rose to move, That this House takes note of the reports of the Science and Technology Committee on Personal Internet Security (5th Report, Session 2006-07, HL Paper 165-1) and Personal Internet Security: Follow-up (4th Report, HL Paper 131).
The noble Lord said: My Lords, those of us who are regular computer users—I think that we are now a majority, even in this House—have for some years been watching with alarm the increase in the criminal use of the internet, and have been especially worried about the impact that this has had on non-expert users.
In 2006 that concern led the Science and Technology Select Committee to decide to conduct an inquiry into personal internet security. The report from the inquiry was published in August 2007. In October 2007, we received the Government’s response to our report, which we were disappointed to find was extraordinarily complacent. Few of our recommendations were accepted and, indeed, the Government did not even agree with us that abuse of the internet was a significant problem.
As the committee was not satisfied with this response, a follow-up inquiry was launched in February 2008. It was chaired by my noble friend Lord Sutherland. As part of this follow-up, the committee asked those who had given evidence in the original inquiry to comment on the Government’s response. After receiving these comments it took evidence from two Ministers involved in policy on internet security: Mr Vernon Coaker, then Parliamentary Under-Secretary of State for Crime Reduction in the Home Office—I would like to congratulate him on his recent promotion—and the noble Baroness, Lady Vadera, Parliamentary Under-Secretary of State for Business and Competitiveness at BERR.
We were gratified to learn from the Ministers that the Government’s view had changed and that they were now taking a more positive view on our recommendations. Mr Coaker acknowledged that the follow-up report had prompted them to rethink their response. He said that the report had helped to drive the agenda forward and that reconsideration of the evidence had reinforced progress.
However, it was clear from the input we received from the witnesses that there was still much to be done. In this connection we were pleased that Mr Coaker offered to keep the committee informed every two months. We were grateful that he held to this commitment and the committee was pleased to receive his reports in July and September. On behalf of the committee I would like to thank Mr Coaker and the noble Baroness, Lady Vadera, for working so constructively with the committee.
Before moving to the substance of my remarks, I would like to thank those who supported our inquiry. First, I acknowledge and thank Dr Richard Clayton, our specialist adviser, who is one of the world’s leading authorities in this field and who has the added talent that he can explain the complexities of the internet in terms that non-experts can understand. His advice and his contacts were invaluable to us.
I also thank Christopher Johnson, who was clerk to the original inquiry, and Christine Salmon, who was clerk to the follow-up inquiry, and the staff of the committee who expertly co-ordinated the taking of evidence and organised our visits, especially the very valuable visit we made to the USA, and who wrote the clear and concise drafts from which the final report has emerged. I also acknowledge the contribution of committee members who participated in these inquiries and who brought a broad range of expertise to bear on the issues, some of which were of a highly technical nature.
I do not intend to go through all our observations and recommendations—they are laid out clearly in the report—other than to say that we still support all of them. I will instead concentrate on those I consider most important and that remain outstanding. Last week the committee was pleased to learn that the Government were going ahead with our recommendation to establish a specialist e-crime police unit, although it is not clear how the £7 million that is to support this unit is to be spent. We would appreciate the Minister telling us more about that. I seek reassurance that the important expertise that this unit will provide will be available to police throughout the UK, and that something along the lines of the regional centres of expertise set up by the FBI in the USA will be replicated here.
Important issues remain unresolved, such as the responsibilities of the banks. It is anomalous that the banks in the UK are not obliged by law to refund those who have been defrauded by electronic means. The banks set up schemes to avoid fraud, but when these fail they determine whether you have been defrauded. It is true that in the majority of cases they refund the money of people who have been defrauded, but they do this only under the voluntary Banking Code. Why are they not obliged to do this by law? In effect, we are being asked to put the banks in the special category of trusted institutions. In today’s environment this is scarcely appropriate. I suggest that we should watch them closely and regulate their responsibility to pay up when their anti-fraud schemes fail. We should introduce legislation equivalent to the Bills of Exchange Act 1882, which specified that if a bank honoured a forged cheque, the bank, not the customer upon whose account the cheque had been drawn, was liable.
The Government tell us that when we are defrauded we should report not to the police but to the banks. This is aimed, apparently, at reducing police bureaucracy. However, it is not in the banks’ interests to draw attention to the fact that their anti-fraud systems have failed, so they hope that the volume of fraud will not be too high and that they can absorb the losses. They remain silent and the crime is seldom, if ever, reported to the police.
I tabled a Question for Written Answer on this topic that was originally aimed at discovering the fraction of cases of electronic fraud reported by customers to banks that the banks had passed on to the police for investigation. I was told that this Question could not be answered because the Government grouped together online credit card and cheque fraud and did not separate out fraud reported by banks from that reported by individuals and merchants. Therefore, the noble Lord, Lord West, gave me the total number of cases of fraud from all sources reported to the police, thereby revealing that the Government have no comprehensive data on online or credit card fraud.
If you are defrauded via your credit card in the USA, your bank will not consider your case until you have reported it to the police and have sent it a copy of the police report. This enables the police to record and collate the information. If it is established that you have been the victim of fraud, under law the bank must refund you all but the first $50. In practice, they refund everything. The bank sends the information to the Federal Trade Commission, thereby ensuring that the Government have a record of all such electronic crimes and can monitor their growth or decline.
The Government rejected our recommendation that a cross-departmental group, bringing in experts from industry and academia, should be established to help gather and classify all forms of e-crime. In practice, data exchange over the internet and the storage of data are highly technical matters; they are so technical that very few people understand all the complexities of routing, encryption and decoding, and are therefore in a position to predict where the criminal experts are likely to practise their art.
Why are the Government resisting our recommendation? Do they think that they can do it themselves? The number of cases in which there have been losses of data from government and military organisations has been so large—there has been yet another today—that surely, had it occurred in the 1880s, it would have been the plot for a Gilbert and Sullivan opera. Do they really think that they can cope without advice? Why have they not accepted our recommendation to set up the expert group? I reinforce our recommendation that a data security breach notification law be introduced. The Government, fortunately, seem eager to admit their losses, but this is not the case with the banks and with industry. They, too, should be required under law to inform people when their personal data have been lost and they are therefore put at risk.
Finally, I will talk about the responsibilities of the network providers and the internet service providers. We recommended that the Government and Ofcom engage with the network operators and the ISPs to develop higher and more uniform standards of security in the industry. In particular, we recommended the development of a BSI-approved kitemark for secure internet services. Their response was that kitemarks were for products, not services, an out-of-date distinction in my mind, and went on to say that in any case this was up to industry, not government, and besides it was clear that the review of the EU regulatory framework for communications providers would address security and consumer issues and it would be unwise to do anything before the requirements of the European legislation had been clarified. Has there been any progress in Europe? How long are we prepared to wait before we do something ourselves?
Another aspect of the responsibilities of ISPs is whether they should be held responsible for the consequences of passing on false and damaging information. Sir Timothy Berners-Lee recently expressed concern over such misuse of the web. He was troubled by its use to spread fears that flicking the “on” switch of the Large Hadron Collider could create a black hole that would swallow up the earth. He had also been troubled by the misinformation that had been spread over the web that the MMR vaccine was harmful. He told BBC News that there needed to be new systems that would give websites a label of trustworthiness once they had been proved to be reliable sources. The label sounds rather like a kitemark to me.
He went on to discuss the difficulties that this would present, but none the less he felt that it was important to find a solution to this problem. Sir Tim’s World Wide Web Consortium, which has been strongly opposed to any controls being placed on the web, has changed its position on this. This is another example of how the headlong pace at which the web is growing challenges existing norms and requires new mechanisms for control. Can the Minister reassure us that the Government are putting in place the capability to react in time to threats that the relentless increase in the use of the internet presents, both with regard to the spreading of misinformation and ensuring that personal data are held securely? I beg to move.
Moved, That this House takes note of the reports of the Science and Technology Committee on Personal Internet Security (5th Report, Session 2006-07, HL Paper 165-1) and Personal Internet Security: Follow-up (4th Report, HL Paper 131).—(Lord Broers.)
My Lords, the response of Whitehall and of the Government to the Personal Internet Security report demonstrates a fundamental weakness in our system of government. The Members of your Lordships’ House who sat on the investigation are highly experienced, and the witnesses who we saw, both here and particularly in the United States, have tremendous knowledge and expertise. The costs that we incurred and the time that we spent in our deliberations were significant. We produced an outstanding report on a crucial topic, of which all of us should be proud. Yet the Government’s response to our original report was hugely disappointing. I would be the first this afternoon, but certainly not the last, to thank our chairman the noble Lord, Lord Broers. He has a powerful CV and he led us with great skill, determination and technical insight. I must also thank him for pushing hard to secure this debate.
