Select Committee on Science and Technology Fifth Report


CHAPTER 6: Using the Internet: the individual

Overview

6.1.  Enormous reliance is currently being placed by Government upon education, information and training. Arguably the key question in our Call for Evidence was "What can and should be done to provide greater computer security to private individuals?" The Government's response began as follows:

"Both Government and industry have roles in ensuring that people are aware of the general risks online. Both also have a critical role to play in ensuring that the public are conducting online transactions with them safely. The nature of the Internet means that it is our collective responsibility to ensure that people are doing what they can to make themselves and their families safe online so that they can enjoy the real benefits of the Internet" (p 4).

6.2.  The tone is typical of the Government's evidence to this inquiry. While there is a passing acknowledgement that Government and the industry have a "collective responsibility" in the area of personal Internet security, in practice their roles appear to be limited to making people "aware" of the risks online, and providing them with the tools "to make themselves and their families" secure.

6.3.  The tenor of our Report thus far is clear: we have argued throughout for Government, regulators, the IT industry and online businesses to take more active steps to improve personal Internet security. We have recommended a range of incentives designed to ensure that those best placed and most competent to improve personal Internet security—the ISPs, software and hardware vendors, and the companies who conduct business online—are motivated to do so.

6.4.  But at the same time, just as drivers are required to meet certain standards, not just for their own protection, but for the protection of other road-users, so individuals in the online world must take a measure of responsibility for their own security and that of others. We therefore begin this chapter by examining where the balance lies between individual responsibility and Government, regulatory or corporate action.

6.5.  We also consider in this chapter the largely self-contained issue of online safety, the prevention of actual physical or psychological harm to individuals. This is a matter in large part of personal behaviour, though here too the IT industry and businesses operating online bear a significant responsibility.

Individual skills

6.6.  There are those who argue that the astonishing rate of change and innovation which the Internet continues to witness will inevitably outstrip the individual's ability to keep pace with technology. In the words of the Foundation for Information Policy Research (FIPR):

"The typical computer user can do little to identify or mitigate technical risks. He buys a computer as a consumer electronic appliance, plugs it in and uses it; attempts to turn up the 'security level' of his browser will cause some web sites to not work; he has no way of telling good security software from bad; and many of the problems are completely outside the control of even technically sophisticated users" (p 211).

6.7.  There were many other expressions of a similar view. We have already drawn on Bruce Schneier's arguments that ISPs should do more to protect individuals. He summed up his position by reference to his mother: "I always use my mother as an example. She is not stupid; she is very intelligent, but this is not her area of expertise. If I tell her, 'You have to be responsible for your Internet security', she will not be able to. It is too technical, in ways she cannot deal with" (Q 529).

6.8.  Elderly parents cropped up several times in our inquiry. Professor Handley said, "I do use e-banking but I have specifically told my parents not to … I do not respond to any bank e-mail no matter whether it is legitimate or not but I do not trust my parents' ability to make those same kind of decisions" (Q 694). Professor Anderson (who chairs the FIPR), commenting on the complexities of software design, said "Ultimately, when trying to design such things, you are not designing for geeks because geeks can look after themselves. I always ask myself … 'Well, what about my mum?'" (Q 691). More optimistically, Andrew Cormack said that "I taught my parents how to use [the Internet] safely and that was fairly painless" (Q 992).

6.9.  Such comments mask a real demographic change of the last decade, following on from the development of the World Wide Web, and Microsoft's inclusion in the late 1990s of an easy-to-use web browser as standard with its operating systems. We began this Report by noting that Internet use in the United Kingdom grew from 2000-2007 by 144.2 percent. A significant part of this growth is made up of older people—according to the Oxford Internet Survey, from 2003-2005, Internet use among pupils and the working population remained almost entirely flat, but among the retired it rose from 22 to 30 percent[26]. As the population continues to age there is every likelihood that "silver surfers" will make up an even larger proportion of Internet users. Education, as Roy Isbell of Symantec noted, will increasingly need to "target that demographic" (Q 452).

6.10.  This is not to say that the stereotype of the elderly, gullible and technically incompetent Internet user is justified—gullibility and lack of technical know-how will be found in individuals in every age cohort. The key point is that the rate of growth in Internet use across society means that there are bound to be many individuals, of all ages, using the Internet to bank, shop, or send and receive email, without having high levels of IT skills.

Awareness vs knowledge

6.11.  There are two key aspects to improving the ability of individuals to manage online security. One is to promote awareness of the risks online; the second is to instil knowledge of how practically to manage them. Both are necessary—one without the other is of little use.

