Select Committee on Science and Technology Minutes of Evidence

Supplementary memorandum by the Department of Trade and Industry

Q 879  (third party legal actions against spammers)

  Spam is an international problem and the Government does not collect data on e-mail volumes and the nature of e-mail traffic. Available statistics on the problem vary widely but they do show that the volume of spam is increasing. For example, Symantec, a leading security software company, produce a six monthly Internet Threat Report. This is one of the most widely read documents that measures the problem on the basis of the company's large number of sensors on the internet. The latest report, issued in March 2007, estimates that spam made up 59% of all monitored e-mail traffic in the second half of 2006. This is a steady increase over the previous six months and they found that some 30% of this spam related to the financial services industry. The UK is clearly a major target for spammers but the fact that most is generated by parties outside the UK (and indeed from outside the EU) poses a significant problem in terms of enforcement.

  This is borne out by research conducted by Spamhaus[2], a UK-based anti-spam initiative. According to their latest figures, the 200 spammers named on the Register of Known Spam Operations (ROKSO) are responsible for 80% of spam. The list consists predominantly of US-based spammers and there is only one UK citizen who appears on the list.

  It was this background that led us to comment in evidence that we thought it unlikely that action would be taken against UK spammers in the Court. At the time of the session on 28 March, we were unaware that Microsoft had in fact brought two actions. One was against Paul McDonald whose business sold e-mail address lists for the purpose of direct marketing without the holders of those addresses having consented to the receipt of direct marketing.[3] Microsoft successfully sought relief under the Privacy and Electronic Communications (EC Directive) Regulations 2003[4] ("the Privacy Regulations"). The court ruled that McDonald had breached regulation 22 of the Privacy Regulations and that Microsoft, a provider of e-mail services, was entitled to protection under that regulation. Microsoft was entitled to compensation under regulation 30 of the Privacy Regulations for damages as a result of the breach of regulation 22 and also to an injunction restraining McDonald from further breaches.

  The second case was a claim against a person who used bulk unsolicited e-mail within the Microsoft Network to attract custom to his pornographic website. Microsoft sued him for breach of terms and conditions relating to the use of their Hotmail service. The claim was settled when the defendant undertook not to send any further unsolicited e-mails and to pay compensation to Microsoft. These actions allow us to confirm the proposition of the Committee that third party legal action is another viable approach to addressing the spam problem—at least for organisations with the resources to pursue such actions.

  We know that this approach is more prevalent in the US but that reflects both the prevalence of spammers resident in the US and the different legal system. In the US the CAN-SPAM legislation clearly enables ISPs to take spammers to court. Awards there are much higher than in the UK; for example, a recent Nevada-based claim resulted in a fine of $11 million as repayment to ISP customers inconvenienced by a spammer. We do, however, understand that fines are rarely collected.

Q 883  (how the network and information security platform is working)

  The Network Security Innovation Platform (NSIP) is a new way of working for Government aimed at positioning business and Government closer together to generate more innovative solutions to major policy and societal challenges.

  As electronic networks increasingly become critical to society, so Network Security is seen as being a major growth area, and one where the UK is well placed to create added value, through the provision of both products and services. The real "challenge" is to bring together key Government Departments, academia and business to identify both where innovation could be used to solve specific problems and the actions needed to bring Government procurement and innovative business solutions closer together.

  The most pressing weakness in network security is the interaction between the system and the person using the system. The key aim of the Network Security Innovation Platform is to bring together technological innovation and social sciences to ultimately create systems that are secure, user friendly, trusted and respect individual privacy. The Platform will aim to place UK business at the forefront of expertise in this area and create wealth by allowing business to compete successfully for major global opportunities.

  After consultation, two initial themes were chosen to take forward the platform activities: Human Vulnerabilities in Network Security and Balancing Privacy and Consent in Network Security.

  The two areas are dealt with below, showing what activities the NSIP is undertaking, with expected deliverables, time scales and associated R&D spend.

Human Vulnerabilities in Network Security—Restricted Commercial

  Four successful Autumn 2006 Technology Programme (collaborative R&D) Proposals were selected—details below. The six month feasibility stage projects started in April 2007 and require a total grant of £350k, with follow up funding of up to £4 million available for successful proposals from 2008-10.

    —  Integrating Security Technology & Organisational Culture for Employee Risk—BAe Systems, Loughborough University, more industrial partners expected to join the full project stage if the feasibility is successful. The project will deliver a novel organisational and human factors focused network security risk assessment package.

    —  Trust Economics—Hewlett-Packard Ltd, Merrill Lynch, University of Bath, University of Newcastle and University College London; The project will explore, develop and apply a predictive modelling framework within which the effectiveness and value of security policies that regulate the interaction between humans and information systems can be assessed.

    —  The Analysis of Human Behaviour from Network Communication—Chronicle Solutions, University of Plymouth; The project aims to develop the scientific basis to support a potential technology solution for the analysis of enterprise digital communications in order to identify and act on potential security threats introduced by humans to information and IT services.

    —  CatalysIS: A tool to improve risk culture and identify human vulnerabilities in Network Security—The National Computing Centre Ltd, University of Manchester; The consortium believes that a catalyst to improve attitudes towards risks both to and from information systems should be created. The deliverable is a software-based tool that provides a network security awareness programme that is tailored to the individual employee.

Balancing Privacy and Consent in Network Security

  The Identity and Passport Service (IPS) is the primary challenge holder in the area of "Balancing Privacy and Consent in Network Security—Using innovation to address privacy and consent in Identity Service Provision". The NSIP is working with the Identity & Passport Service (IPS) to develop a work package that will sponsor research and development into how to balance the intrusive nature of identity services and network security with expectations of privacy and consent.

    —  ID service provision will both create wealth and reduce fraud, by allowing secure verification of identities. The work programme will be geared to creating a new business sector in the emerging privacy enhancing technology area. A functioning but still embryonic ID services sector will emerge by 2010 and the NSIP will increase the likelihood that secure digital identities will be accepted by the public and will create opportunities for UK business.

    —  The NSIP will bring together Government Departments, large businesses, retail, banking, innovative SMEs and academic partners in collaborative partnerships.

    —  A joint DTI and IPS workshop highlighted specific scenarios where NSIP activity would have best effect. This formed the basis of a scoping study to identify the key areas for the NSIP to target. The IPS-funded study, conducted by PA Consulting, will be delivered by July 2007 and will include a workshop to clearly define what challenges the programme should address, such as:

    —  How do you implement informed consent?

    —  How do you prevent further dissemination of private information?

    —  How do you revoke consent?

    —  We expect the R&D activity to be launched in Autumn of 2007. The initial activity will be via an "Ideas Factory" Sand Pit in collaboration with EPSRC and ESRC who have committed over £3 million of co-funding.

2   Spamhaus tracks the Internet's Spammers, Spam Gangs and Spam Services, provides dependable real-time anti-spam protection for Internet networks, and works with Law Enforcement to identify and pursue spammers worldwide.

3   Microsoft Corporation v Paul Martin McDonald [2006] EWHC 3410 (Ch), [2006] All ER (D) 153 (Dec).

4   SI 2003/2426.


© Parliamentary copyright 2007