The Government’s response lacked depth and urgency. It failed to address many of our recommendations. Indeed, from their first response, I began to wonder whether Ministers had even read the report. My view is that government pay scant regard to parliamentary Select Committee reports, especially those from your Lordships’ House. I have encountered Whitehall departments which are almost totally ignorant of the work that we do in this House. I suspect that in many cases attendance before a Select Committee is regarded as a nuisance—an irritating distraction to the Minister’s very busy and no doubt important day. This dismissive attitude diminishes the role of Parliament.
The noble Lord, Lord Broers, was correct not to accept the Government’s tepid response and to encourage the follow-up that the whole committee recommended. Eventually the Government started to take us seriously, and my noble friend Lady Vadera, to her credit, has shown a complete grasp of the subject. I hope that she is now on our side. I am sorry for my rant but this subject truly bothers me.
I would like to try to inject a sense of urgency into this subject. The IT industry is like no other. It moves dazzlingly quickly. When I re-read the report this week, I became aware of how much was missing, not because of any omission on our behalf, but simply because much has happened in the 16 or 17 months since publication. I wish to highlight a development that my right honourable friend the Prime Minister announced in his conference speech two weeks ago. He stated that £300 million would be made available to enable underprivileged children to have personal access to laptops and the internet. This will enable all children in this country to have access to their school work at school and at home. The objective is to make Britain’s children fully trained in the use of this crucial 21st-century technology. The digital divide, as it is called, separates children across class barriers and the announcement goes a long way to redressing the balance.
I declare an interest as chair of the e-Learning Foundation, which I set up in 2001 at a time when computers in the classroom were opposed on many levels. Now we are beginning to reach our goal, which is wonderful, but even so, I worry about the dangers that children face. Now, more than ever, computer manufacturers have a duty to inform the public and children of the dangers of inappropriate internet use. Children should be able to access tuition programmes on their computers, which tell them about internet etiquette and usage. Indeed, if the analogy cited in our report of driving on a motorway is to be extended, there should be an internet equivalent of a driving test for children.
One of the biggest changes in the 16 months since this report was published has been the explosion in social networking, particularly Facebook. It is estimated that 85 per cent of American students use it, and I bet that the percentage in this country is not much less among our students. My sons have more than 700 friends on their Facebook sites. For many young people it is their primary method of social contact. They use it for digital photos, e-mail, announcement of parties and other social events. It is ubiquitous. “Facebooked” has now joined “Googled” among the young’s vocabulary. However, Facebook is a security nightmare. It is easy to access such sites, which is open season for the bad guys. I am told that university admission departments in this country access Facebook to check out new students, and recruiters trawl such sites in attempts to find out more about potential job applicants. Facebook needs to do more to protect its customers. Government needs to be more aware of the dangers.
The next major development since the publication of the report has been the astronomical growth of smart mobile phones. Today there are 1 billion PCs worldwide. By 2011, I have been informed that 3 billion smart phones will be in existence. This development means that all the security problems associated with any standard PC will be significantly enhanced now that computing is becoming totally mobile. Today, almost everything that we can do on a PC, we can do on a mobile phone. Soon we will have the ability to conduct video conversations through our phones while on the move. Once again, security issues have taken on a higher level of concern.
Associated with the mobile phone is the use of mobile VOIP—voice over internet protocol—such as Skype. My iPhone now has a new application called Fring. It enables me to make phone calls to any destination in the world practically free of charge. It is true that the software is buggy and true that I need to stand close to a wi-fi hotspot but it is an indication of things to come. In the not-too-distant future, phone calls will be made not via landlines, nor via mobile operators, but via the internet. Again, the security aspects are formidable.
My final new development is a concept called SaaS—software as a service. The internet industry has frequently witnessed the arrival of disruptive technologies, and SaaS is truly disruptive. The development of fast internet connection and the proliferation of highly sophisticated hardware devices have combined to redefine how software is used. Today’s model, whereby software vendors sell their programmes on a DVD and the customers operate these programmes on their own computers in-house, is fast-changing. SaaS uses a technology called Cloud, where the software is located remotely—even continents away—and the customer inputs his data and receives data back from Cloud. To the customer, it has many advantages. It means that he pays by usage, not by original purchase price; it means that software is always up to date; and it means that the developer has immediate feedback from its customers. It is estimated that by 2011 25 per cent of all computer usage will be SaaS-based. As a measure of growth, Microsoft says that it is installing 10,000 servers a month for its own usage solely to deal with the SaaS explosion.
Security is key. The vendors say that it is more secure to keep data on Cloud than to keep it locally, and I probably believe them. After all, that is where I keep my own personal data. On the other hand, the vulnerability of SaaS to a global strategic attack is not hard to imagine and not out of the question. Facebook, smart mobile phone growth, VOIP and SaaS barely featured in our report, yet today they are pointers of future IT developments. They are a measure of the ever-changing technological thrust that is occurring in this industry. Security issues are becoming more crucial and the consequences more frightening, yet Governments everywhere respond ponderously to this threat.
At the very least, I hope that this report and this debate inject some degree of urgency into addressing the dangers and risks of the internet.
My Lords, I, too, thank the noble Lord, Lord Broers, for introducing this debate and for the seminal part that he played in the work of the committee in this area. We were very fortunate to have him and others in our team.
Sometimes the House of Lords is represented as being at some distance from real life. That is the perception that many have of us—they see pictures of ermine and all sorts of things. I dispute that view and cite as evidence this report and the follow-up report. We hit the target. We were right on track for the central issues in our society and have raised some fundamental questions, and I want to go through one or two of them.
Of course, another criticism of the House of Lords is that it ignores the elephant in the room and concentrates on details. The elephant in this Chamber, in the Chamber down the way and in many other rooms at the moment is the position of the banks in our society. Paragraph 20 of our follow-up report reads:
“Professor Ross Anderson … and Nicholas Bohm … in their follow-up submissions are critical of the Government’s reliance on the banking industry”.
Of course, we see the wider context for that but there is also a very specific context in relation to the focus of this report. Why is that so? Internet trading and purchase, which now form a significant part of our economy, depend on confidence and trust in a variety of ways but specifically, as we informed ourselves very clearly, they depend on confidence and trust in the processes employed by the banks and in the priority that they give to personal internet security. Every purchase online, every purchase of a ticket for the theatre or a train, or every purchase on eBay depends on one’s credit card functioning well and securely. A central question which we raise here is the role that the banks must play in future in guaranteeing the security of the information that flows so regularly and freely down those channels. I quote again from paragraph 25 of our follow-up report:
“A system which depends on a decision by a bank on whether or not a customer has been defrauded is flawed by the fact that the bank has a direct financial interest in denying the customer’s claim”.
We have learnt to be more careful about the reassurances given by banks. That is fundamental. My noble friend Lord Broers made the point so well that I need not elaborate on it. That is the elephant in the room today and relates to our report and to our concerns. Do we have confidence in the systems of the banks? Would that confidence be greatly increased if the banks were to be more transparent in reporting computer and internet fraud and in reassuring customers that they had this as a high priority in the processes which they put in place?
I want to comment on the government response to the original Select Committee report. We reported in July 2007 and the Government responded in October 2007 in a written reply which I regard as something of an own goal—what Harold Macmillan taught us to call “Events, dear boy, events”. The government response was effectively a brush-off and it was complacent. Since then we have had the loss of personal data from Her Majesty’s Revenue and Customs which resulted in 25 million individuals being exposed; further revelations from the MoD today concerning 100,000 personnel, plus 600,000 potential recruits and the loss of security information; the Driver and Vehicle Licensing Centre; and so on. The record of the Government on this is not good and, in the eyes of the committee, those failings became failings in capital letters, following as they did the Government effectively saying they had no concerns or worries about the issues raised by the report.
Of course, it is a mistake to refer to these as just, “Events, dear boy, events”, out of the blue and not their fault or responsibility, because they represent massive failings by public bodies on which we, the citizens, rely with regard to the security of personal information. They are not events over which we have no control, but the point of much in our report is that the Government must take charge of this, ensure that the controls are in place and that the information that we either reluctantly, in some cases, or freely give to these government sources is protected and that our personal information does not become a matter of the public market place.
