Examination of Witnesses (Questions 520
WEDNESDAY 31 JANUARY 2007
Q520 Earl of Erroll:
But even if you can define it, of course, you have got the problem
that you can go onto some websites which appear to be spyware
removal tools and actually you download something. For instance (and
I hope I get them the right way around) Lavasoft's adware
will help you. If you go to adware you will download something
which is very difficult to get rid of and download some other
Mr Chantzos: If we were to look at it from a
purely regulatory standpoint, again when you download a piece
of software and you double click on the end-user licence agreement,
the end-user licence agreement in its endless 5,000-word document
could in fact say in there that "You are accepting by installing
this software that we will be taking all your personal data, using
your machine for the purposes that we have specified," and
you will simply not read it, click "Next," "Next,"
"Next," and install the software because this is what
you want. You have downloaded the software because you want to
install it and the owner, perhaps, of the software would claim
that it has done that with your consent and this is informed consent.
This is why, for example, in the US there has been a debate around
the question of having a Good Samaritan clause (as we call it),
which would basically say that the security provider, for removing
what we have defined as spyware (or at least we are asking the
permission of the user to remove what we define as spyware), is
not incurring liability for doing that because by removing software
which I believe to be spyware I am faced with the challenge of
then the spyware owner or the alleged spyware owners turning around
and saying, "Hang on a minute, the user said that could be
installed," but actually the user never had an idea about
it and did not know.
So your answer is, no?
Mr Chantzos: The answer is, no.
Q522 Earl of Erroll:
There is one question I wish I had slipped in earlier when you
talked about eco systems, which is, are you also now working on (and
this came out of MessageLabs's answer) things to deal
with what is now being called "SPIT" and "SPASMS"
and others, voice over IP and spam over SMS. Are you working on
Mr Sunner: There is "SPIM", spam over
instant messaging, which is our current focus, and again we actually
use eco systems to very much drive our road map. So right now
we see email and web are obviously very dominant forces in the
corporate world as tools. IM is a close runner, whereas voice over
IP at the moment from the desktop perspective does not have quite
the same uptake as email, web or IM, therefore the level of
threats also is not there yet, but as it starts to become ubiquitous
the threats will appear and that is absolutely where we will focus.
Let me ask the last question. We have almost run out of time.
One security company, Sophos, warned this month that the criminals
are increasingly turning their attention from email-based viruses
to websites hosting malicious code. Do you agree with this, first
of all, and if a legitimate website is "hacked" and
as a result visitors get infected with malware, should the website
owner be held responsible?
Mr Wood: I think certainly it is fair to say
that that trend is definitely a pattern. We have seen increased
profiling in terms of the number of attacks moving away from large
email outbreaks to smaller, more distinct outbreaks which then
will transfer the attack sector over to, say, a web mechanism
using the browser exploit. You also mentioned earlier about the
rogue anti-spyware packages, for example, and it is very difficult
for consumers to know what that actually is, whether it is a legitimate
application which they should install, is it free, for example,
and those can be installed on your machine just by visiting a
legitimate website. For example, last week My Space came under
attack where they were hosting a banner for a particular well-known
rogue anti-spyware application, which if you installed it would
install some components which it would in turn then flag up as
being critical and should be removed, but you would have to pay
money to remove that. But they were not necessarily hosting it
directly, they were just selling the space to an advertising agency,
who were then selling that space on to another company. So it
depends on where you draw the line in terms of who is responsible
and should they have taken more responsibility in understanding
which adverts were appearing on their site, or should the ad agency
have taken that responsibility? It is very difficult.
So like an awful lot of this, there are no simple answers anywhere
here. The situation is clearly highly complex and one can try
and one can make certain progress, but there are still going to
be (not a pun) worm holes through the system all over the place?
Mr Chantzos: Absolutely, my Lord Chairman.
Chairman: You have made a lot of progress
and perhaps the most important thing is to educate people so that
at least they can take the precautions they can and then get the
aid they can as well to help them. Thank you for your time. It
has been a very useful, interesting session. If you have anything
which occurs to you after this session, please write to us and
let us know. Thank you very much.