6.12.  Currently the picture is disjointed. Evidence from Professor Steven Furnell and Dr Andy Phippen, of the Network Research Group at Plymouth University, highlighted a very high level of understanding of basic terms such as "virus", "firewall" or "Trojan horse". However, it is less clear how far this self-reported "understanding" of general risks translates into detailed understanding of specific risks and counter-measures. In hands-on trials the Plymouth survey showed that only 73 percent of users were able to determine the security settings level within their web browser, while only 33 percent were able to determine whether communication with a specific web page was using a secure connection (p 383). Even those who described themselves as "advanced" Internet users (and had academic qualifications relating to IT and experience of Internet security) were by no means uniformly able to perform these tasks.

6.13.  Such findings were echoed by several witnesses. According to the Royal Academy of Engineering, "despite fairly high levels of awareness and concern about threats in general, the level of awareness of the actual threats is fairly low" (p 427). EURIM concluded that "awareness is less of a problem than conflicting and impractical advice and guidance", and expressed concern at the "very real risk that further raising awareness without making it very much easier for consumers to protect themselves and their children and to report malpractice will lead to a serious loss of confidence" (p 370).

6.14.  We fully endorse EURIM's point, that raising awareness of risks without developing the knowledge and skills needed to manage such risks could undermine confidence in the Internet. The Government's evidence, however, blurs this distinction. It identifies "information, understanding and appropriate training" as "among the primary challenges in tackling the growing risk of Internet security threats". It also draws attention to initiatives "to raise public awareness of e-crime and the basic steps users can take to protect themselves" (p 5).

6.15.  We have already drawn attention to the findings of a survey sponsored by the Government's "Get Safe Online" website, showing that 21 percent of people thought e-crime was the type of crime they were most likely to encounter, and that e-crime was feared more than mugging, car theft or burglary. These findings are clearly out of proportion to the real risk—but it may be that the Government's well-intentioned efforts to raise "awareness" of e-crime, without paying enough attention to the ways in which individuals or businesses can protect themselves against it, are actually making the problem worse.

Sources of information and advice

6.16.  To meet the challenges of public understanding, according to the Government, "simple, clear advice from one source is required". They go on to identify the "Get Safe Online" website, bringing together Government, industry and law enforcement, as providing such a source. However, a few paragraphs further on, the Government also note that "There are a range of public and private sector initiatives underway to raise public awareness of e-crime and the basic steps users can take to protect themselves. These include Get Safe On Line (GSOL) [sic], Bank Safe On Line, IT Safe and Fraud Alert" (p 5).

6.17.  There is thus a contradiction in the Government's position. On the one hand they are rightly conscious of the need to provide a single, integrated source of information and advice on Internet security—Vernon Coaker described co-ordination of information as "something we need to become smarter at" (Q 893). But at the same time the sources of information are diverse and overlapping:

  • Get Safe Online[27] is the closest thing in this country to a comprehensive, unified source of information on online security and safety. It is sponsored jointly by the Government, the Serious Organised Crime Agency, major IT companies such as Microsoft and BT, and companies from the financial services sector such as HSBC.
  • The Government also provide other services, including IT Safe[28], which sends email alerts to home and business users, and a Home Office website dedicated to identity theft[29].
  • The banking industry, through payments service APACS, sponsors Bank Safe Online[30], as well as a separate website devoted to card fraud, Card Watch[31].
  • The Metropolitan Police Service has created the Fraud Alert site[32], to which victims of e-crime can forward complaints and fraudulent emails—though this is directed primarily at residents of London.

6.18.  The Internet is open to all—it will never be possible wholly to prevent the multiplication of sources of advice on security. However, it is clear that the Government should be seeking, in collaboration with public and private sector partners, to provide a single, coherent source not just of information, but of realistic advice on the practical steps that individuals can take to manage risk. In many respects the Get Safe Online website already provides such advice in exemplary fashion. However, since its launch in late 2005 a number of the original sponsors (including companies listed in the Government memorandum, such as Lloyds TSB, Dell and MessageLabs) appear to have withdrawn their sponsorship. This is worrying: the site needs a higher profile and the authority that would come from a wider range of private sector sponsors. To achieve this it needs stronger, high-level political endorsement.

