Memorandum from the Society for Computers and Law (Internet Interest Group and Privacy and Data Protection Interest Group)
INTRODUCTION
1. The Society for Computers and Law was
created in 1973 to encourage and develop IT for lawyers and IT-related
law. Lord Saville is the Society's President. The Society is,
literally, "Where Computers and Law meet", and provides
a forum for members to meet and exchange information and ideas
or raise issues of concern with others. Through its membership,
its widely acclaimed magazine Computers & Law, regional meetings
and national conferences, the Society promotes issues of importance
to both IT Law and the implementation of IT within legal and related
practices.
2. The Society for Computers and Law welcomes
this opportunity to respond to the House of Lords Science and
Technology Committee Call for Evidence and to contribute to the
important debate concerning personal Internet security.
3. We understand personal Internet security
to be about the information security and integrity of private
domestic end-users' systems, networks and other terminal devices
accessing the Internet via the publicly available services of
electronic communications service providers. We recognise that
such access is principally achieved in the UK by end-users obtaining
the services of a fixed electronic communications network Internet
Services Provider (ISP). However, the Society recognises that
the development of mobile telecommunications such as "2.5G",
EDGE and 3G, together with other wireless access technologies
such as WiFi and WiMAX, will have an increasing impact on the
way end-users obtain access to the Internet.
4. The Society for Computers and Law is
the major UK organisation for IT lawyers. It has over 1,600 members
and includes within its membership the leading IT lawyers from
the various UK jurisdictions as well as leading members of the
legal profession with an interest in IT law. The Society is not
however a trade association or survey body and we cannot therefore
produce our own statistics or analyses of trends to support our
views set out in this response. However, we hope our views, which
have been prepared by a committee of our members, assist the Committee
in its consideration of this important topic. We will set out
our views against the questions set by the Committee in its Call
for Evidence, where appropriate.
DEFINING THE PROBLEM
What is the nature of the security threat to private
individuals? What new threats and trends are emerging and how
are they identified?
5. We believe that the Internet does not
provide any new threats to citizens in terms of endangering citizens
in new ways. Instead, we consider that the Internet merely facilitates
the commission of a larger and broader range of "traditional"
crimes by the criminally-minded. For example, whilst "identity
theft" as defined by the Home Office Identity Fraud Steering
Committee[1]
may not of itself be a criminal act, dishonest use of identity
information to obtain property would be theft under the Theft
Act 1968, even before considering potential offences under the
Computer Misuse Act 1990 for any unauthorised access to a computer
to obtain the relevant identity information.
6. We recognise, however, that certain criminal
activity that was prior to the Internet relatively controlled,
such as the distribution or possession of child pornography (offences
under section 1(1)(b) and (c) of the Protection of Children Act
1978), has exploded with the ease of access to child pornography
facilitated by the Internet.
What is the scale of the problem? How are security
breaches affecting the individual user detected and recorded?
7. We have no independent research on these
matters. However, for a recent analysis of threats and their prevalence,
we commend to the Committee the research carried out by the BBC
reported during the week 9-13 October 2006[2]
and the research of the Honeynet Project[3].
How well do users understand the nature of the
threat?
8. Whilst we do not have any statistics
to back our assertion, we feel that there is a low level of understanding
of both the threats posed to end-users by the Internet and the
tools available to end-users to protect themselves. We suspect
that it is this general ignorance that is feeding the high level
of fear that end-users are reporting in surveys about Internet
use (for example, the survey reported by the Government's Get
Safe Online initiative on 9 October 2006 stated that 21 per cent
of the users surveyed feared "e-crime" more than mugging,
burglary or car crime).[4]
TACKLING THE PROBLEM
What can and should be done to provide greater
computer security to private individuals? What, if any, are the
potential concerns and trade-offs?
