Memorandum by Microsoft
1. Our submission sets out our experiences
with the risks and mitigations associated with personal use of
the Internet. We have considerable experience in this area: Microsoft
is one of the most attacked platforms on the planet and we have
learned a great deal about the risks and threats for both us and
our users on the Internet.
2. We have worked globally to establish
a three-part model to tackling many of the issues faced around
through initiatives such as Get Safe Online;
technological practices and improvementssuch
as anti-malware tools, anti-spyware, anti-phishing filter technology
in Web browsers, parental controls (to limit the risks of exposure
to minors of unsuitable content and/or contact with parties unknown)
and the "identity metasystem" (which aims to improve
the quality and consistency of identity on the Internet); and
for example the Global Phishing Enforcement Initiative.
3. All three of these areas need to be developed
in partnership to impact the problem of ensuring personal security
online. Internet security and online safety require an end-to-end
4. Against a constantly challenging and
evolving threat landscape, the industry has continued to make
good progress, partly as a result of placing trusted computing
at the centre of software design. At Microsoft for example our
Trustworthy Computing initiative has had a major impact on reducing
software vulnerabilities, as evidenced in independent assessments
such as UNIRAS/UNICERT. This has been particularly true since
the launch of Windows XP SP2 and will be taken significantly further
when Windows Vistathe next release of our operating systemis
made available in the next few months.
5. Whilst much of the evidence from ourselves
and other contributors may well be a disheartening read, we do
have a passionate belief in the truly transformational and positive
impacts of the Internet. From the obvioussuch as e-commerce
and e-governmentall the way through to the pervasive computing
age, which will enable us to live longer, more fulfilled lives
in our own homes and communities.
6. This is why we believe it is important
for us to work collectively on addressing the issues that threaten
the Internet and its positive potential. The Internet is far more
than just Web browsers and email: we need to understand, monitor
and manage the risks as the Internet increasingly enables new
areas, such as TV on demand and home healthcare monitoring devices.
7. The Committee has highlighted several
areas that it aims to consider in its current inquiry, namely:
What is the nature of the security
threat to private individuals and what is the scale of the problem?
How well do the public understand
the nature of the threat they face?
What can be done to provide greater
personal Internet security? How much does this depend on software
and hardware manufacturers?
Is the regulatory framework for Internet
How well equipped is Government to
combat cyber crime? Is the legislative framework in UK criminal
law adequate to meet this growing challenge?
We will address each of these areas in turn.
What is the nature of the security threat to private
individuals and what is the scale of the problem?
8. Threats to online safety and security
continue to escalate. This can range from the innocuous but irritating.
It includes the likes of spam messages (of which we block over
3 billion a day in Hotmail/Windows Live Mail), through phishing
attacks (aiming to fool users into handing over important personal
information, such as online banking details, that will ultimately
lead to a financial fraud) to malware, spyware, trojans, viruses
9. Such attacks can lead to anything from
release of personal information from a user's computer or online
services, to destruction of all data on a computer, to the launch
of denial of service (DoS) and other malevolent attacks on third
parties. Building in software-based counter measures to these
threats through tools such as anti-phishing filters and anti-malware
protection has been a high priority. The recent release of Internet
Explorer 7which includes such featuresis a step
forwards in tackling these issues. But we also recognise that
there will be a need to continue to innovate as the nature of
online threats itself evolves and changes.
10. There are also more fundamental issues
to consider. For example, more and more home Internet users are
utilising broadband (always on) connectivity and wireless networks
within the home. Configuring both the broadband and wireless links
to ensure adequate security can be a demanding task for users,
and presents a challenge in terms of ensuring that no third parties
can access their systems. We have ensured that the firewall provided
in Windows XP SP2 and in Windows Vista is on by default to help
with protecting consumer's PCs in these increasingly common types
11. Outside of the physical infrastructure
of the typical domestic network, typically protected with firewalls
and encryption for wireless networks, phishing provides one of
the main attack methods to fool people into handing over personal
information that can then lead to an identity fraud related crime
and other crimes, such as financial fraud. Some estimates concerning
phishing indicate a compound annual growth rate of 1,000 per cent.
