Select Committee on Science and Technology Written Evidence


Memorandum by Eurim

1.  WHO ARE WE?

  EURIM is a UK-based Parliament-Industry Group. It brings together politicians, industry and officials to secure action on issues not already well addressed elsewhere. Debate over the need to greatly improve the safety and security of the Internet goes back more than a decade, to when it began being used for business and consumer purposes. There is confusion and conflict over objectives as well as over what is practical or economic, and the responsibility and ability to take effective action are fragmented. EURIM welcomes the focus of this inquiry on addressing the needs of the most vulnerable and believes it asks the right questions.

  This response is structured around those questions and is intended to provide an introduction to the issues, using material and recommendations already on file and agreed. We have asked our members to respond directly to the Committee in more detail, especially on areas where there is disagreement between industry players. We are also consulting them on additional recommendations where we believe there might be pan-industry agreement and will report the results separately. There is much additional material on www.eurim.org.uk.

2.  DEFINING THE PROBLEM

  You will receive many definitions of the "problem" and we believe these reflect an over-arching failure to connect the debate over the promotion of the Internet and the many benefits that it brings with that on the need to improve safety and security. Even when the same organisations are involved in both debates, they are commonly represented by different individuals, from different departments, with different terms of reference.

  The debates should be seen as two sides of the same coin. Promoting confident, secure and socially inclusive access to the global information society requires joined-up thinking. It also needs to be seen in context, as part of a wider debate on the need also to promote the safe and secure use of the Internet by business and government—including along supply chains and across markets. One aspect of this is the need for government itself to follow good practice in ensuring that its own systems are both adequately secure and also accessible and "user-friendly".

2.1  What is the nature of the security threat to private individuals? What new threats and trends are emerging and how are they identified?

  The Internet is an open-access network of networks, with security and authentication added according to the expertise and budgets of those paying for access. It is a great force for good, but like all great forces it can also be misused. Over 10% of mankind is now on-line, but so are at least 10% of the world's literate criminals. The scale and sophistication of computer-assisted malpractice is increasing dramatically, with the Internet used to automate the identification and exploitation of prospective victims over the converging media (fixed and mobile, voice, data and video). So too is the use of the Internet and mobile communications at every level of anti-social behaviour. From teenage gangs to international terrorism, from text-bullying, on-line paedophile grooming and cyber-stalking through impersonation, fraud and extortion to sophisticated attacks on critical infrastructures (especially payment systems), delinquents and criminals appear well ahead of law enforcement in their use of new technology.

  Emerging threats are commonly identified first by the customer protection and security teams of the main service providers (eg BT or Vodafone), e-commerce players (eg Amazon or eBay) and those who provide them with attack monitoring and traffic filtering services (eg Symantec or MarkMonitor). Government regulators and law enforcement commonly lack perspective because they are overwhelmed by ad hoc reports. They need to make better arrangements with the private sector to accept collated inputs and then to act on reports of situations where individuals are at personal risk. Recent progress with regard to global co-operation on child protection indicates how this might be progressed in other areas as well. Where individual users or customers identify a problem, they are often unable to alert others quickly because of the problems identified in the next paragraph.

2.2  What is the scale of the problem? How are security breaches affecting the individual user detected and recorded?

  The near impossibility of reporting individual incidents to someone who will accept the report, let alone help the victim obtain redress, undermines the chance of acting on "early warnings" and also means the actual impact is unknown. However, the incidence of phishing and spam and the growing publicity for the consequences of fraud and abuse are clearly affecting confidence in the Internet as a safe place to do business, let alone for our children to learn and play. A consequence is regular proposals for new reporting mechanisms to replace those that are not working. Public pressure for Government(s) to "do something" leads directly to proposals for legislation or regulation—but such processes take a long time and often end up being inadequately targeted. Most such proposals do not address the root causes of failure. In addition, no one has an incentive to report incidents merely for statistical purposes, or to accept reports to which they can respond only by admitting ignorance or inability to help.

  Individual phishing attacks may not justify the use of scarce investigative resource but analyses by global private sector monitoring organisations indicate that a large proportion of malpractice originates from a relatively small number of loose-knit criminal networks, many of whose members could be tracked, traced, removed and blacklisted ("the e-death penalty") by the main communications operators for breach of service conditions. There is a need to bring the current proliferation of fragmented local and national reporting operations together into international reporting networks that cross public-private boundaries and to collate and route information to those who are in a position to take action.

  Proposals for new reporting agencies should be replaced by proposals for secure information exchange, including internationally. These should involve the abuse@ teams of the communications service providers and reputable private sector monitoring operations to enable (for example) collated analysis of phishing and malware incidents to be passed rapidly to those able to block attacks and blacklist the perpetrators for breach of conditions of service. There is also a need to consider reporting structures for the actions then taken by the latter.

2.3  How well do users understand the nature of the threat?

  Surveys after the Get Safe Online Campaign and the recent Ofcom Media Literacy Survey indicate a high level of awareness of those risks for which vendors are already promoting "solutions" accompanied by a lack of confidence in respondents' ability to understand or use the tools on offer or to identify anyone competent and trustworthy to help them at a price they can afford. The website of the Identity Theft Assistance Group[10] (funded by US financial services players like Bank of America, Bank of New York and Citigroup) carries a report saying that "More than two thirds of the American public has lost confidence in the handling of their personal information", one in four web users had stopped shopping on-line because of perceived security risks, more than half no longer gave personal information over the net and 6% had changed banks to reduce their risk of becoming a victim of identity theft. However, over 60% still trusted their banks compared to under 30% who trusted on-line retailers. A more recent UK survey indicated significantly lower levels of trust with only 37% trusting their banks and only 17% trusting government.

  Well-publicised stories of the theft of files of personal details from both public and private sector to aid impersonation and fraud and the current plagues of phishing, vishing (semi-automated phone calls using voice over IP) and spam mean that consumer trust in on-line transactions is increasingly fragile and needs reinforcement. Given the growing use of the Internet for consumer and political research of all types, it is surprising how little consumer research has been done into what Internet service providers' customers expect, would like, or are willing to pay for. There is a common attitude that the Internet is too complicated for customers to understand and decisions should therefore be left to industry or government, advised by academic experts. But many consumers no more wish to receive anonymous and unsolicited e-mails than they wish to receive anonymous letters or unsolicited phone calls. Why should they not be able to ask their Internet Service provider to automatically return these to sender? (see 3.1 below).

  Awareness of the threats from wireless interception, and from those forms of spyware for which low-cost solutions are not readily available or promoted, appears largely confined to security professionals. Many security breaches resulting from the use of insecure Bluetooth mobiles, unencrypted WiFi hot spots and shared ADSL systems remain unknown until long after the captured passwords and account or personal details have been used.

3.  TACKLING THE PROBLEM

3.1  What can and should be done to provide greater computer security to private individuals? What, if any, are the potential concerns and trade-offs?

  Until 2005 one of the priorities of the Internet Engineering Task Force (IETF) was to retrofit quality of service and security to a previously open-access, "best efforts", academic network before the consumer backlash against variability of service and criminal abuse brought the technology into disrepute. The security approach being pursued would have enabled users to refuse unauthenticated traffic and require it to be returned to sender—with liabilities and costs loaded onto the Internet Service Provider who first accepted the traffic and thus had a "contract" with the originator. It would appear that the IETF gave up after a series of bitter clashes over the licensing of patented authentication techniques. The issues and consequences were covered by Andrea Matwyshyn at the Oxford Internet Institute conference on "Safety and Security in a Networked World" in September 2005.[11]

  This approach, using technical facilities already built into the routers that currently handle most of the world's Internet traffic, could enable unauthenticated traffic to be filtered and much spam and malware to be traced back to the 200 or so groups said to originate most of it. Others believe it more efficient and effective to make test purchases and follow the payment trail. Either way, miscreants could then be held to account under a mix of criminal and civil law—as most of the main global e-commerce players would wish. Service providers could also contact those whose machines appear to have been affected and "offer" remedial action as a condition of continuing service. That process is, however, onerous and has led to legal and other counter-attacks in the United States. Not all service providers would wish to follow this route and markets might well polarise with some charging extra for filtered services to protected and monitored customers. Another approach currently being promoted is the use of privacy enhancing technologies with identity management systems under user control, enabling users to examine context and site-specific authentication credentials.

  If approaches to improving authentication and security are blocked by conflict over the licensing of software and/or business-method patents, that is an indictment of those responsible and of their use of current IPR regimes. This is, however, a highly contentious area, and agreement on any meaningful changes, other than administrative reforms to make the current system work better (eg tests of originality), is unlikely. Instead we should use commercial, political and moral incentives to ensure fair rewards, both recognition and financial, for those who contribute to the thinking and innovation necessary to make the Internet safe for use by ordinary human beings, with the addition of penalties for those who do not, or who actively prevent progress, beginning with public exposure by their peers and moving on to international legal co-operation between those whose customers are at risk.

3.2  What is the level of public awareness of the threat to computer security and how effective are current initiatives in changing attitudes and raising that awareness?

  See 2.3 above. Awareness is less of a problem than conflicting and impractical advice and guidance. There is a very real risk that further raising awareness without making it very much easier for consumers to protect themselves and their children and to report malpractice will lead to a serious loss of confidence. At the very least the DfES and its agencies should mandate that all publicly funded ICT courses and qualifications include basic computer security and Internet self-protection.

3.3  What factors may prevent private individuals from following appropriate security practices?

  They lack the training and means to manage their own security effectively, even if they have the necessary awareness and incentive. Most ordinary human beings are baffled by the documentation and "help" routines currently on offer. There is a great deal of advice and guidance currently available, but much of it moves rapidly from the simplistic and patronising to that which requires a Master's degree in Information and Computer Science to locate and understand. And even then the tools that users are expected to install and trust appear to spend much of their time fighting for supremacy within the system—identifying each other as threats to be removed and expecting the user to adjudicate. Some recommended security practices, such as never opening email attachments, seriously degrade the usability of the Internet and are widely ignored. The problem is compounded by commonly used software that silently executes attachments, without consulting the user, if their internal structure indicates that they are executable.

  DfES and the relevant agencies (QCA, Sector Skills Councils etc) should ensure that all publicly funded ICT training courses and qualifications include basic security and self-protection. Government departments and their service contractors should, as a matter of course, follow good industry practice and train all users in the secure use of the computer systems to which they have access while ensuring that this is not used as an excuse for undermining good practice on usability and accessibility.

  Cabinet Office, Home Office, DTI and DfES and the Police and Law Enforcement Agencies should bring together their various Internet Safety and E-Crime prevention initiatives and link this activity closely with initiatives to open up and promote access.

  Internet Service and E-Commerce providers should work with Government and Law Enforcement to ensure their customers have ready access (eg well-promoted portals) to intelligible, realistic and comprehensive sources of advice, guidance and reporting—again, linking consideration of the advantages of technology with the safety issues, rather than leaving it to customers to "join things up".

  There is also confusion over the scale and nature of "identity theft", including who is liable for what, when an individual is impersonated. The National Consumer Council has called for an industry-funded service along the lines of the US Identity Theft Assistance Group. However, the latter only handles cases referred by its members. UK organisations like Experian already have dedicated "Victims of Fraud" support teams and provide guidance via Citizens Advice Bureaux and Crime Prevention Officers. There is a view that while existing guidance needs to be regularly updated and better promoted it were better to work through existing channels than create a new one.

  Those seeking to promote confidence in on-line transactions should co-operate in producing common, well-promoted portals that provide advice and guidance for those who believe they have been impersonated, as well as guidance on how to reduce the risk and contact details for those who can help remedy the problem.

3.4  What role do software and hardware design play in reducing the risk posed by security breaches? How much attention is paid to security in the design of new computer-based products?

  We do not need to wait for the re-engineering of the Internet with new generations of routers, browsers, operating systems and addressing systems in order to make serious progress in Internet safety, security and crime prevention. Improving the quality and relevance of the advice and guidance on offer, including to those using existing products to run their own on-line services, could make a massive difference.

  One suggested "quick fix" is for the main email browsers to provide default options to disable the automatic execution of email attachments or embedded ActiveX or Java in emails, and also to disable html links inside email. It is claimed that for the vast majority of users the reduction in malware would greatly outweigh the inconvenience.
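As an added illustration of the two points above (software that treats an attachment as executable on the strength of its internal structure rather than its declared type, and the proposed default of disabling active content and links in email), the following Python script is not EURIM's or any vendor's code. It applies the suggested default policy on the receiving side: it sniffs each attachment's leading bytes for executable formats whatever the filename or Content-Type claims, strips ActiveX/Java/script embeds from the HTML body and rewrites links as non-clickable text. The sample message, the magic-byte table and the tag list are constructed for the example and are not exhaustive.

```python
import re
from typing import Optional
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Leading bytes that mark content as executable whatever the declared
# Content-Type or filename extension says (constructed short list).
EXECUTABLE_MAGIC = (
    (b"MZ", "PE executable (Windows .exe/.dll/.scr)"),
    (b"\x7fELF", "ELF executable"),
    (b"#!", "script with interpreter line"),
    (b"\xca\xfe\xba\xbe", "Java class file"),
)

# Tags that embed active content (scripts, ActiveX objects, Java applets,
# plug-ins, frames). Regex handling is adequate for this demonstration only.
ACTIVE_TAG_RE = re.compile(
    r"<(script|object|applet|embed|iframe)\b[^>]*>.*?</\1\s*>"
    r"|<(?:object|embed|iframe)\b[^>]*/?>",
    re.IGNORECASE | re.DOTALL,
)
ANCHOR_RE = re.compile(
    r"<a\b[^>]*href\s*=\s*[\"']?([^\"'\s>]+)[^>]*>(.*?)</a\s*>",
    re.IGNORECASE | re.DOTALL,
)


def sniff_executable(data: bytes) -> Optional[str]:
    """Describe the executable format if the bytes look executable, else None."""
    for magic, label in EXECUTABLE_MAGIC:
        if data.startswith(magic):
            return label
    return None


def defang_html(html: str) -> str:
    """Remove active-content tags and turn links into non-clickable text."""
    html = ACTIVE_TAG_RE.sub("[active content removed]", html)

    def _link(m: "re.Match") -> str:
        # Break the URL scheme so mail clients will not auto-link it.
        target = m.group(1).replace("http", "hxxp", 1)
        return f"{m.group(2)} [link: {target}]"

    return ANCHOR_RE.sub(_link, html)


def triage(raw: bytes) -> dict:
    """Apply the secure-by-default policy to one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {"flagged_attachments": [], "html_body": None}
    for part in msg.walk():
        if part.is_multipart():
            continue  # container parts carry no content of their own
        if part.get_content_type() == "text/html":
            report["html_body"] = defang_html(part.get_content())
            continue
        payload = part.get_payload(decode=True) or b""
        label = sniff_executable(payload)
        if label:
            # Declared type/filename is reported alongside what the bytes say.
            report["flagged_attachments"].append(
                (part.get_filename(), part.get_content_type(), label)
            )
    return report


def build_sample() -> bytes:
    """Constructed sample: a 'PDF' that is really a PE image, plus HTML body."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>Please <a href="http://example.com/login">log in</a> to view.</p>'
        '<object classid="clsid:00000000-0000-0000-0000-000000000000">'
        "</object>",
        subtype="html",
    )
    msg.add_attachment(
        b"MZ\x90\x00" + b"\x00" * 60,
        maintype="application", subtype="pdf", filename="invoice.pdf",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample())
    for name, ctype, label in result["flagged_attachments"]:
        print(f"BLOCK {name} ({ctype}): content is {label}")
    print(result["html_body"])
```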

  We need much greater co-operation to identify and promote the best practical advice currently available, in language that ordinary human beings can understand, and to ensure that reputable security products and services recognise each other and co-operate. That process includes giving much greater priority to computer security and Internet safety in mainstream ICT education and training at every level—from schools through further and higher education as well as adult courses on the use of IT, to the design, implementation, operation and support of systems in ways that reduce opportunities for abuse.

  It is almost certain that crime-prevention education and practical guidance and support is an area where incentives will be more effective than penalties. The core task is to persuade security suppliers to put a proportion of their current marketing spend and major users to put a proportion of their security budgets into co-operative ventures to promote good practice and competence at every level—including among their public sector customers and partners who are often among the most complacent and vulnerable.

  One of the best ways of promoting such co-operation is almost certainly a series of awards for "best of breed", to give the oxygen of publicity to good practice and encourage others to join in or do better. Well-publicised awards for:

    —  products and services with plain language, intelligible and useable documentation, websites and help processes related to what the user experiences (technical merit, innovation and excellence are not enough); and

    —  producing, promoting and distributing advice and guidance for target audiences (children, parents, teachers, small firms, end-user staff in large organisations etc) in a way that helps the user to understand opportunities and vulnerabilities and to understand the connection between them.

3.5  Who should be responsible for ensuring effective protection from current and emerging threats?

  The issues are now too serious to be treated as a constraint and left to law enforcement and security experts to do their best with reactive add-ons. There is a need to involve those affected (users and customers as well as suppliers) in well-structured advisory groups to help formulate policy, especially when there are splits within the industry as to what is desirable or practical and who should be responsible.

  Safety and security have to be treated as part of the mainstream corporate social responsibility and good citizenship programmes of all those who wish their customers, citizens and taxpayers to make confident use of on-line products and services.

  In practice that means the active involvement of the major commercial players across the converging communications services (Internet, broadband, mobile and broadcast) plus those running or promoting e-commerce, on-line banking and payment, search engines, distance learning, content and electronic service delivery by government.

  Only when major players vote with their wallets, to protect revenues and control costs in the face of changing consumer behaviour (eg a return to branch banking), will the technical, legal and organisational constraints that have prevented effective action to address the problems be overcome, removed or bypassed.

3.6  What is the standing of UK research in this area?

  Most of the relevant products and services are global. The fact that Hewlett Packard, IBM, Siemens and Microsoft have major security research facilities and partnership programmes in the UK indicates that we still have serious strengths. However, their concerns with regard to the UK science, technology, engineering and mathematics base also indicate that we have serious problems that need to be addressed. Our neglect of multi-disciplinary research into people processes, especially how human beings use systems—including supposedly secure systems—is a major weakness, although this is beginning to be addressed. Indeed it may be one of the reasons why those turning technology into product commonly do so outside the UK.

4.  GOVERNANCE AND REGULATION

4.1  How effective are initiatives on IT governance in reducing security threats?

  The European E-Commerce Directive requires those trading over the Internet to provide physical contact details in addition to their on-line address. This should provide significant protection against fraud, but many trading sites fail to do so and, furthermore, the registration details obtained by a "whois" enquiry are, if available at all, often those of the service supplier who built or sold the site. The plans of Nominet to amend the contractual conditions under which .uk domain names are registered will help address this problem within the UK, but it illustrates the lack of impact of most government initiatives, including EU directives.

  The creation of effective frameworks for global co-operation, using the contractual terms of the current registration authorities and of the Internet service suppliers to protect paying customers and remove miscreants, should have a higher priority than the creation of statutory regulatory and governance routines. Unless well judged, the latter not only divert resource from addressing known malfeasance but can create more vulnerabilities than they remove. For example one of the largest insider dealing operations in a western nation was only possible because new regulatory rules had enabled a compliance officer to bring together staff from across the internal security boundaries of the organisations involved.

  Meanwhile Sarbanes-Oxley mandates not only expensive paper-chases that would not have prevented Enron but also anonymous whistle-blowing routines of the type made illegal in France after World War 2 because they had cost so many lives at the hands of the Gestapo and Milice. Requirements to give regulatory or law enforcement staff the ability to cross the security barriers of financial services players, or to demand the retention of vulnerable data, are obvious examples of how well-intentioned initiatives can cause responsible organisations to move key functions outside the jurisdictions concerned. The cost of ill-judged regulation is not just money but can be increased risk, personal as well as financial, if it makes it harder for reputable service providers to provide realistic protection for their customers.

  All proposals for new regulatory regimes must be subjected to a full systems review and impact analysis to check how they will achieve the objectives stated and at what cost to legitimate business, given current and prospective technologies and business models.

4.2  How far do improvements in governance and regulation depend on international co-operation?

  There is much talk of the need for more cross-border co-operation but debates within regional groupings like the European Union over applicable law, including "country of origin" versus "country of destination", indicate that little more progress at the global level is likely over the next decade than has been achieved at the inter-governmental level over the past century. Most of Europe shares common legal traditions but agreement on common frameworks is often hard won. If one then looks wider at the clashes between Roman, Common, Islamic and Asiatic legal traditions, let alone cultural and political differences, including those between the EU and US, the lack of wider progress becomes less surprising. Meanwhile the private sector has had routines for international co-operation for over a thousand years.

  The best selling book and subsequent film, The Da Vinci Code, were largely inspired by the mythology around the break up of one such network: that which enabled the Knights Templar, the Venetians, the Byzantines and the Arab/Jewish networks of the Middle East to co-operate in transmitting funds safely from the Orkneys to Jerusalem, until the King of France reneged on his debts. Today such routines are not only global but have evolved via routines to handle piracy on the high seas or accidents in space, with adjudication under whichever law and in whichever location the relevant service contract(s) state.

  The global financial services, international payment and freight forwarding operations of today have similar routines for handling cross-border transactions between customers operating under very different legal and regulatory systems. Some of these are already integrated into seamless on-line networks, operated from a handful of regional hubs, with local access under the legal and regulatory regime of the nation from which access is being made: country of destination.

  The Internet has a different tradition, with regulation largely based on country of origin and remarkably little interference from the government of the nation that, until very recently, originated most of the traffic. Other governments around the world are, however, loath to leave the policing of the Internet to a cartel of global commercial players operating under the governance of ICANN, the Internet Engineering Task Force or W3C, let alone the ITU, IPU or other international bodies. But if that is to be replaced by something better, not mere anarchy, they must greatly increase the resources they provide to their domestic e-crime law enforcement operations and develop very much more efficient routines for cross-border co-operation—using the expertise of the major commercial players in working with and through local law enforcement around the world.

  This will not be easy and those in the West who argue that such routines must be democratically accountable should remember that some of Cicero's greatest speeches on republican virtue and civil liberties were in support of the tyrants and organised crime bosses of his day. Inter-government agreement on anything that is effective and meaningful is unlikely other than between states that share political, cultural and legal traditions. Even then it cannot be taken for granted.

  The best way forward at a political level is to support the successful work of groups like UNCITRAL (United Nations Commission on International Trade Law) in producing model laws for piecemeal adoption. There is also a good case for attempting to draft a UN Treaty on Technical Assistance to enable smaller states and organisations to make better use of the legal routines already well established for handling international trade disputes. This is unlikely to be agreed but a widely supported draft could be of great value to those seeking models of good practice. We also strongly support the approach agreed at last year's World Summit on Internet Society, where the UK as European President led the way in persuading all concerned that a co-operative approach was needed, rather than "no change" or "international control". There are those who are keen to undermine the partnership approach, and it is important for the Industry and Parliamentarians to work together and with Government to demonstrate the commitment without which a partnership approach will not work—and that would lead to fresh calls for a more rigid and bureaucratic system and/or a breakdown of international co-operation.

4.3  Is the regulatory framework for Internet services adequate?

  The main flaw with the current regulatory framework is that it does not reward those who seek to protect their paying customers from abuse. Indeed it is said that those who seek to actively protect customers risk losing "innocent carrier" status and incur a liability for being sued when they fail. Those who make no attempt to protect customers are immune from penalty. Meanwhile ill-considered requirements to retain data, whether communications or content, without providing law enforcement with the resource to handle what is already retained, not only impose costs on legitimate business to little or no benefit, but also open up significant areas of avoidable risk. Again, it is essential for industry, government(s) and enforcement agencies to work co-operatively rather than in silos.

  We need to remove regulation that already has perverse consequences, not introduce more. In particular, any initiatives that could jeopardise the ability of London to add Internet policing and dispute resolution to its £30 billion a year international dispute resolution business must be subjected to rigorous risk assessment. That is not just because of the potential cost to the UK economy, but because having Internet policing functions based in the UK will greatly improve our ability to protect our own citizens from abuse.

  There is a need for industry-strength market research into what Internet users actually want and from whom, including by way of trade-offs between price, facilities and security. Additional regulation should be avoided unless there is clear evidence of market failure to provide that which users want and are willing to pay for, or unless there is a need to provide regulatory underpinning for "best practice" as developed jointly by the Industry, Government and Regulators.

4.4  What, if any, are the barriers to developing information security systems and standards and how can they be overcome?

  See 3.1 above. The break-up of the academia-industry, open source and open licence co-operation that created the Internet has led to a mushrooming of add-on, post-event security fixes to ever more complex and competing, commercial and proprietary products and services. Some argue that was an inevitable stage in the growth pains of the information society. Others believe it was but a stage and that customer pressures around the world will drive fundamental structural changes. Meanwhile the current UK and European Data Protection regimes serve to neuter rights of private action and promote tick box compliance. By contrast the US legislation requiring disclosure to subjects of security breaches has transformed awareness and attitudes and given strong economic incentives to developing and deploying privacy enhancing technologies. UK legislation makes it clear that information can be exchanged between public bodies for purposes of crime prevention provided this is done in a professional manner, and this concept needs to be developed further (in both practical and legal terms) in relation to co-operation between Industry, Government and Enforcement Agencies.

5.  CRIME PREVENTION

5.1  How effective is Government crime prevention policy in this area? Are enforcement agencies adequately equipped to tackle these threats?

  The majority of all investigations, including those into traditional physical crime, may now entail securing and analysing potential digital evidence, on the computers, personal organisers or mobile phones of victims and suspects, or from surveillance camera footage that might have covered relevant locations. In 2005, UK business users spent about £3 billion to protect their systems and those of their customers, including nearly £1 billion with security consultancies and suppliers. By contrast the announced spend for all the UK computer crime units, including the child protection and other units now included within the Child Exploitation and On-line Protection unit (CEOP) and the Serious and Organised Crime Authority (SOCA) was £8.5 million. More former policemen with experience of running major computer crime investigations now work for industry than in UK law enforcement agencies.

  Those tasked with protecting the most vulnerable and with enforcing the law are playing catch-up, overwhelmed by the scale of criminal and anti-social activity that may require computing or digital evidence skills to investigate. There is confusion as to how (and to whom) on-line incidents should be reported, and a reluctance to make it easier to report, lest the result distort police performance targets, whether or not the latter are in line with public needs and expectations.

  Law enforcement lacks the capacity to respond effectively to more than a fraction of currently reported incidents. The Internet has been described as the Wild West without six guns. Law and order was brought to the Wild West by gunmen hired by the railways, banks and citizens' committees to protect themselves, their customers and their communities. A great many agencies claim to regulate content over the Internet, but most effective action against malpractice is organised by the major Internet service, e-commerce and on-line banking and payment providers—to combat their common enemies and to protect and re-assure their shared customers. They need to be further encouraged and enabled to act rapidly and decisively, in co-operation with law enforcement agencies, to protect the small firms and consumers whose confident use of on-line transactions and information services is essential to the growth of e-commerce and e-government.

  Recent high profile investigations of international paedophile networks show how the resource available to law enforcement can be swamped by the capacity of e-crime to generate very large numbers of incidents and information. The only way of handling the load is through a partnership approach—involving industry staff and civilian volunteers, working to standards and procedures commonly recognised across public and private sectors, including internationally, as part of joint crime prevention, reporting and investigation operations.

  There are many models around the world for such operations: from police "reserves" and "special constables" through accredited security firms and specialist units to industry-funded police forces, such as the British Transport Police. The challenge is to create frameworks that enable local and national operations to co-operate across jurisdictional boundaries, including with nations where the security and probity of law enforcement cannot be taken for granted. This places limits on the ability to use official channels. The routines established by the insurance companies for handling piracy on the high seas and by the financial services and freight forwarding industries for handling international "disputes" are therefore apposite. Managing the interface between formal legal and administrative structures on the one hand and the Industry and informal cultures on the other will certainly prove a real challenge, requiring commitment and engagement on all sides.

  Responsibility at the national level for educating, advising and supporting those at most risk crosses departmental and agency boundaries and authority over budgets, courses and curricula is fragmented. At the international level there is much talk but little action, except between those who have met and trust each other, despite the processes they have to use. Meanwhile on-line criminal activity indicates significant co-operation across national and cultural, let alone "family" or "gang", boundaries.

  Industry (both users and suppliers) is beginning to co-operate, including with the formation of national and international professional groupings to educate and assess those who can be trusted. The time has come for similar co-operation across law enforcement boundaries (local, regional and national agencies as well as international) with the aim of also greatly improving co-operation with those in the private sector who are working to protect their customers as well as themselves.

5.2  Is the legislative framework in UK criminal law adequate to meet the challenge of cyber-crime?

  Until this year gaps in the law made the UK one of the safest places in the world from which to run a global e-crime operation, other than one involving child abuse. It was not an offence to defraud a machine, but that loophole appears to have been addressed in the recent update of anti-fraud legislation.

  The Computer Misuse Act needed updating to provide realistic penalties (sufficient to enable extradition) and to address the growing trade in computer tools designed to assist criminal operations. This problem is being addressed in the current Police and Criminal Justice Bill although, at the time of writing, there were still difficulties over wording that would enable dual use tools (the computer equivalent of the crowbar/jemmy or picklock) to be supplied to legitimate security consultants while enabling those deliberately supplying criminals to be prosecuted. The Data Protection (Processing of Sensitive Data) Order 2006 now enables credit and debit card providers to receive police data so that they can withdraw cards where their terms and conditions have been broken.

  The main residual gap is with regard to realistic penalties for the deliberate abuse of personal information, including by those working for the public sector (as staff or contractors) who assist animal rights terrorists, benefits fraudsters, illegal immigrants et al. Here, the Department of Constitutional Affairs has launched a consultation to pick up the recent call for action by the Information Commissioner, What Price Privacy?

  There is a need for early test cases to check that the amendments to UK Fraud Legislation and the Computer Misuse Act have indeed met the objectives. There is also an urgent need to amend UK Data Protection legislation to provide realistic penalties for the deliberate abuse of personal information, as called for by the Information Commissioner.

5.3  How effectively does the UK participate in international actions on cyber-crime?

  The most important UK contribution to date has probably been to illustrate the value of close co-operation between law enforcement and industry with regard to both domestic and international investigations. The partnership routines being established by the Virtual Global Task Force provide a model for what can and should be achievable. These have greatly improved not only the ability of children to report what is happening to them to someone who will understand and take notice, but also the ability of law enforcement to rapidly track, trace and identify predators. The task force would be very much less effective without the contributions of the industry "partners": from placing the "report abuse" buttons on widely used websites, to providing technology support for reporting systems and investigation, including tracking and tracing communications. Such partnerships need to be imaginative as well as quality controlled. Thus the UK partners include the Football Association as well as Microsoft, AOL, BT and Vodafone.

  The result is far more effective education and protection than can be seen in nations that talk about child protection and seek to extend legislation covering television advertising to the Internet, under the guise of regulating video-streaming as a TV-like service. It is interesting that some of the latter have rigid divisions which prevent co-operation between law enforcement and industry, and recurrent outbreaks of public concern (from press campaigns to mass demonstrations) over the supposed cover-up of widespread child abuse.

  This is, however, another contentious area. Some Internet Service Providers, targeting family and business audiences, are happy to introduce robust traffic filtering arrangements and to work closely with law enforcement in identifying predators. Others believe such technologies lead to a false sense of security and are open to abuse, e.g. covert as well as overt censorship. One of the UK's potential contributions should be to ensure that such issues are debated openly and candidly.

  Because child protection is such an emotive subject it also presents excellent opportunities to illustrate how responsible suppliers are already working closely with law enforcement to provide effective education and protection for those at risk and to encourage similar co-operation on a wider front.


© Parliamentary copyright 2007