also difficult to see how legislation on the topic could cope with the complex factual situation prevailing in relation to any single user’s machine.


• It is disappointing to see two separate chapters on use of the Internet by “businesses” and “the individual” when there is vast overlap between the two. In 2005, there were 4.3 million businesses in the UK, 3.2 million (74%) of which were owner operated, employed no staff and generated an estimated annual turnover of about £190 billion, whereas only 6000 UK businesses, or 0.1%, had more than 250 employees (http://www.sbs.gov.uk/sbsgov/action/newsDetail?type=NEWSITEM&itemId=7000033961&atom_id=PR000001). On this basis, most “businesses” by number may be as exposed as other “individuals” to internet security risks, yet may also be guilty of the abuse of others’ personal data for commercial gain. The implications of this need to be considered carefully. For instance, why should we devolve responsibility for internet security to end users, when they may actually be individuals who stand to gain commercially from the absence of malware detection software?


• While the notion of requiring businesses to report security breaches to their affected customers is laudable, it would surely be too bureaucratic, unwieldy and disproportionate to require them to take the additional step of reporting individual breaches to “a mandatory and uniform central reporting system”. A better solution would be to require businesses to have a policy of reporting security breaches to their affected customers and to face sanction if they do not have such a policy and adhere to it, as is the approach to, say, complaints handling under the FSA’s Handbook. There could be some level of summary reporting, just as the FSA requires that in some instances, but it would not be on a breach by breach basis.


• Criminalising the sale or purchase of the services of “botnets”, regardless of the use to which they are put, seems to collide with the notion that security firms need to be able to understand the behaviour of the criminals in order to pre-empt or counter their activities.’


The report ‘Personal Internet Security’ is published by The Stationery Office, House of Lords Science and Technology Committee, 5th Report of 2006/07, HL Paper 165. It can be accessed at http://www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf


The Members of the Science and Technology Sub-Committee who conducted the inquiry are:
Lord Broers (Chairman)
Earl of Erroll
Lord Harris of Haringey
Baroness Hilton of Eggardon
Lord Howie of Troon
Lord Mitchell
Lord O’Neill of Clackmannan
Lord Patel
Lord Paul
Baroness Sharp of Guildford
Lord Sutherland of Houndwood
Lord Young of Graffham