Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 580 - 599)

WEDNESDAY 21 FEBRUARY 2007

MR GARRETH GRIFFITH, MR ALASDAIR MCGOWAN, MR MICHAEL BARRETT AND MR JEREMY BEALE

  Q580  Chairman: That is an issue. I cannot remember whether it comes up in the questions, but are you heavily involved in prosecutions over your own logos? The incorrect use of your own logo?

  Mr Barrett: Typically speaking, we find it more useful to prosecute these criminals for straightforward fraud rather than to go after them for IP infringement.

  Chairman: Let us get back to our questions. Lord Young?

  Q581  Lord Young of Graffham: Our inquiry here is really concerned with personal Internet security. Who do you think should take responsibility for it?

  Mr Griffith: In my opinion, it is a broad range. I think that we all need to take responsibility for it. By that I mean law enforcement, the Government, industry, as well as the individual. I often liken it to offline analogies of driving a car, where the car manufacturer has responsibility; the people who make the roads have responsibility; law enforcement have responsibility; and the individual behind the wheel also has responsibility. I guess we would be maybe likened to the car manufacturer or even maybe the council, taking care of the roads. However, if it has a seat belt in it but no one knows how to use the seat belt or what it does, it is ineffective. I really believe it is across the board. We strongly believe in partnerships. We work closely with rights owners, with law enforcement around the world globally, with people in the Government. You name it, we work very closely with people. I cannot believe that just one entity, standing alone, can make a significant impact. I think that it is all about partnership. That is why we are heavily involved in Get Safe Online. We saw that as a great way to initiate that partnership with government, law enforcement and industry, to start trying to make a difference on education as well as other things.

  Q582  Lord Young of Graffham: Partnership is no consolation if I have just lost something as a user and I cannot distinguish, or will not distinguish, between the software vendor, the hardware vendor, the ISP or eBay—whoever it is. In some instances it might be my fault, but how do we distinguish between that and liabilities? Who between you all is going to come to me and say, "We will recompense you for the loss you have suffered"?

  Mr Barrett: At least on the PayPal side, if the customer's PayPal account was tapped into illegally then we make the consumer whole. So they bear no financial cost, and that goes into the 41 basis points that I talked about earlier. The issue is simply that for too many of them the experience is so wholly repugnant, and it is kind of like being burgled, that they do not want to have anything to do with the Internet again—and I am not sure whether you can entirely blame them.

  Q583  Lord Young of Graffham: So that is really something which is going to hold back the development of the Net altogether.

  Mr Barrett: That is one reason it is such a strategic priority for us to address this issue.

  Q584  Lord Mitchell: Can I just come back to your survey very quickly? Was this UK or was it international?

  Mr Griffith: UK.

  Q585  Lord Mitchell: Is it possible to get hold of a copy of that?

  Mr Griffith: I was going to say, we would be very happy to send you one. That would not be a problem at all.

  Q586  Lord Young of Graffham: Finally on this, are you in favour of holding software vendors responsible for flaws in their security?

  Mr Griffith: Yes, I think so.

  Q587  Lord Young of Graffham: There is a lot of implication about development of software and everything else, if you are going to hold them responsible.

  Mr Griffith: It is a difficult question, because I do believe responsibility sits squarely across the board. So who is responsible for helping the user to understand what the software is about, how to install it and how to use it? Then who is responsible for them making different choices when an email comes in on whether to click on that link or not? I do believe that we are all responsible. I think that we take a lot of responsibility at eBay for the behaviour of our users and whether or not we have educated them or empowered them with tools. I do not want to speak for the software manufacturers, but I would say that if I were them I would want to take responsibility for the flaws in their system.

  Mr McGowan: I think that there is one other issue here. That is the role of education in educating consumers about the need to update software continually. That is part of what Get Safe Online is about: educating consumers, so they know it is not enough just to buy an anti-virus software, a firewall, install it, and then everything will be fine; because the fraudsters and the hackers out there will always be trying to find new ways of breaking through the systems.

  Mr Barrett: I think that one of the thorny issues in this particular field if one talks about software vendor liability is what is the statute of limitations on that, effectively. Picking on Microsoft—because everybody likes to!—you get this issue of, "Okay, there's Windows 98 and Windows ME, and so on", so where should they be no longer held liable for software flaws in that software? Despite the fact that we still have 1½% or so of our customers using Windows 98, despite the fact that it is now close to a decade old, it is completely out of support, and potentially quite dangerous for them to be doing that. One of the things we try to do is essentially to nudge our customers on to more modern and safer operating systems and browsers, but we cannot, in the final analysis, actually force them to do so.

  Mr Griffith: I think that there is something around "reasonable endeavours". I would hold all companies responsible that they are reasonably doing everything they can.

