Select Committee on Science and Technology Fourth Report


Personal Internet Security: Follow-up


The Committee's Commentary on the Government Response

Background

1.  In August 2007 we published our Report Personal Internet Security.[1] We made a number of recommendations, the underlying principle of which was that although the Internet was a powerful force for good, action had to be taken quickly to ensure that, in a period of rapid technological change, members of the public had confidence that the Internet was safe and secure and that personal data were properly protected.

2.  The Government responded in October 2007 (Cm 7234). They did not share our view that there was a public perception of the Internet as a lawless "wild west" and many of our recommendations were rejected.

3.  Given this unsatisfactory response, on 20 February 2008, we announced a short follow-up inquiry. We wrote to those who had given oral evidence to our original inquiry and asked them to comment on the Government response. We are grateful to those who replied and their replies are printed as evidence at the end of this Report. Following the written consultation, on 20 May, we took oral evidence from two Ministers involved in Government policy on personal Internet security: Mr Vernon Coaker MP, Parliamentary Under-Secretary of State for Crime Reduction at the Home Office, and Baroness Vadera, Parliamentary Under-Secretary of State for Business and Competitiveness at the Department for Business, Enterprise and Regulatory Reform. A transcript of their evidence is reprinted in this volume.

Our follow-up inquiry

4.  Follow-up inquiries, whether undertaken soon after publication of the original report or after a more substantial period of time has elapsed, are an important part of the scrutiny activity of the Science and Technology Committee. On this occasion, we were pleased that, following the disappointment of the Government's original response, Ministers were able to offer a slightly more positive view of how the Committee's recommendations were to be taken forward. We were heartened by Mr Coaker's acknowledgement that our follow-up inquiry had prompted the Government to re-consider their response—not only had the Committee's report "helped to drive the agenda forward" but "the re-submission of evidence and the re-thinking that that [had] caused" had reinforced that progress (Q 24).

5.  Whilst we welcome this comment, the evidence we received during this short follow-up inquiry indicates that there is still much work to be done, and that the Government's assertion that they are driving forward the personal Internet security agenda is more a matter of promises for the future than achievements in the present.

6.  We draw in particular the following areas of concern to the attention of the House.

RESPONSIBILITY FOR PERSONAL INTERNET SECURITY

7.  In our Report we concluded that the emphasis of Government and policy-makers upon end-user responsibility for security bore little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk. We recommended that the Government should develop a more holistic understanding of the distributed responsibility for personal Internet security (Recommendation 8.7).

8.  We welcome Baroness Vadera's clarification that it was not her department's view that consumers had "ultimate responsibility" (Q 2) and also her acknowledgment that the Government needed to show "some leadership" in this area (Q 3). It remains disappointing however that despite the Government's commitment to work with the industry to promote consumer confidence in the role of Internet Service Providers (ISPs) in ensuring personal Internet security, we heard no evidence from the Government of any concrete developments. We take some comfort from Baroness Vadera's agreement that measures need to be introduced to protect the consumer against e-crime, demonstrated by her expression of interest in kite-marking and a code of conduct for ISPs. We look forward to positive achievements in this regard in the near future.

SOFTWARE VENDOR LIABILITY

9.  In response to our recommendation (Recommendation 8.15) that the general principle of software vendor liability should be explored, the Government suggested that there was scope for this matter to be raised during discussions at the European level on the Review of the Consumer Acquis. We asked Baroness Vadera for a progress report. We were disappointed to be told that software vendor liability was unlikely to be taken up in those discussions (Q 7). This answer however came as no surprise since we had received evidence from Nicholas Bohm, one of the expert stakeholders accredited to the European Commission in connection with the Consumer Acquis review, that he had not been aware of any discussion about changing the liability model applying to vendors, either at the European level or in meetings between United Kingdom stakeholders and the Ministry of Justice (p 22).

10.  We acknowledge that steps to establish software vendor liability should be taken internationally, rather than by the United Kingdom alone. We therefore press the Government to indicate how they intend to take this recommendation forward if their original intention with regard to the Consumer Acquis discussions has proved unfruitful.

