Select Committee on Science and Technology Minutes of Evidence


Memorandum from the Society for Computers and Law—Internet Interest Group and Privacy and Data Protection Interest Group

INTRODUCTION

  1.  The Society for Computers and Law was created in 1973 to encourage and develop IT for lawyers and IT-related law. Lord Saville is the Society's President. The Society is, literally, "Where Computers and Law meet", and provides a forum for members to meet and exchange information and ideas or raise issues of concern with others. Through its membership, its widely acclaimed magazine Computers & Law, regional meetings and national conferences, the Society promotes issues of importance to both IT Law and the implementation of IT within legal and related practices.

  2.  The Society for Computers and Law welcomes this opportunity to respond to the House of Lords Science and Technology Committee Call for Evidence and to contribute to the important debate concerning personal Internet security.

  3.  We understand personal Internet security to be about the information security and integrity of private domestic end-users' systems, networks and other terminal devices accessing the Internet via the publicly available services of electronic communications service providers. We recognise that such access is principally achieved in the UK by end-users obtaining the services of a fixed electronic communications network Internet Services Provider (ISP). However, the Society recognises that the development of mobile telecommunications such as "2.5G", Edge and 3G, together with other wireless access technologies such as WiFi and WiMax, will have an increasing impact on the way end-users obtain access to the Internet.

  4.  The Society for Computers and Law is the major UK organisation for IT lawyers. It has over 1,600 members and includes within its membership the leading IT lawyers from the various UK jurisdictions as well as leading members of the legal profession with an interest in IT law. The Society is not however a trade association or survey body and we cannot therefore produce our own statistics or analyses of trends to support our views set out in this response. However, we hope our views, which have been prepared by a committee of our members, assist the Committee in its consideration of this important topic. We will set out our views against the questions set by the Committee in its Call for Evidence, where appropriate.

DEFINING THE PROBLEM

What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  5.  We believe that the Internet does not provide any new threats to citizens in terms of endangering citizens in new ways. Instead, we consider that the Internet merely facilitates the commission of a larger and broader range of "traditional" crimes by the criminally-minded. For example, whilst "identity theft" as defined by the Home Office Identity Fraud Steering Committee[1] may not of itself be a criminal act, dishonest use of identity information to obtain property would be theft under the Theft Act 1968, even before considering potential offences under the Computer Misuse Act 1990 for any unauthorised access to a computer to obtain the relevant identity information.

  6.  We recognise, however, that certain criminal activity that was prior to the Internet relatively controlled, such as the distribution or possession of child pornography (offences under section 1(1)(b) and (c) of the Protection of Children Act 1978), has exploded with the ease of access to child pornography facilitated by the Internet.

What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  7.  We have no independent research on these matters. However, for a recent analysis of threats and their prevalence, we commend to the Committee the research carried out by the BBC reported during the week 9-13 October 2006[2] and the research of the Honeynet Project[3].

How well do users understand the nature of the threat?

  8.  Whilst we do not have any statistics to back our assertion, we feel that there is a low level of understanding of both the threats posed to end-users by the Internet and the tools available to end-users to protect themselves. We suspect that it is this general ignorance that is feeding the high level of fear that end-users are reporting in surveys about Internet use (for example, the survey reported by the Government's Get Safe Online initiative on 9 October 2006 stating that 21 per cent of a survey of users feared "e-crime" more than mugging, burglary or car crime[4]).

TACKLING THE PROBLEM

What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  9.  In our view there are only three groups that can have an impact on computer security for private individuals: end-users themselves, ISPs/Internet access providers and manufacturers/suppliers of terminal devices and software. Taking each in turn:

  End-users

    —  We believe that there is a requirement for greater education of users about the security threats posed to them by the Internet and the potential solutions that are available to them for self-protection. Whilst we support initiatives such as the Government's Get Safe Online, we are concerned that education alone is not a sufficient response, given the fact that providing consumer advice and information does not always appear to be effective. Many consumers appear to be inefficient at implementing the technical protection measures that are available to them, even when they are aware of the general security risks.

    —  We note the experience of MasterCard International in the United States of America, which reported a security breach to the Federal Bureau of Investigation on 17 June 2005 and subsequently went public on the breach. We are not aware of consumers cancelling MasterCard credit cards in significant numbers after the breach was publicised. We therefore consider that, even when consumers are presented with the relevant information, they do not necessarily respond in the way one might expect, and which might be desirable or even essential.

