Friday, August 10, 2007

Lords publish Personal Internet Security report

The House of Lords Science and Technology Committee has just published its report (led by Lord Broers) on Personal Internet Security. Without overstating the problem, they note the growing damage that online crime is doing to public confidence in the Internet, and call for the government to better incentivise organisations' security efforts.

One of the committee's main recommendations is that companies need to take more responsibility for their customers' safety online, with suggestions that liability should be imposed on software vendors, financial institutions and Internet Service Providers. The committee also criticises the low priority given by the police to e-crime, not least through the merger of the National High-Tech Crime Unit into the Serious Organised Crime Agency, which is focused on larger-scale criminality, and the hand-off to the banks of responsibility for reporting online financial fraud.

It's nice to see a specific suggestion on bank liability, which Nicholas Bohm, Brian Gladman and I recommended in a 2000 paper (Electronic commerce: who carries the risk of fraud?):

8.16. The steps currently being taken by many businesses trading over the Internet to protect their customers' personal information are inadequate. The refusal of the financial services sector in particular to accept responsibility for the security of personal information is disturbing, and is compounded by apparent indifference at Government level. Governments and legislators are not in a position to prescribe the security precautions that should be taken; however, they do have a responsibility to ensure that the right incentives are in place to persuade businesses to take the necessary steps to act proportionately to protect personal data. (5.53)

8.17. We therefore recommend that the Government introduce legislation, consistent with the principles enshrined in common law and, with regard to cheques, in the Bills of Exchange Act 1882, to establish the principle that banks should be held liable for losses incurred as a result of electronic fraud. (5.54)

Liability for software companies is trickier. Would Free/Open Source Software be exempt? If so, this creates a strong market incentive towards its use (which is not necessarily a bad thing). If not, will liability fall on authors, download sites, and/or organisations such as the Apache Software Foundation — all of whom would likely react by exiting the software market? The committee suggests a "good samaritan" exemption for FOSS authors, although not for aggregators and service companies such as Red Hat.

Limited liability for Internet Service Providers that fail to take reasonable steps to prevent the origination of spam and Denial of Service attacks from their networks is sensible, although the details will be hard to get right. ISPs are not the pots of gold that record companies and others sometimes claim, and have no wish to be the gatekeepers to the Internet envisioned by some lobbyists. Over-broad ISP regulation will increase the cost of Internet access and damage the government's efforts to reduce the digital divide. Lilian Edwards has some suggestions on the creation of a "security commons" that are worth considering.

Overall the report has a raft of sensible suggestions for improving the trustworthiness of the Internet in the UK. The Home Office has responded positively to the report and hopefully will consult widely over legislation to implement the report's recommendations.

1 comment:

Fred said...

I will leave it to others to comment on whether the outcome of any changes to the liabilities of software authors will cause even greater concentration of power in the hands of those major commercial players who cannot be trusted.

Instead I wholeheartedly commend the proposed update of the Bills of Exchange Act 1882. The fact that the banks currently push liability for chip & pin fraud onto the customer in their terms and conditions is the one reason why I refuse to use the system. Of course they are making life difficult for us cheque users by getting very many of their bigger customers to refuse to accept cheques. If the banks were obliged to accept liability for fraud, it would force them to take their security seriously.