Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 300 - 308)

WEDNESDAY 10 JANUARY 2007

MR JERRY FISHENDEN AND MR MATT LAMBERT


  Q300  Earl of Erroll: One of the issues he has is that in many cases if you start playing high definition videos or DVDs, et cetera, the quality will be degraded if it is going via Vista because it has to run with certain combinations of broadband. If so, that will discredit Vista and its uptake would not be so great. Do you see that that could possibly happen?

  Mr Fishenden: Yes, and again, if it is a high definition DVD the tools in Vista are designed to deliver you the high definition experience. If you are plugging it into a high definition, 10 ATI PC with an HDMI slot that also supports high definition content protection, then you are going to see a completely seamless high definition experience in the same way that you would if you went and bought a dedicated consumer electronic device.

  Q301  Earl of Erroll: I think we need to see a technical rebuttal.

  Mr Fishenden: Sure, okay.

  Q302  Earl of Erroll: You refer to the industry-wide InfoCard initiative for exchanging identity credentials over the Internet, which might mean that some of the current rather simplistic password and user name systems change. Do you want to elaborate on that slightly?

  Mr Fishenden: What we call Windows CardSpace, which is something that is already in Windows Vista and we are making available to Windows XP users, is our implementation of what we call an identity selector. There are many third parties working on this alongside us, and it is very encouraging, having worked in the IT industry for 20-plus years, I guess, to see such a collective groundswell of focus on tackling what is a very major problem on the Internet, which is that it is pretty well designed without the identity layer. It is very hard for us to prove who we are when we are on-line and we go and visit lots of third party sites and we are not really sure whether that really is our bank that we are about to provide our details to. What CardSpace does by analogy is bring the type of experience we are used to in the real world when you go into your wallet and you see all sorts of different cards, maybe a Visa card, a Mastercard, House of Lords access card, whatever it might be, and you know which one to use in a particular context. You know if you try and enter the House of Lords your Visa card is not necessarily the best way of getting past the doorkeeper. That may sound a simple analogy but in the on-line world it has never been that easy to use identities. 
What we are looking at doing is providing that highly visualised environment, that when you go to certain e-commerce sites this is the card you can use securely with e-commerce, you can move away from the user ID and password problem and all that goes with it, such as phishing and pharming and the like, but when you get to a different context, and that could even be within the same e-commerce sites; maybe you have established that you are the same person that came to On-lineBooks.com or whatever it is last time, you go to pay and at that point you might want to use a different card, which could be your Visa or Mastercard or American Express card, and again it can be a simple matter of identifying and clicking on that card within the identity selector. I guess we are trying to tackle several things at once. One is the user experience, so we are trying to get a very consistent way of using identity on the Internet which is much more intuitive for users. One of my colleagues, Kim Cameron, who has been one of the driving forces behind this, has used the phrase that we have almost been taught to be phished and pharmed on the Internet. It is true in a sense that because there is no consistency in the way we provide log-on details to different websites and try to authenticate whether we are genuine. It is very hard to pick up on the cues that might alert us to the fact that actually this is a spoof site, not a real one, so a lot of the attention has been behind trying to get consistency across the industry in how we use these identity selectors. You know how they work and you know when you go to the sites how they work, and if something looks unusual then there is probably something wrong because it is not working the way it should. 
I do not know what the analogy might be in the real world but I guess one might be restaurants that take your credit card and disappear for 10 minutes somewhere at the back and you are never quite sure what they may or may not be doing with it. The other part is securing the identity environment, making sure that you have a much better level of assurance that the information you are sending between the PC or whatever you are working on and the site is encrypted and protected, so, if you take the worst case scenario, somebody who has got spyware sitting on their PC, how we protect the environment so that people cannot see what cards are sitting in your identity selector, and if they are trying to fool you by showing you a different wallet that would be as alien to you as opening your wallet in your pocket and seeing somebody else's bank cards and their different types of identity documents. I think it is a very encouraging piece of work. It has got to make contact with the real world yet, although this means cross-industry work going on. We are now at the chicken-and-egg situation that we have got the existing Internet as it is today with user ID and passwords, we have got CardSpace and identity selectors coming along, including some open source Java-based identity selectors, and we are now at that situation where we are going to need to find a balance of consumers and citizens seeing a benefit in using these new tools, but equally there has to be a producer push of banks, e-commerce sites and other people saying, "Here is an alternative way of you authenticating to our website", because unless we get enough of that happening at the same time people are going to find this facility available to them and no sites to support it, or vice versa, the sites start providing it and users are not aware that they can take advantage of it.