This is why the latest release of Internet Explorer has built-in
anti-phishing facilities and why Windows Defender (which helps
protect against malware) is included in the Security Center in
12. The scale of the problem can be seen
in figures from the Association for Payment Clearing Services
(APACS), which estimates direct fraud losses from online phishing
scams in the UK almost doubled in 2005 alone to £23.2 million.
13. Gartner reported that in 2005 four major
British banks delayed intra-bank payments between accounts in
an attempt to combat phishing attacks. Delays ranged from several
hours to one day.
14. One in 20 UK residents has lost money
to some sort of online scam such as phishing, according to research
commissioned by AOL UK. The survey of 2,000 net users by AOL found
that five per cent had fallen victim to scams and had lost out
15. Forrester Research believes security
fears have prevented more than 600,000 UK internet users from
16. As the Internet moves increasingly into
powering more and more of the services and technologies around
us, we need to continually assess the threat landscape. For example,
the BBC reported (2 October 2006) from the "Hack in the Box"
hackers conference in Malaysia that hackers know how to subvert
Internet-based telephony systemsincluding for example the
predicted ability to intercept call centres (hence obtaining useful
personal information that can assist with identity fraud)and
Internet-based television (perhaps leading to the injection of
rogue broadcasts, or interference with legitimate broadcasts).
With the predicted growth in home-based intelligent devices (such
as telemedicine) which will also make use of the Internet, we
all need to remain alert to the potential risks and how we mitigate
How well do the public understand the nature of
the threat they face?
17. Education is a key cornerstone in combating
some of these issues. We provide our own guidance to consumers
and also are very active supporters in the UK of the "Get
Safe Online" campaign
which aims to educate consumers on the risks of the Internet and
how to mitigate and manage them. According to a Get Safe Online
Over three quarters of the UK's population
(83 per cent) do not know enough about protecting themselves online.
22 per cent of people admitted to
opening attachments from unknown sourcesone of the most
common ways of spreading computer viruses.
Only 15 per cent of people felt they
had a personal responsibility to protect themselves from online
crimeyet almost one in five British people feel so under
threat from Internet criminals they give online crime a higher
fear factor than physical crimes like car theft and mugging.
18. To help ensure better public awareness
of the risks and their mitigations, we have helped with the sponsorship
and development of initiatives such as Get Safe Online and guidance
on our own Websites. These resources provide a wealth of consumer
education to help online users understand the risks online and
better protect their identity information and related personal
information. We have also engaged more directly, with our UK staff
visiting schools to find ways of better communicating these important
messages in ways that really connect and have an impact.
19. One of our most experienced colleagues
in online risks, Linda Criddle, has recently published a book
"Look Both Ways: help protect your family on the Internet"
combined with a Web site
that we recommend to the Committee.
What can be done to provide greater personal internet
security? How much does this depend on software and hardware manufacturers?
20. Consumers need to be well informed about
the reality of the risks presented by the Internet. This needs
to be done in practical, pragmatic ways that enable them to manage
risk in such a way that they can enjoy the benefits of the Internet,
but minimise its negative aspects. This requires continuing education
programmes of the kind already in place, perhaps supplemented
by good practice guides supplied with new equipment used for Internet
21. There is often an inherent tension between
making things simple and intuitive for users and ensuring strong
security and online safety measures. The industry continues to
make good progress in improving the layers of protection available
in both hardware and software. But the consumer is an essential
part of the solution and needs to understand the options available
and how best to deploy them. Neither is the threat landscape staticit
constantly evolves, requiring consumer education and awareness
to be an ongoing process.
22. Some of the measures we have taken at
the technical level include making anti-malware and anti-spyware
software available for consumers, adding in a firewall to our
products, working with others on tackling the problem of spam
and dropping support for online chatrooms. We have also added
in additional features to the next release of our operating system,
Windows Vista, which include User Account Control (to prevent
rogue/stealth software installing) and parental controls. We have
applied some of the same models to our other products, including
Xbox/Xbox 360 which likewise includes parental controls. We have
also focused on making it much easier for non-expert consumers
to find and use and manage these functions.