PROTECTION OF PERSONAL DATA

11.  The protection of personal data was national news in November 2007 when it became public that there had been a serious security breach at Her Majesty's Revenue and Customs (HMRC). Two computer disks containing HMRC's child benefit database were sent to the National Audit Office but went missing in transit. Personal data, including bank account details, affecting about 25 million people were lost. In a recent report by the Joint Committee on Human Rights (JCHR), further lapses in personal data security by the Government are enumerated. They include, for example, "the theft of a Ministry of Defence laptop containing personal information relating to around 600,000 people, most of whom had expressed an interest in joining the Royal Navy, Royal Marines or the Royal Air Force" and "the loss of two disks in transit from the Driver and Vehicle Agency in Northern Ireland to the Driver and Vehicle Licensing Agency in Swansea, containing the unencrypted details of 7,500 vehicles and the names and addresses of their owners".[2] The JCHR concluded that "it would be wrong to see these errors and lapses as unfortunate 'one-off' events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously … The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards."[3]

12.  Baroness Vadera's view that the HMRC incident was "a bit of a wake-up call" (Q 13) seems to us to be an understatement of the seriousness of what has been happening within Government. In his follow-up submission, Nicholas Bohm comments that "the Committee's concerns have turned out to be well-founded; and the Government's denials that losses of personal data were increasing or that it was indifferent to them have been cast into the awkward light of reality by the deluge of reported data losses that began to emerge in such quantity not long after its reply was published" (p 22). More positively, the Metropolitan Police Service suggests that "the benefit of these recent catastrophic losses may be to force industry to examine their own protection systems and processes" (p 29).

13.  We regret that what in fact appears to have been a level of indifference on the part of the Government has now been dispelled only as a result of recent incidents involving serious losses of personal data. As Mr Richard Thomas, Information Commissioner, told the JCHR: "it should not take a train crash to prevent casualties on the railway, but we have had a train crash and that has served as a wake-up call".[4]

14.  The Government set up a number of reviews to improve their performance with regard to personal data security: the Cabinet Secretary, Sir Gus O'Donnell, established a review into data protection and security procedures within government;[5] Kieran Poynter, Chairman and Senior Partner of PricewaterhouseCoopers LLP, carried out a review of data handling in the HMRC;[6] Sir Edmund Burton, Chairman of the Information Assurance Advisory Council, carried out a review within the Ministry of Defence,[7] and the Information Commissioner and Dr Walport, Director of the Wellcome Trust, are looking at the framework for the use of information in both the private and public sectors. In a letter dated 3 June, Baroness Vadera provided further information about the reviews: "the Government", she says, "will take a considered view on what further measures it needs to take to strengthen the protection of personal data in light of the recommendations" of the four reviews. The letter is printed with this Report (p 14).

15.  As for action by the private sector, we note that in their follow-up submission, the Association for Payment Clearing Services (APACS) indicates that their members and the wider banking community are also involved in initiatives to strengthen the arrangements for the protection of personal data. Baroness Vadera, however, speaking more generally about businesses, was less upbeat: although there was a trend of increasing spend on IT security, about 20 per cent of companies, she said, spent less than one per cent of their IT spend on security. She concluded that there was more to be done (Q 13), and we share that view.

16.  We look forward to an early report to the House about the measures that will be put in place by the Government, in light of the outcome of the various reviews that have been undertaken, to strengthen personal data security both within Government departments and also within the business sector.

17.  In our Report we also recommended that the Government accept in principle that a data security breach notification law was needed, and that they should begin consultation on its scope (Recommendation 8.18). We characterised this as being "among the most important advances that the United Kingdom could make in promoting personal Internet security". The majority of the follow-up submissions comment upon our recommendation, with many concerns being expressed about the potential scope, but equally noting that we had already been careful in Recommendation 8.19 to address some of the potential pitfalls. Baroness Vadera's view was that it was very difficult to draft legislation or regulations that would set the correct level at which individuals should be informed about a breach—it was "really about proportionality and significance" (Q 16). She also told us that this issue would be considered as part of the reviews of Government data security.

18.  We entirely agree that setting the correct level of notification is absolutely key, but we hold to our view that data security breach notification legislation would have the twin benefits of increasing the incentives on businesses to avoid data loss and, should a breach occur, of giving individuals timely information so that they can reduce the risk to themselves.

CONSUMER PROTECTION

19.  We recommended (Recommendation 8.17) that legislation should be introduced to establish the principle that banks be held liable for losses incurred as a result of electronic fraud. The Government responded that this would be an inappropriate approach to securing liability and that the Banking Code offered sufficient protection against losses arising from fraud, a point also taken up by APACS (p 18).

20.  We find this response wholly unsatisfactory. Professor Ross Anderson (p 15) and Nicholas Bohm (pp 22-23) in their follow-up submissions are critical of the Government's reliance on the banking industry. Professor Anderson says: "on consumer protection, the Government is being disingenuous in claiming that the banking industry's practices provide adequate protection". He goes on to argue that "the banking code … provides scant protection; where a password or PIN has been used, the bank often simply claims that the customer must have been negligent or complicit" although there were a variety of means by which passwords and PINs could be harvested without the customer being aware. The Financial Services Ombudsman (who "routinely backs the banks") and the courts, he suggests, do not provide adequate avenues for redress and, as a result, "dozens of victims" approach him every year "out of desperation" (p 15).

