Select Committee on European Union Written Evidence

Appendix B:

Article for IMIS Column in Computing—March 2000

  The new Regulation of Investigatory Powers Bill, however much amended in the course of debate, contains clear liabilities for IT managers to help the police if their systems have been used to handle criminal traffic. Such abuse can take many forms. Were your systems among those "hijacked" over the past month to help mount "denial of service" attacks on major e-traders (from Amazon to e-Bay)? Meanwhile it has been reported that analyses from some of the main US portals show that over 40 per cent of searches are initiated by adult males in search of pornography. This raises issues of privacy as well as the question of how much of this is being done at your expense.

  "Spamming" (automated, unsolicited, mass e-mailing, including to school groups) and the doctoring of search engines (including to promote material offensive to much of the population) cause concern among those who wish to see the Internet become a mass-market medium for education and entertainment. But the issues go well beyond pornography, paedophilia and censorship through hacking and the "laundering" of transmissions to electronic fraud, both large and small.

  The image of the Internet as being outside the law is as misleading as is that of untraceable anonymity. "They" may not know you are a dog but "they" may well know that you are a dirty dog. It is said that over 60 per cent of software and video/music sold over Internet auction sites is pirated and that the main reason for auctioning is to build lists of those in the market for such material and to collect their payment authorisation details, so that they can be charged whether or not they buy again. This again raises the issues of responsibility when pirated material is bought via your Corporate network.

  Those whose facilities are used to access content that is already illegal under existing UK law can (under a variety of circumstances) be held to be the publishers. They may also share liability for breach of copyright, libel and slander. Ignorance as to what is being carried may not be sufficient defence for the Corporate IT Manager, let alone the Internet Service Provider(s) concerned.

  The collation of analyses of Internet usage with personal information falls under the new Data Protection Directive but the routines for agreeing what is acceptable over the Internet with regard to services based in nations without equivalent Data Protection legislation are still unclear. Those who plan to use US-based services to analyse the traffic to their websites should talk to their lawyers, whether or not they have obtained the consent of their customers and also check the security of the services they plan to use. Even communications with reputable sites are not necessarily as private as you might think. One Portal has already been sued in the United States for copying and analysing the traffic it forwards to another.

  The different approaches of the various current and prospective EU Directives which might be applicable to e-commerce transactions, let alone the differences between these and the US, including state law and regulators, further complicate matters. (Visit for an update). Most regulators (Advertising, Financial Services etc) apply the same rules to products and services promoted over web-sites as they do to those advertised on paper or promoted over radio or TV. As far as Financial Services are concerned the rule of thumb is simple—do not put anything on your web site that you would not put in an advert in the International Edition of the Financial Times or Wall Street Journal.

  Security issues also need to be addressed. A number of large US organisations which used to provide direct Internet access from corporate systems have withdrawn it and now make unauthorised access a disciplinary offence. The reasons range from concerns over security to concerns over the waste of corporate time. The security concerns also cover personally owned systems which are used for corporate work. Audits of the sources of virus infection on controlled networks (which supposedly use only centrally procured software and have no Internet access) have shown that file transfers from domestic systems are the most common residual cause.

  The position of the Institute for the Management of Information Systems is simple. Its guidelines (e-mail [email protected] for a copy) state:

    —  that those responsible for corporate IS policy review which members of staff, if any, need access from their place of work to the Internet, as opposed to protected Intranets;

    —  that the installation or use of any unauthorised software by employees on systems owned by the employer or used for corporate work be an explicit disciplinary offence;

    —  that unauthorised access to the Internet and the unauthorised transmission or receipt of messages or traffic on systems owned by the employer or used for corporate purposes be an explicit disciplinary offence.

  This need not conflict with the call by MSF for employees to be given similar access to the Internet from the place of work as they have to a phone. In locations where telephone calls are recorded for audit or regulatory purposes (eg call centres or dealing rooms) the solution is to provide facilities for personal calls in the rest area. Similarly facilities for personal e-mails or web-access, bypassing the corporate systems, could also be provided in rest areas.


© Parliamentary copyright 2000