Examination of Witnesses (Questions 580
WEDNESDAY 21 FEBRUARY 2007
That is an issue. I cannot remember whether it comes up in the
questions, but are you heavily involved in prosecutions over your
own logos? The incorrect use of your own logo?
Mr Barrett: Typically speaking, we find it more
useful to prosecute these criminals for straightforward fraud
rather than to go after them for IP infringement.
Chairman: Let us get back to our questions.
Q581 Lord Young of Graffham:
Our inquiry here is really concerned with personal Internet security.
Who do you think should take responsibility for it?
Mr Griffith: In my opinion, it is a broad range.
I think that we all need to take responsibility for it. By that
I mean law enforcement, the Government, industry, as well as the
individual. I often liken it to offline analogies of driving a
car, where the car manufacturer has responsibility; the people
who make the roads have responsibility; law enforcement have responsibility;
and the individual behind the wheel also has responsibility. I
guess we would be maybe likened to the car manufacturer or even
maybe the council, taking care of the roads. However, if it has
a seat belt in it but no one knows how to use the seat belt or
what it does, it is ineffective. I really believe it is across
the board. We strongly believe in partnerships. We work closely
with rights owners, with law enforcement around the world globally,
with people in the Government. You name it, we work very closely
with people. I cannot believe that just one entity, standing alone,
can make a significant impact. I think that it is all about partnership.
That is why we are heavily involved in Get Safe Online.
We saw that as a great way to initiate that partnership with government,
law enforcement and industry, to start trying to make a difference
on education as well as other things.
Q582 Lord Young of Graffham:
Partnership is no consolation if I have just lost something as
a user and I cannot distinguish, or will not distinguish, between
the software vendor, the hardware vendor, the ISP or eBaywhoever
it is. In some instances it might be my fault, but how do we distinguish
between that and liabilities? Who between you all is going to
come to me and say, "We will recompense you for the loss
you have suffered"?
Mr Barrett: At least on the PayPal side, if
the customer's PayPal account was tapped into illegally then we
make the consumer whole. So they bear no financial cost, and that
goes into the 41 basis points that I talked about earlier. The
issue is simply that for too many of them the experience is so
wholly repugnant, and it is kind of like being burgled, that they
do not want to have anything to do with the Internet againand
I am not sure whether you can entirely blame them.
Q583 Lord Young of Graffham:
So that is really something which is going to hold back the development
of the Net altogether.
Mr Barrett: That is one reason it is such a
strategic priority for us to address this issue.
Q584 Lord Mitchell:
Can I just come back to your survey very quickly? Was this UK
or was it international?
Mr Griffith: UK.
Q585 Lord Mitchell:
Is it possible to get hold of a copy of that?
Mr Griffith: I was going to say, we would be
very happy to send you one. That would not be a problem at all.
Q586 Lord Young of Graffham:
Finally on this, are you in favour of holding software vendors
responsible for flaws in their security?
Mr Griffith: Yes, I think so.
Q587 Lord Young of Graffham:
There is a lot of implication about development of software and
everything else, if you are going to hold them responsible.
Mr Griffith: It is a difficult question, because
I do believe responsibility sits squarely across the board. So
who is responsible for helping the user to understand what the
software is about, how to install it and how to use it? Then who
is responsible for them making different choices when an email
comes in on whether to click on that link or not? I do believe
that we are all responsible. I think that we take a lot of responsibility
at eBay for the behaviour of our users and whether or not we have
educated them or empowered them with tools. I do not want to speak
for the software manufacturers, but I would say that if I were
them I would want to take responsibility for the flaws in their
Mr McGowan: I think that there is one other
issue here. That is the role of education in educating consumers
about the need to update software continually. That is part of
what Get Safe Online is about: educating consumers, so
they know it is not enough just to buy an anti-virus software,
a firewall, install it, and then everything will be fine; because
the fraudsters and the hackers out there will always be trying
to find new ways of breaking through the systems.
Mr Barrett: I think that one of the thorny issues
in this particular field if one talks about software vendor liability
is what is the statute of limitations on that, effectively. Picking
on Microsoftbecause everybody likes to!you get this
issue of, "Okay, there's Windows 98 and Windows ME, and so
on", so where should they be no longer held liable for software
flaws in that software? Despite the fact that we still have 1½%
or so of our customers using Windows 98, despite the fact that
it is now close to a decade old, it is completely out of support,
and potentially quite dangerous for them to be doing that. One
of the things we try to do is essentially to nudge our customers
on to more modern and safer operating systems and browsers, but
we cannot, in the final analysis, actually force them to do so.
Mr Griffith: I think that there is something
around "reasonable endeavours". I would hold all companies
responsible that they are reasonably doing everything they can.
Lord Young of Graffham: But it is no
consolation to me that all companies are responsible; I need someone
specific to go for. This is where the difficulty really comes.