The role of Ofcom

6.19.  The regulator of the communications industry, Ofcom, is notable by its absence from the list of sponsors of Get Safe Online, despite the fact that Section 11 of the Communications Act 2003 gives Ofcom a statutory duty to promote "media literacy". Ofcom defines media literacy as "the ability to access, understand and create communications in a variety of contexts" (p 322)—a definition with which we have no quarrel. However, Ofcom's action hitherto appears to have been limited to a "media literacy audit", focusing on issues such as attitudes to the disclosure of personal information online and the blocking of inappropriate content. Ofcom's evidence did, however, state that "in 2007-08 Ofcom will place a much greater emphasis on media literacy" (p 323).

6.20.  In oral evidence Tim Suter, Ofcom Partner for Content and Standards, accepted that it was part of the regulator's remit "to help consumers to both access and understand the communication services which are available to them and that will include making sure, as far as possible, that they know of the tools which are available to help them manage that environment in a way they want to manage it" (Q 1025). But when pressed on how Ofcom had in fact gone about this task, he referred only to the survey and to the new kite mark on content control software (for which see above, paragraph 3.17).

6.21.  Thus Ofcom's formal definition of "media literacy" ("the ability to access, understand and create communications in a variety of contexts") is extremely broad, and would certainly encompass technical security online (for example, the ability to spot a phishing email). Yet its interpretation of "media literacy" in practice is far narrower, and wholly content-focused. It appears to have taken no steps at all in the area of technical Internet security. Not only does it not sponsor Get Safe Online, but anyone seeking information from the Ofcom website on, for instance, spyware, will simply be told to "ask your ISP for more advice"[33].

6.22.  Ofcom's narrow interpretation of "media literacy" is puzzling. Section 11 of the Communications Act 2003 defines "media literacy" in terms of the public's understanding of "material published by means of the electronic media". Material is further defined as being "published" if it is "distributed by means of an electronic communications network to members of the public or of a section of the public".

6.23.  We have already noted that the way in which information transmitted via the Internet is broken down into packets of data means that the superficially plausible distinction between "content" and what can loosely be described as "code" collapses. It follows that Section 11 can be interpreted to cover a very broad range of data distributed by means of the Internet, not just what might be loosely defined as "content". Ofcom's remit is thus in reality so broad as to encompass all aspects of media literacy—technical competence in managing operating systems and security software as well as the ability to control "content" safely.

6.24.  In light of these considerations, we can only agree whole-heartedly with the words of the Minister, Margaret Hodge MP: "Could we have a step change in Ofcom's performance around its media literacy duties? I think the answer has to be, yes" (Q 868).

Education

6.25.  There is a clear need for information and advice to be made available by means of websites such as Get Safe Online. However, the provision of such information has its limitations: as the British Computer Society commented, "Web-sites run by both Government and the private sector … are 'pull technology' and require the user to go looking for the information they contain" (p 352). Education too is needed.

6.26.  Information communications technology (ICT) is already a compulsory element of the school curriculum in Key Stages 1-4, with national qualifications, including GCSEs and a GNVQ, available at age 16—though no part of the national ICT curriculum has hitherto included a security component[34]. This omission is currently being rectified, and, as Home Office Minister Vernon Coaker MP told us, the Qualifications and Curriculum Authority (QCA) is "looking at ensuring that online safety is part of the ICT study arrangements for Key Stage 3 from September 2008" (Q 892). This is a welcome, albeit arguably overdue, development. As Mr Coaker continued, it is essential "to teach [pupils] that this is a fantastic tool which opens up all sorts of opportunities and educational possibilities, but it is also something … which can be misused".

6.27.  At the same time, it is essential that schools themselves should have secure IT systems in place, so that children are not exposed to risks in the school environment. The arrangements for achieving such security are improving, and the National Education Network (NEN) commented that the Government-sponsored agency Becta was "undertaking excellent work in moving UK schools towards a standards-based approach to the design of IT systems" (p 407). Network connections for schools are typically provided by the 10 Regional Broadband Consortia, formed as part of the Department for Education and Skills' Regional Broadband initiative. East Midlands Broadband Consortium, which submitted evidence to this inquiry, provides connectivity to 2,100 schools (p 365).

6.28.  However, NEN also expressed concern at possible inconsistencies in interpretation of network design by technical staff in schools, as well as at the implications of increased devolution of funding to local level. Andrew Cormack, who has been involved in revising the ICT curriculum, noted that "Getting teachers, not just to teach Internet security one hour a week but to themselves behave correctly, that is hard" (Q 992). As in other areas of the curriculum, achieving consistently good practice across all schools will be a huge challenge.