  ISPs

    —  Given that we consider that educating end-users may have a limited effect on increasing the level of security and Internet integrity in the UK, we believe that the group most able to influence the levels of personal Internet security are the ISPs or other Internet access providers. We consider that close examination should be given to whether an obligation on ISPs to implement access controls and technical security measures could be expected to reduce the security risks, and whether this could be done cost-effectively.

    —  However, if ISPs were required by some form of intervention to improve the access controls and technical security measures included within their services, there is an argument that this would restrict consumer choice and would unnecessarily increase the cost of Internet access in the UK.

    —  Free market advocates argue that there is adequate choice in the market; for example, consumers with security concerns can choose an ISP that provides a high level of security protection with its access services, such as AOL (UK) Limited (which provides parental controls for access to content as well as advice and McAfee® security software), at a slightly higher cost than services that provide access only—a non-exhaustive list of broadband ISPs in the UK is maintained by ADSLguide.org.uk.[5] Whilst we acknowledge the free or open market arguments concerning consumer choice, we are also aware that unlimited choice for one user does affect other Internet users and society as a whole. For example, users with unprotected PCs who choose to obtain access via an ISP that has no controls or security measures are more likely to be attacked by botnet herders, who can then expand their botnet to the detriment of all other (protected/secure) users of the Internet and to the public, if such botnets are used for criminal purposes.[6] Regulating for minimum levels of security protection can be argued to be the Internet equivalent of requiring all drivers to wear seatbelts—it is an infringement of drivers' liberty, but for the mutual benefit of all road users and society at large.

  Terminal Devices Manufacturers/Software Suppliers

    —  As stated above, we consider that the group most able to improve Internet security are the access providers. However, we also see that manufacturers of hardware and suppliers of hardware and software have a role to play in supporting ISPs, as indicated in this response below. We also consider that a simple and voluntary labelling system, similar to the Food Standards Agency's "traffic light" system, could be considered to identify those hardware and software products that have "high", "medium" and "low" levels of protection against particular classes of security threat.

  We consider that a number of steps could be taken to improve personal Internet security, as follows:

  National High Tech Crime Unit

    —  We consider that the disbanding of the UK's only body exclusively and publicly tasked with investigating crimes related to Internet security was a retrograde step. Whilst we understand that the expertise developed by the National High Tech Crime Unit will not be lost by its integration into the Serious Organised Crime Agency, we believe that the expertise may be diluted over time as SOCA's emphasis on organised crime takes precedence. We also consider that the National High Tech Crime Unit provided a useful source of public information and guidance on Internet security issues.

  "Opt Out" Security

    —  We consider that it should be industry-practice that, where a terminal device or software program is supplied to a private consumer, it is supplied with the default security settings and any parental or other controls on the device or in the software turned on, with suitable guidance and warning to end-users on the risks associated with reducing the security settings.

  Minimum Security Standards

    —  We believe that relevant electronic communications network and services providers should be required to ensure minimum standards of security and network integrity. In particular, we consider that ISPs should maintain minimum security levels for their community of users. We propose that amendments to existing electronic communications law and regulation can implement such minimum standards, as set out below.

What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  10.  We have no independent research on this question.

What factors may prevent private individuals from following appropriate security practices?

  11.  Again, we have no independent research we can offer the Committee on this question. However, we suspect that the complexity of many security options may be a factor, which is one of the reasons why we recommend an "opt-out" security approach.

What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  12.  We believe that an "opt out" regime for optional security measures should be implemented. We consider that there are adequate software and hardware solutions to the most common security threats, with a thriving market in the development of solutions to meet new threats.

Who should be responsible for ensuring effective protection from current and emerging threats?

  13.  As indicated above, we consider that responsibility should be shared between end-users, ISPs and software/hardware manufacturers/suppliers.

What is the standing of UK research in this area?

  14.  We have no information to be able to answer this question.

GOVERNANCE AND REGULATION

How effective are initiatives on IT governance in reducing security threats?

  15.  Whilst we cannot quantify the usefulness of Government initiatives, we believe they are an essential part of educating end-users in the risks and promoting the adoption of appropriate security precautions and safe Internet use. Co- and self-regulatory initiatives, where Government looks to industry to bear the burden of regulating for good practice, should be encouraged wherever possible.

How far do improvements in governance and regulation depend on international co-operation?

  16.  Whilst the nature of the Internet requires international co-operation, we consider that there is value in the UK considering the implementation of regulation to improve the quality and quantity of security protection measures in the UK. The Internet Watch Foundation (www.iwf.org.uk) is an example of an industry-funded model of self-regulation that has successfully removed specific types of illegal content from being hosted within the UK and limited access to such material when sourced from foreign jurisdictions. Whilst a "fortress UK" is not technically feasible, or indeed desirable, we believe society and the UK online business economy would benefit from a more secure community of Internet Service Providers and users.