  Lord Young of Graffham: But it is no consolation to me that all companies are responsible; I need someone specific to go for. This is where the difficulty really comes. It might be that overall everybody should work better together, but that is not the way the world works. There is a point. If it is a software flaw and somebody breaks in—a phishing exercise or whatever—and I lose my PayPal account and I lose my eBay account, it is not my responsibility. Unfortunately, it is not really your responsibility but it is your liability. That is where we are at the moment.

  Q588  Earl of Erroll: Surely Windows 98 is fairly safe now, because no one bothers to attack it any more? The real problem is, if I go into an eBay site or a PayPal site, how do I know that that is PayPal or eBay? Surely you should be authenticating yourselves back to the user, possibly through a second channel and not through the same line as they have come in, in order to make sure it is absolutely secure? So to a large extent the software we are talking about, and the people who perhaps are producing the defective software, are yourselves.

  Mr Barrett: There was an initiative that came out recently, which goes by the incredibly dull name of "extended verification SSL certificates". Essentially, what it does is, when a website communicates to a web browser, it uses this secure socket layer, encrypted session.

  Q589  Earl of Erroll: In other words, IE7.

  Mr Barrett: Exactly right. So as part of Internet Explorer 7 there was support built in that, if a website is using an extended verification certificate, their URL address bar will glow green. We were very keen when that facility was enabled in Internet Explorer that both PayPal and eBay sites should be fully enabled for that. That was launched about two weeks ago and we were indeed one of a decent number of e-commerce sites that was already enabled for that. It is also worth noting that 30% of consumers are now using Internet Explorer 7. So there is actually a fairly good fraction of consumers that now can tell very straightforwardly whether they are in fact on the legitimate PayPal and eBay websites.

  Q590  Earl of Erroll: Can I say that, unfortunately, Parliament is not—because of other issues in the system? There must be quite a lot of other corporates, because there are incompatibilities, I believe, with other components in the system. Also, for instance, IE7 will not communicate with the Thomson SpeedTouch router; you have still to use IE6. Until people are upgraded across the board, you cannot necessarily rely on the latest technology—as you have already said—being deployed. So should we be looking at things which are technology-independent?

  Mr Griffith: I have one addition to what Michael was saying. We have had our toolbar—what we call our eBay Toolbar with Account Guard—for about four or five years now, which is downloadable onto any version of Internet Explorer. It effectively does what Internet Explorer 7 now does, and has done for a few years now, namely if you are on a site that is not eBay or PayPal, you basically get a pop-up; it flashes red, and there is no way of missing that you are not on it. The simple way to look at it is, if it does not go green you are not on eBay or PayPal. Fundamentally, it turns green if you are on our site. If you are on any other site on the Internet—Microsoft, Amazon—it does not. We have had that for a while. On the email front we have this address spoof@eBay.com or spoof@PayPal.com, and if you send any email to that address and just wait a few minutes, we will tell you whether it is real or not. So we have pretty robust ways of helping you know if you are on the right site or if the email is rigged.

  Mr McGowan: And it is free to download.

  Earl of Erroll: I think that you should publicise that email facility better, because I certainly know my wife does not know about it.

  Q591  Chairman: Does that operate on Firefox as well?

  Mr Griffith: The toolbar does now. A while ago it was not, but now it is functional on Firefox.

  Q592  Chairman: Mr Beale, can I ask you what the CBI position is on holding software companies liable for faults in security in their software?

  Mr Beale: The simple answer is that we do not have a formal position; but, to give you something a bit more informative, we hold the view—as the other speakers have today—that this is a mutual responsibility amongst a number of different actors. Having said that, I also take Lord Young's point that if everyone has a responsibility no one in particular has the responsibility. I think what needs to be done is a much clearer working-out of where responsibility lies for different actions along the chain of supply, according to what one's capabilities are in that chain of supply. This has never been systematically done, and I think it would be helpful. I should add that there are also existing laws that cover liability, neglect, et cetera, which are probably quite adequate in many cases. So I am not advocating some great new legal framework for this. I think—and this will underline a point that I will make a number of times in terms of the questions that I have had presented to me—that what is really needed is, as we term it, a national information security strategy. By that we mean an educational programme that is given high priority; that is linked to a training programme; that is also linked to an improvement in enforcement capabilities. So a significant national campaign, but part of that would be the development of a better understanding of what different groups, including software groups, can and cannot do in terms of providing security, and of course including individuals.

  Q593  Lord Mitchell: The CBI evidence says that companies are leaving themselves open to attack by failing to implement adequate security measures. What should be done about it? Could I add, would you prefer to see these problems being addressed by regulation or by the creation of efficient incentives, or should companies simply be left to get on with it?