We passed through the stage of thinking of them as events some way back. The government systems, as I have suggested, seem to be badly flawed. However, we are proceeding down the line. Consider ID cards and the databases required to service that policy. I am not discussing the policy of having ID cards, as that is a matter for another day and another debate, but I am simply alerting the House to something of which I am sure it is already well aware: that the protection of the information to be held in connection with that policy must have a very high priority indeed and, in view of what has happened, reassurances and words will not do. These examples—and one could add NHS information to them—indicate why the committee decided that the follow-up analysis and report were justified. The general picture is the initial report, a brush-off reply by the Government, the events—as I call them—and a follow-up hearing by the committee.
To be positive, because so far I have been critical of the Government, we had a good and, on both sides, helpful discussion with two Ministers, Vernon Coaker and the noble Baroness, Lady Vadera, on 20 May 2008. There were at least two outcomes of that discussion which I regard as positive. The first was a commitment by Vernon Coaker to write update reports every two months. We have received the first two, and they were helpful. I look for more, but they are a good start and a positive response that matches the contributions that the Ministers made to our discussion. The principle of such reports is important and is much appreciated by the committee and more widely.
More updates are anticipated. The Council of Europe Convention on Cybercrime was signed in 2001, but it has yet to be ratified by this Government. In the discussion, we were promised that ratification will take place before the end of 2008. We had our two-monthly update in September and the next is due in November. I hope that there is some indication that before the end of this year action will be taken. That is just one example. There are many examples of where updates and expansions of what we have already been told will be useful.
A second outcome is that the full Science and Technology Committee has underlined its determination to be a scrutinising committee that will hold the Government to account in those areas where science and technology affect government policy and practice. It will do that and will follow up. It will not simply send reports into the ether to be left there. This is simply a marker to the Government that, as regards this and other reports, the committee will expect responses of the desired quality.
My Lords, I thank the noble Lord, Lord Broers, for the way in which he introduced this debate and for the excellent way in which he steered the inquiry. I learnt a great deal from him, not least about the complexities of web-based navigational aids on ocean-going yachts, a subject to which I had not previously given much, if any, thought. I also want to pay tribute to the work of the committee’s Clerk, Christopher Johnson, who has now been elevated to the position of your Lordships’ Clerk of the Journals. I am not quite sure what the Clerk of the Journals does, but I hope the position makes full use of his excellent talents and skills. I also thank our adviser, Dr Richard Clayton from the University of Cambridge, who, along with the Minister, is a member of the bearded elite.
Since our report was published, much has happened. There have been well publicised data losses at HM Revenue and Customs and from other government departments and agencies. Indeed, today we heard of the loss by EDS of an MoD hard drive containing the details of 100,000 service men and women. All this confirms my view that the committee was right to call for a data breach notification law in the UK. I commend the Government for their willingness to come clean and admit problems as they emerge, but that does not alter my view that, with a few exceptions, the maintenance of information security is not a high enough priority in the minds of those in charge of public bodies or private companies. Moreover, recent reports have suggested that a significant number of major private sector losses have been reported to the Information Commissioner. For example, Virgin Media has been ordered to encrypt all portable media that it uses to move data after it lost data on 3,000 would-be customers. In another case, 1 million bank customers’ details turned up on a second-hand PC sold over the online auction website eBay. The data contained information on customers of American Express, NatWest and the Royal Bank of Scotland. It is reported to include mobile phone numbers, bank account numbers, mother’s maiden names and signatures. We have to recognise that it remains unclear whether all such losses have been disclosed, given that it will not be in a company’s commercial interest to do so.
A data breach notification law would not solve those problems, but it would certainly concentrate the minds of those responsible. We must alter the mindset. It must be clear that information security is not some optional extra, and that for every business and organisation, information security is just as important as physical security. That is about the culture within organisations. Every employee must understand the importance of maintaining data security and their responsibility for doing so.
Perhaps if people recognised the potential value of personal data, they might be less cavalier in its treatment. For many people, a stolen identity will take weeks or months of effort to sort out. The FSA estimates that the cost of identity fraud in the UK—admittedly, using a fairly wide definition—is about £1.7 billion. During the inquiry, we were told by Team Cymru that on a single server in a typical month, there were for sale the data from 32,000 compromised Visa cards and 13,000 MasterCards. The price nearly three years ago was $1 for a US card and, apparently, $2 for a UK card. Associated data were also for sale, including the cardholder’s mother’s maiden name.
Perhaps if employees were told that each personal record was worth at least £100—it is probably more—they might treat a memory stick or, for that matter, the MoD hard drive containing 100,000 personal records as though it was worth £10 million. They would certainly treat it with substantially more respect. Engendering such a change in culture may require more than a data breach notification law. Perhaps we need something more akin to the framework created by health and safety legislation, where every manager would have to take personal responsibility for delivering information security in their area of responsibility or face prosecution. Perhaps we need an IT equivalent of the US Sarbanes-Oxley requirements to make people at board level take their responsibilities to heart. Nevertheless, as a first step, I ask my noble friend when he replies to reflect on whether the experience of the past few months and weeks has made it all the more urgent that we introduce data breach notification legislation.
The need for a shift in the burden of responsibility was also a key theme of the report in terms of those who should be responsible for ensuring personal internet security more generally. The underlying theme of the report was that the internet is a powerful force for good in society, but underpinning the success of the internet has to be the confidence of individual users, as we are all only too well aware at the moment. That matters. Government spending plans are predicated on the growth of e-government, with more citizens transacting with central and local government electronically. Similarly, economic forecasts are based on the continuing growth of e-commerce. If public confidence in the internet falters, the consequences are serious.
There is every reason to suppose that such confidence could falter. According to a survey commissioned by Get Safe Online, e-crime is now more feared than mugging, car crime or burglary. I believe that the Department for Business, Enterprise and Regulatory Reform contests that, but there is no question that many people are fearful of conducting transactions electronically. Moreover, as the inquiry concluded—albeit, I must say, with an eye to the soundbite—the internet,
“is now increasingly the playground of criminals”.
The government view, certainly as initially expressed to us, was that internet security ultimately rests with the individual. However, our view was that such a stance was no longer realistic and was in danger of compounding the perception that, in another soundbite from the report, the internet is a “lawless ‘wild west’”.
Responsibility for improving internet security should be shared. The committee used the analogy of road transport. Within the road transport system, the safety and security of the individual road user is protected at several levels. There is the network itself, with roads designed and engineered for safety, maintained, lit and signposted. Then there is the equipment that uses the network—in the road safety analogy, cars and other vehicles have safety features built into their design. Individual users are taught how to drive and subjected to testing and monitoring. Finally, the network is policed with a clearly defined legal framework for the use of the network, with those who breach the law risking prosecution.
As far as internet security is concerned, the network providers—the ISPs and so on—equipment manufacturers and software producers should all take some responsibility for making the network, the equipment and the programmes more secure. Similarly, businesses must have a role in making their interface with consumers safe and secure and protecting the position of those who transact with them. Finally, each user must be sensible and careful, although the Government can help by taking measures to raise IT literacy and improve understanding of security. The Government must ensure, of course, that the rules set are adequately and effectively policed.
The noble Lord, Lord Broers, referred to the value of a kite-marking security system. This is clearly necessary for equipment and software and for service providers. There should be better service advice given automatically on the first use of products. Default security settings should initially be set as high as possible. It should be an explicit decision of users to lower the settings. Security updates should automatically be downloaded, and security messages and warnings should be in clear and simple language. Let us be clear, however, that people are put at risk in a variety of ways: sometimes by their own ignorance, sometimes by the carelessness or ignorance of others, sometimes by deliberate criminal acts and sometimes by technological flaws or poor product design. This is often made worse by products that behave badly or lead people into trouble.
Why do so many commercial sites require information that is not necessary for the transaction concerned? The answer, of course, is that it provides them with useful marketing information—all the better to sell you future products. However, how well is that information protected? The impetus to complete the transaction will lead many people to provide more information that may not be strictly necessary but may be difficult not to provide, and to agree, or more likely not to disagree, to its use in all sorts of ways that in any event are probably outlined in a 20-page policy that most users will not bother to read.
As my noble friend Lord Mitchell has highlighted, of particular concern is the way in which some of the popular social networking sites encourage people, often teenagers, to reveal all sorts of personal details and information about themselves. This opens them up not only to identity theft but to sexual predators. Young people might also want to reflect on the impact on their future employment prospects when details of their wilder escapades may be readily available to would-be recruiters. The companies that run these sites have an obligation to warn people about these dangers, to enable people simply to remove material that with hindsight they wish they had not posted and to make it easier for users to report abuse and problems. Perhaps my noble friend Lord Brett will tell us in his reply whether the Government are happy to see social networking sites, which are used by so many teenagers and young people, operating so freely and in a way that could be so damaging to their users.
