Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 740 - 759)

WEDNESDAY 14 MARCH 2007

MS CAMILLE DE STEMPEL, MR MATTHEW HENTON, MR JAMES BLESSING, MR JOHN SOUTER AND MR MALCOLM HUTTY

  Q740  Chairman: I suppose they vary across the board, but does an ISP tell you that it has blocked something? There are two ways around this problem; if you block an email that you do not want blocked then presumably the ISP sends a message back to the sender of the email to say that that email did not get through—some do. I have had bank accounts where I have had a notification of a statement and that has been blocked by my ISP, but my bank then writes to me and says "Look, that email has been blocked." I find that quite satisfactory because I can then write and say "Please unblock it". I would far prefer to know that the safety precaution was there, so there does seem to be inconsistent behaviour. I would assume that ISPA has a set of rules of acceptable behaviour, does it, that you recommend to your members that you follow?

  Mr Blessing: We have a series of best current practice guides that say how the industry in general should behave in particular circumstances as a policy document within the organisation. It is not a mandatory requirement that they follow those particular guides.

  Q741  Chairman: You could have members who are behaving disgracefully and you would accept it.

  Mr Henton: We have an ISPA code of practice as well which members must adhere to and the best common practice guidelines are bringing together knowledge from within our industry to tackle specific problems, which are not mandatory.

  Q742  Earl of Erroll: We use Message Labs in Parliament and that sends you an email which says the following ones have been blocked so you can actually go to it on-line and see if they have accidentally blocked something you should have. It is very reassuring being able to see that and I can highly recommend it.

  Mr Blessing: There are many different solutions as to how you represent that information to customers.

  Earl of Erroll: You can send it under a subject line.

  Q743  Chairman: We took evidence from Bruce Schneier and he told us that ISPs were "in an excellent position to mitigate some of the risk" to consumers, whether from spam, viruses or botnets. From a technical standpoint do you agree with that? Perhaps he was inferring that more could be done than was being done today.

  Mr Henton: Could you repeat that?

  Q744  Chairman: This is a quote from Bruce Schneier, that ISPs are "in an excellent position to mitigate some of the risk" to consumers, whether from spam, viruses or botnets.

  Mr Henton: ISPs certainly are one part of the equation and ISPs can and in many cases do provide security solutions through security products as well as lots of security advice to consumers, but it is fair to say that ISPs are only one part of that equation. There are independent software vendors who may well be making available products that do those jobs better for certain individuals than ISPs are able to present, and there is a wider role of education. Specifically with regard to botnets, I speak for my own ISP Brightview, if we become aware that a customer's machine is compromised, usually from another ISP in fact—we would get notification that it is most likely to be sending out spam—then we would disconnect that user's machine from our network, we will contact that user and normally they would be entirely unaware that that situation had occurred and we will work with them to disinfect their machine and ensure that they are adequately protected against future infection.

  Mr Hutty: My Lord Chairman, it is important to appreciate the diversity of requirements that ISPs' customers as a whole will have, and the fact that we are operating in an environment which is not static, it is changing all the time. Taking your example of sending a notice back to somebody who sent a message saying that it was blocked by a spam system, if the sender of that was a bank and it unfortunately had been blocked when it should not have been, then it is obviously ideal that they should get that message, that their message should be unblocked so they could do something about it. However, if the person who sent the message was a spammer then all that message back has done is it has confirmed that there is an active email account there that can be targeted with spam; therefore, sending that message back would actually tend to increase the amount of spam that you receive. The balance of convenience between those two is something that is a complex question that we would suggest is best weighed by ultimately the user rather than any organisation, whether it is a trade association or regulation or something, across the whole of the market for everyone. When you also take into account that whatever we do the bad guys, the people who send spam and write viruses and so forth, are finding ways around that and finding ways to exploit the very systems for protection that we might put in place, so as to increase the chances of them being able to exploit you, the user, then it is important that we have a very diverse and rapidly experimental response to these problems rather than something that is too cumbersome.

  Q745  Earl of Erroll: Looking at the legal aspects of what we have just been discussing, are there actually any legal barriers to blocking spam or filtering viruses out or doing something like botnets in my spot?

  Ms de Stempel: We do not think so, as long as it is made clear to consumers when they access a service as to what they are going to get and the type of filtering they are going to be subjected to, then there are no legal barriers for us to actually do that.