Is the regulatory framework for Internet services adequate?

  17.  We consider that the existing regulatory framework under Regulation 5 of the Privacy and Electronic Communications Regulations 2003 (the ePrivacy Regulations), which implements Article 4 of the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (the ePrivacy Directive), is only an adequate starting point for the regulation of security for Internet services. For ease of reference, Regulation 5 is set out below:

  5.  Security of public electronic communications services

    (1)  Subject to paragraph (2), a provider of a public electronic communications service ("the service provider") shall take appropriate technical and organisational measures to safeguard the security of that service.

    (2)  If necessary, the measures required by paragraph (1) may be taken by the service provider in conjunction with the provider of the electronic communications network by means of which the service is provided, and that network provider shall comply with any reasonable requests made by the service provider for these purposes.

    (3)  Where, notwithstanding the taking of measures as required by paragraph (1), there remains a significant risk to the security of the public electronic communications service, the service provider shall inform the subscribers concerned of:

      —  the nature of that risk;

      —  any appropriate measures that the subscriber may take to safeguard against that risk; and

      —  the likely costs to the subscriber involved in the taking of such measures.

    (4)  For the purposes of paragraph (1), a measure shall only be taken to be appropriate if, having regard to:

      —  the state of technological developments, and

      —  the cost of implementing it.

    it is proportionate to the risks against which it would safeguard.

    (5)  Information provided for the purposes of paragraph (3) shall be provided to the subscriber free of any charge other than the cost to the subscriber of receiving or collecting the information.

  18.  Our difficulty with the ePrivacy Regulations is that no guidance or standards are included in either the ePrivacy Regulations or the ePrivacy Directive on what appropriate technical and organisational security measures may be. We are also concerned that enforcement of Regulation 5 is, by Regulation 32, by the Information Commissioner. We comment on enforcement of the Data Protection Act 1998 below. For the same reasons, we do not consider that the Information Commissioner is the proper person to enforce this provision. We believe that this should be a matter for Ofcom.

  19.  The Communications Act 2003 (the Act) could be used to implement Article 4 of the ePrivacy Directive and the minimum security levels we propose. Ofcom has a duty under section 3(1)(a) of the Act to further the interests of citizens in relation to communications matters. It also has the power to set general conditions of entitlement to provide an electronic communications network or service under section 45(1) of the Act.

  20.  The current General Conditions of Entitlement were published in accordance with section 48(1) of the Act by Oftel on 22 July 2003.[7] They include, at Condition 2, conditions relating to communications providers' compliance with compulsory standards or specifications, largely concerned with network interfaces, services compatibility and interconnection. They also include, at Condition 3, a requirement that providers of fixed public telephone networks and/or publicly available telephone services, amongst other obligations, take all reasonable practicable steps to maintain to the greatest extent possible the proper and effective functioning of the fixed public telephone network. We propose that consideration be given to including in the General Conditions of Entitlement a condition in the same terms as Regulation 5 of the ePrivacy Regulations or Article 4 of the ePrivacy Directive and to require adherence to the appropriate security standards. A draft new General Condition of Entitlement is included in Annex A to our response.

  21.  In determining what appropriate security standards may be applied by Ofcom, we suggest that consideration should be given to BS:7799 (now BS ISO/IEC 17799:2005) "Information technology—Code of Practice for Information Security Management" as an appropriate internationally recognised security audit standard and ISO/IEC 27001:2005 "Information technology—Security techniques—Information security management systems" as being appropriate standards to which communications providers should be certified. However, we note that the generic form of Condition 2 of the General Conditions of Entitlement, as amended in our proposed new General Condition, can take into account all appropriate international standards.

What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  22.  A significant barrier to the universal adoption of secure information systems is cost (or perceived cost). As a Society we are not in a position to be able to quantify what the costs to ISPs would be of implementing ISO/IEC 27001:2005 compliant Internet access, or what this would amount to as an additional cost per subscriber or end-user.

  23.  Whilst there will be a cost to network and services providers, which may be passed on to end-users, of adopting minimum information security systems and standards, any additional costs incurred by Ofcom in policing a new General Condition can be recovered by the fees provisions of the Act.