Then there is the problem of e-crime. The term is necessarily a loose one; fraud is fraud, whether it is committed using electronic means or any other means, and child abuse is child abuse, whether images of it are transmitted electronically or in any other way. However, to say that you cannot define it meaningfully does not alter the underlying issue that the way in which many crimes are committed or the ways in which they are facilitated have changed dramatically in recent years. It is therefore necessary to ensure that the police and enforcement agencies are equipped to respond effectively to this dramatic change. That is why the creation of the police e-crime unit is so important. I am grateful for the Government’s support for this and for the resources that have been made available. I pay tribute in particular to my honourable friend Vernon Coaker, who worked so hard to bring this about and has now, I am pleased to say, been rewarded by promotion to Minister of State.
The creation of a centre of excellence that provides support and policy leadership to police forces around the country is essential given the rapid pace of technological developments and the speed at which criminals exploit these developments. Such a centre cannot be the end of the process. Every police force will need to develop its own capacity in this area, and, increasingly, mainstream resources will have to be devoted to this area to reflect the changing nature and manner of crime.
My final point relates to what the report did not cover: the wider question of the national infrastructure and internet security. As a nation, the systems that are essential for our health and well-being rely on computer and communications networks, whether we are talking about the energy utilities, the water and food distribution networks, transportation, the emergency services, telephones, the banking and financial systems, and, indeed, government and public services in general. All of them are vulnerable to serious disruption by cyber-attack, with potentially enormous consequences. The threat could come from teenage hackers with no more motivation than proving that it can be done. Even more seriously, it could come from organised criminals, intent on extortion or fraud, or from cyber-terrorists, intent on bringing about the downfall of our society. We now know that, following the cyber-attacks on Estonia and the cyber-disruption suffered by Georgia earlier this year, the threat may also come from nation states.
Moreover, most of the critical national infrastructure is privately owned and operated. It may not be in the commercial interests of those owners and operators even to acknowledge to anyone outside their organisation that they have had a problem. Do I, as an operator, want my other customers to know that my security, and therefore their security, has been breached? I think not. It would certainly not be good for business. In any event, it cannot be necessarily assumed that the commercial need to maintain system security is of the same magnitude as the national interest in that security; nor can we be confident about those parts of the CNI operated in the public sector. We live in a target-driven world, and security constraints are not necessarily adequately addressed in each department’s key performance indicators, certainly when the key drivers of activity are improving the quantum of specific aspects of service delivery.
My final question to my noble friend is: are the Government really satisfied that our critical national infrastructure, which is now so dependent on the internet, is genuinely as well defended and secure as it should be?
I believe that Personal Internet Security has already had a significant impact on government thinking. However, there is still too much complacency on this issue: information security remains the poor relation of information technology and of physical security. Information security is not an optional extra. If we do not get this right, public confidence in the internet is at risk, and with it business confidence and perhaps, if we consider the reliance of our national infrastructure on electronic systems, even our national security.
My Lords, I, too, thank the noble Lord, Lord Broers, for introducing this debate and add to the cumulative thanks to all who assisted in the report’s production. They did an excellent job.
I find the report very interesting and useful because it taught me a certain amount. One of the more useful things was the philosophy behind the way we looked at things. We looked from the citizens’ point of view. Quite a lot of evidence came from large companies, including banks, and gave the large businesses’ point of view. “Oh well”, they said when in those days £33.5 million was lost through online bank fraud; but that was only the sum that the banks had not managed to offload elsewhere. From the citizens’ point of view, those were individual £500 and £1,000 losses, enough to destroy their mortgage payment for the month and to have a huge impact on their life. It is very important that it was a parliamentary committee that looked at the matter, because we are here to look after citizens, not necessarily to try to control them and tell them how they must run their life.
We also tried to think of incentives for people to do the right thing rather than having regulations. We have quite enough regulations already; they seldom prevent what they seek to forbid. They do not often modify behaviour or they only modify it in an unexpected way—the law of unintended consequences—because it is too complex to be controlled by simple systems of rules. Security economics became an interesting topic and taught me quite a bit; I want to mention that later.
One conclusion was that we should go back to good old-fashioned principles. We pass pots of laws to say that people cannot burgle houses but they still go on burgling houses. We try to deter people from doing it by locking them up from time to time or giving them mild penalties, which makes some of the newer generation decide that burglary is not a good career path. We have to be very careful that, by just looking at and analysing these issues, we do not turn Britain into a safe haven for e-crime because, though we know it is going on, there is nothing we can do about it.
Facebook has been mentioned a couple of times. The internet is changing how we have to look at things. We have to work out where the dangers lie and what other things we should look at. The point of danger could be transferred to somewhere we would not expect. I shall make a couple of points on that. Online, including on Facebook, there will be records of very stupid behaviour that people may have done when they were young. Not always, but in many cases, we may be very lucky and our friends will have lost the photographs of us at a party. Unfortunately, now, such photographs will be preserved in digital form on the internet and they are probably sitting there somewhere.
We need to realise that we have a right to a moment of madness. If you are trying to hire an outgoing person who is very good with people, the life and soul of the party, good at getting contracts and getting into companies, you probably do not want someone who is so dull that they never appear at a party on Facebook. The person who may not behave quite correctly might be the person you want. For certain people, a few interesting Facebook pages might be useful.
As my children keep pointing out, there is a lot of security on Facebook. It has been hugely improved and they certainly keep their pages locked down so that only their friends can see them. They do not join generic groups, like the London group, where anyone can see their pages. Herein comes the point. Sometimes the advisers now do not understand how society has evolved and how it communicates. Children have to learn from experience, just as we did. They need to learn what looks wrong and right, how to defend themselves and what predators look like. They cannot be taught that in schools. They have to learn among themselves with help and supervision.
Most points on the report have been covered well by everyone else. Going back to us not being a safe haven for e-crime, the thing that really worried me is policing. I am delighted to see that the Home Office is injecting £3.4 million extra into a central e-crime police unit. I am worried that the Met’s £3.9 million will be taking police resources from somewhere else. There is not a full £7 million of new money going in.
Detective Superintendent Charlie McMurdie has been trying to push this forward for a very long time, at a certain sacrifice to her career. I respect her and others hugely for trying to drive this forward, so I am delighted to see that something is happening. Let us hope that this is built on and grows. It is all very well collecting, collating and analysing all these crime statistics, but something has to be done about disincentivising the rest. I echo other noble Lords when I say I hope that the APACS unit, which collects bank statistics, interfaces with this new unit properly and does not just send stuff to SOCA when it thinks fit. SOCA’s remit does not cover this area. It is only concerned with large, serious, organised crime with an international flavour.
I turn to data loss and the headlines that EDS has lost a hard drive, as we have just heard. My first point on that is that all the data were on a drive owned by EDS and, therefore, were being processed by an American company, possibly in the United States. Some of our data, which we are forced to give the Government, are now processed in America. America has the Patriot Act which allows it to look at any data processed in the States, which is why SWIFT, the European banking system, removed its data centre from California to Switzerland. It got fed up with American companies getting business intelligence by putting in Patriot Act requests to look at European bank transfers.
We should take that very seriously. All sorts of interesting things could come out of it which could impact, when combined with other data, on the UK citizen. It has been suggested to me that American companies or subsidiaries operating in the UK, processing the data of UK citizens, still may be subject to the Patriot Act indirectly, possibly through Sarbanes-Oxley mechanisms or some other rules. I do not know whether that is so, but, if it is, it is extremely concerning for government contracts.
The second point about data loss is this: why did the HMRC disk go missing? Apart from various factors like the two single points of contact within HMRC, a wonderful concept which interests me, and all sorts of issues around muddled accountability, the main reason involved targets. Parliament insists that HMRC should report to Parliament every year, and the National Audit Office has to collate information from HMRC to do that. It is a career-threatening issue not to produce information for the report to Parliament, and various MPs and noble Lords would jump up and down and get cross if it did not appear. If HMRC does not get its information to the NAO, careers will suffer. On the other hand, there was no £10,000 sitting in a budget to clean up the disk when the NAO said that it did not need all the personal information on it and asked for the data to be taken off. The NAO has good people in it who would not do anything wrong with the information, and the fact that the data were going on to another outsourcer to do the real analysis was fine because they, too, were probably all right. I do not know if that outsourcer is properly vetted or cleared, but let us hope it was, and in any case, the system had worked well in the past. Someone followed standard procedure and popped the disk into an envelope because no disks had been lost for years—they normally get there and it is a very rare occurrence for these things to go missing. The chance of anything going wrong was pretty low, as was the awareness of any impact if it did. So people simply go with the flow, particularly if they are junior. They do so because the targets are the most important thing, not the security. Until we work out how to change those attitudes, I do not think we will clean this up. Perhaps we should be very careful about the targets we set.
