Select Committee on Science and Technology Fifth Report

CHAPTER 8: Summary of Conclusions and Recommendations

8.1.  In this Chapter we set out our recommendations and conclusions in full. The numbers in brackets refer to the relevant paragraphs in the text.

Overview: The Internet and Personal Security

8.2.  The benefits, costs and dangers of the Internet are poorly appreciated by the general public. This is not surprising, given the lack of reliable data, for which the Government must bear some responsibility. The Government are not themselves in a position directly to gather the necessary data, but they do have a responsibility to show leadership in pulling together the data that are available, interpreting them for the public and setting them in context, balancing risks and benefits. Instead of doing this, the Government have not even agreed definitions of key concepts such as "e-crime". (2.42)

8.3.  We recommend that the Government establish a cross-departmental group, bringing in experts from industry and academia, to develop a more co-ordinated approach to data collection in future. This should include a classification scheme for recording the incidence of all forms of e-crime. Such a scheme should cover not just Internet-specific crimes, such as Distributed Denial of Service attacks, but also e-enabled crimes—that is to say, traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission. (2.43)

8.4.  Research into IT security in the United Kingdom is high in quality but limited in quantity. More support for research is needed—above all, from industry. The development of one or more major multi-disciplinary research centres, following the model of CITRIS, is necessary to attract private funding and bring together experts from different academic departments and industry in a more integrated, multi-disciplinary research effort. We recommend that the Research Councils take the lead in initiating discussions with Government, universities and industry with a view to the prompt establishment of an initial centre in this country. (2.44)

8.5.  Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act 1990. We welcome the Minister's assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim. (2.45)

The network

8.6.  We see no prospect of a fundamental redesign of the Internet in the foreseeable future. At the same time, we believe that research into alternative network architectures is vital to inform the incremental improvements to the existing network that will be necessary in the coming years. We recommend that the Research Councils continue to give such fundamental research priority. (3.8)

8.7.  The current emphasis of Government and policy-makers upon end-user responsibility for security bears little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk. It is time for Government to develop a more holistic understanding of the distributed responsibility for personal Internet security. This may well require reduced adherence to the "end-to-end principle", in such a way as to reflect the reality of the mass market in Internet services. (3.34)

8.8.  The current assumption that end-users should be responsible for security is inefficient and unrealistic. We therefore urge the Government and Ofcom to engage with the network operators and Internet Service Providers to develop higher and more uniform standards of security within the industry. In particular we recommend the development of a BSI-approved kite mark for secure Internet services. We further recommend that this voluntary approach should be reinforced by an undertaking that in the longer term an obligation will be placed upon ISPs to provide a good standard of security as part of their regulated service. (3.67)

8.9.  We recommend that ISPs should be encouraged as part of the kite mark scheme to monitor and detect "bad" outgoing traffic from their customers. (3.68)

8.10.  We recommend that the "mere conduit" immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code. This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem. (3.69)

8.11.  The uncertainty over the regulatory framework for VoIP providers, particularly with regard to emergency services, is impeding this emerging industry. We see no benefit in obliging VoIP providers to comply with a regulatory framework shaped with copper-based telephony in mind. We recommend instead that VoIP providers be encouraged to provide a 999 service on a "best efforts" basis reflecting the reality of Internet traffic, provided that they also make clear to customers the limitations of their service and the possibility that it may not always work when it is needed. (3.70)

Appliances and applications

8.12.  The IT industry has not historically made security a priority. This is gradually changing—but more radical and rapid change is needed if the industry is to keep pace with the ingenuity of criminals and avoid a disastrous loss of confidence in the Internet. The major companies, particularly the software vendors, must now make the development of more secure technologies their top design priority. We urge the industry, through self-regulation and codes of best practice, to demonstrate its commitment to this principle. (4.38)

8.13.  In particular, we urge the industry to endorse the following as best practice:

8.14.  However, efforts to promote best practice are hampered by the current lack of commercial incentives for the industry to make products secure: companies are all too easily able to dump risks onto consumers through licensing agreements, so avoiding paying the costs of insecurity. This must change. (4.40)

8.15.  We therefore recommend that the Government explore, at European level, the introduction of the principle of vendor liability within the IT industry. In the short term we recommend that such liability should be imposed on vendors (that is, software and hardware manufacturers), notwithstanding end user licensing agreements, in circumstances where negligence can be demonstrated. In the longer term, as the industry matures, a comprehensive framework of vendor liability and consumer protection should be introduced. (4.41)

Using the Internet: businesses

8.16.  The steps currently being taken by many businesses trading over the Internet to protect their customers' personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in a position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data. (5.53)

