United Kingdom Parliament
Select Committee on Science and Technology Written Evidence


Memorandum by Ilkley Computer Club

INTRODUCTION

  Ilkley Computer Club is approximately 25 years old. When it started, it was the time of the first micro computers for home use; Ataris, Commodores, Sinclairs and BBCs. Membership was mainly 5th and 6th Formers from local schools. Today, the majority of members are "silver surfers" who almost always use a Windows computer. When the Club started, the Internet had not been invented. Now all members use it and at most meetings, Internet issues dominate discussions.

  The members wanted to pool their recent experiences with Internet use and to present them to the Committee in the hope that their collective knowledge—or lack of it—may aid understanding.

MAIN POINTS—PROBLEMS

    —  Home users are generally confused by "computer security".

    —  Clear directed or targeted advice is lacking.

    —  The inexperienced do not know where to go for advice.

    —  Most users don't want to spend money on "maintenance".

    —  Computers are still too complex for most users to understand.

    —  Users don't know who to complain to if something nasty happens on their computer (eg infestation with viruses).

    —  There is no understanding of the risks of connecting the home computer to millions of others all over the world.

MAIN POINTS—SOLUTIONS

    —  There must be positive Government guidance pushed to users.

    —  Government advice must be from a single point of contact.

    —  Internet Service Providers must take a proactive stance in prevention (viruses, trojans, spam, spyware, etc).

    —  Software producers must take more care when writing software to avoid bugs in the first place.

    —  Common software for the home user need not be as complex as it is at present (the rush for more "exciting features" tends to produce buggy software of no real use).

    —  If washing machines can be "kite marked" to EU or UK standards, why not computers?

GOVERNMENT RESPONSIBILITIES

  The overall feeling of members is that there is a lot going on in central government but that the efforts are dissipated around different responsibilities. Often the same general advice is given on several Departmental web sites. There should be one Government "voice" here and one which is well known through a positive marketing campaign through all forms of media.

  On a negative note, members considered that the loss of the old National High Tech Crime Unit (NHTCU) web site was a mistake. There was a lot of helpful information on it (eg a check-list on what to do if you thought you had been subjected to ID theft) which has disappeared. This is a good example of not very joined up government.

  The Government cannot do everything and must, at the end of the day, rely on the home user being sensible and careful. The user must have continuing support from suppliers and manufacturers and this support needs to be presented in non-technical language. The downside is that, for many, there is a reluctance to spend any more on the computer after it is brought home. There is no maintenance schedule for computers. You don't have to take it back to the "computer garage" at regular intervals. There is no annual MOT for computers. For many home (and small business) users, the attitude is to leave it alone.

  This is certainly understandable because computers are still geeky things that are difficult to understand let alone tinker with. They are just too complex. Once you always got a thick manual with one but these have disappeared and you need to look up problems on line and this always seems more difficult than flicking through a handbook.

  It is also very difficult to know how sensible to be today because today's threats are not quite the same as the ones last week. It is also difficult for home (and small business) users to evaluate risks, especially when messages are usually full of "doom and gloom". Too many dire warnings are a switch off. An emphasis on positive actions—the best practice approach—may yield better results.

  What are the minimum standards of competence needed to own and run a computer? Can this standard be pushed? The ECDL training package says very little about security, for example. How about an official government handbook—short and written simply—which sets out what the home user must do to be safer?

  The home user must clearly understand the risks they face when using their computer and have risk minimisation spelled out to them.

Memorandum by the Institute for the Management of Information Systems

  The Institute for the Management of Information Systems is the professional organisation for those who are responsible for managing the use of Information Technology to achieve business and social benefit. It has around 12,000 members and is UK-based but the majority of its members now live and work outside the UK; they therefore have an international as well as a practical perspective.

  IMIS is an active member of EURIM, the Parliament—Industry Group concerned with the politics of the Information Society and agrees with the points made in their submission. It may, however, be helpful to separately state those points that most affect our members' views on whether the UK is a safe and secure place to go on-line, compared to other parts of the world.

  The lack of current UK legal frameworks for effective action against those copying and selling personal data, combined with the collapse of any form of serious immigration control, means that the UK is a "safe haven" for those running much of the world's on-line fraud. Many of the world's phishing attacks may appear to come from Russia or South America but they are said to be often co-ordinated from London and the Home Counties.

    —  Lack of confidence in the security of the UK Government's own systems is a major obstacle to securing support for joined up information management. ID cards are commonplace around the world but they are "the lead standard": residents' cards for low value or risk transactions. The idea that the UK Government will create a "gold standard" without first sorting out its own notorious information security problems, the start point for much fraud against the private sector, does not command professional credibility.

    —  Lack of confidence in the security of the systems of on-line retailers is a world-wide obstacle to persuading consumers to use the Internet other than for low value transactions or those where some-one else is bearing the risk, as with UK issued credit cards.

  Those who wish to halt the erosion of confidence in the UK as a safe place to go on-line, not just in the Internet as a safe place to work, learn and play, therefore face a major challenge, unless they really do face reality and work together.

  The key points of leverage appear to be:

Rapid and effective implementation of the recommendations in the Information Commissioner's recent report to Parliament: "What Price Privacy? The unlawful trade in confidential personal information".

  The Department of Constitutional Affairs is currently consulting on "Increasing penalties for deliberate and wilful misuse of personal data". There is a need not only for action on this to be a priority in the Queen's Speech but for a high profile test case or two in which the new powers are complemented by use of the existing powers for unlimited fines and action under the Proceeds of Crime Act. We have to demonstrate that the UK is no longer a safe haven for the global trade in stolen and fictional identities.

A major review of the security of Government's own systems, followed by mandatory training in basic information governance and Internet safety for all public sector employees, akin to that done by large commercial organisations, many of whom also make the materials freely available to employees' families.

  UK Central Government has often mandated bad practice, under the guise of ease of access, social inclusion, increasing voter turn-out etc. It needs to recognise that all of these are fully compatible with good security practice, provided it accepts the necessity of using trained and supervised human intermediaries to also physically authenticate certain types of transaction. That means understanding and actively managing the risks of unsupervised, on-line activity, regardless of the security technologies used, not just assuming that its supposed cost-cutting potential will always outweigh the problems of fraud and abuse. They may—but very often they do not.

A coming together of those major players, public and private, who wish to see voters, consumers and their families confidently using the Internet to agree common good practice in using existing products and services more securely so that they can also agree on credible advice and guidance for their customers on how to respond to e-mails or access websites.

  The major e-commerce and on-line service providers and their business and government customers then need to help organise and fund the bringing together of awareness programmes like those of "Get Safe Online" and the "Child Exploitation and Online Protection Centre" with reporting routines, like those attached to the Metropolitan Police "Fraud Alert" site and the mandatory inclusion of Internet safety and basic security in all publicly funded ICT education and training.

  Only then will the UK be able to realise its potential as not only a safe place to go on-line, but a natural location for global Internet policing, exploiting the unique strengths of the City of London, and therefore the safest place to go on-line.



 

© Parliamentary copyright 2007