23. Windows Defender for example is a free
program that helps protect a computer against pop-ups, slow performance,
and security threats caused by spyware and other unwanted software.
It features a monitoring system that recommends actions against
spyware when it's detected and minimises interruptions. Regular
updates are made available automatically to the software enabling
it to remain responsive to new threats.
24. The new release of our operating system,
Windows Vista, has witnessed a major focus on and investment in
additional security. These features to help better protect users
Better protection against spywareThe
antispyware software in Windows Vista, Windows Defender, helps
prevent computer slow down, privacy loss, and unwanted pop-up
advertisements caused by spyware and other potentially unwanted
Safer browsing with Internet Explorer
7 Protected ModeThis Windows Vista-only feature limits
Internet Explorer 7 to just enough permissions for a consumer
to browse the Web, but not enough to modify their files or settingswhich
helps keep their computer safe from Web-based attacks.
More safeguards from Windows Security
CenterThe Windows Security Center notifies consumers and
helps them take action to correct a problem when their security
software is not up-to-date or their security settings are potentially
In Windows Vista, the Windows Security
Center is improved to include information about their antispyware
software, Internet Explorer settings, and User Account Control
More control over what programs can
doBy default, Windows Vista runs programs in a more secure
mode. When most applications attempt to perform a potentially
dangerous operation that requires administrator privileges, Windows
Vista asks the user for their active consent before allowing that
program to run. This helps reduce the impact of viruses, spyware,
and other threats.
An anti-phishing filter to help protect
online identityInternet Explorer 7 with Windows Vista includes
a filter that advises a consumer when Web sites might be phishing
in an attempt to steal their confidential information. The filter
checks a list of known phishing sites that is updated several
times an hourand can also spot suspicious sites that are
not in the database yet.
Clear Internet history with one clickThe
sites visited and the information typed when you browse the Web
are stored in many different places within a computer. In Internet
Explorer 7 with Windows Vista users no longer need to go multiple
places to remove their personal information. With the Delete Browsing
History feature a user can clear all their browsing information
with one click.
Back up and restore settings, files
and applicationsWindows Vista provides a more comprehensive
and easy backup tool than the basic backup utility included in
Windows XP. The new Windows Backup feature gives a consumer more
choices for storing their backed-up information and they no longer
have to remember to regularly back up their data. Consumers can
use a simple wizard to schedule when and where they want everything
Parental ControlsWindows Vista
introduces a rich and powerful set of parental control features
to help parents monitor, manage, and administer their children's
computer useand help keep them safe.
Review detailed activity reportsWindows
Vista can generate a detailed activity report that shows exactly
what children have been doing on the computer, including the games
they played, the Web sites they visited, and the programs they
Set Web restrictionsUsers
can use an online service that comes free with Windows Vista to
restrict the types of Web sites a child can visit. A parent or
carer can restrict Web sites by category, such as blocking all
pornographic sites or all gambling sites, or they can block specific
Web sites by URL. These restrictions work with most Web browsers.
Help control the games a child playsWindows
Vista makes it easy for a parent or carer to designate which games
their children are allowed to play. They can choose to: Allow
or restrict specific games titles, limit children's play to games
that are rated at or below a certain age level, block any games
with certain types of content they do not want children to see
Set computer time limitsWith
Windows Vista it is possible to set limits to when a child can
use the computer and for how long.
25. Many of the problems facing consumers
on the Internet have their origins in the fact that the Internet
was built without an identity layer. It is difficult for users
to establish the authenticity of remote parties that they are
communicating withand difficult to establish their own
identity when challenged to do so. Microsoft has been working
with a broad industry coalition to distil a proven, empirical
set of principles for successful identity based on the lessons
the industry has learned over the last 30 or so years. These principles
are intended to help bridge the divide between policy aspirations
and lower level technical implementation detailsand hence
provide a critical part of the overall infrastructure required
to tackle the problem of the missing identity layer of the Internet.
