Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 840 - 859)

WEDNESDAY 28 MARCH 2007

MARGARET HODGE, MR GEOFF SMITH, MR VERNON COAKER AND MR STEPHEN WEBB

  Q840  Chairman: You might argue that if the disk was activated in the computer when it would not otherwise have been activated you would be correct, would you not?

  Mr Coaker: That is an interesting thought.

  Margaret Hodge: But who would you charge?

  Q841  Baroness Hilton of Eggardon: The person setting up the botnet?

  Mr Coaker: If you could find them, yes.

  Baroness Hilton of Eggardon: Certainly, that is if they are put in hundreds of thousands of people's computers.

  Q842  Earl of Erroll: Surely if launching a denial of services attack is illegal, which it now is, then for conspiring to do so or purchasing software with the intention you could get them under some form of conspiracy act?

  Mr Coaker: You could, yes, I think.

  Mr Webb: What we do not have is a blanket offence for buying or possessing them. If there is criminal intent involved, certainly that would be.

  Q843  Chairman: I would have thought it would be a positive move to make it illegal to collect together enough computers to have a substantial botnet unless you had a licence so to do. If you are doing it because you want to make calculations on climate, then you might have a licence to do it. We will get onto other questions about people who actually explore the security of the networks, but to allow people to hire out the use of a botnet to inconvenience everybody, if not to defeat service on the Internet, I would have thought should be illegal.

  Mr Coaker: Chairman, let us write to you about that. It is an interesting point. We are trying to capture the criminality by the use of the computer facility, the computer hardware, software, or whatever. We are trying to capture the criminality through its use or supply, or the adaptation, but in part the point of committees like this is to reflect on points which people make, so let us reflect on that and write to you on that particular point to see whether we can move forward.

  Mr Webb: Even with the law as it stands, the computer industry has concerns that it is potentially criminalising legitimate use.

  Q844  Chairman: I think one of the points to consider is that the person running the botnet may well be in Eastern Europe, so if somebody is caught here transferring money via their credit card, or however, to somebody in Eastern Europe who is operating a botnet which operates with half a million computers in the UK then one should be able to go after that person.

  Mr Coaker: It is an important point, though, Chairman, that the industry is concerned about the whole operation of dual usage and we do need to be proportionate and make sure that we allow legitimate business to carry on in an effective way. That is not to say that we do that in a way which means that we cannot tackle criminality, but we have been very effectively working with industry and we need to carry on with that self-regulatory and productive approach.

  Q845  Lord Young of Graffham: It is a legal business to sell knives in this country if they are part of a dining room set, or something of that sort, but it is illegal if you are selling knives knowing that they are going to be used for criminal purposes.

  Mr Coaker: That is a similar thing that we are trying to do with respect to computers.

  Q846  Lord Young of Graffham: But a botnet would be the same thing if it is actually being hired out to somebody.

  Mr Coaker: Yes, but that is the use of the system rather than the actual network.

  Q847  Lord Young of Graffham: Yes, it is the mens rea. It is the intention in fact?

  Mr Coaker: Yes.

  Q848  Lord Harris of Haringey: Do you have a record of the number of incidents there have been for people using botnets illegally?

  Mr Coaker: Again, Chairman, we can look into that, but I do not have it here. It might be useful if we write to you and you could circulate that to the Committee, if that is helpful.

  Mr Smith: I think it is almost impossible to measure that in the UK, but there are industry commentators such as Symantec who do research into this and observe the development and use of botnets, and we can certainly provide information to you on that.

  Q849  Lord Howie of Troon: Changing the subject a little, you will be aware, I am sure, that there are security breach notification laws in California and 30 or so states nearby. Have you any views on this? Would you like to see such things here?

  Margaret Hodge: I am aware of that particular bit of legislation and clearly if somebody has their identity stolen there ought to be a right of notification. It looks an enticing bit of legislation. We are looking at it and Europe is looking at it, and Europe might well come forward as part of the review of the electronic communications framework, which I think we are expecting in about July. They may well come forward with a proposition around this area. I would simply draw to the Committee's attention what I am sure you have already thought of, which is the difficulty of framing that intent in a practical way because you would have to decide what breaches would you report precisely, what is the trigger for a report, those sorts of issues, and you do not want to end up in a situation where people either become really blasé about it because they get so many reports of breaches or they become so scared that they do not take advantage of the new information communication technology. On that latter point, we already know that actually people's fear of these sorts of crimes—and I was surprised to see this statistic—is much greater than their fear of muggings or burglary. So there is quite a lot of fear around this and we do not want that to be something which leads to exclusion from all the benefits which information communication technology developments bring individuals. It is an interesting bit of legislation. We need to examine it. The devil is in the detail and we will think about it and look at what Europe brings forward in the summer.

  Q850  Lord Howie of Troon: You say you are looking into it. I seem to have heard that several times during this session, you are looking into this, you are looking into that and you are looking into the other thing. Have you seen anything yet that is helpful?

  Margaret Hodge: I think we are doing things which are helpful in trying to curtail crime and that surround, working with the industries so that they are better at the technology to ensure that they prevent it happening in the first place. What Vernon has been talking to you about is that there is a huge amount of activity in trying to detect it. I suppose the other thing which we jointly do is that a lot of effort goes into providing education and information to individuals so that they get smarter at using technology. Phishing is a classic example. If we did not give away our bank details so readily online our behaviour could immediately halt it and wipe out one area of cyber crime.