9. In our view there are only three groups
that can have an impact on computer security for private individuals:
end-users themselves, ISPs/Internet access providers and manufacturers/suppliers
of terminal devices and software. Taking each in turn:
End-users
We believe that there is a requirement
for greater education of users about the security threats posed
to them by the Internet and the potential solutions that are available
to them for self-protection. Whilst we support initiatives such
as the Government's Get Safe Online, we are concerned that education
alone is not a sufficient response, given the fact that providing
consumer advice and information does not always appear to be effective.
Many consumers appear to be inefficient at implementing the technical
protection measures that are available to them, even when they
are aware of the general security risks.
We note the experience of MasterCard
International in the United States of America, which reported
a security breach to the Federal Bureau of Investigation on 17
June 2005 and subsequently went public on the breach. We are not
aware of consumers cancelling MasterCard credit cards in significant
numbers after the breach was publicised. We therefore consider
that, even when consumers are presented with the relevant information,
they do not necessarily respond in the way one might expect, and
which might be desirable or even essential.
ISPs
Given that we consider that educating
end-users may have a limited effect on increasing the level of
security and Internet integrity in the UK, we believe that the
group most able to influence the levels of personal Internet security
are the ISPs or other Internet access providers. We consider that
close examination should be given to whether an obligation on
ISPs to implement access controls and technical security measures
could be expected to reduce the security risks, and whether this
could be done cost-effectively.
However, if ISPs were required by
some form of intervention to improve the access controls and technical
security measures included within their services, there is an
argument that this would restrict consumer choice and would unnecessarily
increase the cost of Internet access in the UK.
Free market advocates argue that
there is adequate choice in the market; for example, consumers
with security concerns can choose an ISP that provides a high
level of security protection with its access services, such as
AOL (UK) Limited (which provides parental controls for access
to content as well as advice and McAfee® security software),
at a slightly higher cost than services that provide access only
(a non-exhaustive list of broadband ISPs in the UK is maintained
by ADSLguide.org.uk[5]).
Whilst we acknowledge the free or open market arguments concerning
consumer choice, we are also aware that unlimited choice for one
user does affect other Internet users and society as a whole.
For example, users with unprotected PCs who choose to obtain access
via an ISP that has no controls or security measures are more
likely to be attacked by botnet herders, who can then expand their
botnet to the detriment of all other (protected/secure) users
of the Internet and to the public, if such botnets are used for
criminal purposes.[6]
Regulating for minimum levels of security protection can be argued
to be the Internet equivalent of requiring all drivers to wear
seatbelts: it is an infringement of drivers' liberty, but
for the mutual benefit of all road users and society at large.
Terminal Devices Manufacturers/Software Suppliers
As stated above, we consider that
the group most able to improve Internet security are the access
providers. However, we also see that manufacturers and suppliers
of hardware and software have a role to play in
supporting ISPs, as indicated in this response below. We also
consider that a simple and voluntary labelling system, similar
to the Food Standards Agency's "traffic light" system,
could be considered to identify those hardware and software products
that have "high", "medium" and "low"
levels of protection against particular classes of security threat.
We consider that a number of steps could be
taken to improve personal Internet security, as follows:
National High Tech Crime Unit
We consider that the disbanding of
the UK's only body exclusively and publicly tasked with investigating
crimes related to Internet security was a retrograde step. Whilst
we understand that the expertise developed by the National High
Tech Crime Unit will not be lost by its integration into the Serious
Organised Crime Agency, we believe that the expertise may be diluted
over time as SOCA's emphasis on organised crime takes precedence.
We also consider that the National High Tech Crime Unit provided
a useful source of public information and guidance on Internet
security issues.
"Opt Out" Security
We consider that it should be industry practice
that, where a terminal device or software program is supplied
to a private consumer, it is supplied with the default security
settings and any parental or other controls on the device or in
the software turned on, with suitable guidance and warning to
end-users on the risks associated with reducing the security settings.
Minimum Security Standards
We believe that relevant electronic
communications network and services providers should be required
to ensure minimum standards of security and network integrity.