21.  Nicholas Bohm makes a similar complaint that "the banks' 'proof' that the customer colluded in the fraud or caused it by negligence is a proof by assertion not based on evidence openly produced for testing" (p 22). He goes on to point out that the banks design the systems for online banking, and "if they were forced to meet claims that they could not disprove by open evidence, they could decide whether to stand the losses or to improve the security, whichever they preferred" (p 23).

22.  We remain strongly of the view that the liability of banks for losses incurred by electronic fraud should be underpinned by legislation rather than by the Banking Code, and we urge the Government to review their response to our recommendation without delay.

23.  We also have significant concerns about the way in which complaints of online banking fraud are currently handled and, in particular, the basis on which the banks determine that an alleged fraud is to be attributed to the customer, whether by fraudulent or negligent activity. We recommend that the banks' approach to handling allegations of online fraud should be reviewed as a matter of urgency.

REPORTING PROCEDURE FOR ONLINE FRAUD

24.  In our Report we expressed surprise at the decision of the Government to issue guidelines (with effect from 1 April 2007) to police forces as a result of which those who had experienced online fraud were encouraged to make a report in the first instance to APACS who would then decide whether to forward the report to the police. We were concerned about reporting fraud in this sequence on the ground that the decision of the banks to pass a report to the police might be influenced by commercial factors. We recommended that the Government should review these guidelines as a matter of urgency (Recommendation 8.27).

25.  Nicholas Bohm expresses a similar concern: "The Government claims that where customers are not refunded they retain the ability to report these matters directly to the police, where crimes should be recorded. I am sceptical of this latter claim, and suspect that where the bank refuses to report a fraud, the police may well refuse to accept the customer's claim that there was one … A system which depends on a decision by a bank on whether or not a customer has been defrauded is flawed by the fact that the bank has a direct financial interest in denying the customer's claim" (p 23).

26.  In their original response, the Government did not accept our recommendation on the reporting procedure, arguing that the current arrangement significantly reduced police bureaucracy without compromising their effectiveness in dealing with online fraud. We are pleased therefore that the Government have reflected further on this matter and have now undertaken to review the reporting procedure to "see whether it [is] working in the way that [the Government] intended" (Q 43). Meanwhile, we reiterate our strongly held view that the current reporting sequence is wholly unsatisfactory and that it risks undermining public trust in the police and the Internet.

DATA COLLECTION AND A CLASSIFICATION SCHEME FOR RECORDING OF E-CRIME

27.  In our Report we recommended that there should be a more co-ordinated approach to data collection relating to e-crime, including the development of a classification scheme for recording all forms of e-crime (Recommendation 8.3). We proposed that the classification scheme should cover both Internet-specific crimes (such as Distributed Denial of Service attacks) and also e-enabled crimes (traditional crimes committed by electronic means or where there is a significant electronic aspect to their commission). The Government did not accept our recommendation, arguing that e-crimes are "standard offences that are facilitated by new technology, rather than new types of offence".

28.  We share with Nicholas Bohm, a member of the Law Society's Electronic Law Committee but commenting in his personal capacity, the view that the Government's response "misses the point" because "what e-crimes have in common is that they require particular skills to investigate them" (p 20). A number of others also feel that the Government should have responded more positively to our recommendation. APACS comment in the same vein as Nicholas Bohm and encourage us to "create the conditions for policy makers to better understand the impact of e-crime" (p 16). eBay and PayPal suggest that collection and classification of e-crime data would "provide a helpful tool for companies actively fighting e-crime … and would also be helpful in shedding light on the real scale of the problem" (p 26). The Children's Charities' Coalition on Internet Safety (p 26) and the Child Exploitation and Online Protection Centre (p 25) make a similar point.

29.  Given this level of disagreement with the Government response, we were pleased to hear a more encouraging response from Mr Coaker who explained that there were proposals under consideration to develop the National Fraud Reporting Centre (NFRC), announced in March 2007 following the 2006 Fraud Review, as a focus for collecting information about all frauds, both e-crime and traditional, and also about those crimes which were not fraud but were e-crime (Q 24).

30.  The availability of comprehensive and reliable data about e-crime—the scale of the problem, the risks to the public and the costs to the economy—is fundamental to developing an effective response to the problem of e-crime and to promoting public confidence in the Internet. We urge the Government to implement proposals in response to our recommendation on data collection and data classification without further delay.