CRIME PREVENTION

How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  24.  We have no independent measure of effectiveness. However, we are concerned that expertise concentrated in the former National High Tech Crime Unit may be dissipated and lost. Whilst we are also concerned that there may be a reluctance within the Crown Prosecution Service to pursue criminal charges where the only charges available are those under the Computer Misuse Act 1990 or the Data Protection Act 1998 for computer related crime, we recognise that charges for offences under these Acts are brought where the criminal behaviour in question allows other offences to be charged at the same time.

  25.  We consider that the penalties, criminal sanctions and enforcement provisions of the Data Protection Act 1998, together with the resources made available to the Office of the Information Commissioner, continue to be inadequate to address the other side of personal Internet security—the misuse of personal data. In particular, we note that the obligations on data controllers to protect personal data with appropriate technical and organisational measures (the seventh data protection principle at Part 1 of Schedule 1 to the Data Protection Act 1998) are not rigorously enforced. We are not aware that there has been any enforcement by the Information Commissioner, whether at the request of Ofcom or otherwise, of Regulation 5 of the ePrivacy Regulations. We believe that the only way the Office of the Information Commissioner will be able to enforce the Data Protection Act 1998 effectively is if it is given the power to levy penalties on defaulting data controllers, which it would be entitled to retain to fund its enforcement operations. However, as stated above, we believe Ofcom should have the responsibility for enforcing Regulation 5 of the ePrivacy Regulations.

  26.  One problem is the lack of reporting by those that have suffered a security breach. One mechanism to address such non-reporting would be the imposition of a legal obligation on organisations to report incidents of security breach. Since 2003, for example, the Civil Code of the State of California has obliged private businesses and public agencies to report if they have suffered "a breach of the security" of a system that contains personal information, including financial data.[8] The stated purpose of the statute was to tackle the growing problem of "identity theft", but it is also recognition that the data processed by an organisation often engages the private interests of individuals, as subjects of the processed data, as well as public interests which may not coincide with the private interests of the victim organisation. Such a measure is an obvious complement to the imposition of obligations to implement data security measures, under data protection law. We note that the European Commission is considering such a breach notification requirement in its proposed amendments to the ePrivacy Directive[9], with the proposed notification obligation being both to report breaches to the relevant national regulatory authority and to the affected data subjects. The consultation period on these proposed amendments expires on 26 October 2006. We also note that these proposals have recently been endorsed by the Article 29 Working Party established under the European Union Data Protection Directive 95/46/EC[10]. We suggest that consideration should be given to an amendment to the ePrivacy Regulations for breach notification.

Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  27.  To date the current criminal law appears to have been effective in being able to be applied to cyber-crime, given that in a majority of circumstances the Internet merely provides a modern tool to those intent on committing established offences. Where problems have arisen, or lacunae exposed, the courts or Parliament have been able to adequately address the issue through judicial interpretation or statutory amendment. The courts have also begun to apply the Computer Misuse Act 1990, prior to its forthcoming amendment, sensibly.

How effectively does the UK participate in international actions on cyber-crime?

  28.  This is a matter outside the Society's experience.

CONCLUSION

  29.  In conclusion, our recommendations are that:

    —  Communications providers be regulated by Ofcom to ensure that minimum standards of information security or network integrity based on industry/internationally recognised standards are adopted;

    —  Hardware and software that incorporate security or other protection measures should be distributed to consumers with the security functionality "turned on", as the default setting for such hardware and software;

    —  The National High Tech Crime Unit be reformed;

    —  The resources for enforcement of the seventh data protection principle (the obligation for data controllers to implement appropriate technical and organisational measures for the security and integrity of personal data) be increased, possibly by a self-funding mechanism from the levying of increased penalties for breach of the principle; and

    —  Data controllers should be subject to an obligation to notify security breaches to the data subjects whose data has been compromised, as well as to the Information Commissioner.

23 October 2006




1   See the definitions at http://www.identity-theft.org.uk/definition.htm

2   See http://news.bbc.co.uk/1/hi/technology/default.stm

3   See http://www.honeynet.org/misc/project.html

4   See http://www.getsafeonline.org/

5   At http://www.adslguide.org.uk/isps/summarylist.asp

6   For a useful glossary of these and other computer security related terms, see the BBC website at http://news.bbc.co.uk/1/hi/uk/5400052.stm

7   See http://www.ofcom.org.uk/static/archive/oftel/publications/eu-directives/2003/cond-final0703.pdf

8   Similar legislation has been adopted in 22 US states.

9   http://europa.eu.int/information-society/policy/ecomm/doc/info-centre/public-consult/review/staffworkingdocument-final.pdf

10   See http://ec.europa.eu/justice-home/fsj/privacy/docs/wpdocs/2006/wp126-en.pdf

© Parliamentary copyright 2007