In particular, we consider that ISPs should maintain minimum security
levels for their community of users. We propose that amendments
to existing electronic communications law and regulation can implement
such minimum standards, as set out below.
What is the level of public awareness of the threat
to computer security and how effective are current initiatives
in changing attitudes and raising that awareness?
10. We have no independent research on this
question.
What factors may prevent private individuals from
following appropriate security practices?
11. Again, we have no independent research
we can offer the Committee on this question. However, we suspect
that the complexity of many security options may be a factor,
which is one of the reasons why we recommend an "opt-out"
security approach.
What role do software and hardware design play
in reducing the risk posed by security breaches? How much attention
is paid to security in the design of new computer-based products?
12. We believe that an "opt out"
regime for optional security measures should be implemented. We
consider that there are adequate software and hardware solutions
to the most common security threats, with a thriving market in
the development of solutions to meet new threats.
Who should be responsible for ensuring effective
protection from current and emerging threats?
13. As indicated above, we consider that
responsibility should be shared between end-users, ISPs and software/hardware
manufacturers/suppliers.
What is the standing of UK research in this area?
14. We have no information to be able to answer
this question.
GOVERNANCE AND REGULATION
How effective are initiatives on IT governance
in reducing security threats?
15. Whilst we cannot quantify the usefulness
of Government initiatives, we believe they are an essential part
of educating end-users in the risks and promoting the adoption
of appropriate security precautions and safe Internet use. Co-regulatory
and self-regulatory initiatives, where Government looks to industry
to bear the burden of regulating for good practice, should be
encouraged wherever possible.
How far do improvements in governance and regulation
depend on international co-operation?
16. Whilst the nature of the Internet requires
international co-operation, we consider that there is value in
the UK considering the implementation of regulation to improve
the quality and quantity of security protection measures in the
UK. The Internet Watch Foundation (www.iwf.org.uk) is an example
of an industry-funded model of self-regulation that has successfully
prevented specific types of illegal content from being hosted within
the UK and limited access to such material when sourced from
foreign jurisdictions. Whilst a "fortress UK" is not technically
feasible, or indeed desirable, we believe that society and the UK
online business economy would benefit from a more secure community
of Internet Service Providers and users.
Is the regulatory framework for Internet services
adequate?
17. We consider that the existing regulatory
framework under Regulation 5 of the Privacy and Electronic Communications
Regulations 2003 (the ePrivacy Regulations), which implements
Article 4 of the Directive 2002/58/EC of the European Parliament
and of the Council of 12 July 2002 concerning the processing of
personal data and the protection of privacy in the electronic
communications sector (the ePrivacy Directive), is only an adequate
starting point for the regulation of security for Internet services.
For ease of reference, Regulation 5 is set out below:
5. Security of public electronic communications services
(1) Subject to paragraph (2), a provider
of a public electronic communications service ("the service
provider") shall take appropriate technical and organisational
measures to safeguard the security of that service.
(2) If necessary, the measures required by
paragraph (1) may be taken by the service provider in conjunction
with the provider of the electronic communications network by
means of which the service is provided, and that network provider
shall comply with any reasonable requests made by the service
provider for these purposes.
(3) Where, notwithstanding the taking of
measures as required by paragraph (1), there remains a significant
risk to the security of the public electronic communications service,
the service provider shall inform the subscribers concerned of -
(a) the nature of that risk;
(b) any appropriate measures that
the subscriber may take to safeguard against that risk; and
(c) the likely costs to the subscriber
involved in the taking of such measures.
(4) For the purposes of paragraph (1), a
measure shall only be taken to be appropriate if, having regard
to -
(a) the state of technological developments,
and
(b) the cost of implementing it,
it is proportionate to the risks against which
it would safeguard.
(5) Information provided for the purposes
of paragraph (3) shall be provided to the subscriber free of any
charge other than the cost to the subscriber of receiving or collecting
the information.
