23 Aug 2007
Calls for business and law enforcement to take responsibility for individuals’ internet security are being met with scepticism from interest groups.
An influential House of Lords committee has recommended a series of measures designed to combat the ‘wild west’ reputation of the internet and shift accountability for online crimes such as fraud and identity theft.
‘The current assumption that end users should be responsible for security is inefficient and unrealistic,’ says the report published this month.
But industry representatives warn that many of the report’s recommendations might be unworkable.
Banks
A central proposal of the report is that financial institutions be made liable for personal losses online.
At the moment many banks bear the brunt of web fraud, but there is no legal requirement for them to do so and some leave customers to foot the bill. The banks are not keen to enshrine liability in law, maintaining it is unfair and leaves them open to fraudulent claims.
‘Banks are already doing a lot to protect consumers, introducing two-factor authentication, reporting phishing web sites and handling fraud reporting,’ said a senior source in the financial services industry.
‘Why should they be penalised for what will almost always be a user error?’
Business
The Lords committee also proposed a data breach notification law under which any business holding customers’ details would have to notify the public if that information is compromised.
Many US states already have similar requirements, but lobby groups such as the Confederation of British Industry (CBI) warn that such measures could damage UK business.
‘The proposal could impose a disproportionate burden on businesses already struggling to develop effective security practices in the complex world of internet commerce,’ said CBI head of e-business Jeremy Beale.
Law enforcers are also sceptical. Firms already contact the police when they lose data, and legislation could add to red tape, Serious Organised Crime Agency director general Bill Hughes told the committee.
But not everyone is against the plan. The concept has already had ‘qualified backing’ from the Information Commissioner earlier this year. And even some banks acknowledge the benefit to customers.
‘Breach notification is a measure for informing the public rather than helping law enforcement but, given the state of UK data protection, it is a step in the right direction,’ said one major bank’s chief information security officer.
Software suppliers
Software vendors should also take more responsibility for the security of their customers, said the Lords committee.
But industry groups say liability would be impossible to prove, because it would have to be shown that the user had installed the product properly and downloaded all the necessary and relevant updates.
Any law would have to be so technical that it would quickly become obsolete, said Nick Kalisperas, practice director at IT trade association Intellect.
‘You could only legislate for a single point in time so it would be difficult to get anything workable,’ he said.
ISPs
ISPs are the other main industry to come under the Lords’ spotlight. ISPs should develop a BSI-approved kitemark for secure internet services, with a legislative obligation that they adhere to it, says the report.
There is some scope for ISPs to become involved in users’ security, but legislation forcing the removal of illegal content would undermine freedom of information online, said the Internet Services Providers Association (ISPA).
Even if service providers did start to take responsibility, most illegal content comes from overseas so the law would have limited effect, said ISPA.
Despite the defences of the status quo, the implications of internet security issues are too great to ignore.
Ultimately the success of the web relies on trust, said committee chairman Lord Broers.
‘The internet is increasingly perceived as a sort of wild west, outside the law,’ said Broers.
‘People are said to fear e-crime more than mugging. That needs to change, or confidence in the internet could be destroyed.’
Banks are generally not using real two-factor authentication; at least in the US, banking regulations that require "two-factor" allow banks to simply use two passwords, or a password and a browser cookie, a password and an SSN, or tons of other items.
The security industry's accepted definition of two-factor authentication requires either something you have or something you are (i.e. biometrics) in addition to something you know, or else it's not really two-factor.
That banks get away with calling things like SiteKey "two-factor" is beyond irritating; it's irresponsible.
Disclaimer: I work for a company that makes (real!) two-factor authentication software
Posted by: Steve Dispensa 23 Aug 2007