Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 520 - 524)



  Q520  Earl of Erroll: But even if you can define it, of course, you have got the problem that you can go onto some websites which appear to be spyware removal tools and actually you download something. For instance—and I hope I get them the right way around—Lavasoft's adware will help you. If you go to adware you will download something which is very difficult to get rid of and download some other stuff.

  Mr Chantzos: If we were to look at it from a purely regulatory standpoint, again when you download a piece of software and you double click on the end-user licence agreement, the end-user licence agreement in its endless 5,000 word document could in fact say in there that "You are accepting by installing this software that we will be taking all your personal data, using your machine for the purposes that we have specified," and you will simply not read it, click "Next," "Next," "Next," and install the software because this is what you want. You have downloaded the software because you want to install it and the owner, perhaps, of the software would claim that it has done that with your consent and this is informed consent. This is why, for example, in the US there has been a debate around the question of having a Good Samaritan clause (as we call it), which would basically say that the security provider, for removing what we have defined as spyware (or at least we are asking the permission of the user to remove what we define as spyware), is not incurring liability for doing that because by removing software which I believe to be spyware I am faced with the challenge of then the spyware owner or the alleged spyware owners turning around and saying, "Hang on a minute, the user said that could be installed," but actually the user never had an idea about it and did not know.

  Q521  Chairman: So your answer is, no?

  Mr Chantzos: The answer is, no.

  Q522  Earl of Erroll: There is one question I wish I had slipped in earlier when you talked about eco systems, which is, are you also now working on—and this came out of MessageLabs's answer—on things to deal with what has now being called "SPIT" and "SPASMS" and others, voice over IP and spam over SMS. Are you working on those now?

  Mr Sunner: There is "SPIM", spam over instant messaging, which is our current focus, and again we actually use eco systems to very much drive our road map. So right now we see email and web are obviously very dominant forces in the corporate world as tools. IM is close runner, whereas voice over IP at the moment from the desktop perspective does not have quite the same uptake as email, web or IMAXs, therefore the level of threats also are not there yet, but as it starts to become ubiquitous the threats will appear and that is absolutely where we will focus.

  Q523  Chairman: Let me ask the last question. We have almost run out of time. One security company, Sophos, warned this month that the criminals are increasingly turning their attention from email-based viruses to websites hosting malicious code. Do you agree with this, first of all, and if a legitimate website is "hacked" and as a result visitors get infected with malware, should the website owner be held responsible?

  Mr Wood: I think certainly it is fair to say that that trend is definitely a pattern. We have seen increased profiling in terms of the number of attacks moving away from large email outbreaks to smaller, more distinct outbreaks which then will transfer the attack sector over to, say, a web mechanism using the browser exploit. You also mentioned earlier about the rogue anti-spyware packages, for example, and it is very difficult for consumers to know what that actually is, whether it is a legitimate application which they should install, is it free, for example, and those can be installed on your machine just by visiting a legitimate website. For example, last week My Space came under attack where they were hosting a banner for a particular well-known rogue anti-spyware application, which if you installed it would install some components which it would in turn then flag up as being critical and should be removed, but you would have to pay money to remove that. But they were not necessarily hosting it directly, they were just selling the space to an advertising agency, who were then selling that space on to another company. So it depends on where you draw the line in terms of who is responsible and should they have taken more responsibility in understanding which adverts were appearing on their site, or should the ad agency have taken that responsibility? It is very difficult.

  Q524  Chairman: So like an awful lot of this, there are no simple answers anywhere here. The situation is clearly highly complex and one can try and one can make certain progress, but there are still going to be (not a pun) worm holes through the system all over the place?

  Mr Chantzos: Absolutely, my Lord Chairman.

  Chairman: You have made a lot of progress and perhaps the most important thing is to educate people so that at least they can take the precautions they can and then get the aid they can as well to help them. Thank you for your time. It has been a very useful, interesting session. If you have anything which occurs to you after this session, please write to us and let us know. Thank you very much.

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007