18. Our difficulty with the ePrivacy Regulations
is that no guidance or standards are included in either the ePrivacy
Regulations or the ePrivacy Directive on what appropriate technical
and organisational security measures may be. We are also concerned
that enforcement of Regulation 5 is, by Regulation 32, by the
Information Commissioner. We comment on enforcement of the Data
Protection Act 1998 below. For the same reasons, we do not consider
that the Information Commissioner is the proper person to enforce
this provision. We believe that this should be a matter for Ofcom.
19. The Communications Act 2003 (the Act)
could be used to implement Article 4 of the ePrivacy Directive
and the minimum security levels we propose. Ofcom has a duty under
section 3(1)(a) of the Act to further the interests of citizens
in relation to communications matters. It also has the power to
set general conditions of entitlement to provide an electronic
communications network or service under section 45(1) of the Act.
20. The current General Conditions of Entitlement
were published in accordance with section 48(1) of the Act by
Oftel on 22 July 2003.[7]
They include, at Condition 2, conditions relating to communications
providers' compliance with compulsory standards or specifications,
largely concerned with network interfaces, services compatibility
and interconnection. They also include, at Condition 3, a requirement
that providers of fixed public telephone networks and/or publicly
available telephone services, amongst other obligations, take
all reasonably practicable steps to maintain to the greatest extent
possible the proper and effective functioning of the fixed public
telephone network. We propose that consideration be given to including
in the General Conditions of Entitlement a condition in the same
terms as Regulation 5 of the ePrivacy Regulations or Article 4
of the ePrivacy Directive and to require adherence to the appropriate
security standards. A draft new General Condition of Entitlement
is included in Annex A to our response.
21. In determining what appropriate security
standards may be applied by Ofcom, we suggest that consideration
should be given to BS 7799-1 (now BS ISO/IEC 17799:2005, "Information
technology: Security techniques: Code of practice for information
security management") as an internationally recognised code of
practice against which security arrangements can be audited, and
to BS 7799-2 (now ISO/IEC 27001:2005, "Information technology: Security
techniques: Information security management systems: Requirements")
as the standard to which communications providers should be certified,
since it is ISO/IEC 27001, not ISO/IEC 17799, that is a certifiable
standard. However, we note that the generic form of
Condition 2 of the General Conditions of Entitlement, as amended
in our proposed new General Condition, can take into account all
appropriate international standards.
What, if any, are the barriers to developing information
security systems and standards and how can they be overcome?
22. A significant barrier to the universal
adoption of secure information systems is cost (or perceived cost).
As a Society we are not in a position to be able to quantify what
the costs to ISPs would be of implementing ISO/IEC 27001:2005
compliant Internet access, or what this would amount to as an
additional cost per subscriber or end-user.
23. Whilst there will be a cost to network
and services providers, which may be passed on to end-users, of
adopting minimum information security systems and standards, any
additional costs incurred by Ofcom in policing a new General Condition
can be recovered by the fees provisions of the Act.
CRIME PREVENTION
How effective is Government crime prevention policy
in this area? Are enforcement agencies adequately equipped to
tackle these threats?
24. We have no independent measure of effectiveness.
However, we are concerned that expertise concentrated in the former
National High Tech Crime Unit may be dissipated and lost. Whilst
we are also concerned that there may be a reluctance within the
Crown Prosecution Service to pursue criminal charges where the
only charges available are those under the Computer Misuse Act
1990 or the Data Protection Act 1998 for computer-related crime,
we recognise that charges under these Acts are brought
where the criminal behaviour in question also allows other offences
to be charged at the same time.
25. We consider that the penalties, criminal
sanctions and enforcement provisions of the Data Protection Act
1998, together with the resources made available to the Office
of the Information Commissioner, continue to be inadequate to
address the other side of personal Internet security: the
misuse of personal data. In particular, we note that the obligations
on data controllers to protect personal data with appropriate
technical and organisational measures (the seventh data protection
principle at Part 1 of Schedule 1 to the Data Protection Act 1998)
are not rigorously enforced. We are not aware that there has been
any enforcement by the Information Commissioner, whether at the
request of Ofcom or otherwise, of Regulation 5 of the ePrivacy
Regulations. We believe that the only way the Office of the Information
Commissioner will be able to enforce the Data Protection Act 1998
effectively is if it is given the power to levy penalties on defaulting
data controllers, which it would be entitled to retain to fund
its enforcement operations. However, as stated above, we believe
Ofcom should have the responsibility for enforcing Regulation
5 of the ePrivacy Regulations.