6.29.  Moreover, teaching online security to school pupils as part of the ICT curriculum will not in itself be sufficient. It is worth recalling that the explosion in use of the World Wide Web dates back only to the mid-1990s; anyone beyond their late 20s is likely to have learned to use the Internet not at school, but as an adult. While the QCA regulates courses in ICT targeted at adults, reaching the bulk of the adult population is a far greater challenge.

6.30.  The scale of this challenge was highlighted by a 2006 survey by NCH (formerly National Children's Homes). Focusing on child safety (an issue which we discuss in more detail below), NCH highlighted what it called "alarming discrepancies" between the level of understanding of the Internet of children and that of their parents. For instance, it claimed that a third of children used blogs, while two thirds of parents did not even understand what a blog was, and only 1 percent of parents believed their children used blogs.[35]

6.31.  Attempts have already been made to close these gaps. For instance, Tim Wright, of the Home Office, asked whether schools could run voluntary evening classes for parents, told us that "Some schools have tried but, anecdotally, take-up amongst parents has often been poor … Some parents will come and do it but they are the parents who already understand the issues. It is a good idea but we have not found a way of doing it successfully." Jim Gamble, Chief Executive of the Child Exploitation and Online Protection Centre (CEOP), which has close links to schools, was in favour of "demystifying" the technology for parents. For him the question was "how do we engage them in a way that helps them develop a better understanding?" He suggested using the technology itself to communicate with parents, for instance by sending school reports by email as well as in writing (Q 201).

6.32.  More generally, we fully endorse the statement by UKERNA (which operates the JANET network linking universities, Research Councils and regional schools networks) that "all opportunities to raise awareness, skill and confidence levels of users of all ages need to be taken". UKERNA went on to highlight the possibility that "children who learn safe practice at school should be encouraged to teach their parents and grandparents at home" (p 299). Such approaches will require creativity on the part of individual communities, schools, businesses and charities—it is not necessarily an area for direct Government intervention. UKERNA, for instance, singled out for praise the interactive "Know IT All" site developed by the charity Childnet International.[36]

Personal safety online

6.33.  We began this Report by distinguishing between Internet security—the means of controlling the uses to which PCs or other interconnective devices, and the information stored on them, are put—and Internet safety—that is, personal safety, the avoidance of direct physical or psychological harm that may affect individuals as a result of their actions online. The first of these issues was from the start the focus of this inquiry, and of most of the evidence we received. However, we also received evidence on the second issue, which is discussed briefly in the following paragraphs.

6.34.  This distinction is of course to some extent artificial, as any victim of crime, including online fraud or identity theft, may suffer personal harm—stress and anxiety, at the very least—in addition to financial loss. At the same time it allows us to separate out from the main subject-matter of this Report particular issues to do with online behaviour, child protection, and social networking online.

6.35.  The first point to be made is that the Internet has been of enormous value in facilitating new forms of communication. No-one would have predicted 20 years ago the way in which email has become a mainstay of social interaction; in the mid-1990s few had heard of SMS, now an industry worth over $80 billion per annum; five years ago no-one would have predicted the explosion of social networking, Instant Messaging and VoIP. New technologies and opportunities continue to emerge.

6.36.  But this rate of innovation has also been bewildering. It takes time for people to develop norms of behaviour appropriate to new forms of communication. In the physical world many such norms are well-established: when meeting someone for the first time, an individual identifies various signals to do with facial expression, eye contact, tone of voice, or physical gestures, and, according to the particular cultural context, knows how to react appropriately. Or, when crossing the road, the individual observes familiar rules to avoid accidents. Although norms have evolved in the online world, they are nothing like as sensitive or as effective. The risk of misunderstanding, misrepresentation or exploitation is constant.

6.37.  Moreover, even though we live in an era of increasing concern over data protection and privacy, the wholesale disclosure of personal information online has become commonplace. Although attention hitherto has focused on the risk to children of such indiscriminate disclosure of personal information, in reality every Internet user, young or old, faces a degree of risk that this information will be abused by others.

6.38.  Software designers are increasingly focusing on the issue of identity management online. In the course of our visit to Redmond we met Kim Cameron, Microsoft's Identity and Access Architect, and discussed Windows CardSpace, which seeks to provide a unified system for online identity management via end-user machines. This is now available in the Windows Vista operating system. The evidence submitted to this inquiry by the small software development company Edentity Ltd outlines a web-based system of identity management known as "Personal Information Brokerage"—while also lamenting the lack of interest in the concept shown by the Government.

