Examination of Witnesses (Questions 720
- 739)
WEDNESDAY 14 MARCH 2007
MS CAMILLE
DE STEMPEL,
MR MATTHEW
HENTON, MR
JAMES BLESSING,
MR JOHN
SOUTER AND
MR MALCOLM
HUTTY
Q720 Chairman:
You do not think, even if an ISP knows the source of information
or data is fraudulent, or the players are up to perpetrating some
crime, that the ISP is immune from responsibility if they pass
that information or communicate between the criminals and the
user, that the ISP has no responsibility?
Ms de Stempel: We have very strong terms of
service so all our organisations offer very strong terms of service
and if something is reported to us that is in breach of our terms
of service we will take action against that particular consumer.
Q721 Chairman:
Do terms of service include some validation of the honesty of
your suppliers of information, for example?
Ms de Stempel: I wish we could validate the
honesty of everyone, but we are trying to ensure that the consumers
are aware of their rights and responsibilities as well as trying
to verify as much information as we can to give them a good on-line
experience with good content.
Q722 Lord Mitchell:
I feel very unconvinced by what you are saying, to be honest.
They are nice platitudes, but I want you to answer this question
for me. Imagine that you or I are parents, unsophisticated in
computers, that our child has a computer, say, from school, it
takes it home. I would like to know what your industry is doing
to make me aware of the dangers—not how you inform other
people, but how do I know the dangers that exist on the Internet?
Ms de Stempel: On AOL specifically what we will
do is that every time somebody creates a screen name we will make
you go through a whole process where you have to choose the age
of the person that is on line and we direct you towards parental
controls where you have to either accept or not to put those parental
controls on.
Q723 Lord Mitchell:
Parental controls; that is an old problem. We are talking about
blogging, we are talking about chat sites, we are talking about
all the dangers of the Internet. How do I know about those, who
is telling me?
Ms de Stempel: The media will tell you some
and we also make sure that products are age-appropriate, so we
do not direct children to the wrong areas, and that is how we
are going to work with the media, with education, with the DfES,
with the DTI to make sure that we raise awareness as to the great
potential the Internet has, but also some of the dangers that
exist.
Q724 Lord Paul:
The Internet was built without any identity layers, that is without
any means to know who and what are you connecting to. Can or should
this omission be rectified?
Mr Blessing: The simple answer is that it would
be incredibly difficult to rectify that problem because you are
talking about rewriting, on a global scale, the entire Internet.
The whole concept of identity belongs at the application layer
and whatever thing you are using on the Internet should be the
thing that tells you what it is you are talking to. The problem
seems to be that a lot of applications are hiding that information,
or making it nice and friendly so you do not see it any more,
so people thing that looks right, that is fine, because they are
not seeing the full details of what is going on because, to be
honest, in a lot of cases it would scare them. It is an application-based
issue and it is part of the whole education piece to make sure
that people understand how to check someone's identity. You have
a room full of people here and the only thing I have got to tell
me who you are is a bit of paper in front of you; it is the same
thing with the Internet. I have to go and do my research to find
out who all of you are.
Q725 Lord Paul:
The evidence from LINX highlights the "end-to-end principle"
and the principle of "abstraction of network layers".
Can you explain these principles, please?
Mr Hutty: Let me take that. Briefly, the end-to-end
principle is the idea or the argument that complexity, such as
things like identity management, belong at the edges of the network
and not in the core of the network. By doing that they can be
changed, upgraded and so forth entirely independently of the network;
the network is not aware of what checks and other services are
being done, whether that service is a simple identity check or
an authorisation, or something like that, or whether it is something
very sophisticated like the web or Voice over Internet Protocol
or something like that. The end-to-end principle allows you to
change what is provided at the edges without having to change
the whole of the network by changing the core of the network.
The linked principle of the abstraction of network layers works
in the same way; instead of looking at it from the point of view
of one network versus another, an edge versus the network core,
it looks at it in terms of the layers on which the network is
built up, so you start off with the physical layer, the wires
themselves, and on top of that the networking that substantially
transmits the information and on top of that the applications
that provide you with basic services. By keeping all these things
separate and by keeping all the complexity at the edges, we are
able to create new services and to upgrade existing services over
time, without having to rewrite everything and without needing
the co-operation of every single party in it, it keeps things
separate so that things can be done in the place where it is most
effective to work. This, to our mind, has been the principle reason
why the Internet has been so successful compared to other developments,
because it allows everybody to bring along their own contributions
without needing everybody else's co-operation.
Q726 Lord Paul:
Are not these principles just an abnegation of responsibility
for managing the content that travels across the Internet?
Mr Hutty: In order to apply these principles,
these principles are essentially engineering principles, they
are where particular tasks are done. For example, taking up your
identity question, the task of identity management is performed
by a server, for example a bank, and by your own computer. In
order for that to happen, in order for that to allow people to
arrange between themselves how things will be done and what services
will be provided, it is therefore necessary from a policy point
of view that the network itself is not held responsible for the
traffic that passes over it because it is not in control of it.
The only way of making the network legally responsible for the
traffic it carried would be to place the network practically in
control of the traffic, because that is the only way to discharge
that legal responsibility. The consequence of that would be that
the innovation we see in the Internet would no longer be possible.
Q727 Earl of Erroll:
Do you see any merit or usefulness, therefore, or a way forward
on this issue is Kim Cameron's InfoCard initiative? Do you know
of it?
