House of Lords report on Personal Internet Security
Monday 13 August 2007 07:22:40 by Sebastien Lahtinen

The Science and Technology Committee of the House of Lords has published a report on Personal Internet Security which makes recommendations about the role of service providers versus individuals in ensuring the Internet remains a safe place for its users. Its key recommendation is that the responsibility for security cannot remain solely with the end user.

The report, which runs to over 100 pages (excluding additional evidence and background), reminds everyone that the Internet is becoming the 'playground of criminals' and concludes that many organisations, from hardware manufacturers, software publishers, retailers and Internet Service Providers to the police, judiciary and other stakeholders, could all do more to help users protect themselves. It also acknowledges that a "return to a world without the Internet is now hardly conceivable".

One of the key problems with the Internet is that when it was built and designed, it was not expected that it would grow to the extent that it has, or that it would be used for the applications that it is being used for today. The underlying protocols that make the Internet work are a product of an old era when it was used by the U.S. military and academics, not the entire population.

The committee recommends that ISPs should be encouraged to monitor and detect "bad" outgoing traffic (such as viruses or other attacks) from their network (originating from their customers) and that the "mere conduit" immunity (which allows ISPs to claim that they are not responsible for traffic passing through their network) should be restricted when they become aware of issues on their network. Whilst making service providers more responsible for content on their network once they become aware of it is commendable, there is also a problem with the lack of quality in many complaints directed to ISPs which could increase significantly. Who pays for the cost of processing a complaint to an ISP which relates to a service which that ISP has nothing to do with?

"The current assumption that end-users should be responsible for security is inefficient and unrealistic. We therefore urge the Government and Ofcom to engage with the network operators and Internet Service Providers to develop higher and more uniform standards of security within the industry. In particular we recommend the development of a BSI-approved kite mark for secure Internet services. We further recommend that this voluntary approach should be reinforced by an undertaking that in the longer term an obligation will be placed upon ISPs to provide a good standard of security as part of their regulated service."

"Personal Internet Security", Report of the Science and Technology Committee, House of Lords.

Criticism is not limited to service providers, with the committee also recommending companies supplying software and hardware do more to ensure that the 'default' setup is more secure. It also suggests banks should be responsible for electronic fraud.

Security on the Internet is always a very difficult subject to approach because of the diverse range in IT skills that exist in our society. Whilst this is likely to improve over the generations, there will always be some who are technically less aware than others and this will give criminals the opportunity to exploit those who are less cautious. The real question is, to what extent should the government and the organisations supporting and using the Internet be required to supervise the individuals on their network who lack the technical knowledge to protect themselves?

A question for you to ponder: should Internet users be required to pass a test and get a license before being entitled to order a broadband connection?

Comments

Posted by KarlAustin over 9 years ago
I can see this leading to a lot of unhappy end users if they really push it and ISPs end up responsible for customers with worms on their PCs - Because ISPs will take the easy route, just shut the customer's connection down, solves the problem. With hosting companies, that's fine, once they know about it, they should take down any illegal content etc. but that's very different to an ISP and computers/networks outside of their direct control.

ISPs can be no more responsible for what a user does, than the highways agency is if someone decides to drive down the motorway in the wrong direction.
Posted by seb (staff member) over 9 years ago
I am in a strange position of seeing both sides of the coin. As a hosting company, I believe ISPs are responsible for the actions of their users, however you have to limit that liability to keep things sensible. The idea ISPs should be there to pay lawyers to find out the likelihood of something being illegal, libellous, etc.. and then taking the risk on it, is shifting the costs.
Posted by seb (staff member) over 9 years ago
Also we need to bear in mind that as I said in the article, the number of reports (especially from semi-automated sources including software that encourages submission by those without the understanding of what they are doing) that are just not sent to the right party is a real problem when you scale up. Similarly the systems from some larger ISPs trying to detect if your report is valid also have bugs in them.
Posted by herdwick over 9 years ago
Some ISPs - Metronet - have blocked user accounts on detecting suspicious worm type traffic, putting the user into a walled garden and presenting them with a splash screen explaining what's what. I would personally be in favour of this approach as well as blocking open SMTP relays etc. I would also ban HTML mail and provide "opt out" filtering of executable attachments to emails.

The 800lb gorilla here is Microsoft and its easily exploitable operating system and applications - should they be carrying the can for activity that relies on their deficiencies?
Posted by dougmccoy over 9 years ago
The proposition that the internet should be restricted to people who have passed a competence test fills me full of horror. The ability, and some would argue the need, to promote communication and education via the internet lies in the ability of the average person using it. Restrictions on use by competence tests would preclude many social groups and ultimately might even be counter productive.