6.39.  But notwithstanding the technological solutions that might be developed to facilitate identity management online, fundamental aspects of online behaviour will also need to change. The key contributors to online risks were usefully summarised in private briefings given to us by Internet safety consultant Linda Criddle:

6.40.  Linda Criddle was emphatic that the IT industry and businesses operating online should take their share of responsibility for reducing risk in all these areas. Even risks arising from carelessness, which might seem to be a purely individual responsibility, could be mitigated if software products were designed with detection tools that could spot and alert users to characteristic acts of carelessness, such as disclosure of personal information without adequate security. The key was that products should be developed in such a way as to educate consumers about risks and to provide them with the tools to manage these risks.

6.41.  Ms Criddle's most scathing criticisms of corporate failure were directed at social networking sites. For instance, she identified several points in the sign-on process for social networking site MySpace (now owned by News Corp), which appeared to encourage or reward the disclosure of personal information—real names, email addresses, photographs, and so on. But social networking sites were not the sole offenders. Security tools on the Microsoft Network (MSN) were also inadequate—for instance, content filtering offered by the MSN network screened only external content, not content generated by the network itself.

6.42.  The sorts of issues raised by Linda Criddle are of particular concern to parents. Jim Gamble, Chief Executive of CEOP, noting that "a parent may not understand what a social networking site is", asked, "would you allow your child to wear a billboard … with their home telephone number, all of their personal details on it, and some handout photographs that they would walk from Victoria Station down to Oxford Street with whilst every Tom, Dick and Harry in the street could see them? You would not." He too argued that the solution was education: "educating people and simplifying and demystifying … the technology" (Q 222).

6.43.  Jim Gamble focused in particular on the formal education system. CEOP has not only developed extensive links with schools, but has also rolled out an education campaign targeted at one million pupils. John Carr, Executive Secretary of the Children's Charities' Coalition on Internet Safety, also focused on schools, though highlighting the difficulties in reaching parents by this means, and concluding that "we also need to find other ways of reaching parents" (Q 243). We agree. It is essential to reach young people through schools. However, we also believe that the more holistic approach described by Linda Criddle, building education into the products developed by industry and business, is vital to supplement formal education.

6.44.  We are pleased to observe that to some extent the Government are already moving in this direction. For example, we have previously noted that the regulator Ofcom, with Government backing, has developed a BSI kite mark for content control software, and we have recommended that further kite marks be developed for secure Internet Services. This approach, emphasising industry self-regulation, but providing incentives by means of formal recognition of best practice, could also be extended in the field of personal safety online.

6.45.  The Government's view, summarised by Tim Wright, is that "self-regulation is the best approach" (Q 203). John Carr also argued that "self-regulation is always going to be a better approach because it is more flexible and quicker"—though conceding that if self-regulation did not deliver, "the Government will step in and legislate" (Q 248). We agree. Governments are not well-placed to intervene directly in an area as fast-moving and diverse as social behaviour online—they cannot design or identify technological solutions, and they cannot judge the rights and wrongs of the personal behaviour of individuals. However, they can collaborate with industry in agreeing general standards of best practice in such areas as the design of social networking sites, and in awarding recognition (in the form of kite marks) to those that observe these standards.

Recommendations

6.46.  The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be re-launched as a single Internet security "portal", providing access not only to the site itself but acting as a focus and entry-point for other related projects.

6.47.  We agree with the Minister that there needs to be a "step change" in the way the regulator Ofcom approaches its duties in relation to media literacy. We recommend that Ofcom not only co-sponsor the Get Safe Online project, but that it take on responsibility for securing support from the communications industry for the initiative.

6.48.  We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate.

6.49.  We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety.


26   The Internet in Britain: The Oxford Internet Survey (May 2005), p 51: http://www.oii.ox.ac.uk/microsites/oxis/.

27   http://www.getsafeonline.org/.

28   http://www.itsafe.gov.uk/.

29   http://www.identitytheft.org.uk/.

30   http://www.banksafeonline.org.uk/.

31   http://www.cardwatch.org.uk/.

32   http://www.met.police.uk/fraudalert/.

33   See http://www.ofcom.org.uk/consumeradvice/internet/security/spyware/.

34   See http://www.nc.uk.net/webdav/harmonise?Page/@id=6004&Subject/@id=3331.

35   Get I.T. safe: Children, parents and technology survey 2006 (NCH): see http://www.nch.org.uk/uploads/documents/Get%20IT%20safe%20report.pdf.

36   See http://www.childnet-int.org/kia/default.aspx.


 

© Parliamentary copyright 2007