Examination of Witnesses (Questions 760 - 778)
WEDNESDAY 14 MARCH 2007
MS CAMILLE DE STEMPEL, MR MATTHEW HENTON, MR JAMES BLESSING, MR JOHN SOUTER AND MR MALCOLM HUTTY
Q760 Earl of Erroll:
Will there be a problem therefore because BT is buying its 21st
CN routers from China; it is Hawaii technology. Will that be a
problem?
Mr Blessing: No, because they will adopt the
standards. The problem is we do not know when they are going to
get them into development.
Q761 Earl of Erroll:
Is this actually quite vital, because at the moment if you have
got a man-in-the-middle attack, a phishing attack using a man-in-the-middle
attack, one of the ways you can check as to whether there is something
going on is to ring up the bank or whoever to find out whether
it was genuine or not, but if you have a vishing attack at the
same time, simultaneously, they could be interrupting that man-in-the-middle
attack as well, so if we do not have proper security of these
layers, someone could be totally vulnerable, there is no second
channel over which you can all hope to get an electronic communication.
Is that a problem?
Mr Blessing: You are saying
Q762 Earl of Erroll:
When you have VoIP telephony - 21st century telephony is VoIP - that
will be vulnerable to the same sort of attacks as man-in-the-middle
attacks on the rest of the Internet, so when you try to authenticate
by ringing up, that telephone call can also be hijacked I presume.
Mr Hutty: That is not necessarily true but it
is possibly true depending on the implementation. As things stand
it is possible to prevent those sorts of man-in-the-middle attacks.
There is a balance of convenience that the banks or an eCommerce
site has between allowing their customers to use their site easily
and readily without going through the rigmarole of setting up
and authenticating it against the security of this. The technical
systems are available for them to use that will prevent a man-in-the-middle
attack; the technical systems are available for deployment
against other applications and that would include VoIP. I am not
going to speak to the 21CN thing because I do not think it is
appropriate, you would need to speak directly to BT about that,
but in principle the broader question is that man-in-the-middle
attacks are a solvable problem; but they do entail a balance between
security and ease of use at the moment.
Q763 Lord Paul:
The Government wants consumer ISPs to block access to child abuse
image websites. Is this practical and will it work?
Mr Henton: The Home Office has made its intention
clear that by the end of 2007 it wants all ISPs offering broadband
Internet connectivity to the UK public to have implemented systems
for blocking access to child abuse images and child abuse websites.
A good many ISPs have already implemented a form of blocking technology
which does block those images that are identified by the Internet
Watch Foundation and put onto their child abuse database. In that
sense you could argue that it is practical because it is being
done. My own company Brightview implemented this back in 2004,
but I do not think content blocking in this way should be seen
as a panacea. We need to make an important distinction between
a deliberate concerted attempt to distribute and to access paedophile
material and an accidental downloading of a piece of material.
Blocking the IWF list will protect consumers who might accidentally
go onto a website where such images exist; it is unlikely to stop
a determined paedophile because they are always going to find
a way around such blocking technologies; it is difficult to circumvent
them and, in fact, there is a very strong argument that employing
blocking technologies will actually drive paedophile activities
underground into the so-called dark net where it is impossible
to actually trace their activities. That could have consequences
in terms of trying to secure prosecutions against those people.
Q764 Lord Paul:
What other sorts of traffic would these systems block and how
does the "end-to-end principle" interact with the blocking
system?
Mr Blessing: In theory it can block anything
as long as you know what you are blocking. If you can come up
with an absolute list that says this must be blocked, you can
block it, but unfortunately doing that completely destroys the
end-to-end principle; it means that people could potentially put
controversial things - we have this protest going on outside
at the minute about weapons of mass destruction and, potentially,
a website discussing that particular topic could end up on that
block list, at which point no one could view it if that block
list was enforced. It completely destroys the point. The other
thing it does is it adds a layer of complexity to the network.
Something that has been discussed a number of times by different
people is potentially it would revoke the mere conduit status
of an ISP and make them liable for blocking stuff they do not
know about, which has not been decided one way or the other because
no legal advice will come down on one side or the other.
