1.1.  The Internet is a global network of millions of interconnected computer networks linking hundreds of millions of machines used by over a billion people. It transfers data between these machines in such a way that the computers at each end of a connection need not be aware of each other's physical location, or the technical details of the many intervening data transmission systems.

1.2.  The origins of the Internet lie in the 1970s, but it was opened to commercial traffic in 1985, began to be widely used by individuals in the early 1990s and is now so important that it is deemed to be part of the critical national infrastructure of all developed nations.

1.3.  The Internet underpins a considerable amount of global economic activity, permitting huge changes in traditional business models. It has also radically changed the way in which individuals are able to access information, entertain themselves, and even the way in which they meet their partners. It has undoubtedly been, and continues to be, a powerful force for good.

1.4.  It is also a complex phenomenon that continues to evolve and grow at a rapid pace. In March 2007 the total number of Internet users world-wide was put at 1.114 billion, or 16.9 percent of the world's population. Internet penetration continent by continent varies from 3.6 percent in Africa to 69.7 percent in North America. In the United Kingdom Internet penetration is 62.3 percent, among the highest in Europe, with growth from 2000-2007 put at 144.2 percent.[1] Some eastern European countries have seen growth over the same period, albeit from very low levels, of well over 1,000 percent.

1.5.  The fast-changing technology underpinning this growth in Internet use is very poorly understood by the vast majority of its users. Indeed, one reason for the prodigious success of the Internet is that users can "surf the web" without having to understand the technical means by which information is accessed or communicated. The many layers of technology that lie beneath the interface seen by the user, typically a software application known as a web browser, are effectively hidden. But just as the technology is for most users invisible, so are the risks.

1.6.  These risks are manifold. They threaten personal security—that is to say, they may undermine the individual's ability to control the information that they have entered into or stored on connective devices such as PCs, mobile telephones, or databases operated by commercial organisations, government agencies and others. Victims typically suffer financial loss through fraud, though in cases of identity theft they may also suffer loss of reputation, or, in extreme cases, may be accused of crimes they did not commit.

1.7.  Online risks may also impact upon personal safety—by which we mean they may lead to direct physical or psychological harm to the individual. One high-profile threat is that posed to children by predatory paedophiles, who conceal their true identity whilst using the Internet to "groom" potential victims. Probably far more common is the online bullying of children by their peers, while even adults who injudiciously disclose personal information online have found that their personal physical safety has been compromised.

1.8.  The title of this Report is Personal Internet Security—we have considered primarily issues pertaining to individual experiences of the Internet. We have not generally considered business security issues, except insofar as these affect the security of the data of individual customers. Thus we have made recommendations around the theft of personal data but not around industrial espionage. Nor have we considered matters of business continuity, risks to services, or possible failure of the critical national infrastructure as a result of the Internet ceasing to operate for an extended period. These are all important issues—but outside the scope of this Report.

1.9.  We have heard many analogies in the course of our inquiry. None of these analogies is exact—the Internet is not like any other technology or industry that has ever been created before. Nevertheless, we have found analogies useful, if not in developing conclusions and recommendations, then at least in structuring our evidence and our arguments in a readily comprehensible form. The analogy that underpins the structure of this report derives from road transport. Within the road transport system, the safety or security of the individual road user is protected at several levels:

• The network—roads are designed and engineered for safety, maintained, lit, sign-posted, and so on.
• The equipment that uses the network—cars and other vehicles that use the network have safety features built into their design.
• Individual users themselves—they are taught how to drive, subjected to testing; their behaviour may be monitored; social pressures are also exerted.
• The policing of the network—there is a clearly defined legal framework for the use of the network; those who breach the law risk prosecution.

1.10.  These headings have helped us to establish a clear and comprehensive analytical approach to Internet security, embracing technical security (at both network and appliance level), individual behaviour, and policing. The bulk of this report is therefore structured around these main headings. First, however, we describe the background—the history of the Internet, its major technical features, and the nature of the threat faced by individual users.

Background and acknowledgments

1.11.  The membership of the sub-committee is set out in Appendix 1, and our call for evidence, published in July 2006, in Appendix 3. Those who submitted written and oral evidence are listed in Appendix 2. We would like to thank all of our witnesses, as well as those who submitted articles, briefings and other materials in the course of the inquiry.

1.12.  We launched this inquiry with a seminar, held at the Institution of Engineering and Technology, in November 2006, and a note of the seminar is given in Appendix 4. We are very grateful to all participants in this event.

1.13.  We would like to put on record our thanks to the Deputy Ambassador in Washington, Alan Charlton, the Consul General in San Francisco, Martin Uden, and all their staff, for their help in organising a hugely valuable visit to the United States in March 2007. We are also grateful to a number of people who, while not appearing formally as witnesses, have been extremely generous in offering assistance and advice—in particular Linda Criddle of Look Both Ways and Ed Gibson of Microsoft.

1.14.  Finally, our Specialist Adviser for this inquiry was Dr Richard Clayton, of the University of Cambridge Computer Laboratory. His expertise in computer security has been invaluable to us throughout the inquiry. However, our conclusions are ours alone.