26. One problem is the lack of reporting
by those that have suffered a security breach. One mechanism to
address such non-reporting would be the imposition of a legal
obligation on organisations to report incidents of security breach.
Since 2003, for example, the Civil Code of the State of California
has obliged private businesses and public agencies to report if
they have suffered "a breach of the security" of a system
that contains personal information, including financial data.[8]
The stated purpose of the statute was to tackle the growing problem
of "identity theft", but it is also recognition that
the data processed by an organisation often engages the private
interests of individuals, as subjects of the processed data, as
well as public interests which may not coincide with the private
interests of the victim organisation. Such a measure is an obvious
complement to the imposition of obligations to implement data
security measures, under data protection law. We note that the
European Commission is considering such a breach notification
requirement in its proposed amendments to the ePrivacy Directive[9],
with the proposed notification obligation being both to report
breaches to the relevant national regulatory authority and to
the affected data subjects. The consultation period on these proposed
amendments expires on 26 October 2006. We also note that these
proposals have recently been endorsed by the Article 29 Working
Party established under the European Union Data Protection Directive
95/46/EC[10].
We suggest that consideration should be given to an amendment
to the ePrivacy Regulations for breach notification.
Is the legislative framework in UK criminal law
adequate to meet the challenge of cyber-crime?
27. To date the current criminal law appears
to have been effective in being able to be applied to cyber-crime,
given that in a majority of circumstances the Internet merely
provides a modern tool to those intent on committing established
offences. Where problems have arisen, or lacunae exposed, the
courts or Parliament have been able to adequately address the
issue through judicial interpretation or statutory amendment.
The courts have also begun to apply the Computer Misuse Act 1990
sensibly, even before its forthcoming amendment.
How effectively does the UK participate in international
actions on cyber-crime?
28. This is a matter outside the Society's
experience.
CONCLUSION
29. In conclusion, our recommendations are
that:
Communications providers be regulated
by Ofcom to ensure that minimum standards of information security
or network integrity based on industry/internationally recognised
standards are adopted;
Hardware and software that incorporate
security or other protection measures should be distributed to
consumers with the security functionality "turned on", as the
default setting for such hardware and software;
The National High Tech Crime Unit
be reformed;
The resources for enforcement of
the seventh data protection principle (the obligation for data
controllers to implement appropriate technical and organisational
measures for the security and integrity of personal data) be increased,
possibly by a self-funding mechanism from the levying of increased
penalties for breach of the principle; and
Data controllers should be subject
to an obligation to notify security breaches to the data subjects
whose data has been compromised, as well as to the Information
Commissioner.
23 October 2006
[1] See the definitions at http://www.identity-theft.org.uk/definition.htm
[2] See http://news.bbc.co.uk/1/hi/technology/default.stm
[3] See http://www.honeynet.org/misc/project.html
[4] See http://www.getsafeonline.org/
[5] At http://www.adslguide.org.uk/isps/summarylist.asp
[6] For a useful glossary of these and other computer security related terms, see the BBC website at http://news.bbc.co.uk/1/hi/uk/5400052.stm
[7] See http://www.ofcom.org.uk/static/archive/oftel/publications/eu-directives/2003/cond-final0703.pdf
[8] Similar legislation has been adopted in 22 US states.
[9] See http://europa.eu.int/information-society/policy/ecomm/doc/info-centre/public-consult/review/staffworkingdocument-final.pdf
[10] See http://ec.europa.eu/justice-home/fsj/privacy/docs/wpdocs/2006/wp126-en.pdf