  Q851  Lord Howie of Troon: You mentioned a proposal from the European Union. As we understand it, they would likely restrict notification to just telecom companies. Do you think that is adequate?

  Margaret Hodge: What they have said, as I understand it, and I might defer to Geoff on this, is that they will use national regulatory authorities (which in our case would be Ofcom) as the regulator, but I do not think there is a restriction as to who would report through to Ofcom.

  Mr Smith: That is absolutely a very fair point. In the US it is applied to all businesses and what the European Commission is saying, through the framework review proposal, is that this kind of legislation might apply to communications providers, which would be telecoms companies and ISPs. It looks slightly odd on the face of it to only be applying this kind of legislation to those providers and we could have the oddity of eBay or Amazon not being impacted by the legislation while Yahoo and Orange would be. This has to be seen, I guess, as a kind of transitory solution. It does show that European thinking is moving along the same lines as the US, but the US experience—I do not know whether you gathered this when you went to the States—has not been happy. I think the profusion of different legislations with different requirements has made a lot of lawyers rich, but I am not sure that it has actually increased security or increased consumer confidence. I fully accept the point the Minister has made. It is an interesting idea, but we have got to get it right.

  Q852  Lord Harris of Haringey: We were advised that one of the problems was because there was separate legislation in 30 different states. Presumably that is not something you are envisaging. But we were also told one of the real benefits of this was that because of the reputational impact this has on companies the result has been that they take breaches in information security, whether it is a lost laptop or messy access to their IT systems, much more seriously and it has raised it up the agenda as far as they are concerned. That, presumably, must have a beneficial impact.

  Margaret Hodge: It should be, but the danger of that is that you over-report and then you are into what levels should you be reporting to maintain confidence in people using IT generally as part of their lives, or do you over-report and then you become so blasé that they take none of it seriously? That is why the devil is in the detail of how you would frame this.

  Lord Harris of Haringey: I do not think anyone was suggesting to us that there had been a negative effect on e-commerce as a result of the breaches.

  Chairman: I think that is right, but they did say that the impact fell after a time.

  Lord Harris of Haringey: As far as individuals were concerned, yes.

  Q853  Chairman: That is correct, and so one has got to be careful not to report too much, as you say. But just having it in the background we think is very valuable in any case.

  Margaret Hodge: Yes.

  Q854  Baroness Hilton of Eggardon: If we can revert to the protection of individuals and whether the IT community industry should be doing more to look after people and prevent security breaches, do you think that would be beneficial? They kept talking to us about end-user agreements and flexibility of the system and all those other things they feel they should retain, but we were feeling that the people in between, the people who devised the software, the ISPs and so on, could do more to protect individuals. Would you agree?

  Margaret Hodge: You mean should we encourage them or should we coerce them?

  Q855  Baroness Hilton of Eggardon: Either.

  Margaret Hodge: On the encouragement, self-regulatory front, I think we would be 100% for that. There is progress in where we are today compared with where we were a year ago or five years ago. If you look at the mechanisms now that we have got for filtering spam or checking for viruses, it is all much better today than it was a few years back. We do encourage—and we do it actually through the DTI by getting partnerships between our knowledge transfer network partnerships, which bring together all the key stakeholders from academia through to industry players across the industry through to consumers, the whole lot, and they share information and knowledge and also then can access various technology research pots of money to try and work in that area. I think we ought to do more. The more we can encourage, the more we should. The only thing I would add is the point I have made before, which is that just as important is the education of consumers, which is why our Get Safe Online efforts, I think, are pretty important. We probably ought to be doing more to support consumers in using their technology sensibly.

  Q856  Baroness Hilton of Eggardon: What about protecting consumers by providing them with more information when they get new computers? There is all this talk about firewalls and a various range of vocabulary which perhaps people do not understand.

  Margaret Hodge: I can tell you that as a minister you have difficulty!

  Q857  Baroness Hilton of Eggardon: That new patches need to be put on the software, and so on. That is all Greek to people and I think perhaps some simple instructions to people which went with their new computer could be helpful.

  Margaret Hodge: Before we came into the Committee hearing today I was so amazed somebody on the Committee knows, but how we ever got to "phishing" with a "ph" I do not know.

  Q858  Lord Howie of Troon: Indeed, I have often wondered!

  Margaret Hodge: That is the sort of technological obscuration which I do not think helps anybody and acronyms in this world are also very difficult. I suppose the only other thing I would say about ISPs doing more and the industry making a greater effort—I have talked about what we do at home—this is also an area where we need to cooperate, not just in Europe but globally because that is absolutely vital in combating fraud.

  Q859  Chairman: What about regulation which requires sellers with computers to state the condition in terms of time of their protective software, so that if you have got a computer which has just not been updated for six months with the latest viruses then it should state it like an out of date litre of milk, that this product is out of date, it is past its sell-by date? Why do we not do that?

  Margaret Hodge: That is an idea which I think is worth exploring. What it presumes is that people know what they are buying. I have not looked at it in this area, but I am looking quite carefully at the moment as we go for digital switch-over at consumer knowledge as they purchase new televisions to cope with the switch-over and I think there is a huge lack of knowledge—with the sales staff also, interestingly enough, not just consumers—as to what software they are purchasing. So it is a good idea, but it has got to be part of a bigger picture is probably what I would say to you on that.


 

© Parliamentary copyright 2007