The third point on data loss is the data breach notification stuff. It is an excellent idea from the point of view of trying to get a grip on the thing. How we decide what a data breach is is another matter in that if no harm is done, is it still a data breach? We have to ask whether the data are encrypted adequately and so on. I would say that that is then not a breach. But if the notification is published widely, it presents a huge phishing opportunity. Quite a lot of letters were sent out by certain illegals saying, “We notice that your data have been lost by HMRC. We would like to secure your bank account. Please send us your details”. A much wider phishing opportunity can be opened up which can catch poor innocents who do not understand all this. We need to be careful how we react to and handle these situations. It is not as simple as just informing people.
I turn now to economic issues concerning banks and the “card not present” problem. The reason I feel strongly that liability should be loaded back on to the banks for all transactions through credit cards where those cards are stolen is that the banks decide the security of the token which merchants big and small have to accept in order to conduct electronic transactions either over the telephone or on the internet. The token is not adequate because chip and pin does not work remotely. But the banks have no commercial incentive to upgrade the token because in all “card not present” transactions, the liability is offloaded on to the merchant. The big ones can cope with it, but the small ones cannot. Ridiculous situations arise such as when my wife tried to buy a ticket over the internet for my daughter and another to fly out to Thailand on holiday. She got a very good price from some people in Wembley who said, “In order to protect ourselves because you are spending £1,000, could we please have a photocopy of the front and back of your credit card and your passport so that we are covered?”. That is not good security and she did not send the details. I have internet banking, so I transferred the money. But the company had to ask for those details in order to protect itself. We are putting the liability in the wrong place. I would pop the liability back on to the banks so that they have a financial incentive to ensure that there is better tokening.
I want to wind up with two brief points. We face a new threat because we are about to be hit by what I think will be the communications data Bill, but they will not tell us what is in it. The proposal is to centralise all communications information in the UK in the Home Office so that it can more efficiently search that information for clues when a terrorist attack takes place. The information will be accessible under RIPA to all sorts of other bodies, but I shall leave that to one side because it is not what I am really worried about. Of more concern is officials searching all that data and the danger of inaccurate inferences instigating intrusive investigations into the private lives of citizens, with potentially unsafe outcomes. If officials start thinking, “Is this person this or that?”, they will eventually embark on data matching and data mining. The information will also become a possible target for foreign intelligence. If you want to find out if one company is looking at another company, what better way is there than to look at what web searches it is making? The information will include a record of web searches, what is being looked at, emails and everything else. It will not set out the content, but that is less important. It is what someone is up to, the pattern of use and the inferences to be drawn that matter. There is an opportunity not for people to lose disks, but for people inside the system who might be corrupt. GCHQ has a long tradition of security and is very careful in this area. I am not sure that the same standards are inculcated in the Home Office, but if this proposal is serious, I hope they are before it is introduced.
Finally, I am worried about the plethora of people who try to protect us as citizens—there is a surveillance commissioner, an Interception Commissioner and perhaps a couple of others. They tend to report via the heads of the departments that they are reporting on or to the Prime Minister, who is basically the head of all executive departments; he is the head of the Executive. So someone who is keeping an eye on the Executive reports to Parliament via the Executive. That is not right.
The Information Commissioner reports directly to Parliament but feels quite swamped sometimes—he is underfunded, under-resourced and comes under attack, some of which is quite personal. I think the idea that he had of setting up a new authority to bring together all of the services that protect personal information is quite a good one. With the right people in it, plus extra people from outside, it could make sure that people’s privacy and information are protected properly. It could consider whether data breaches should be notified more widely and so on.
I am worried about the incentives for this organisation, which I would call the Personal Information Protection Authority—or PIPA; and, because he who pays the piper calls the tune, I would make it answerable to Parliament and not the Executive.
My Lords, this is an enormously important topic and one on which the well-being of a great number of companies and families rests. The effectiveness of the report and what has been said is shown by how far the Government have travelled since their first response last year. For this contribution, the noble Lord, Lord Broers, and all the members of the committee deserve the thanks of all of us who are concerned about data security in this interconnected age.
As a society we are becoming increasingly dependent on technology, particularly the internet and communications networks; we use them at home, at work and throughout commerce and Governments across the globe. Risk, however, is less tangible in cyberspace. People know what it means to lock their front doors, but they do not have the same knowledge of what to do when online. It is not intuitive; we cannot use the senses upon which we depend in everyday life to help us.
For example, a large online gambling company was recently discovered to have had “super-users”. Certain players were able to win large sums at poker by knowing the cards that their opponents held. As those who are familiar with card games will recognise, that is a significant advantage. It became public knowledge only because customers of the company became aware of unusual play by such super-users. This triggered an online investigation by members of the internet forums and, as a result, the company concerned has so far repaid some $6 million to consumers who lost money on its site.
There are some interesting lessons here. First, the company was incorporated under the jurisdiction of a Canadian Indian tribe, the Kahnawake. The company was a respected and trusted brand. It was regulated in the same way as its competitors, and the consumer’s only regulatory remedy was through the Kahnawake gaming commission. That is not satisfactory, to say the least. Millions were effectively stolen, and yet there is no clarity about who benefited or where the money went and no data trail on who lost out. Most remarkably of all, after having announced that their software contained holes that allowed the winning of millions of dollars through underhand means, the sites concerned are still trading and still prospering.
We require a multi-layered approach to addressing these problems. That will involve building technology of higher integrity which is not pervaded by vulnerabilities to be exploited by those with malicious or criminal intent. But this will always occur. No matter how many safeguards you build in, there will always be someone with criminal intent. In turn, this means that we must make security solutions easy to use, not so difficult that users simply turn them off because they are unaware of the protection that they offer. The final step is to provide the necessary regulation and checks and balances so that we can deter misuse.
The report used the helpful analogy of the road networks to describe a shared burden of responsibilities. It makes the key point that while great responsibility rests with the road users, their safety also relies on those who design and maintain the road network, with its signs, lines and markings.
Online, I am concerned by the lack of security education on the part of software and hardware developers, business managers, civil servants and all those who have to interact with digital information. I believe we need to investigate the programmes developed by the United States; it has made it a priority to develop centres of national excellence to provide a framework and guidance for students and institutions in information assurance education. Consider the road example again: we provide awareness campaigns on specific issues and education on principles through driving lessons. Very little work has been done to understand how the computer users comprehend the risk that they are taking and what their actions or inactions actually mean.
Alongside dealing with the problems of today, now is the time to design in security for the future. Traditionally, research on e-security has been focused on specific solutions for individual problems, which results in individual products for each problem. Security solutions have followed only after the discovery of security gaps, so we have had firewalls, anti-malware programs, anti-phishing measures, and so on. This is not scalable and is limited in effectiveness since we only respond as we encounter problems, as opposed to proactively planning security for the future.
We are now developing the networks and services for the next wave of technologies. We should not make the same mistake of failing to design in security from the start. With advances in mobile communications, we could soon be connected wherever we are and whatever we are doing, as noble Lords have said. Access to information and services via the internet will be as necessary as water and electricity.
The increasing number of devices that will store and hold our information also increases the potential threat to our security and even our personal safety. Consider mobile healthcare in the future: tomorrow’s pacemakers might be part of an integrated body area network able to transmit patient healthcare data to doctors and allow them to modify patient treatment. With researchers already developing wireless attacks on current pacemakers, it is easy to see how this more complex internet-connected system raises concerns not only about data privacy but the potential for risk to patient safety.
In other words, we will need to prevent new technologies and systems being attacked, and we cannot afford to wait for failures in order to plan our protection. We need to understand the changing threat and how to manage our risks dynamically and in response to it. We need to consider how to build systems to tolerate intrusions while still offering degrees of security, not have them fail. We need to develop technologies to allow individuals to have meaningful control over their information and online activities while still maintaining accountability. We need to provide tools to reduce and remove vulnerabilities and holes in our systems. We need to design the interfaces and controls of security technologies so that they are easy and intuitive to use, and so more effective when deployed. These are just a few examples of technological responses that must be researched now if they are to succeed.
