Examination of Witnesses (Questions 957
WEDNESDAY 18 APRIL 2007
Welcome, Professor Zittrain and Mr Cormack. Thank you very much
for coming to talk to us and to answer our questions and a welcome
to those of you from the public and the media who are here. To
open, would you like, please, to introduce yourselves and to make
any opening statements you might want to make?
Professor Zittrain: Yes. Thank you, Lord Chairman.
My name is Jonathan Zittrain. I am the Professor of Internet Governance
and Regulation at Oxford University, where I work at the Oxford
Internet Institute, and I am co-founder of the Berkman Centre
for Internet & Society at Harvard Law School, where I am the
Jack N. and Lillian R. Berkman Visiting Professor for Entrepreneurial
Legal Studies. I have had an interest in Internet security for
at least ten years and my interest has increased in the past four
years or so. Many of us are aware that the way the Internet was
built was to be able to carry data from one arbitrary point to
another without any gate-keeping in the middle. It has been a
wonderful feature, so-called end-to-end or network neutrality.
This design principle means that any desire to control the flow
of data, including data which might be harmful data, is not very
easy to effect on today's Internet. There were other networks
which the Internet out-competed, so-called proprietary networks,
for which, whatever other disadvantages they had, would have had
a leg up in battling the kinds of problems the Internet is now
facing. There is a parallel problem for Internet end points, things
like the general purpose personal computer, which is still the
primary device hooked up to the Internet. That PC will run any
code you hand it and just as it is great to have a network which
will carry any bit from one place to another, it has been the
signal event, in my view, of the information revolution that there
has been an eco-system primarily comprising general purpose PCs
which can run executable code from anywhere. No gate-keeping,
including by the vendor of the PC, is in a position to easily
stop it. That is because even vendors like Microsoft, who are
known to have so-called proprietary operating systems which cannot
be changed very easily by third parties, are still putting out
so-called generative operating systems where any code can be built
by anyone to run on it. However, that benefit, which has so many
good implications, is also to my mind the fundamental security
problem. Indeed, it is not so much a problem in the network so
much as it is in the end points and the problem is not one of
Windows versus Linux versus Apple, it is a problem that so long
as the user is given the freedom to run arbitrary code from somewhere
else then that user can make, and will make, poor choices about
what code to run. The implications of a bad choice can be devastating
to the user of the computer and it can have spill-over effects
to anybody nearby on the network (and nearby on the network need
not be nearby in physical space). I believe, Lord Chairman, our
central challenge is to figure out how to preserve the best generative
aspects of the network and the PC, the ability to run code and
data from third parties without undue intervention, while taking
on the very real problems which are now starting to flow from
exactly that same characteristic. Thank you.
Mr Cormack: My Lord Chairman, my name is Andrew
Cormack. My job title is Chief Regulatory Advisor at UKERNA. UKERNA
is the company which runs the JANET network, which connects together
all universities and colleges in the UK. We also connect schools'
regional networks. In the case of the universities, colleges and
research centres we also connect them to the Internet. As far
as they are concerned, we are the Internet. I started off as head
of the Technical Incident Response Team eight years ago, so I
spent four years dealing with the consequences of people's bad
choices for themselves and for universities. More recently, I
have moved to looking at new uses of the network, whether that
is new technologies, new user groups, new end points, new devices,
IP telephony, the use of telephone converging onto the same network
as dataall these sorts of issuesto try and spot
any problems, whether they come from people, from technology or
from regulatory issues, and to propose solutions, whether those
be technological, policy, advice or occasionally regulation.
Thank you. Let me ask the first question, which we might put in
the context of your description of the system and its difficulties,
which I think we have a fair understanding of, but given all of
that, who should be responsible for personal Internet security
and how can they be made to shoulder their responsibility?
Professor Zittrain: A set of short and medium
term answers are that everybody needs to pitch in a little bit.
I believe that with Internet service providers who find it convenient
to maintain the idea of end to end for these purposes and say,
"Hey, we just carry the data. It's not up to us whether the
digital box we're delivering has a ticking sound coming from it,"
there are some narrow circumstances in which those Internet service
providers can be helpful. At the moment there are some clear tell-tales
when, for example, a PC on the network has been compromised, has
basically slipped the lead of its owner and is spewing viruses
and spam. Interestingly, right now the Internet service provider
which hosts that machine will generally not take any action because
it creates a customer service event which they then have to deal
with, it makes for an upset customer who finds that his network
connectivity has been disrupted by the ISP and they do not want
to take ownership of it because there is no other economic reason
for them to do so. So that is one quick answer. Another answer,
which I imagine Mr Cormack will get into as well, is that users
themselves can take some responsibility, but they need the tools
to be able to responsibly do it, and right now they do not have
those tools. There is not even a basic way to know the data which
is going into and out of one's machine and without any ability
to easily audit it and make sense of it, it is very difficult
for the user to say, "Something isn't working so well,"
and to be able then to take some proactive steps to fix it.
Mr Cormack: I think I would very much agree.
I would add that I think people on both sides of ISPs, users certainly,
believe that the Internet will become part of normal society.
In normal society, individuals are ultimately responsible for
their own security and their own safety. I would actually put
the problem even earlier in the process than Professor Zittrain
does and say that many peoplemore than 50 per cent according
to a recent survey by Get Safe Onlinedo not even believe
that their own behaviour has any effect on their safety. Their
safety is somebody else's problem. That is, I think, the most
depressing thing I have read for several years because those people
are never going to be able to use the Internet as normal, it will
always be a special event. They will change into Internet mode
where "Everybody else looks after me," from the real
world mode where you take care to walk on the pavement outside.
I would agree ISPs could do more, some ISPs. On the other hand,
ISPs are now starting to advertise the measures they take, which
suggests they see them as being differentiators, things that customers
will buy. That seems a virtuous spiral where ISPs are advertising
security measures, customers are choosing ISPs which offer security
measures, therefore they get better.
You do not see a case for making them legally liable for anything?
Bruce Schneier, who talked to us in February, argued persuasively
for the imposition of legal liability from a range of parties
in fact in the industry, including the software vendors, retailers,
ISPs, and so on, and in the event that they failed to use their
best efforts to protect customers from security risks then they
should be legally liable.
Professor Zittrain: Yes, I am familiar with
Bruce Schneier's argument and I disagree with about 80 per cent
of it. There is some merit in certain circumstances to establishing
a legal framework by which in the most clear cut cases we could
see particular parties who but for the flick of a switch could
make something better are asked to do so. To me a great example
of that I have already adverted to, which is the Internet service
provider who is hosting a machine which is spewing spam and malware,
easily detectable, and they are simply neglecting to do it because
that is the way the numbers work for them. There might be an opportunity
to impose some form of regulation. The rest of Bruce's argument
to me adheres to the tricky claim that it is very easy to know
what is and what is not a software vulnerability. In the so-called
generative systems that I have been talking about, operating systems
which are meant to be able to run multiple code from multiple
vendors at the same time, it is so easy for one vendor to point
a finger at the other and the risk is that should we impose liability
on, say, the operating system maker, "Here you go, Microsoft,
the animated cursor bug has hit again. You're in trouble,"
not only would you have some issue as to how to measure and then
pay out damages, but you would also have the issue then of Microsoft
starting to build so defensively that you would no longer have
generative systems. They would start screening their vendors the
way that they do for the Xbox video game console. Third parties
can code for the Xbox, but they need a special licence from Microsoft
before they can sell their software and that greatly constrains
the uses to which that box will be put.