  Q303  Earl of Erroll: CardSpace is, of course, the Microsoft implementation of the InfoCard. Given your dominant position, are you finding that you are getting cross-industry co-operation on this or is it seen as a Microsoft initiative? Are there other people producing incompatible InfoCards or are you trying to steal a march by making extra facilities available in CardSpace?

  Mr Fishenden: We certainly do not want it to be seen as a Microsoft-only initiative because it will fail. Identity is a problem that everyone needs to crack on the Internet and we have deliberately been working for, I guess, two-plus years now with people you would not naturally expect us necessarily to be talking to, so people like Firefox, Apple and others, talking about what we are doing, being very open about it. All of the specifications on which we have built Windows CardSpace are open and in the public domain under the open specification promise, that anyone can use them, there are no royalties, there is no catch, if you like, to anyone taking this and building their own identity selector. On the point of whether there are extra features in Windows CardSpace compared to other identity selectors, we are obviously doing our best to make our identity selector look to be the best possible experience and most secure experience on our platform, but that certainly does not prevent anyone else from taking the specification. You can take it yourself, build your own identity selector, publish it openly if you want to or sell it commercially as a product and maybe have value added to it. There is certainly a good case to be made, as CardSpace gains traction, for looking at how it might also be used to secure data as it moves from one place to another, so we use it as a way of passing information very securely in an information-sharing environment and then using it as part of that overall architecture.

  Q304  Earl of Erroll: So will we see anyone else's implementations on a competitive platform?

  Mr Fishenden: Yes. There is already a Java open source implementation out there which has successfully been inter-operating with our system. Firefox have announced support, so their browser will support CardSpace and other identity selectors as well. All the signs are very encouraging. I guess it goes back to what I was saying about things not just being about the technology. I think we have got the technology in place. It is now trying to gain that impetus that really gets people moving from the current Internet, which is lacking in sufficient identity tools, to the one that is now in prospect.

  Q305  Baroness Hilton of Eggardon: I imagine this is probably a question for Mr Lambert. You draw attention to the successes of self-regulation, in particular in relation to child protection. Would you like to see more regulation from EU or national governments and, if so, in what areas?

  Mr Lambert: As you rightly say, we start from the principle that self-regulation seems to us a good system that works in many different areas, not just in these security areas. You would expect to hear that from industry people but it does actually seem to be true. There are one or two areas. One specific area the Government and perhaps the European authorities, the Commission and the Council, might want to look at is how you make it easier for ISPs and companies that have been damaged by spam or other types of cyber crime to actually take direct action. It is quite difficult to be sure that third parties have a right of action, for example, against spammers. That situation here in the UK has been slightly clarified but there is no clear set of damages for spamming within the law. We pursue spammers all the time, for example. Last year we had a couple of very successful cases where we won damages, for example, Microsoft versus Naughty Cams. We won £45,000 worth of damages and most recently in December we had a case against a guy called Macdonald upheld in the High Court, where the judge said that we were, for the purposes of the British legislation, regarded as persons, that Microsoft had been damaged. The way that he considered we had been damaged was that we are customers who have been damaged, we have had to spend a lot of money going after spammers, a lot of money on security technology to prevent spamming, and also we had suddenly to have a lot more servers that cost a lot more money because of the volume of spam. The issue there is that you can get the damages but you spend an awful lot of time going after those damages. One of the things that would be clearer would be if, when a spammer is found guilty, you could have a clear set of damages set down in the law. For example, you have got the US legislation which gives you this concept of statutory damages in this instance, so you have a per-spam fine which can be held against the spammer. 
That would, I think, act as a very considerable deterrent against spammers going into that market where they perceive on the whole that it is a crime that basically cannot be brought to account; it is very low cost to them and potentially a very lucrative business for them. So I think that is one small area where you could amend the legislation. I do think that is certainly worth considering. As I say, the courts seem to have clarified that to a certain extent to say that ISPs have a right of action, which is one area we were concerned to see. In Britain at least that does seem to have been clarified by the courts although it is not obvious from the legislation that that is the case.