These principles are currently referenced as the `laws of identity'
(laws as in scientific principles). We do not claim perfection
or any uniqueness of insight in these `laws'but do believe
they provide a constructive basis for discussion and debate on
ensuring the proper scope of identity systems that will prove
sustainable and robust in the long term. And by tackling these
issues, we will make attacks such as phishing harder to execute
26. These "laws" are included
for reference at Annex A to this paper. In brief overview, they
encapsulate the following elements of good identity system design:
identity systems must only reveal
information identifying a user with the user's consent;
the solution that discloses the least
amount of identifying information and best limits its use is the
most stable long-term solution;
identity systems must be designed
so the disclosure of identifying information is limited to parties
having a necessary and justifiable place in a given identity relationship;
the identity system must support
both "omni-directional" identifiers for use by public
entities and "unidirectional" identifiers for use by
private entities, thus facilitating discovery while preventing
unnecessary release of correlation handles;
the identity system must channel
and enable the inter-working of multiple identity technologies
run by multiple identity providers;
the identity system must define the
human user to be a component of the distributed system integrated
through unambiguous human-machine communication mechanisms offering
protection against identity attacks; and
the identity system must guarantee
its users a simple, consistent experience while enabling separation
of contexts through multiple operators and technologies.
27. A key part of our work has been ensuring
a wider industry consensus in tackling the problem. We have a
project known as CardSpace at Microsoft which aims to help provide
the missing identity layer of the Internet and which embodies
these identity principles in technology. Importantly, a project
known as InfoCard is taking place across the industry (including
across open source, Java, the Firefox browser and Apple Mac communities).
We have been working collaboratively right across the industry
to address these identity issues since they need to be solved
in partnership if we are to make significant progress on providing
the missing identity layer that the Internet so urgently requires.
The InfoCard initiative will help remove the over-dependency on
user ID and passwordone of the most vulnerable problems
on the Internetand move us towards a more secure and more
28. Alongside these industry efforts to
improve the online identity layer, we have also been making other
technological improvements, such as a new anti-phishing filter
in Internet Explorer. This helps users identify suspect Websites,
enables easier reporting of suspicious sitesand uses visual
cues to warn users when problems have been detected.
Is the regulatory framework for Internet services
29. Microsoft believes that effective regulation
of security in an online world is best achieved by promoting a
self-regulatory environment. We feel that consumer demand for
security provides enormous market-driven incentives for innovators
to work towards new solutions to security threats.
30. Promotion and support of a self-regulatory
environment in which innovators have freedom to develop appropriate
solutions to address security concerns is vital. Threats to security
evolve over time. Only where there is scope for innovation will
we see the development of new technological solutions to move
towards secure networks. Self-regulation preserves consumer choice
and ensures a progressive response to security threats, not limited
by rules that may rapidly become outdated.
31. A good example of self-regulation is
what has been achieved by Government, NGOs and the industry working
together in helping to tackle child safety online. Along with
other industry players and NGOs, we sit on the Home Office Child
Safety on the Internet taskforce which allows for all participants
to openly understand and discuss how we can best ensure child
safety online. Microsoft works closely with the Internet Watch
Foundation and uses its recommendations to block websites through
MSN and Windows Live search.
32. We also joined together with a number
of police forces around the world including the UK Child Exploitation
and Online Protection Centre (CEOP) to deliver a new technology,
the Child Exploitation Tracking Scheme (CETS), which allows police
forces to share and analyse information for investigating child
33. Our Vice President of Trustworthy Computing,
Scott Charney, published a paper entitled "Combating Cybercrime:
A Public-Private Strategy in the Digital Environment" as
a result of work undertaken with the United Nations. This paper
provides an overview of the inherent security and law enforcement
challenges of the digital age, and outlines why neither traditional
models of government protection nor a purely market-based approach
to security is sufficient in the virtual world. It also discusses
five elements of a sound public-private sector partnership strategy,
using Microsoft's experience to illustrate the roles that industry
and government can play in pursuing the strategy. We would be
happy to provide copies of this paper to the Committee if it would
How well equipped is Government to combat cyber
crime? Is the legislative framework in UK criminal law adequate
to meet this growing challenge?
