
House of Lords report into Personal Internet Security

Status
Not open for further replies.

jrbarnett

Programmer
Jul 20, 2001
9,645
GB
The House of Lords Science and Technology committee report into Personal Internet Security was published on the 10th August.
Its recommendations have far and wide implications for UK based ISPs, software companies and organisations that hold personal data. The recommendations include:

* ISPs to detect bad outgoing traffic from their customers.
* ISPs to notify recipients of such bad traffic and to give the end users the opportunity to recover damages from the ISP responsible.
* The introduction of vendor liability for security breaches where their own negligence can be seen to be the cause of a particular security hole.
* A law requiring all data security breaches to be officially notified to a nominated body.
* The Information Commissioner's Office given the ability to conduct random audits of security measures in place in businesses and other organisations holding personal data.
* Express criminalisation of purchase or use of a botnet, for whatever it is used for.

For more information:

Science and Technology committee fifth report:

Summary of conclusions and recommendations:

Total report download:

Although this is only a report, such recommendations tend to end up affecting future laws in their respective areas, so it is something worth keeping an eye on.

I've posted it in this forum, although it could quite easily have been posted elsewhere quite legitimately. Comments, anybody?

John
 
Not all "botnets" are evil of course. Those SETI screensaver things, etc. are basically botnets.

I'll have to read those items linked above. I'll be unsurprised if there are provisions buried there to allow government spying too. ;-)
 
I don't think I'd call SETI screensavers 'botnets'. After all, they aren't being centrally controlled by someone else. It's just distributed computing.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
They also require consent of the computer owner/user to install and don't attempt to conceal themselves.

John
 
Some of this is pretty unworkable and totally outdated.

ISP to be liable? That will mean a simple thing. They will block ALL SMTP etc. traffic to cover their backsides. You have to pay and sign a legal waiver to allow it (for a fee of course).

"The introduction of vendor liability for security breaches where their own negligence can be seen to be the cause of a particular security hole."

This will be a nightmare to prove. It will cost millions in a court of law and probably get thrown out every time.

The botnet one seems about the most sensible. Not sure how you're going to convict someone in the USA, China or Russia, where most of these are generated, though.



Only the truly stupid believe they know everything.
Stu.. 2004
 
I think that with SMTP, a new and improved spec needs to be put forward and standardised. A spec that isn't so ridiculously easy to abuse, with more authentication.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
I think it will go further than just SMTP mail traffic Stu - it seems to cover everything. Some things are easy to define as bad: anything with known viruses, spyware, malicious code; malformed packets etc.
However, what about encrypted "bad traffic" over SSL links?

For the introduction of vendor liability for security breaches - what happens in the case of open source software where there is no one vendor?
What about people like me (and many others on here) who develop one off free apps? I can't afford insurance in case one of my apps screws up somebody's system or lawyers in case I get taken to court.

Conclusion: If this aspect goes through, I'm going to have to pull them from my website.

John
 
"For the introduction of vendor liability for security breaches - what happens in the case of open source software where there is no one vendor?"

Most likely the liability will be placed on the easiest to hit target, the ISP responsible for giving the user access to that software or the hosting company (if in the UK) that hosts the site providing the software.

This legislation is in line with new EU rules that force ISPs to keep a complete history of all activity on their networks (including a log of every resource visited by every subscriber, with subscriber account information, and a log of who sent email to who at what time) for several years, to be supplied to any government agency without requiring a warrant.
 
>new EU rules that force ISPs

Er, not quite: the act requires phone companies and ISPs to retain customer data such as the time, date and location of sent and received emails and phone calls for 12 to 36 months. The content of the communications, however, will not be retained.

My emphasis is there to show that the House of Lords recommendations are not in line with the EU Directive, since the recommendations are predominantly about content and the Directive definitely isn't.
 
The interpretation of the rules in at least the Netherlands also includes complete logs of all other data (though indeed not the data itself).

The EU directive indeed doesn't mention content explicitly, and at least in the Netherlands it has been decided to not include content after large-scale protest by ISPs and hosting companies. Protest, I might add, that had nothing to do with the privacy issues involved but solely the cost in infrastructure that would be involved and would not be reimbursed to them.
Earlier protests based on privacy issues had failed utterly to convince the government to change their plans.
 