I welcome the decision of EPSRC and the Technology Strategy Board to invest in a range of projects on data security and privacy, but I believe that this can only be the beginning of such interdisciplinary research objectives. In the short term, we can focus on the current risks and make users aware of these and the techniques needed to keep them safe online. Raising consumer awareness of the dangers helps stimulate the adoption of the products and services which offer safety. At the same time, regulation has its part to play, and without teeth to remove business contracts, fines and penalties, business may decide that a lack of protection for their users’ data is a risk worth taking. The penalties have to serve as a deterrent to businesses that fail to act as well as the criminals who wish to take advantage of their weaknesses.
This has to be an international effort—I cannot see it happening within our national boundaries alone. I hope that following the judicious use of the carrot and the stick by the committee, the Government will ensure that a similar carrot-and-stick approach to regulation is a high priority in the European and global forums, in which this issue must ultimately be resolved.
My Lords, I declare an interest as a director of PayPal Europe. I applaud the diligent and painstaking work of the noble Lord, Lord Broers, and his committee, an example of the House of Lords working at its very best.
E-crime on the scale which we now see it has emerged only during the past four or five years. Before that, it was mainly a few geeky kids showing off; now we face a massive and sustained criminal attack. Many millions of emails are sent on phishing expeditions, aiming to trick the innocent into revealing their security details. Malware is infiltrated, like the creature in “Alien”, into the inner workings of our PCs to steal our most confidential personal data. Botnets, networks of ill intentioned software robots, can attack and sometimes bring down major and sophisticated entities, and sometimes ransom them. Far worse is surely to come.
The losers are not just major merchants offering products and services online and the online payment providers, but many tens of thousands of ordinary individuals who are not always protected from loss. The scale of the economic loss is now enormous. Gartner estimates the current global cost at $3.2 billion, but I suspect that that is a serious underestimate.
Who are the perpetrators? Many perpetrators have highly advanced computing skills. Some are lone wolves, who, when they get up in the morning, devote their whole day to internet crime, knowing that they are highly unlikely to be caught. But those anti-fraud experts who have most studied online theft have good reason to believe that as much as 70 per cent of economic crime on the internet is now the work of organised crime syndicates.
As the noble Lord just said, e-crime is now primarily global, not national. The bulk of syndicates have home bases in Russia—which is interesting for those of us who sat through the previous debate—and elsewhere in eastern Europe and in some other identifiable nations. In all these countries, e-crime syndicates are largely ignored by local authorities. In addition, there is now an emerging black market in services. Botnets can be rented; phishing software can be bought wholesale.
How can this growing threat be countered? First, individual consumers and merchants can of course be more savvy and alert, and can be better educated to be so. Secondly, online providers can intensify their work of hardening targets, making it increasingly difficult to commit e-crime. They are developing ever more ingenious means of achieving this.
Thirdly, ISPs could stop averting their gaze from manifest criminality. Their technology is sophisticated. They can detect peer-to-peer theft. They can identify which of their customers’ PCs have malware. ISPs can pinpoint the originators of phishing expeditions sending out their millions of ill intentioned emails. But, so far, in the UK and around the world, ISPs have not been inclined to fight crime.
Fourthly, government needs urgently to focus on this mushrooming economic threat, yet the UK Government’s first response to the Science and Technology Committee’s report was deeply disappointing—and, indeed, shockingly inadequate, as almost every noble Lord who has spoken in this debate has observed.
There is a strong case for regulating and licensing ISPs and for placing requirements on them. A fit-for-purpose national agency is needed in the UK to focus exclusively on every kind of online crime. I know of one instance in which the police will not consider investigating a syndicate operating here in the UK until it has stolen more than £500,000 of goods—and one has almost done that. Imagine if the police said that about bank robbers. Britain’s police have not yet made the psychological shift from the physical to the digital world. I am sceptical that the recently announced unit will be remotely fit for purpose or of the required scale to deal with these problems. Moreover, a global and not just national approach is needed to counter a category of crime that is committed overwhelmingly across national frontiers. Here the UK Government could bring international leadership.
In recent days, weeks and months we have seen the calamitous cost to Governments and governance of failing to manage risk in the financial sector. The internet is one of the glories of the age, as I am sure we all agree, with a profound and largely beneficial impact on all our lives. Government needs rapidly to engage with managing the risks arising from the internet’s dark side before a cancer takes hold. As yet, Whitehall, too, has been painfully slow to adjust to new digital realities. Let us hope that the excellent stimulus provided by the Science and Technology Committee eventually bears fruit.
My Lords, I welcome this debate, introduced by the noble Lord, Lord Broers, on the Science and Technology Committee’s original and follow-up reports on internet security and the Government’s responses to these reports. I, too, am disappointed by the generally unenthusiastic response of the Government to the initial report and I am concerned with their response to the follow-up report. I should say that I was not a member of the committee when the original report was produced.
I share with other speakers concerns about the situation concerning bank fraud and where the responsibilities of the various parties lie. I wonder how many people have counted up how many passwords and the like they have. I did—it amounts to six PIN numbers, five passwords, two account access numbers, two security numbers and various other items. I suspect that this quantity is modest, compared with many people. But for the less able computer and card users, it is horrendous, and it is hardly surprising that people write them down or use family information and names for them and do not change them as frequently as they should. I know that I do not change them as frequently as I could because, if I do, I cannot remember them. Surely it must be possible to devise a better system than this. I am terrified at the possibilities of a key-stroke recorder residing on my computer and me being totally unaware of it. One hopes that one’s anti-virus software picks up things like that.
I shall now raise the international perspective. In June, I attended as a representative of this House the IPAIT conference in Sofia—that is, the International Parliamentarians Association for Information Technology. This was the sixth such conference, earlier ones having been held in Seoul, Bangkok, Rabat, Brasilia and Helsinki last year, which I was also able to attend. The theme of this year's conference was information technology and ethics, which is relevant to this debate today. It was attended by about 120 people from 24 countries worldwide. There are 60 members of IPAIT. The UK is only an observer member.
At the end of the conference, we issued a declaration of IPAIT's ethical aims for the future of information technology, and the internet in particular. The document is too long and verbose to read out now, but I will arrange for it and other supporting documents to be sent to members of both the Science and Technology and Information Committees, the latter committee having sponsored my attendance at the conference. I think these papers are well worth reading. The main proceedings unfortunately are in the form of four DVD discs of the televised process of the conference, and are not practical to distribute.
The declaration from the conference contains some 13 individual clauses calling for internet regulation and standards of ethics; misuse of information; measures against cyberattacks—remember both Estonia and Korea have been subject to these, and of course Georgia was mentioned by an earlier speaker—protection of children; dissemination of ethical conduct for users; requirements for internet service providers to block illegal and harmful information, and require their full co-operation in the investigation of criminal internet activities; the safeguarding of civil rights; privacy and freedom of expression in all forms of communication; and so on. I appreciate that this goes somewhat wider than the reports we are discussing. The main thrust of all this was the need for international agreement on such ethical matters, and international participation in fighting e-crime because of the “wild west” nature of the internet, to quote the noble Lord, Lord Broers.
The keynote speech was by academician Professor Kyril Boyanov of the Bulgarian Academy of Sciences. After reviewing the many benefits of information and communication technology, both to the economy of the nation and the individual citizen, he went on to discuss the benefits that technology could bring to the crisis in representative democracy occurring in many countries where we have very low turn-outs in elections. The benefits of e-voting and e-participation could go some way in providing the citizen with a more meaningful method of connecting with our democratic processes, and obviously are subject to the security issues we have already discussed.
Noble Lords may think that this has little relevance to our debate on internet security, but if you consider e-voting via the internet in particular, as is already being used in Estonia, it becomes highly relevant. This subject was much discussed at the recent EPRI conference in Dublin. EPRI looks at ICT from a parliamentary point of view, looking out to the voter and enabling him to communicate with his MP and see and understand what Parliament is doing.
Professor Boyanov pointed out that the internet is changing our lives, socially and commercially. The level of trust in the internet varies widely, ranging from 3 per cent in Brazil to 65 per cent in Korea. In the UK it is 44 per cent. Again, the level of accessibility by households varies widely throughout the world, from a high of 95 per cent in Korea to 10 per cent in Mexico and Turkey. These are figures for 2006.
With all these benefits comes the downside—the easy and widely spreading use of malicious information, co-ordination of criminal activities and unauthorised access to information, all helped by inadequate legislation on internet crime, both at national and international level. Professor Boyanov goes on to discuss the various types of security threats, of which noble Lords are all too well aware.
In conclusion, I suggest that we need national and international agreements and co-operation in fighting cybercrime in all its forms if we are to maintain public confidence and safe use on the internet.