Mr Hutty: I have seen that, I am not an expert
in the specifics of that proposal, but broadly speaking I put
that in the category of issues where because the Internet allows
this form of experimentation, we can see people coming along and
it is possible for people to come along with new and innovative
approaches to those sorts of problems. You would not be able to
have something like the InfoCard approach on a closed network
that did not have the responsibility at the edges. For example,
the telephone network or the postal network or something like
that would not work in the same way. I am not a spokesman for
InfoCard or something, but I would simply say that it is part
of that glorious diversity of experimental approaches that has
made the Internet so successful.
Q728 Baroness Hilton of Eggardon:
Do you not accept any responsibility at all for filtering spam
or for viruses? Viruses, it seems to me, should lie somewhere
within your domain; I can understand you would not want to try
and filter spam, but what about viruses?
Mr Blessing: We offer the ability for people
to filter viruses and filter their spam, and these are services
they can either opt into or opt out of. The reason they do not
want that to happen is a lot of our customers are companies and
they have the morbid fear of losing an email that might be an
order for £20 million and if they lose that email and never
get back to the customer—they are really paranoid about
it. Because no spam system is absolutely perfect and you cannot
guarantee every mail you filter is span, they say send me the
mail and I will decide what to do with it. It is a question of
ISPs developing choice and allowing you to either opt in or opt
out of any particular business model.
Q729 Baroness Hilton of Eggardon:
I can understand that in relation to spam, but in relation to
viruses—
Mr Blessing: We block viruses. Unless people
deliberately say no, please send me everything no matter what,
we will actually scan for viruses. We cannot provide 100% reliability
and we tell customers that actually they should put their own
layer in there as well because the more layers doing things that
you have available, the more likely are you to catch things, and
again there is the issue of the false positive.
Q730 Chairman:
When you say "we" what do you mean?
Mr Blessing: We as a company. It is an individual
company thing. My customers are not the same AOL's customers,
they are not the same as Brightview's customers, they are all
very different, and it is up to you to come to a series of product
offerings that solve their issues.
Q731 Baroness Hilton of Eggardon:
But you do not tell us what you offer. You say that you have 170
members in your organisation.
Mr Blessing: Each individual organisation comes
up with their own particular solution to the problem.
Q732 Baroness Hilton of Eggardon:
But they do not tell the customers—or at least they do not
tell me—what they offer in the way of scanning for viruses.
Ms de Stempel: AOL does.
Q733 Baroness Hilton of Eggardon:
Your company does, but should not all ISPs offer these as an obligatory
part of setting up a connection?
Mr Souter: May I speak to that? I am prompted
to ask a question back: what would be the authoritative source
that you would mandate as the thing to check against? You want
a check to be done and certain things to be removed; where is
the authoritative source of what is to be removed?
Q734 Baroness Hilton of Eggardon:
That was not my point; my point was whether ISPs should automatically
offer virus filtering services?
Mr Souter: My response was where is the authoritative
source of what virus filtering means? I tend to agree from a personal
point of view; anyone who does not make clear what they offer
is doing a rather poor mistake, because they are probably underselling
a service that they may offer you, but if you turn the question
round and say how do you mandate that all ISPs should do that,
the very first question that arises is what is the authoritative
source of all this, what is it that you want removed?
Q735 Chairman:
I would suggest that the ISP should offer in a transparent way
that capability, so you should be offered—
Mr Souter: I think that is what my learned friends
were saying they agreed with.
Q736 Earl of Erroll:
Can I come at it from the other side, which is that I can see
that people will have different definitions of spy ware because
sometimes it is just to do advertising tracking or tracking your
progress around the website, but I would have thought there is
a fairly universal definition of what a virus is and I have not
really heard an argument publicly ever that something was not
a virus which some people declared was, or can you give us some
examples?
Mr Souter: If you take the most recent publication
of one of the popular PC magazines you will see that they examined
the efficacy of a wide range of existing software products and
found that there was an appalling diversity of capability there.
Q737 Earl of Erroll:
That is a different problem; you said what is the definition of
a virus, and that is clear. The fact that the product you may
be using is incapable of finding some of them, or because there
is a new virus out there in the wild and your heuristic checking
can not find it quickly enough in order to get the data through
is a different problem, but to say that you want a definition
of what is a virus is a little bit—
Mr Souter: I am not advocating that a definition
be produced, I am simply trying to turn the question round and
point out that the question is not such a simple question to answer.
If we stay with the point which I think you were trying to make,
which is that ISPs should make it clear what their offering is,
there is absolutely 100% agreement amongst us, and anyone who
does not do that is actually being rather foolish and Darwinism
will take care of that because their services simply will not
be purchased by people. If the underlying message is that people
should be clearer about what is being done, I do not think there
is any disagreement at all from an industry point of view.
Q738 Baroness Hilton of Eggardon:
I thought I had made it quite clear that that is what I was suggesting
and I am still not clear that your poor customer is going to know
what the level of protection is that you are actually offering.
Ms de Stempel: For AOL what we do is we make
it very clear in our terms of service that we will try to stop
spam and filter viruses; however, we are also making our members
aware that we might filter the problem email just because of the
content that it has and we might not have known of a possible
virus. We are trying to be as upfront as possible within the terms
of service as to what we do, and we offer a filtered experience.
Mr Blessing: If it is a problem I would suggest
that maybe it is time to change your ISP. That is simple advice
but from our members' point of view they are out there to provide
you with a service as a customer that you would want. If you say
I want anti-virus, I want anti-spam on my account and they do
not provide it, then they are not the ISP that you require.
Q739 Chairman:
Do ISPs report what blocking they do?
Mr Blessing: Sorry, can you clarify, when you
say "blocking" what exactly do you mean?
| 