It might be that overall everybody should work better together,
but that is not the way the world works. There is a point. If
it is a software flaw and somebody breaks ina phishing
exercise or whateverand I lose my PayPal account and I
lose my eBay account, it is not my responsibility. Unfortunately,
it is not really your responsibility but it is your liability.
That is where we are at the moment.
Q588 Earl of Erroll:
Surely Windows 98 is fairly safe now, because no one bothers to
attack it any more? The real problem is, if I go into an eBay
site or a PayPal site, how do I know that that is PayPal or eBay?
Surely you should be authenticating yourselves back to the user,
possibly through a second channel and not through the same line
as they have come in, in order to make sure it is absolutely secure?
So to a large extent the software we are talking about, and the
people who perhaps are producing the defective software, are yourselves.
Mr Barrett: There was an initiative that came
out recently, which goes by the incredibly dull name of "extended
verification SSL certificates". Essentially, what it does
is, when a website communicates to a web browser, it uses this
secure socket layer, encrypted session.
Q589 Earl of Erroll:
In other words, IE7.
Mr Barrett: Exactly right. So as part of Internet
Explorer 7 there was support built in that, if a website is using
an extended verification certificate, their URL address bar will
glow green. We were very keen when that facility was enabled in
Internet Explorer that both PayPal and eBay sites should be fully
enabled for that. That was launched about two weeks ago and we
were indeed one of a decent number of e-commerce sites that was
already enabled for that. It is also worth noting that 30% of
consumers are now using Internet Explorer 7. So there is actually
a fairly good fraction of consumers that now can tell very straightforwardly
whether they are in fact on the legitimate PayPal and eBay websites.
Q590 Earl of Erroll:
Can I say that, unfortunately, Parliament is notbecause
of other issues in the system? There must be quite a lot of other
corporates, because there are incompatibilities, I believe, with
other components in the system. Also, for instance, IE7 will not
communicate with the Thomson SpeedTouch router; you have still
to use IE6. Until people are upgraded across the board, you cannot
necessarily rely on the latest technologyas you have already
saidbeing deployed. So should we be looking at things which
Mr Griffith: I have one addition to what Michael
was saying. We have had our toolbarwhat we call our eBay
Toolbar with Account Guardfor about four or five years
now, which is downloadable onto any version of Internet Explorer.
It effectively does what Internet Explorer 7 now does, and has
done for a few years now, namely if you are on a site that is
not eBay or PayPal, you basically get a pop-up; it flashes red,
and there is no way of missing that you are not on it. The simple
way to look at it is, if it does not go green you are not on eBay
or PayPal. Fundamentally, it turns green if you are on our site.
If you are on any other site on the InternetMicrosoft,
Amazonit does not. We have had that for a while. On the
email front we have this address spoof@eBay.com or spoof@PayPal.com,
and if you send any email to that address and just wait a few
minutes, we will tell you whether it is real or not. So we have
pretty robust ways of helping you know if you are on the right
site or if the email is rigged.
Mr McGowan: And it is free to download.
Earl of Erroll: I think that you should publicise
that email facility better, because I certainly know my wife does
not know about it.
Does that operate on FireFox as well?
Mr Griffith: The toolbar does now. A while ago
it was not, but now it is functional on FireFox.
Mr Beale, can I ask you what the CBI position is on holding software
companies liable for faults in security in their software?
Mr Beale: The simple answer is that we do not
have a formal position; but, to give you something a bit more
informative, we hold the viewas the other speakers have
todaythat this is a mutual responsibility amongst a number
of different actors. Having said that, I also take Lord Young's
point that if everyone has a responsibility no one in particular
has the responsibility. I think what needs to be done is a much
clearer working-out of where responsibility lies for different
actions along the chain of supply, according to what one's capabilities
are in that chain of supply. This has never been systematically
done, and I think it would be helpful. I should add that there
are also existing laws that cover liability, neglect, et cetera,
which are probably quite adequate in many cases. So I am not advocating
some great new legal framework for this. I thinkand this
will underline a point that I will make a number of times in terms
of the questions that I have had presented to methat what
is really needed is, as we term it, a national information security
strategy. By that we mean an educational programme that is given
high priority; that is linked to a training programme; that is
also linked to an improvement in enforcement capabilities. So
a significant national campaign, but part of that would be the
development of a better understanding of what different groups,
including software groups, can and cannot do in terms of providing
security, and of course including individuals.
Q593 Lord Mitchell:
The CBI evidence says that companies are leaving themselves open
to attack by failing to implement adequate security measures.
What should be done about it? Could I add, would you prefer to
see these problems being addressed by regulation or by the creation
of efficient incentives, or should companies simply be left to
get on with it?