POLICE CENTRAL E-CRIME UNIT

31.  In our Report we urged the Home Office to provide funding to accelerate the establishment of the Police Central e-Crime Unit since at the time when the Report was agreed (in July 2007) there had still been no funding commitment (Recommendation 8.29). This recommendation is firmly endorsed by Symantec in their follow-up submission (p 32).

32.  The Government responded positively to our view that there should be national co-ordination of policing e-crime, recognising that "such crime is not a problem that sits comfortably within local policing structures, and … historically most forces have underinvested in their capacity to respond effectively to it"; and in evidence, Mr Coaker reiterated the Government's belief that there was a "gap"—"a gap without a shadow of a doubt" (Q 33)—in the coordination of law enforcement in this area. As for funding, Mr Coaker told us that "within reason" the Home Office would "look to fund [a] law enforcement capability alongside the National Fraud Reporting Centre" (Q 33). He said that he would be meeting relevant law enforcement agencies to discuss this matter on 4 June. We understand that the law enforcement agencies present (Association of Chief Police Officers/Metropolitan Police Service, Serious Organised Crime Agency and City of London Police) reported to Mr Coaker that they had made good progress in working together to develop the law enforcement response to e-crime reported through the NFRC. The group will meet again in July to update Mr Coaker on progress.

33.  Whilst the Government appears to be moving in the right direction with regard to co-ordinating the policing of e-crime, we are concerned at the pace at which their commitment to develop a coordinated e-crime law enforcement capacity is proceeding. We invite the Government to report on the outcome of their meetings with relevant law enforcement agencies and to indicate by which date they anticipate a national e-crime law enforcement unit will be operative.

INTERNATIONAL CO-OPERATION

34.  In our Report we acknowledged that the United Kingdom was seen as a "good partner" in international action on e-crime but noted that the Government had yet to ratify the Council of Europe Convention on CyberCrime which the Government had signed in November 2001 (Recommendation 8.31). We believed this to be a matter of concern, particularly with regard to the mutual assistance provision set out in Article 25. In evidence, Mr Coaker told us that there had been some delay but that they intended ratifying the convention by the end of 2008. We welcome this commitment.

35.  We also recommended that the Government review the procedures for offering mutual legal assistance (MLA) in international e-crime cases (Recommendation 8.31). The Government's response was that there was sufficient provision made within the Crime (International Co-operation) Act 2003. However, our concern had been the slowness of MLA procedures, and this was something picked up by a number of the follow-up submissions. APACS comments "we do not feel that current arrangements for mutual legal assistance are sufficient to deal with the phenomenon of e-crime" (p 20). The Metropolitan Police Service characterises the MLA process as being "too slow to secure 'real-time' and 'short-lived' evidence", and calls for a "comprehensive review of the process" (p 30). Mr Justin Millar, Head of Computer Crime at the Home Office, told us that relevant work was going on in the G8 hi-tech crime subgroup and the Council of Europe Convention group (Q 49). We are pleased to hear that the emphasis has moved on from putting mechanisms in place, to considering whether those mechanisms are operating in a timely manner.

Conclusion

36.  We acknowledge that, following the Government's disappointing response to our Report, they have reflected further and, with regard to some of the issues we raised, there has been some progress towards meeting our concerns. What progress there is, however, appears to be slow. Given this, we particularly welcome Mr Coaker's offer to keep the Committee informed, every two months, of what is happening (Q 50). We accept this offer and look forward to the Minister's first report in July. We anticipate that we shall be returning to this topic on a regular basis.


1   House of Lords Science and Technology Committee, 5th Report, Session 2006-07 (HL Paper 165).

2   Joint Committee on Human Rights, 14th Report, Session 2007-08, Data Protection and Human Rights (HL Paper 72) (HC 132), p 5.

3   Ibid, p 14.

4   Ibid, Q 137.

5   Data Handling Procedures in Government: Final Report, Sir Gus O'Donnell (published 25 June 2008). See http://www.cabinetoffice.gov.uk/

6   Review of information security at HM Customs and Revenue, Kieran Poynter (published 25 June 2008). See http://www.hm-treasury.gov.uk/independent_reviews/poynter_review/poynter_review_index.cfm

7   Report into the Loss of MOD Personal Data, Sir Edmund Burton (published 25 June 2008). See http://www.mod.uk/DefenceInternet/AboutDefence/CorporatePublications/PolicyStrategyandPlanning/ReportIntoTheLossOfModPersonalData.htm



© Parliamentary copyright 2008