My Lords, I welcome the noble Lord, Lord Brett, to the first debate to which he will respond from the Dispatch Box. The whole House will be grateful for this well researched report in which the committee makes constructive recommendations. We particularly thank the noble Lord, Lord Broers.
Your Lordships will be well aware that in 2007 nearly two households in three had the internet and 53 per cent of adults purchased goods and services on it. The latest fraud figures published by APACS show that plastic card fraud losses are up by 14 per cent year on year in the first six months of 2008. We all have our pet stories. One sophisticated scam involves inviting, with a very plausible story, a user to part with her PayPal code number. I have no doubt that I am not alone in experiencing a current plague of phishes, supposedly from the major UK clearing banks, designed to obtain clients’ account numbers. However, the noble Lord, Lord Birt, chillingly reminded us that this is child’s play compared with what we can expect in the near future, and that organised crime is becoming increasingly involved.
The committee recommended a cross-departmental group involving internet security experts to develop a co-ordinated approach to collecting data on internet crime and classifying the offences. We are pleased to note that the Government have acted on this recommendation and I am sure the House will be interested to hear more from the Minister about the role of the new police central e-crime unit, announced two weeks ago, which will work with the National Fraud Reporting Centre and the National Fraud Intelligence Bureau. I hope the Government will also take account of my party's suggestion that there should be an e-crime specialty within the Crown Prosecution Service. I hope that when the Government read this debate they will note particularly the eloquent vision of the noble Lord, Lord Bhattacharyya, regarding the duties and challenges which lie ahead of us in fighting cybercrime.
The committee’s report made the further related point that there was insufficient research in this area and that one or more interdisciplinary research centres needed to be set up. Several noble Lords have made it clear that the Government’s response was inadequate and has been very badly received. However, I am pleased to note the intervention of the two new Ministers, which I hope will rectify the situation.
These Benches have made a number of criticisms of the Government's approach. In your Lordships' debate on 20 March this year, I made the point that in our view,
“the Government do not consider cybercrime to be a serious offence”.—[Official Report, 20/3/08; col. 384.]
Indeed, that sentiment has run through this debate. I make no apology for repeating our criticisms here. The National Hi-Tech Crime Unit, which was set up in 2001 in response to the threat of online crime, provided a good link with police forces and business. In early 2006 it was absorbed into SOCA, despite widespread criticism that it would leave a yawning gap between local forces and national policing. In April 2007, ring-fenced funding for computer crime units in individual police forces was cut off. Furthermore, financial fraud can no longer be reported to the police directly. That important point was made by the noble Lord, Lord Broers. It must first be reported to the financial institution concerned, which then decides whether the matter should be reported to the police for further action. He was particularly critical of that. All these issues still very much concern noble Lords on this side of the House. This all emphasises the disconnect between the police and the increasingly electronically sophisticated public.
It is hardly surprising, therefore, that nine out of 10 offences go unreported because the victims believe that the police are unable or unwilling to investigate. This view is reflected by the police, who in January 2007 reported to the Metropolitan Police Authority—I am sure that the noble Lord, Lord Harris, will be familiar with this—as follows:
“There is an issue of under-reporting across the UK. There is an unspoken public perception that e-crime is so pervasive that the police service does not have the capacity to investigate each individual allegation. The public have reported difficulties in reporting e-crime to the police. Also many organisations may be unaware of their computer being compromised, making it difficult to establish definitive annual financial harm”.
It has been our view for some time that a police national cybercrime unit should be set up, with adequate specialist support. That is why we very much welcome the setting up of the new e-crime unit, which I hope will go a considerable way towards addressing the deficiencies to which I have referred. We would also like to see the industry working towards a common standard, with the establishment of a kitemark. That was a key recommendation of the committee, which again got a very disappointing reaction. I hope that can be rectified.
The noble Lord, Lord Broers, made a point about the responsibility of the banking industry. I have had sight of a letter from Angela Knight, chief executive of the British Bankers’ Association, to my honourable friend James Brokenshire MP, in which she states that under the revised banking code,
“customers do not have any liability for losses suffered through their online banking service unless they have acted fraudulently or without reasonable care. The burden of proof always lies with the bank to provide evidence that a customer has acted fraudulently or unreasonably”.
That is refreshingly unequivocal, especially in view of the fact that I am assured by my son that a substantial proportion of online banking and credit card fraud is caused by the failure of customers to keep their passwords or PINs secure, for example, by leaving them in the vicinity of the relevant cards. The computer press recently featured articles on the steps that the clearing banks are taking to counteract cybercrime, so we can say that the banking industry is playing a responsible part in the fight. However, I entirely agree with the noble Lord, Lord Broers, that statutory control of the banks in this respect is required and that we cannot rely on the voluntary code.
We must be aware that cybercrime extends beyond fraud. I refer to denial of service, to which the noble Lord, Lord Harris of Haringey, referred, in which an external source hacks into a computer system and swamps it with incoming messages, thus making it impossible for the victim to exercise its proper functions. As the noble Lord said, that was spectacularly used in Russia’s dispute with Estonia and, more recently, during the short Russia-Georgia war. This can clearly be a problem of international proportions, especially when practised, as it clearly was in that recent incident, at government level. Theoretically, it is outwith the scope of this debate, but there can be no reason why this particular scam or operation could not be used just as easily against individuals. Are there any plans to address this potentially very large problem?
I have a number of specific questions, of which I have given notice to the Minister. First, there is the matter of ratification of the code. In their response to the committee’s recommendations, the Government stated that they were implementing changes to the Computer Misuse Act, following which they would proceed with ratification of the Council of Europe Convention on Cybercrime. That was in April, and it is now October. What is the present position, and when will the Government be in a position to proceed with ratification?
Allied to that is the lack of effectiveness of the Computer Misuse Act. A record of an average conviction rate of 15 per annum for computer fraud cases is derisory, and I hope that the Government will address the apparent anomaly that 25 offences under the Computer Misuse Act are not categorised as “serious” under SOCA. The fact that salmon poaching is categorised as “serious” is passing into folklore.
My third point—I emphasise that this is based on hearsay only from within the police service—is that inquiries and action on computer fraud are being hampered by inadequate forensic resources, which has resulted in a backlog of cases. I hope that we can have an assurance from the Minister that this subject is being addressed.
This has been a most interesting and constructive debate. I repeat the thanks from these Benches to the noble Lord, Lord Broers, his committee and staff. I look forward to the Minister’s reply.
My Lords, when I was allotted the privilege of responding on behalf of the Government to the distinguished report written by a distinguished group, I admit that I felt some trepidation. After reading the report, the trepidation increased. After hearing the contributions to the debate, the trepidation has continued to increase, but for a variety of reasons. One of them is due to the speed at which the internet develops, as has rightly been said. A number of issues raised in this debate developed after the report—indeed, after government action. That development will continue. Therefore, the ability of the human process—whether it is the legal process or the commercial process—to keep up to speed with changes is a challenge to us all.
The Government welcome the report and this debate. The report comes at a time of growing interest in the safety of individuals and their information on the internet, and is a very valuable contribution to this broad, continuing and, perhaps, endless debate. The Government beg forgiveness—at least I do—if their first response to the report was seen to be, or was thought to have been, insulting in any way. It was never meant to be. I would view this report as being a spur to the Government and a challenge for us to recognise, as a Government and an Administration, the need to protect the public.
It is clear from the take-up of broadband access across the UK, and from the growth in online commerce, that the public to a large degree is comfortable in using the technology and increasingly enjoys the services available. However, the Government are not, and cannot be, complacent about the risks to the public, and have taken legislative and organisational steps to ensure that the public can have confidence in the internet and is protected from harm. Many of the comments in this debate and in the report are requirements that we give force to that statement in terms of legislative and other measures.
The Government’s response to the threat to the safety of the public and business has grown, and will continue to grow, as the use of the internet has risen and continues to rise. The noble Lord, Lord Mitchell, vividly reminded us of that in terms of the speed of developments. It affects all areas of society. We should seek to increase protection of our population through the development of legislation, the provision of specialist law enforcement bodies and co-operative working within the UK and internationally.
The Government welcome the recognition in the report that the problems of making the internet safe cannot be addressed by government, or by any other group, alone. It is vital that all relevant sectors of society work together to ensure that the internet is as safe as possible and that information is available to the public to empower it to protect itself.
