Personal safety online
6.33. We began this Report by distinguishing
between Internet securitythe means of controlling the uses
to which PCs or other interconnective devices, and the information
stored on them, are putand Internet safetythat is,
personal safety, the avoidance of direct physical or psychological
harm that may affect individuals as a result of their actions
online. The first of these issues was from the start the focus
of this inquiry, and of most of the evidence we received. However,
we also received evidence on the second issue, which is discussed
briefly in the following paragraphs.
6.34. This distinction is of course to some extent
artificial, as any victim of crime, including online fraud or
identity theft, may suffer personal harmstress and anxiety,
at the very leastin addition to financial loss. At the
same time it allows us to separate out from the main subject-matter
of this Report particular issues to do with online behaviour,
child protection, and social networking online.
6.35. The first point to be made is that the
Internet has been of enormous value in facilitating new forms
of communication. No-one would have predicted 20 years ago
the way in which email has become a mainstay of social interaction;
in the mid-1990s few had heard of SMS, now an industry worth over
$80 billion per annum; five years ago no-one would have predicted
the explosion of social networking, Instant Messaging and VoIP.
New technologies and opportunities continue to emerge.
6.36. But this rate of innovation has also been
bewildering. It takes time for people to develop norms of behaviour
appropriate to new forms of communication. In the physical world
many such norms are well-established: when meeting someone for
the first time, an individual identifies various signals to do
with facial expression, eye contact, tone of voice, or physical
gestures, and, according to the particular cultural context, knows
how to react appropriately. Or, when crossing the road, the individual
observes familiar rules to avoid accidents. Although norms have
evolved in the online world, they are nothing like as sensitive
or as effective. The risk of misunderstanding, misrepresentation
or exploitation is constant.
6.37. Moreover, even though we live in an era
of increasing concern over data protection and privacy, the wholesale
disclosure of personal information online has become commonplace.
Although attention hitherto has focused on the risk to children
of such indiscriminate disclosure of personal information, in
reality every Internet user, young or old, faces a degree of risk
that this information will be abused by others.
6.38. Software designers are increasingly focusing
on the issue of identity management online. In the course of our
visit to Redmond we met Kim Cameron, Microsoft's Identity and
Access Architect, and discussed Windows CardSpace, which seeks
to provide a unified system for online identity management via
end-user machines. This is now available in the Windows Vista
operating system. The evidence submitted to this inquiry by the
small software development company Edentity Ltd outlines a web-based
system of identity management known as "Personal Information
Brokerage"while also lamenting the lack of interest
in the concept shown by the Government.
6.39. But notwithstanding the technological solutions
that might be developed to facilitate identity management online,
fundamental aspects of online behaviour will also need to change.
The key contributors to online risks were usefully summarised
in private briefings given to us by Internet safety consultant
- Lack of knowledge;
- Unintentional exposure of or by others;
- Flaws in technologyfor instance, in the
services offered online;
- Criminal acts.
6.40. Linda Criddle was emphatic that the IT
industry and businesses operating online should take their share
of responsibility for reducing risk in all these areas. Even risks
arising from carelessness, which might seem to be a purely individual
responsibility, could be mitigated if software products were designed
with detection tools that could spot and alert users to characteristic
acts of carelessness, such as disclosure of personal information
without adequate security. The key was that products should be
developed in such a way as to educate consumers about risks and
to provide them with the tools to manage these risks.
6.41. Ms Criddle's most scathing criticisms of
corporate failure were directed at social networking sites. For
instance, she identified several points in the sign-on process
for social networking site MySpace (now owned by News Corp), which
appeared to encourage or reward the disclosure of personal informationreal
names, email addresses, photographs, and so on. But social networking
sites were not the sole offenders. Security tools on the Microsoft
Network (MSN) were also inadequatefor instance, content
filtering offered by the MSN network screened only external content,
not content generated by the network itself.
6.42. The sorts of issues raised by Linda Criddle
are of particular concern to parents. Jim Gamble, Chief Executive
of CEOP, noting that "a parent may not understand what a
social networking site is", asked, "would you allow
your child to wear a billboard
with their home telephone
number, all of their personal details on it, and some handout
photographs that they would walk from Victoria Station down to
Oxford Street with whilst every Tom, Dick and Harry in the street
could see them? You would not." He too argued that the solution
was education: "educating people and simplifying and demystifying
the technology" (Q 222).
6.43. Jim Gamble focused in particular on the
formal education system. CEOP has not only developed extensive
links with schools, but has also rolled out an education campaign
targeted at one million pupils. John Carr, Executive Secretary
of the Children's Charities' Coalition on Internet Safety, also
focused on schools, though highlighting the difficulties in reaching
parents by this means, and concluding that "we also need
to find other ways of reaching parents" (Q 243). We
agree. It is essential to reach young people through schools.
However, we also believe that the more holistic approach described
by Linda Criddle, building education into the products developed
by industry and business, is vital to supplement formal education.
6.44. We are pleased to observe that to some
extent the Government are already moving in this direction. For
example, we have previously noted that the regulator Ofcom, with
Government backing, has developed a BSI kite mark for content
control software, and we have recommended that further kite marks
be developed for secure Internet Services. This approach, emphasising
industry self-regulation, but providing incentives by means of
formal recognition of best practice, could also be extended in
the field of personal safety online.
6.45. The Government's view, summarised by Tim
Wright, is that "self-regulation is the best approach"
(Q 203). John Carr also argued that "self-regulation
is always going to be a better approach because it is more flexible
and quicker"though conceding that if self-regulation
did not deliver, "the Government will step in and legislate"
(Q 248). We agree. Governments are not well-placed to intervene
directly in an area as fast-moving and diverse as social behaviour
onlinethey cannot design or identify technological solutions,
and they cannot judge the rights and wrongs of the personal behaviour
of individuals. However, they can collaborate with industry in
agreeing general standards of best practice in such areas as the
design of social networking sites, and in awarding recognition
(in the form of kite marks) to those that observe these standards.
6.46. The Government-sponsored Get Safe Online
website already provides useful information and practical advice
to Internet users, but its impact is undermined by the multiplication
of other overlapping websites. We recommend that the Government
provide more explicit high-level political support to the Get
Safe Online initiative and make every effort to recruit additional
private sector sponsors. If necessary, the site should be re-launched
as a single Internet security "portal", providing access
not only to the site itself but acting as a focus and entry-point
for other related projects.
6.47. We agree with the Minister that there
needs to be a "step change" in the way the regulator
Ofcom approaches its duties in relation to media literacy. We
recommend that Ofcom not only co-sponsor the Get Safe Online project,
but that it take on responsibility for securing support from the
communications industry for the initiative.
6.48. We further recommend that, in addition
to the new kite mark for content control software, Ofcom work
with the industry partners and the British Standards Institute
to develop additional kite marks for security software and social
networking sites; and that it continue to keep under review possible
areas where codes of best practice, backed up by kite marks, might
6.49. We recommend that the Department for
Children, Schools and Families, in recognition of its revised
remit, establish a project, involving a wide range of partners,
to identify and promote new ways to educate the adult population,
in particular parents, in online security and safety.
26 The Internet in Britain: The Oxford Internet Survey
(May 2005), p 51: http://www.oii.ox.ac.uk/microsites/oxis/. Back
Get I.T. safe: Children, parents and technology survey 2006 (NCH)-see
See http://www.childnet-int.org/kia/default.aspx. Back