  Mr Beale: What I have just said was a bit of a prelude to this question. The point about many companies is that they are not aware exactly of the kind of threats they face, and so are not necessarily able to evaluate what they need to do. Many large companies have that capability. Even they often do not get it right, but particularly small and medium-sized companies do not have access to the expertise necessarily, or easily or cheaply, to be able to properly secure themselves. There is also the fact that of course the threat is constantly changing. As we are probably all too aware, every time you think you have defended yourself against something, another threat appears. So I think there is a major issue here. This is why I think we need a national information security strategy to deal with that. Having said that, there is also the problem, as I have just mentioned, that technical resources are often expensive. There are not that many people available widely across the economy who can provide the expertise that will necessarily help companies, and so we need a lot more effort going into the development of that expertise. Again, large companies can afford to pay high salaries to people who are very good at information security; but it is often out of reach of small and medium-sized companies who cannot do it on an ongoing basis—and yet an ongoing basis is exactly what may be required. To come back to your second question, if you establish a regulation the only trouble is that you establish it in relation to a specific set of technologies. If the technologies change with another kind of threat, the regulation is irrelevant. Rather than trying to find a silver bullet, a regulation or a set of actors that can solely resolve this problem, we need a much greater combined effort, led by government, that will help raise awareness, help develop expertise, across the UK.

  Q594  Lord Mitchell: Do you think companies should be held liable if their systems are inadequate?

  Mr Beale: I think the answer given a bit earlier was quite good, about "best endeavours"; but, again, I go to the point that it is often very hard for companies to know what they are meant to be defending themselves against. Again, to say, "You have total responsibility for having been unprepared" can seem a bit disproportionate at times. When they are clearly being negligent, that would be a different matter.

  Q595  Earl of Erroll: Would you like to see a security breach notification law in the UK, like there is in some of the United States?

  Mr Barrett: This is an interesting question. I think that you can look at what has happened in the United States as that it has fairly effectively shone a light on to what you could describe as inadequate data custody practices; but it actually is not very helpful from a consumer perspective. If you get a letter in the mail—as I did recently myself—you look at it and say, "Okay, what am I supposed to do with that and what does it tell me about my own personal risk?". It is also very much an exercise in shutting the stable door after the proverbial horse has bolted, because a company that experiences one of those breach notification moments almost always then implements a much stronger information security programme than they had before the notification moment. The question is whether we would all be better served with uniform data custody standards. I think that is quite a difficult thing to pull off from a legislative perspective, because you also run into this problem that you do not necessarily want to enshrine in primary legislation what amount to a series of technical standards. It is then the question of how you actually set a good baseline standard, in a way that does not mandate specific technologies.

  Q596  Earl of Erroll: In which case, what you have said is, though there is an element of shutting the stable door after the horse has bolted, actually it has given the motivation to do exactly what you wanted—and which you have just said legislation would not do. Therefore, it is working in that they are, even if retrospectively, upgrading their data security standards.

  Mr Barrett: I would argue that you can achieve the same effect by enabling data custody standards. In fact, in the United States the payment card industry standards, or PCI, has been fairly effective at helping the credit card community in getting its information security posture something closer to the right level. That was not mandated by the Government; that was simply mandated by the credit card networks.

  Q597  Earl of Erroll: The problem is that they are in the business of handling money; a lot of the data thefts are actually from systems that are not, such as social security systems and traders, and people like that. One of the points made earlier is that this also means that it is reported to the authorities, so one has a handle on how big the problem is, and this would not be reported if it was not for these data breach laws. Would there be a purpose in keeping them so that we actually know the scale of the problem?

  Mr Barrett: In theory, that makes sense. I think the devil is in the details, to be quite honest, when you are discussing at this level of abstraction. You have to get a bit closer to how any proposed scheme might be implemented. In principle, I see no issue—and this is me speaking personally rather than any formal corporate position. I have never personally had a concern about the notification requirement per se; it is simply that it does not actually fix the behaviour that you want to change, which is stronger data custody.

  Q598  Earl of Erroll: Do the CBI have a view on this?

  Mr Beale: No, we do not have a formal position. We do see that having a system so that everyone understands where they stand could be useful. The reports that we get from members about the US situation are that it was introduced by politicians wanting to have a quick fix to what is clearly a problem; but that the requirement is disproportionate to the actual threat and, as a result, it is extremely costly. If anything like this were to be introduced, it would be good if it was well developed, after a lot of discussion with the various industries about what it would entail and, as I have said, as part of a broader effort to develop understanding of what was actually involved.

  Q599  Earl of Erroll: In other words, no mass mailings out to customers. Use it more intelligently.

  Mr Beale: A more focused view, yes.



© Parliamentary copyright 2007