Perhaps if the ISPs were to introduce more stringent checks on the identity of their customers they might be able to limit their exposure to some of the problems we're now seeing?
Posted by sjy06 over 9 years ago
Pondering your question, it is obvious that the test has to be for ISPs because it is their equipment that is actually connected to the internet and not the user's! The real question would be "how are ISPs going to police the internet users when they charge the users for access to the internet!".
Posted by petera over 9 years ago
I would also commend Metronet's approach in blocking user accounts with suspicious worm type traffic (I am not sure it still applies now Metronet has been taken over by Plusnet, but I hope it does). If all ISPs did this it would surely be a step in the right direction.
Petera - Metronet customer
Posted by KarlAustin over 9 years ago
It'd be a never ending arms race though, which would result in prices for consumers going up - which means ISPs not doing such, would find themselves at a price advantage. If you block one sort of traffic/technique, they'll find another, and then you'll have to buy more kit.

The best way of tackling this, will always be user education and making users responsible for what their PC does when it is online - If you drive recklessly and you crash, you don't blame the highways agency, same with your PC.
Posted by herdwick over 9 years ago
"The best way of tackling this, will always be user education and making users responsible for what their PC does when it is online" - but isn't that what our noble friends have looked at and rejected as being inefficient and ineffective? It is after all the status quo.
Posted by CARPETBURN over 9 years ago
The best way to tackle it is make Microsoft release secure operating systems instead of the tat they constantly churn out riddled with bugs and backdoors... As government are involved though they will always take the easy option and punish the user rather than the cause.
Posted by rpaulgamble over 9 years ago
Education is all very well but unfortunately it is not the inexperienced who are causing the issues being discussed but rather those who know more than they should. Being able to regulate these will always be very difficult unless the ISPs do the regulating and take actions against those who break the rules - this can only be a partial success until all ISPs sing from the same songsheet.
Posted by CARPETBURN over 9 years ago
Not to mention it won't stop those that are deliberately out to infect networks. Even if the ISP cut them off they would just get a new ISP and continue their malicious hacking, trojan/worm planting etc from a new ISP. When that one gets the plug pulled they just change provider again. Like anything government based it's another harebrained idea from fools that have no clue what they are talking about.
Posted by herdwick over 9 years ago
"fools that have no clue what they are talking about." actually it appears to be quite well researched, thought through and widely consulted with relevant experts. I'm not sure I fully agree with the conclusions but it certainly has a lot more thought and study behind it than some of the ignorant opinions one sees hurled around.
Posted by martinwguy over 9 years ago
Computer systems must be responsible for their own security; protecting insecure systems with antivirus software has always proved ineffective. This proposal is little more than moving filtering of Windows viruses upstream from users to the ISPs. Remember that ISPs deal in internet data streams, which have nothing to do with Windows.
What might be effective is a kitemark for consumer devices, but no Windows system could ever pass a valid test of this kind. People have been sold mud huts and now want to force ISPs to hold up umbrellas against the rain.
Posted by martinwguy over 9 years ago
Oh dear. Quote: "The analogy that underpins the structure of this report derives from road transport." and they then go on about policing, road lighting and driving licences :( As with copyright (analogy to movable-type paper printing) and patents (analogy to production of material objects) they fail to understand that I.T. is something of a new and different nature. Analogies may help beginners grasp alien concepts but are not a basis for law-making, however comforting that may be.
Posted by CARPETBURN over 9 years ago
It isn't well researched herdwick, it's more government blub. Tell me how they are going to stop a trojan creator/spreader by just putting the problem in ISPs' hands huh? If the ISP pulls the plug that same person especially in this country can just change ISPs and be back up and running doing their deeds within a few days. Even if they got banned by every broadband ISP in the UK trojans are small in size, so then they would just create the trojan offline and use one of the many local call rate dial up services to spread their evil creations, it's not thought out at all.
Posted by NICK_ADSL_UK over 9 years ago
Well as a Microsoft security MVP we always take a great interest in what is going on in the world of security. You can be sure that our response times where an exploit exists is very quick and the powers to be will be fixing it. Having said that there are also a very highly skilled group of people in the world who try day in day out to bring it to the ground. I say to these people you will fail as I believe our commitment and skills are greater and with our determination and strength we will succeed.
Posted by CARPETBURN over 9 years ago
LMAO NICK_ADSL_UK maybe before MS release their next operating system you can spend a few more years working on it cos it's clear the 5 years spent on Vista are a joke when it comes to security. It has more holes than a field over-run by rabbits LOL
Posted by NICK_ADSL_UK over 9 years ago
Hi CARPETBURN
Just a reminder in that MVPs do not work for Microsoft under any circumstances and therefore unable to make any operating system secure. My role and that of other MVPs can be found here
https://mvp.support.microsoft.com/

My own personal role is the helping of the general public locally for free and via the forums I serve in.