34. Where we do believe that Government
can play a legislative role is in ensuring that they equip law
enforcement agencies with a robust legal framework and resources
to effectively tackle cybercrime.
35. In this vein, we supported the adoption
of the EU Framework Decision on Cybercrime and the update to the
Computer Misuse Act which changed UK law in line with this Decision.
What we think is extremely important is that the police are given
the resources and training to maintain the necessary technical
expertise to help them successfully pursue cybercriminals.
36. In the UK, one issue that needs addressing
is the problem that cyber crime and related fraud are not presently
priority indicators for the police as set by the Home Office.
With the changes around SOCA, the proposed re-structuring of police
forces and the disappearance of the NHTCU it is unclear how cyber
crime and reporting mechanisms are being systematically addressed.
There is no single reporting mechanism in the UK (as there is
in the US), thus, no reasonably supported statistics aside from
anecdotal information and surveys.
37. What is equally as important is establishing
a right of action for third parties. Individual users often lack
the technical expertise and financial resources to take action
against spammers and other cyber criminals. A third party right
of action could protect consumers, which could include our own
customers, by bringing damage claims that deter cyber criminals
from continuing their activities. Companies could also recover
some of the economic losses that cybercriminals cause to them
in increased security costs and reputational damage.
38. We have developed strong partnerships
with Interpol, other law enforcement agencies, government and
industry to tackle the problems of online crime.
39. Earlier this year we launched our Global
Phishing Enforcement Initiative (GPEI), which focuses on the identification
and prosecution of individuals and groups involved with online
phishing attacks. We have identified 104 phishing sites in 39
European countries. Of these sites, 31 are in English. We have
initiated 53 separate legal actions. Of these actions, 4 are in
the UK. The majority of phishers are males aged between 16 and
20. Legal actions include: criminal complaints, civil lawsuits,
court orders and settlements. The four major offenders are: Spain,
France the UK and the Netherlands.
40. It would aid consumer understanding
and more consistent evidence collecting and tracking of the scale
and growth of the problem if the topics were more consistently
described. For example, we recommend that the phrase "identity
fraud" be defined more clearly and consistently. At present,
much so-called "identity fraud" can often actually be
related to other issuessuch as benefit claimants misrepresenting
41. We also believe it is worth considering
the establishment of a UK-wide, simple streamlined system for
reporting of all cyber crime and online problems such as phishing.
This would enable much easier reporting by citizens and hence
much better insight and analysis of the true scale of the problem.
Ensure that law and enforcement agencies are appropriately resourced
to track, monitor and tackle cyber crime and related identity
42. Both the offline world and online, digital
world lack a clear identity layer. We need to work collectively
to establish a clear policy framework for identity. We recommend
the "Laws of Identity" (Annex A) as a starting point.
43. Microsoft believes criminal enforcement
against those undertaking identity theft and related fraud, including
for example, phishers is important to ensure that cyber criminals
understand there will be consequences to illegal actions. In particular,
establishing a right of action for third parties.
44. The UK should ensure it has not only
the necessary legislation itself, but given the international
nature of Internet threats, work with other countries to ensure
reciprocal arrangements are in place to curtail the way in which
criminals currently use international boundaries to impede the
process of criminal proceedings.
45. It is also important the law enforcement
agencies are provided with sufficient investment in their forensic
analysis capability to tackle Internet-based crime.
46. The evolution of the computing ecosystem
and malicious software threat landscape requires continual re-thinking
about how to make consumer computing environments more secure.
64-bit computing is already making an impact as the next significant
PC computing architecture. To support this new architecture (and
to create an ecosystem that engenders trust and accountability),
the security industry must continue to innovate on the development
of more secure solutions.
47. At Microsoft, we know we can't do this
alone and are committed to working with partners on ways to enhance
our platform and provide greater opportunity for all software
providers to build new solutions for consumers.
1 http://www.microsoft.com/athome/security/default.mspx Back