  Q746  Earl of Erroll: You can detect sometimes that there is a botnet because you can see that a particular IP address coming into you is suddenly sending an awful lot of email when it does not normally do it and you are the people who could do it; would you be able to block that or do something about them or possibly even send something to remove that botnet?

  Mr Henton: To be honest, the first step there will be to contact the customer because it might be a legitimate change in their usage pattern. I know that Dr Clayton has written some software that analyses anomaly patterns from email boxes. It is research that a lot of the industry are looking at and watching because it is very helpful to be able to co-operate so that you can tell another network when you have seen anomalous traffic from their network, and there are many organisations out there co-operating and informing each other when they spot your network using their network in some way.

  Q747  Earl of Erroll: But if the customer does nothing about it—you try to contact the customer, they are out at work all day and you cannot get hold of them, what do you do?

  Mr Henton: In our particular case as an ISP we shut their connection down temporarily.

  Ms de Stempel: So would we. It is a good step to then educate that user as to how they can best protect themselves.

  Q748  Earl of Erroll: Having shut down their connection and if they are not available on the telephone during working hours, how do you get to them to tell them what to do next?

  Mr Henton: If you cannot get to them before they notice that their Internet connection is not working, they will usually phone in to our technical support line, assuming that there is some kind of technical problem and then we have obviously put a note on the account so that can then be dealt with by the support teams that we have 24/7.

  Q749  Earl of Erroll: As you are replying on behalf of ISPA there are one or two very large organisations which have technical support lines which are very difficult to get hold of, if they exist.

  Mr Souter: I was minded to comment about that a few minutes ago in response to one of the earlier questions. The question Lord Broers put was "is anything changing?" and the underlying theme to a lot of the questions that are being asked is not just "What is the status today?", but "Is it any better than it was a year ago or at some arbitrary point in the past?" LINX took the initiative a little while ago to talk to some of its larger members who were consumer broadband access providers in the UK and I have to say retrospectively, looking at that position a few years ago, it was pretty appalling. The AUPs, the Acceptable Use Policies, that even the very largest ISPs had did not give them a lot of latitude to take pre-emptive action in the kind of way that is implied by your question. Has anything changed? What has come from the industry side today—and we are falling into the trap a little bit of hearing a picture from three particular ISPs—if you try and generalise I would suspect that if you looked at this those AUPs have tightened up and so there is increased scope now for individual ISPs to take action of the kind that is behind your question if you like. Could you say that that is universal and a hundred per cent? Sadly, I suspect not, but then there is always going to be that kind of diversity in the market anyway. There will be people, for example, who will produce an offering, just as Malcolm said, that is designed to be the lowest common denominator, you just want access and you will take over the rest yourself. Again, if you think about what was implicit in some of the questions, it was almost implicit that there is a universality of the consumer end of the problem, i.e. everyone is on Windows PCs and therefore that defines, if you like, the nature of the problem. 
I am sure there is a growing but significant minority who simply look at that and laugh and say "We do not use Windows PC, we do not want to pay for a service that is already aimed towards protecting Windows PCs because we simply do not care about them; we are using UNIX machines, Macintoshes." There is a growing diversity of other kinds of equipment that is connected to the network and the solutions that may be available to them will be totally different from, if you like, the very broad range—and it may be more than 90% of the market—of those other systems. The other point that was interesting, going back to this question of has anything changed, I do not want to give over-reassurance but I recall a time from personal experience where, if you contacted your ISP and foolishly said that you were in a network at home, the very first thing they would say to you in response—and I am thinking about some of my friends here—was, "We do not support that". In other words you were actively discouraged to use a router and actively discouraged to be sitting your end user device behind network address translation which provides a very crude level, a first level of defence, against the kinds of things you have brought up today and you are clearly worried about. What has changed in recent times is that now the ISPs positively encourage you to have a network at home, even if you only have one device connected, because at least then they know that the thing they are connecting to is a router and not a PC that is so easily exploitable in 2007. That definitely has changed and we are seeing some of the impact of that going on in the market. Is it enough? Is it universal? Probably not, and those may be areas that could be fruitfully explored, but it is those sorts of dynamics in the market that have changed in the last few years that perhaps would be more fruitful to study.