8.17.  We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud. (5.54)

8.18.  We further believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal Internet security. We recommend that the Government, without waiting for action at European Commission level, accept the principle of such a law, and begin consultation on its scope as a matter of urgency. (5.55)

8.19.  We recommend that a data security breach notification law should incorporate the following key elements:

8.20.  We further recommend that the Government examine as a matter of urgency the effectiveness of the Information Commissioner's Office in enforcing good standards of data protection across the business community. The Commissioner is currently handicapped in his work by lack of resources; a cumbersome "two strike" enforcement process; and inadequate penalties upon conviction. The Government have expressed readiness to address the question of penalties for one type of offence; we recommend that they reconsider the tariffs for the whole of the data protection regime, while also addressing resources and enforcement procedures. These should include the power to conduct random audits of the security measures in place in businesses and other organisations holding personal data. (5.57)

Using the Internet: the individual

8.21.  The Government-sponsored Get Safe Online website already provides useful information and practical advice to Internet users, but its impact is undermined by the multiplication of other overlapping websites. We recommend that the Government provide more explicit high-level political support to the Get Safe Online initiative and make every effort to recruit additional private sector sponsors. If necessary, the site should be re-launched as a single Internet security "portal", providing access not only to the site itself but acting as a focus and entry-point for other related projects. (6.46)

8.22.  We agree with the Minister that there needs to be a "step change" in the way the regulator Ofcom approaches its duties in relation to media literacy. We recommend that Ofcom not only co-sponsor the Get Safe Online project, but that it take on responsibility for securing support from the communications industry for the initiative. (6.47)

8.23.  We further recommend that, in addition to the new kite mark for content control software, Ofcom work with the industry partners and the British Standards Institute to develop additional kite marks for security software and social networking sites; and that it continue to keep under review possible areas where codes of best practice, backed up by kite marks, might be appropriate. (6.48)

8.24.  We recommend that the Department for Children, Schools and Families, in recognition of its revised remit, establish a project, involving a wide range of partners, to identify and promote new ways to educate the adult population, in particular parents, in online security and safety. (6.49)

Policing the Internet

8.25.  We recommend that the Government introduce amendments to the criminal law, explicitly to criminalise the sale or purchase of the services of a botnet, regardless of the use to which it is put. (7.74)

8.26.  We recommend that the Government, in partnership with the Association of Chief Police Officers and the Serious Organised Crime Agency, develop a unified, web-based reporting system for e-crime. The public face of this system should be a website designed to facilitate public and business reporting of incidents. The back-end software should have the capacity to collect and collate reports of e-crime, identify patterns, and generate data on the incidence of criminality. The website could also serve as a portal to other more specialised sites, for instance on online child abuse or identity theft. It would be an invaluable source of information for both law enforcement and researchers. (7.75)

8.27.  As a corollary to the development of an online reporting system, we recommend that the Government review as a matter of urgency their decision to require online frauds to be reported to the banks in the first instance. We believe that this decision will undermine public trust in both the police and the Internet. It is essential that victims of e-crime should be able to lodge a police report and have some formal acknowledgement of the fact of a crime having been committed in exchange. We see no reason why such reports should not be made online, processed and forwarded to the banks automatically. (7.76)

8.28.  If these recommendations are to be acted upon, the police service will need to devote more resources to e-crime. We acknowledge the good work undertaken by SOCA and on behalf of ACPO, but within the police, skills and forensic capability still vary from force to force. While it is vital to raise police skills across the board, rather than just those of specialists, "mainstreaming" is only part of the answer. We therefore recommend the establishment of a network of computer forensic laboratories, under the aegis of the proposed ACPO national e-crime unit, but with significant central funding. (7.77)

8.29.  We further urge the Home Office, without delay, to provide the necessary funds to kick-start the establishment of the Police Central e-crime Unit, without waiting for the private sector to come forward with funding. It is time for the Government to demonstrate their good faith and their commitment to fighting e-crime. (7.78)

8.30.  These recommendations will all cost money. But e-crime is expanding rapidly: the choice is either to intervene now to make the necessary investment, and perhaps to keep the threat to the Internet under control, or to let it grow unchecked, and risk an economically disastrous, long-term loss of public confidence in the Internet as a means of communication for business and Government alike. (7.79)

8.31.  We urge the Government to fulfil its commitment to ratify the Council of Europe CyberCrime Convention at the earliest possible opportunity. At the same time, in order to ensure that the United Kingdom fulfils the spirit as well as the letter of Article 25 of the Convention, we recommend that the Government review the procedures for offering mutual legal assistance in response to requests for help from other countries in investigating or prosecuting e-crime. (7.80)

8.32.  Finally, we recommend that the Government take steps to raise the level of understanding of the Internet and e-crime across the court system. In particular:


© Parliamentary copyright 2007