Mr Beale: What I have just said was a bit of
a prelude to this question. The point about many companies is
that they are not aware exactly of the kind of threats they face,
and so are not necessarily able to evaluate what they need to
do. Many large companies have that capability. Even they often
do not get it right, but particularly small and medium-sized companies
do not have access to the expertise necessarily, or easily or
cheaply, to be able to properly secure themselves. There is also
the fact that of course the threat is constantly changing. As
we are probably all too aware, every time you think you have defended
yourself against something, another threat appears. So I think
there is a major issue here. This is why I think we need a national
information security strategy to deal with that. Having said that,
there is also the problem, as I have just mentioned, that technical
resources are often expensive. There are not that many people
available widely across the economy who can provide the expertise
that will necessarily help companies, and so we need a lot more
effort going into the development of that expertise. Again, large
companies can afford to pay high salaries to people who are very
good at information security; but it is often out of reach of
small and medium-sized companies who cannot do it on an ongoing
basisand yet an ongoing basis is exactly what may be required.
To come back to your second question, if you establish a regulation
the only trouble is that you establish it in relation to a specific
set of technologies. If the technologies change with another kind
of threat, the regulation is irrelevant. Rather than trying to
find a silver bullet, a regulation or a set of actors
that can solely resolve this problem, we need a much greater combined
effort, led by government, that will help raise awareness, help
develop expertise, across the UK.
Q594 Lord Mitchell:
Do you think companies should be held liable if their systems
Mr Beale: I think the answer given a bit earlier
was quite good, about "best endeavours"; but, again,
I go to the point that it is often very hard for companies to
know what they are meant to be defending themselves against. Again,
to say, "You have total responsibility for having been unprepared"
can seem a bit disproportionate at times. When they are clearly
being negligent, that would be a different matter.
Q595 Earl of Erroll:
Would you like to see a security breach notification law in the
UK, like there is in some of the United States?
Mr Barrett: This is an interesting question.
I think that you can look at what has happened in the United States
as that it has fairly effectively shone a light on to what you
could describe as inadequate data custody practices; but it actually
is not very helpful from a consumer perspective. If you get a
letter in the mailas I did recently myselfyou look
at it and say, "Okay, what am I supposed to do with that
and what does it tell me about my own personal risk?". It
is also very much an exercise in shutting the stable door after
the proverbial horse has bolted, because a company that experiences
one of those breach notification moments almost always then implements
a much stronger information security programme than they had before
the notification moment. The question is whether we would all
be better served with uniform data custody standards. I think
that is quite a difficult thing to pull off from a legislative
perspective, because you also run into this problem that you do
not necessarily want to enshrine in primary legislation what amount
to a series of technical standards. It is then the question of
how you actually set a good baseline standard, in a way that does
not mandate specific technologies.
Q596 Earl of Erroll:
In which case, what you have said is, though there is an element
of shutting the stable door after the horse has bolted, actually
it has given the motivation to do exactly what you wantedand
which you have just said legislation would not do. Therefore,
it is working in that they are, even if retrospectively, upgrading
their data security standards.
Mr Barrett: I would argue that you can achieve
the same effect by enabling data custody standards. In fact, in
the United States the payment card industry standards, or PCI,
has been fairly effective at helping the credit card community
in getting its information security posture something closer to
the right level. That was not mandated by the Government; that
was simply mandated by the credit card networks.
Q597 Earl of Erroll:
The problem is that they are in the business of handling money;
a lot of the data thefts are actually from systems that are not,
such as social security systems and traders, and people like that.
One of the points made earlier is that this also means that it
is reported to the authorities, so one has a handle on how big
the problem is, and this would not be reported if it was not for
these data breach laws. Would there be a purpose in keeping them
so that we actually know the scale of the problem?
Mr Barrett: In theory, that makes sense. I think
the devil is in the details, to be quite honest, when you are
discussing at this level of abstraction. You have to get a bit
closer to how any proposed scheme might be implemented. In principle,
I see no issueand this is me speaking personally rather
than any formal corporate position. I have never personally had
a concern about the notification requirement per se; it
is simply that it does not actually fix the behaviour that you
want to change, which is stronger data custody.
Q598 Earl of Erroll:
Do the CBI have a view on this?
Mr Beale: No, we do not have a formal position.
We do see that having a system so that everyone understands where
they stand could be useful. The reports that we get from members
about the US situation is that it was introduced by politicians
wanting to have a quick fix to what is clearly a problem; but
that the requirement is disproportionate to the actual threat
and, as a result, it is extremely costly. If anything like this
were to be introduced, it would be good if it was well developed,
after a lot of discussion with the various industries about what
it would entail and, as I have said, as part of a broader effort
to develop understanding of what was actually involved.
Q599 Earl of Erroll:
In other words, no mass mailings out to customers. Use it more
Mr Beale: A more focused view, yes.