  Q750  Chairman: I would take issue with one thing that you said. You said that there are lots of UNIX machines and Macs around: there are not. There are amongst the community of experts who understand what is going on and who control it all, and that is one thing that alarms me particularly; 95% of the users still have Windows PCs and so what we are trying to look at is, are the women and men in the street sufficiently protected, or is this whole system being controlled by a series of experts who have their own view of it and want the system to remain completely open so that they can go on having their capabilities. This is a difficult issue. You could go back and look at analogies of editors of newspapers and should there be some rules that control them, but your statement that there is a growing proliferation of alternatives to Windows is not true in practice; over 90% of users still use Windows PCs.

  Mr Hutty: Most of the market for consumers is held by a relatively small number of large ISPs that do provide additional value added services to support the consumer. You then asked questions about "Is this universal?" or "Are there lots of other ISPs that are not doing that?" There are a large number of small ISPs that are serving, from the consumer market, a very small proportion of the market, and you correctly identified it as a very small part of the market. Indeed, Ofcom had a recent study on niche ISPs that showed something like 680 ISPs that they identified serving about 5% of the consumer market and about 30% of enterprises. The different kind of ISPs, different from the AOLs, the BTs and the Virgin Medias, will sometimes be offering different services, orientated either at the techie that you were talking about or, particularly, the business that is generally much more interested in providing its own protection for its own purposes and will have separate requirements and separate sites and will require different resources to deal with it. When you talk about universality in this, then all these different requirements become important, but if you are talking about broadly speaking for consumers as a whole, then I accept your point but you would have to be looking not at what every single ISP is doing but instead what is common amongst those that are serving the consumer market.

  Mr Souter: My Lord Chairman, I did not mean to imply that there was not a problem amongst the great majority at all; I take your point entirely.

  Q751  Earl of Erroll: Might an idea be that if you want to have an unfiltered feed or connection to the Internet that you have to pass a certain technical competency exam? There was only one thing that I just want a very quick answer to, which is if you do block some emails from getting through to customers, do they have any legal redress or is it just bad luck?

  Mr Henton: I do not think it has been taken to a court of law.

  Ms de Stempel: If we are making it clear in our terms and conditions that there are some false positives, it is bad luck, but then when we are approached we learn about the kind of mail that a certain computer will send and then readjust our technology.

  Q752  Lord May of Oxford: Do you think the UK spam laws are "fit for purpose"?

  Mr Blessing: In one word, no. What is missing from them, to be honest, is any form of redress that will actually make an impact. At the minute the maximum fine is around the £5,000 mark and if you are a spammer and you are pumping out millions of emails, the odd £5,000 fine is not going to actually make any difference to your operation, it is just a cost of business as far as they are concerned. I do know that AOL had some fun in the States acquiring a Porsche from a spammer and then giving it away to one of their members in compensation; that has a much higher level of impact when it comes to a spammer's operation.

  Q753  Lord May of Oxford: Are there a significant number of UK-based spammers and, if so, what is being done to target them, other than to take away the odd Porsche?

  Mr Blessing: When you say "spammers" are you talking about the actual corporates behind them or are you talking about the sources of spam? They are two separate issues.

  Q754  Lord May of Oxford: I am talking about both.

  Mr Blessing: The majority of spam is coming from botnets and most of the botnets are all over the place so spam does appear to come from all countries in a varying amount, depending on the level of piracy in a country—there seems to be some direct correlation in that the greater the degree of piracy in a country the higher the level of botnets and therefore the spam generated in a country. I know people who will refuse all emails from countries like Korea and China out of principle; they just will not even talk to those countries unless it is a recognised ISP server who has signed a contract. When it comes to the actual spammers themselves, it is very difficult to identify them.

  Q755  Lord May of Oxford: There is a complication in the follow-up question I was going to ask you, I was going to say do ISPs have a right to prosecute spammers in the UK in the way that Microsoft, for example, through MSN has prosecuted spammers in the USA? If so, has any use been made of this right? I conjecture from that answer that you are going to say it is all too difficult.

  Mr Blessing: At the minute the only person that appears to be able to prosecute the spammer is the individual end user who has to be not using the email address for any form of business, so it has to be your own personal email address, in which case you can have a go. If you are a business you are expected to take spam.

  Q756  Lord May of Oxford: In an ideal world what would you do to improve things?

  Mr Blessing: To be honest, the majority of spam or the causes of spam are outside the UK. The best thing we could do is take away Windows from end users and allow us to have the ability to sue people.