Mr Henton: If I could just say, the reason why
the ISP industry has generally moved towards these blocking technologies
with specific regard to the IWF CIA database is the trust that
ISPs have in the IWF and in the authenticity of that database
and what it contains. Where the ISPs would certainly lose trust
would be if other types of content were to be requested to be
blocked: who would be requesting them and what would be the verification
process behind what would be on any other databases.
Mr Blessing: The other particular issue with
the IWF as it stands is that it is generated at points in time,
it is not a live system, which means that potentially the minute
it is updated it becomes out of date and anybody wishing to distribute
images realises this and they will basically change their content
just after the update.
Mr Hutty: That goes directly also to Lord Paul's
point about the end-to-end principle. The designers of the systems
that we are referring to take a list that exists of addresses
of content to be blocked; that list, as James has just said, inevitably
becomes out of date all the time, although the IWF update it as
fast as it can, but it also has the characteristic that it inherently
ignores material that either does not have an address or material
whose addresses are unknown to the IWF. The first category would
include material that is simply passed around directly between
paedophiles and the second would be something that is locked away
in some secret area that you have to be a member to take part
in, and that therefore is an inherent flaw in such a system meeting
the policy objective of preventing paedophiles getting access
to this material. If you were then to extend that principle so
as to say the ISP ought as a gatekeeper for the Internet to be
able to prevent access to all that kind of material, to be able
to tell themselves what that material is, then quite apart from
the essentially impossible nature of asking ISPs to make that
kind of judgment, that would come down to a very low level to
the technical question of infringement on the end-to-end principles
to which you were referring specifically. If you ask an ISP to
approve the traffic that is passing over its network and decide
whether or not it is going to block it, based on its own criteria,
the ISP would have to then say for each piece of material, this
piece of material is okay, I will pass it on, this piece of material
is not okay, I will block it. Then it will come up against another
piece of material where it does not know, it does not recognise
this, it cannot tell. If the ISP is held legally responsible for
blocking access to illegal material, of whatever nature, then
the only practical recourse for it as a business would be to block
that material that it does not recognise. That practice would
prevent people from deploying new protocols and developing new
and innovative applications, including the security applications
and systems that Lord Erroll was talking about earlier, and also
new services. As we put in our written evidence, just about everything
you think of as the Internet nowadays - the web, modern email,
instant messaging, video conferencing and voice - all those
things have been implemented since the core so if you were to
take that sort of policy decision that ISPs should be required
to recognise what those things are and to make decisions accordingly,
you will be preventing that kind of innovation and you will be
turning it from what I would characterise as a communications
network that connects end points that pass information to each
other into an on-line service where you simply connect to the
ISP and get whatever the ISP thinks is acceptable for you. That
would be a major policy change and it is not a policy change that
the rest of the world has been doing. One thing that I have not
actually mentioned yet is that all this is in a global context
as well.
Q765 Baroness Hilton of Eggardon:
Are you always able to detect when your customers become part
of a botnet and, if so, what do you do about it? You have told
us some of the things you do in terms of communicating with them.
Do you do other things like putting them in a sandbox or a walled
garden and restricting access or do you just try and sort out
the whole problem?
Mr Henton: We at Brightview sort out the problem
on an individual user basis. We disconnect them from the network
as soon as we are aware that a customer is infected and we then
do not allow them to reconnect to the network until a technical
support adviser is reasonably satisfied that the source of the
infection has been removed and that steps are in place to prevent
future infection. Only then will they be allowed to reconnect
to our network. From speaking to my colleagues at other ISPs they
have broadly similar policies in place.
Q766 Baroness Hilton of Eggardon:
A sort of halfway house would be to restrict access rather than
to use some aspects?
Mr Blessing: There are a number of ISPs who
have developed sandboxes, walled gardens, bits that are limited,
so they can have access to things like virus updates and can actually
download new pieces of anti-virus software to clean them temporarily
and also the ability to then see whether there is any anomalous
traffic, whether the user is doing something when they say they
are not actually using the machine and whether there is traffic
passing to locations that look suspicious.
Chairman: That leads to Lord May's question,
please.
Q767 Lord May of Oxford:
Do you have any estimate of the number or proportion of UK machines
that have a security problem, the zombies?