The Government and the agencies for which they are responsible work with a number of different groups to support work on internet security. We are working with the internet crime and disorder partnerships, established through EURIM, which brings together government, Parliament and civil society. Some noble Lords will be familiar with many of the acronyms in this area. In this debate, I have heard many other acronyms used by the internet and the computer industry. When information technology meets the Civil Service, perhaps the slogan might be, “Acronyms rule OK”. Therefore, one should not seek to use acronyms, where possible; but I am afraid that on this occasion there are so many acronyms that it is impossible to do otherwise. The importance of the partnership through EURIM and the collaboration of industry, government, Parliament and civil society is that they will develop a co-ordinated approach to online crime and establish a co-operative regulatory framework for the internet, capable of adapting with the necessary speed and flexibility required in this rapidly changing area.
The challenge set by many noble Lords is to see whether the Government are capable of keeping up the speed and degree of flexibility that we require. In the eyes of the Government, it is one of a number of vital and complementary initiatives that we need to tackle general electronic crime, alongside the law enforcement response provided by SOCA e-crime, the Police Central e-crime Unit and the National Fraud Strategic Authority—three very important bodies.
The Government recently sponsored the Byron review, which considered how children can be protected on the internet and made a number of recommendations, all of which the Government accepted. The key recommendation was that the UK should establish a forum that brings together government, law enforcement, industry and the third sector to look at how the internet can be made as safe as possible for children. On 29 September, the Prime Minister launched the UK Council for Child Internet Safety. I am very pleased to report that there has been a positive response from all sectors and that well over 100 organisations have applied to join the council, showing that there is a broad commitment across society to support safety for children.
The Government strongly support the work of Get Safe Online, which brings together industry and law enforcement to provide safety information to the public and industry. We believe it is right for government to work alongside industry: by working together they will help to ensure that people are kept safe and are empowered to stay safe online. Additionally, officials from the Department for Business, Enterprise and Regulatory Reform are committed to working with representatives from the Internet Services Providers’ Association to achieve this. We hope that over the coming months we will see a serious elevation of the debate on the clear and consistent role that industry can take to demonstrate the protection it is offering, with advice on how people can protect themselves online.
In that context, there is nothing like a personal interest to bring about concentration on a piece of legislation. This morning, I received a letter from my bank telling me that in the course of an hour someone had attempted to use my details to purchase about £1,200-worth of goods in Venezuela. The impressive thing about that is that fortunately the bank refused to accept any of the transactions and has now written to me saying that it suspects fraud. Nothing like this has happened to me before, and that incident demonstrates the risk but also the comfort that can be gained from efficient and effective protection—in this case, from my bank.
Earlier this month, the Government brought into force changes to the Computer Misuse Act 1990 that increase the maximum penalty for the Section 1 offence of unauthorised access to computer material to two years to better reflect the seriousness of such offences. The changes also ensure that the offence is extraditable, which, in the international context, is very important. Similarly, we have increased the maximum penalty for the Section 3 offence of unauthorised modification of computer material to 10 years. We have broadened the definition of the Section 3 offence to clarify that all means of interference with a computer system are criminalised, and in particular to ensure that adequate provision is made to criminalise all forms of denial of service attacks—a matter raised by several noble Lords—so that they can be better dealt with. We have also created a new offence of making, adapting or supplying articles for use in computer misuse offences to discourage the market in the production and distribution of hacking tools. We believe that these changes have ensured that the legal framework to tackle offences on the internet is robust and relevant.
In 2006, the Government set up the Child Exploitation and Online Protection Centre, or CEOP, to protect children from those who would seek to harm them online. CEOP has grown into a world leader and has had remarkable success in rescuing children, arresting offenders and building relationships with law enforcement in the UK and overseas. CEOP has also developed a widespread educational programme for children and parents, which allows children to understand the risks on the internet and to protect themselves from harm.
The noble Viscount, Lord Bridgeman, raised the question of the police e-crime unit, which has now had funding approved. It will be hosted by the Metropolitan Police and will co-ordinate activity across the police service to tackle cybercrime. A theme from today’s debate is the need for interaction and co-ordination between agencies, police forces and others, so that they work together, without overlap, in dealing with this problem. The unit will provide support and advice to the National Fraud Reporting Centre on electronic fraud reported to the centre and will respond to intelligence packages produced by it. While the unit will not investigate every electronic fraud, it will work to tackle major frauds and bundles of smaller frauds that are assessed as being the work of one person or group. The unit will also work across the police service, in co-operation with the National Policing Improvement Agency, to develop the overall response to electronic crime and to ensure that police officers have adequate knowledge and training to tackle such crimes—another important point made by noble Lords.
The Government also support the SOCA e-crime unit, which is dedicated to tackling organised crime groups that operate online. We will ensure that the work of all the law enforcement groups does not overlap—a point made by the noble Earl—and I understand that the senior officers in each of those agencies communicate regularly to ensure that the work that they do is co-ordinated and not duplicated.
Much has understandably been made of data losses. I was not aware of the one reported today. We appreciate and understand the serious concerns set out in the reports regarding the loss of data by government departments. As part of the response to the losses of data, we commissioned a report to look at how data should be handled in the future. The report was delivered in June this year and contains far-reaching mandatory recommendations, which departments are already investing time and energy in to ensure that personal information is managed properly and used securely for the public’s benefit. As part of our drive for greater openness and transparency, departments have already published details of data security incidents in their 2007-08 resource accounts. Clearly, the call for higher security transparency means that we also see headlines on these unfortunate incidents.
The report recognises that the problem of cybercrime cannot be addressed by the UK alone and that international co-operation is essential to ensure that law enforcement within the UK can obtain assistance, when required, from countries where cybercriminals might be operating.
With the changes to the Computer Misuse Act now enacted, we believe that the UK meets all the requirements necessary for us to ratify the Council of Europe Convention on Cybercrime and to give effect to the EU framework decision on attacks on information systems, a point raised by the noble Viscount, Lord Bridgeman. I am pleased to say that we expect the Convention on Cybercrime to be ratified by the end of the year, or certainly in the early part of 2009.
Many points and comments were made in the debate. If I try to deal with them now, I will fail, because I have not yet learnt the paper-juggling skills required of a Minister at the Dispatch Box and, more important, some of the questions require detailed answers which I would not be able to give orally. As this is the first time that I have responded to a debate, I probably would not do justice to the questions. Given that my knowledge of the retail industry exceeds my knowledge of the IT industry, I make a once-in-a-lifetime offer to any Member who feels that the response that I have given does not cover points raised by undertaking to write to them, even if they have not asked a question.
I have identified a number of issues that were raised, which require us to make responses in any event; for example, there was a question about the resources to the Metropolitan Police and whether they are additional or taken from somewhere else. I will reply to that in writing.
I can respond on some issues. The noble Viscount, Lord Bridgeman, asked about CPS prosecutors in relation to e-crime. I confirm that prosecutors in the CPS are already trained to deal with electronic crime, but I do not think that they are identified as a separate group within that institution. There was concern about cross-departmental groups. We accept the need to co-ordinate interests across departments, and the Cabinet Office has established a forum for that purpose. We hope that it will enhance our position. However, I do not think that I can do justice to individual questions without writing.
The internet and the technology that underpins it are changing rapidly—“changing rapidly” does not do justice to the speed, which has been very much on noble Lords’ minds—and the challenge that the Government must meet is to ensure that there is a safe environment for all. For many people these are exciting changes, which bring tremendous benefit and enjoyment. However, they also bring new challenges, of which keeping up with the speed of technological change is but one. I assure noble Lords that the Government are prepared to meet those challenges as they arise.
The Government will actively consider updating legislation to ensure that the UK has sufficient legal powers to tackle crime committed on the internet. We will work with and through international partners, both bilaterally and through institutions such as the EU and the G8, to build a common approach to preventing such crimes and ensuring that there is an adequate response. The Government will work with all sectors of the UK economy to develop a safer internet and to ensure that the public can have confidence that they are free to trade, communicate and enjoy the services available to them.
The Government will continue to support the law enforcement agencies that provide protection and support to the public and tackle the criminals operating in cyberspace. Above all, with groups across the public, private and third sectors, we will seek to ensure that all of us play our part in ensuring the security and safety of the internet.
My Lords, I thank the Minister for his response, especially as it was his first one and this field is extremely complex. I am reassured to hear that there will be serious elevation of the Government’s consideration of these issues. We look forward to these issues gaining the strength that has been applied to children’s issues. Every citizen deserves the same attention on this serious matter. I congratulate and thank all noble Lords who spoke in this debate on the Select Committee’s report. The breadth of expertise and experience in this House is impressive.
On Question, Motion agreed to.
House adjourned at 2.53 pm.