  Mr Hutty: What James is alluding to is the fact that spam, and most of what you are considering, is essentially a security issue, it is caused in large part by the exploitation of vulnerabilities in consumer devices, in Windows PCs and so forth, and in other applications that run on the PC. These are not failures in the network per se, they are the exploitation of vulnerabilities in other things that are actually not what ISPs sell, they are not what ISPs provide. It may transit over what the ISP provides and some ISPs may see a business opportunity essentially for consumer marketing in helping to protect people, very often as a reseller, very often as a reseller of third party security products or, in the business market, an ISP might go into bespoke security consultancy, but it is all more than technical guts of the communications network. My technical response to the questions has been geared very much towards the actual running of the network with the ISP, but when you speak to a consumer-focused organisation such as AOL here, you get responses that are very much geared around the consumer as a customer. That is seeing the ISP as a business role and the ISP as a network, but from the point of view that you were just addressing, my Lord, the ISP is not part of that but can contribute to the solution in partnership with other organisations. When it comes down to what can be done to fix it, better security of PCs is clearly the answer, but how you achieve that is not really for us to say because it is not really our business.

  Chairman: That is one of the key issues of course and we have spent a lot of time on it. Last week we were talking to a lot of the suppliers of operating systems et cetera and having that conversation, and we do appreciate the complexities of that situation. At the moment though I am beginning to come to the view that too much responsibility is put on the end user and that there may be capabilities elsewhere that are not being exploited at all in trying to help. We heard an analogy made by one expert that we were talking to in Silicon Valley who equates this all to the supply of water and said what would happen to a water company if it supplied poisoned water to every household and required the household to provide the filters. It is perhaps not a good analogy but I throw it out, that opinion is around the place with certain people. Let us move, Lord Erroll, you have another question.

  Q757  Earl of Erroll: There are a lot of attacks on Internet routing systems which redirect traffic to the wrong place so that the "bad guys" can intercept email, perform phishing attacks, man-in-the-middle attacks or disrupt normal service. There are systems such as "secure BGP", "secure DNS", "SMTP over TLS" and some of these might prevent such attacks but are rarely used. Why not? Is this an area for regulation or for incentives?

  Mr Hutty: DNS-Sec and sBGP are experimental systems. If we were in an environment where regulation prescribed what protocols to use and that kind of level of detail, it is my belief that that regulation would not be requiring those systems because they are experimental, they are immature and they are still in the process of argument about whether they actually work and whether they work bearing in mind certain flaws that have been identified or potential flaws that have been identified—I am thinking of particular things in DNS-Sec. I would suggest that these fall into the category of the Internet as being an environment that encourages the technical innovation and development of user systems and regulation should support and enable that diversity and experimentation because that delivers benefits. If we were to move to an environment where it was quite that prescriptive in regulation at a technical level, then that would very much preclude it.

  Mr Blessing: The Internet depends on co-operation between users. The Internet is not a single thing, it is lots of other networks connected together, so where those networks connect there has to be co-operation and organisation between those two networks. If one side says "I am going to use this" and the other side will not support it, those two networks will not talk to one another.

  Q758  Earl of Erroll: What you are really saying—which I would tend to agree with—is that regulation is not going to work because you will always be behind, but incentives might if in some way you were incentivised to move faster towards some of these more secure technologies.

  Mr Hutty: The incentives are there. Take sBGP, the incentive in that is that it protects against an attack on your core infrastructure. What more incentive could you offer an ISP to protect themselves against an attack on their core infrastructure than the fact that if it is attacked and it fails then they have lost what they are providing? So the incentives are very much there.

  Q759  Earl of Erroll: Earlier, in response to another question, you actually pointed out that the network is layered, you have an abstraction of network layers, and the fact that the routers can then be attacked was actually suggesting you are undermining that fundamental principle, so you should be addressing these areas using things such as sBGP or otherwise actually your abstraction network does not exist.

  Mr Hutty: I hope you did not understand my answer, when I was saying it is experimental, to mean it is not something that is important or coming or going to happen; I was not being dismissive of it.

  Mr Blessing: There is not the stable vendor support to operate those protocols.

  Mr Hutty: But that will come.

  Mr Blessing: That will come. People really want the network to be stable because it means you can provide the service. Therefore they are pushing the vendors to fix those problems; the vendors' hardware has to support the protocols otherwise you cannot implement them, and both sides have to support it. There is more than one vendor platform and until all the vendor platforms support it properly and inter-operate properly, people will not adopt it.


© Parliamentary copyright 2007