Mr Henton: ISPA has no such figures on the number
of machines that have a security problem. However, you could argue
that any computer connected to the Internet potentially has a
security problem. The number of security updates from operating
system manufacturers and application vendors will tell you that
new vulnerabilities are being found on an almost daily basis,
so the potential is there for virtually any machine to develop
a security problem.
Q768 Lord May of Oxford:
As I hear you, you say the problem is getting worse but you have
no idea how big the problem might be?
Mr Henton: There was an IAM port (?) study in
June 2006 that estimated that compromised computers send between
50 and 80% of all spam worldwide. My personal view is that it
would be the top end of that estimate.
Q769 Lord May of Oxford:
Could you convolve that with the number of things that are sources
of spam to come to some sort of ball-park estimate of the number
of computers thus compromised?
Mr Henton: We have not been able to estimate
that.
Mr Blessing: Part of the issue is the fact that
the traffic from those particular users is now not that different.
Dr Clayton's work will help us spot some of that anomaly and we
may be able to do some numbers.
Q770 Lord May of Oxford:
It seems to me that the crunch question was going to be whose
job is it to fix these machines but it now seems that the question
is whose job is it to identify these machines and subsequently
whose job is it to fix them? I find it interesting the fact that
some of these things you seem to have made an almost evangelical
virtue - and I can sympathise with it - of, "It is
not my problem. I am just being creative. Do not interfere with
me lest you screw it up." Do you not think it is somebody's
responsibility to be thinking a little bit more coherently about
some of these things? I am surprised that the answer to that question
is, "I have no idea how many are compromised."
Mr Souter: I think we do know.
Q771 Lord May of Oxford:
Good.
Mr Henton: I think the figure is very well-known.
It is not talked about for the very reasons that you have just
alluded to but I think a lot of large ISPs absolutely know.
Q772 Lord May of Oxford:
What is it?
Mr Souter: You would have to get the collective
figure from each of the ISPs to come up with a number and that
is the unobtainable answer in response to your question. There
is no doubt about the question.
Q773 Lord May of Oxford:
If we were to ask could you follow up on that collectively to
give us a written supplement, would that be a sensible question?
Mr Blessing: We could ask our members if they
can give an estimate and feed those numbers back. I do not know
how good the level of response you would get would be, but we
can always ask.
Q774 Lord May of Oxford:
I should not speak for the Committee but I think that in itself
would be interesting, the two-fold numbers of what is the estimate
made by those who responded and what is the percentage of those
who were unwilling to respond. I think the Committee might be
interested in that.
Mr Souter: I think that would be a fascinating
answer. I think the trouble is in posing a question of this nature,
inevitably what people are going to then do is to try and figure
out why the question is being asked in the first place and what
the implications are, and that will inevitably impact on their
reply. We did some work on this in LINX a little while ago where
we talked only to a tiny, tiny subset of the very largest ISPs
and the numbers that we are talking about are horrific. They are
in the millions. Let us get that out on the table. This is slightly
out-of-date information now because we did this survey a little
while ago but there is no doubt that it is in the millions. Given
that the most recent Ofcom figures show that there are 11 million
consumers with broadband access in the UK (and that itself represents
an under-estimate of the total number of PCs that are connected,
it is a much bigger number than just the 11 million) then the
proportion is pretty high. As Matt said, this is ever-changing
because as people fix vulnerabilities those machines will disappear
off the botnets and then they will be harvested again through
some other new vulnerability. If there was a clear direction as
to where we are going with this, then perhaps something productive
might come out, but I suspect if you simply say, "What is
the figure?" you can choose any scary figure you like.
Lord Mitchell: But you are the experts,
you must have a feel for it?
Q775 Chairman:
He has told us there are millions. Can we ask AOL how many machines
do you communicate with that are compromised?
Ms de Stempel: I actually do not know but I
will follow that up. I think it is a bit unfair to say that we
are abdicating all responsibility. We are actually working very
hard to push these network security items to all our consumers.
We are trying to make people put an anti-virus on their machines.
We are promoting this regularly and we are pushing it regularly.
We are participating in Get Safe On-Line. We are participating
in every single action that we can.
Q776 Lord May of Oxford:
I may have put it too strongly. I guess to put it more fairly
I would say the sense I get - and I may be alone in this - is
collectively you seem to see a tension between creativity and
accountability and my personal impression is that for at least
some of the answers the balance was tipped, for my taste, far
too much towards the creativity rather than the accountability.
