Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 957 - 959)



  Q957  Chairman: Welcome, Professor Zittrain and Mr Cormack. Thank you very much for coming to talk to us and to answer our questions and a welcome to those of you from the public and the media who are here. To open, would you like, please, to introduce yourselves and to make any opening statements you might want to make?

  Professor Zittrain: Yes. Thank you, Lord Chairman. My name is Jonathan Zittrain. I am the Professor of Internet Governance and Regulation at Oxford University, where I work at the Oxford Internet Institute, and I am co-founder of the Berkman Centre for Internet & Society at Harvard Law School, where I am the Jack N. and Lillian R. Berkman Visiting Professor for Entrepreneurial Legal Studies. I have had an interest in Internet security for at least ten years and my interest has increased in the past four years or so. Many of us are aware that the way the Internet was built was to be able to carry data from one arbitrary point to another without any gate-keeping in the middle. It has been a wonderful feature, so-called end-to-end or network neutrality. This design principle means that any desire to control the flow of data, including data which might be harmful data, is not very easy to effect on today's Internet. There were other networks which the Internet out-competed, so-called proprietary networks, which, whatever other disadvantages they had, would have had a leg up in battling the kinds of problems the Internet is now facing. There is a parallel problem for Internet end points, things like the general purpose personal computer, which is still the primary device hooked up to the Internet. That PC will run any code you hand it and just as it is great to have a network which will carry any bit from one place to another, it has been the signal event, in my view, of the information revolution that there has been an eco-system primarily comprising general purpose PCs which can run executable code from anywhere. No gate-keeping, including by the vendor of the PC, is in a position to easily stop it. That is because even vendors like Microsoft, who are known to have so-called proprietary operating systems which cannot be changed very easily by third parties, are still putting out so-called generative operating systems where any code can be built by anyone to run on it. However, that benefit, which has so many good implications, is also to my mind the fundamental security problem. Indeed, it is not so much a problem in the network so much as it is in the end points and the problem is not one of Windows versus Linux versus Apple, it is a problem that so long as the user is given the freedom to run arbitrary code from somewhere else then that user can make, and will make, poor choices about what code to run. The implications of a bad choice can be devastating to the user of the computer and it can have spill-over effects to anybody nearby on the network (and nearby on the network need not be nearby in physical space). I believe, Lord Chairman, our central challenge is to figure out how to preserve the best generative aspects of the network and the PC, the ability to run code and data from third parties without undue intervention, while taking on the very real problems which are now starting to flow from exactly that same characteristic. Thank you.

  Mr Cormack: My Lord Chairman, my name is Andrew Cormack. My job title is Chief Regulatory Advisor at UKERNA. UKERNA is the company which runs the JANET network, which connects together all universities and colleges in the UK. We also connect schools' regional networks. In the case of the universities, colleges and research centres we also connect them to the Internet. As far as they are concerned, we are the Internet. I started off as head of the Technical Incident Response Team eight years ago, so I spent four years dealing with the consequences of people's bad choices for themselves and for universities. More recently, I have moved to looking at new uses of the network, whether that is new technologies, new user groups, new end points, new devices, IP telephony, the use of telephone converging onto the same network as data—all these sorts of issues—to try and spot any problems, whether they come from people, from technology or from regulatory issues, and to propose solutions, whether those be technological, policy, advice or occasionally regulation.

  Q958  Chairman: Thank you. Let me ask the first question, which we might put in the context of your description of the system and its difficulties, which I think we have a fair understanding of, but given all of that, who should be responsible for personal Internet security and how can they be made to shoulder their responsibility?

  Professor Zittrain: A set of short and medium term answers are that everybody needs to pitch in a little bit. I believe that with Internet service providers who find it convenient to maintain the idea of end to end for these purposes and say, "Hey, we just carry the data. It's not up to us whether the digital box we're delivering has a ticking sound coming from it," there are some narrow circumstances in which those Internet service providers can be helpful. At the moment there are some clear tell-tales when, for example, a PC on the network has been compromised, has basically slipped the lead of its owner and is spewing viruses and spam. Interestingly, right now the Internet service provider which hosts that machine will generally not take any action because it creates a customer service event which they then have to deal with, it makes for an upset customer who finds that his network connectivity has been disrupted by the ISP and they do not want to take ownership of it because there is no other economic reason for them to do so. So that is one quick answer. Another answer, which I imagine Mr Cormack will get into as well, is that users themselves can take some responsibility, but they need the tools to be able to responsibly do it, and right now they do not have those tools. There is not even a basic way to know the data which is going into and out of one's machine and without any ability to easily audit it and make sense of it, it is very difficult for the user to say, "Something isn't working so well," and to be able then to take some proactive steps to fix it.

  Mr Cormack: I think I would very much agree. I would add that I think people on both sides of ISPs, users certainly, believe that the Internet will become part of normal society. In normal society, individuals are ultimately responsible for their own security and their own safety. I would actually put the problem even earlier in the process than Professor Zittrain does and say that many people—more than 50 per cent according to a recent survey by Get Safe Online—do not even believe that their own behaviour has any effect on their safety. Their safety is somebody else's problem. That is, I think, the most depressing thing I have read for several years because those people are never going to be able to use the Internet as normal, it will always be a special event. They will change into Internet mode where "Everybody else looks after me," from the real world mode where you take care to walk on the pavement outside. I would agree ISPs could do more, some ISPs. On the other hand, ISPs are now starting to advertise the measures they take, which suggests they see them as being differentiators, things that customers will buy. That seems a virtuous spiral where ISPs are advertising security measures, customers are choosing ISPs which offer security measures, therefore they get better.

  Q959  Chairman: You do not see a case for making them legally liable for anything? Bruce Schneier, who talked to us in February, argued persuasively for the imposition of legal liability from a range of parties in fact in the industry, including the software vendors, retailers, ISPs, and so on, and in the event that they failed to use their best efforts to protect customers from security risks then they should be legally liable.

  Professor Zittrain: Yes, I am familiar with Bruce Schneier's argument and I disagree with about 80 per cent of it. There is some merit in certain circumstances to establishing a legal framework by which in the most clear cut cases we could see particular parties who but for the flick of a switch could make something better are asked to do so. To me a great example of that I have already adverted to, which is the Internet service provider who is hosting a machine which is spewing spam and malware, easily detectable, and they are simply neglecting to do it because that is the way the numbers work for them. There might be an opportunity to impose some form of regulation. The rest of Bruce's argument to me adheres to the tricky claim that it is very easy to know what is and what is not a software vulnerability. In the so-called generative systems that I have been talking about, operating systems which are meant to be able to run multiple code from multiple vendors at the same time, it is so easy for one vendor to point a finger at the other and the risk is that should we impose liability on, say, the operating system maker, "Here you go, Microsoft, the animated cursor bug has hit again. You're in trouble," not only would you have some issue as to how to measure and then pay out damages, but you would also have the issue then of Microsoft starting to build so defensively that you would no longer have generative systems. They would start screening their vendors the way that they do for the Xbox video game console. Third parties can code for the Xbox, but they need a special licence from Microsoft before they can sell their software and that greatly constrains the uses to which that box will be put.


© Parliamentary copyright 2007