  Q306  Lord Harris of Haringey: You note in your evidence that cyber-crime and on-line fraud are not treated as priority indicators by the Home Office or UK police forces. You note that in the US there is a more unified approach to reporting such crime. Could you give us more detail about that American approach and what sort of indicators would you like to see introduced here?

  Mr Fishenden: We believe it is necessary to have as easy a reporting mechanism as possible so that when people are victims of cyber-crime or attempted cyber-crime there is a streamlined reporting structure and ideally one body with responsibility for receiving those complaints and having appropriate resources to investigate and potentially initiate prosecutions where appropriate. As to the US (where my colleague Ed Gibson is probably the greatest authority on all things related to the US) certainly my understanding is that the United States does have a single point of reporting established by the FBI back in the late 1990s, the Internet Crime Complaints Centre, which takes some 10,000 plus complaints a year and has the authority and resources to actually look into those complaints. I note also recently in the UK the Metropolitan Police have made some public statements about the need for a consolidated UK-wide resource that could receive all reports of cyber-crime and have the resources. We are certainly very supportive of the police looking at ways of making it much easier to report. I have had that experience myself of being taken to phishing sites and the like and instantly knowing there is a problem but then of trying to find who I would flag up that information to. For someone who knows how to use the Internet quite well it took me an absurd amount of time to find some potential official reporting channels where I could flag up that sort of incident. Establishing that type of scheme, as happened in the States, would also enable us to get a much better grip on the scale of the problem in the UK. I suspect at the moment that might be somewhat fragmented because of the many different ways in which people might choose to report cyber-crime. For example, should you walk into a police station, is it going to be treated the same as any other crime? 
If I walked into a police station tomorrow to report an on-line phishing attack, would it be treated in the same way as an attempted pick-pocketing? Is that a model we want to move to or do we want to have cyber-crime handled at the centre?

  Mr Lambert: If you look at the case in child protection on the Internet, the Child Exploitation and On-line Protection Centre—and I am aware you had evidence from the Chief Executive Jim Gamble last week—is a good model of where you have got one place obvious to people, so that if you have got a problem which relates to child safety and you need to report abuse you can go to CEOP. That works extremely well and we work very closely with them, as do many other industry and NGO partners, and that is an obvious point of contact for everybody who has a problem or wishes to help with that problem. Likewise the Virtual Global Task Force, of which CEOP and the British police are a part, is this worldwide protection which I think you have already heard about. Again, in that area of security and safety you are moving to a situation where there is increasingly one obvious place to go if you have a problem, and that is very helpful in that case to young people and children who are being harmed. I think that is perhaps a good example of how you could improve these sorts of systems.

  Q307  Lord Harris of Haringey: We also heard last week that electronic crimes, if we can call them that, are treated as traditional crimes just being carried out in a different way and pursued in that fashion. Obviously there are some virtues in seeing it as part of that continuum, so if there were a UK-wide simple, streamlined system as you describe how would you actually see that working in practice? Would it be separate from existing police forces and seen as just dealing with this or would it recognise that there is this gradation between more traditional approaches to fraud and the more modern phishing-type approaches?

  Mr Fishenden: That is a challenging question. I was the victim of an attempted credit card fraud over the last weekend. Somebody had obviously skimmed my card or something, but where they chose to use it was on the Internet because they could go to many sites and attempt to order different goods. I think it does make a point which was alluded to a moment ago, which is I think we do need to think as we move forward about whether we make that distinction between cyber-crime and existing crime and establish parallel mechanisms, or whether we recognise that it is crime enacted using the latest tools and technology, and they are going to evolve and change constantly over time and there are going to be unforeseen threats in the future around people misusing biometrics and the like as well as we move into the latest computing age, so I think you are right that we need to have a single point of reporting but then to make use of the existing police forces and resources as they exist today rather than try and build a type of parallel structure that somehow separates cyber-crime off from other crime, because obviously there will be quite a close relationship between criminal activities happening in the digital environment, if you like, and the real world and they may all be aspects of a single criminal operation.

  Q308  Chairman: Thank you, I am going to have to cut it off there because we have really run out of time, so thank you very much for your responses and thank you for giving us your time. If things occur to you that you think we need to know after this perhaps you would write to us?

  Mr Fishenden: Yes, indeed, and we will pick up the earlier question as well; we will come back to you on that.

  Chairman: Good, thank you very much for appearing before us.

© Parliamentary copyright 2007