Mr Souter: I do not think that is the issue
here. I do not think it is a tension between creativity and security/protection.
I suspect it is an economic argument. If you think about what
would be involved in the larger networks, who clearly know they
have got large numbers of compromised machines on their networks
and what they could do about it and the cost of doing that. Matt
gave an example there: imagine a multi-session telephone call
with one particular user where you guide them through the process
of getting their compromised machine back to a level where it
is not compromised any more and it is fit to be on the network
and then it is additionally protected such that it does not get
immediately compromised again; imagine with someone who is not
particularly expert how many telephone conversations that is going
to take and just how difficult it would be to resource that on
a scale of say a million, because we have got some networks in
the UK that now have several million broadband access customers.
I think therefore what you are talking about is an economic issue
rather than something that is to do with the things that Malcolm
was pointing out about the way the network is designed. We are
talking about compromised end-user machines here, not something
inherent in the network at all or to do with network creativity.
Q777 Chairman:
I think we are going to have to move on. We are running very short
of time. Just a couple more questions is all we will have time
for. Would you welcome a breach notification law? Have there been
cases of ISPs losing personal data?
Ms de Stempel: ISPA would not welcome the security
breach notification law nor does it see the value in having one.
There are already security co-ordination centres and we believe
that joined-up industry action by the various sectors affected
by threats to on-line security will be the only way to usefully
combat on-line security threats. The wide range of industry participants
involved in the GSOL from the communications, banking and security
industries demonstrates that GSOL has already started to facilitate
this, but while consumer awareness has been raised there is still
a long way to go in changing consumer attitude. It is something
that we are working very much with all other industries to raise
consumer awareness as to what they should do.
Q778 Chairman:
So you are saying that if an ISP loses all of their customers'
data or some of their customers' personal data that they should
not be held liable? The majority of US states now have breach
notification laws.
Ms de Stempel: I read the question more as security
as in someone attacking your system or being aware of a fake web
page that purported to be what it was not, so maybe I am misunderstanding
the question.
Mr Hutty: It is important to be clear here about
whose security failure it is and who is doing the notification.
If an ISP loses data properly under its control, like its customer
account database, then it would already probably have infringed
the Data Protection Act - that is one thing - but I am
not aware that is really something that happens. I am certainly
not aware that there is any clamour that that is a serious problem
in that it happens a lot, so maybe you have some evidence or some
instances of that of which I am unaware. I suspect where this
is coming from is instead the concern over people who operate
web sites, who run e-commerce sites, or who do other things on
the Internet who suffer security breaches. The question has arisen,
I believe, out of the proposal for the breach notification law
that has been proposed by the European Commission in the Telecoms
Regulatory Framework, proposing that the European legislator should
include such a provision within the review of the Privacy Directive
in the Regulatory Framework. The problem is that that Directive
applies to public electronic communications networks and public
electronic communications services, so it would not apply to people
like the e-commerce sites that are not taking proper care of
the data. It would only apply to someone like an ISP losing their
account database but, as I say, I am not aware of evidence that
that is actually a problem. Certainly that is not the motivating
factor behind this proposal. One thing I would certainly suggest
is that the Commission have made a technical error in that proposal
in including that within the Privacy Directive in the Regulatory
Framework when actually with the policy question that they are
attempting to address there, whatever the merits or demerits of
the notification law might be, the appropriate place for that
would be in a revision of the Data Protection Directive where
it would apply to all data controllers.
Chairman: I think we are going to have
to end it there. It has been a very useful session and we are
very grateful to you. I think we understand the complexity of
this topic because we have seen a lot of evidence on the dark
side of the net and just what is going on there. There are literally
thousands and thousands of credit card numbers and personal security
information being traded and it has to come from somewhere, and
that is why we are probing to see what the sources of this are
because it is not satisfactory in our minds just to step back
from it and say it is so complex and the Net is so complex that
we cannot do anything about it. In any case, thank you very much
for your evidence and, please, if you think of anything additional
write to us. We have still got time to include it in our report
as we will be continuing for another two or three months. Thank
you all very much indeed.