Close the E-crime Safe Haven - Blog by The Earl of Erroll

The authors of the House of Lords Select Committee report on Personal Internet Safety are seeking comment on the Government Response with a view to doing a follow-up exercise. The Earl of Erroll explains why in this “guest blog”.

Our report was focussed on the threats to consumers and their children, not e-crime as a whole. The Government response was there was no hard evidence of a serious problem, they were supporting awareness campaigns, such as Get Safe On-line, it was all too difficult and they were planning to support a co-ordinating unit anyway. It is now nearly two years since the previous co-ordinating unit was disbanded and six months since the web-site for reporting “non-urgent” crime was taken off-air.

We didn’t want more talk. There’s a lack of action in the government response to our report. If someone doesn’t take some leadership, the civil service won’t have the clout to say to their masters “we need some budget to sort this out”. We want to shake things up so we are not in the same position in a year’s time. If we don’t push, nothing will happen.

We were looking at the issues from the point of view of the individual. The Banks came to us and said they were only losing £33.5m last year to fraud, but they off-load all the liability for Card Not Present transactions onto the merchants, many of them small. Most individuals are only losing £500 or £1000 a month: too small to bother to report, let alone investigate. Nobody seemed to care and there was nobody to report it to. The police say it’s too small and we haven’t got time. But that might well be the family’s mortgage repayment and large volumes of small amounts can have a huge impact. It’s a major problem. A lot of people say the next generation will know how to avoid e-crime. But there’s always going to be greedy and gullible people in every generation. Technology is not going to provide the solution because of social engineering, ever more plausible reasons to click the button or contact your supposed “new friend”. We must educate the public – but “train and blame” is not enough.

The UK is effectively a safe haven for e-crime, as there’s no risk of prosecution because each crime is too small. We need to take a random ten per cent every year and prosecute them to encourage the younger generation not to get involved in it. Small-scale fraud added together becomes large scale.

More regulations won’t work – we need incentives. Greater liability might give the incentive for greater security. Liability needs to be shifted onto those who are in a position to take effective action – that means the banks and the communications providers. That was one of our main recommendations and Government has ignored it.

We also said that the Information Commissioner needs proper teeth. The problem of having to wait to shut the stable door until after the horse has bolted is completely ridiculous.

But we also need a proper police crime unit. The National High Tech Crime Unit was providing some sort of training and resource to the local police forces – perhaps not enough but at least some. Police forces are organised on a local basis because most burglars live close by. One of the challenges of the Internet is that you can have low individual value burglaries even when the person lives a long way away.

Which police force deals with this? We need a national co-ordinating unit at the very least. The sums being asked for by the police are quite small, only £1.5m to get this thing off the ground, because then the private sector will join in to help protect their customers, as in the United States. But it does have to have a government paid police core.

So why the delay over such a small sum? I cannot see any valid reason. That is why I signed the petition on the Number 10 website calling for support for the proposed police e-crime co-ordinating unit.

The launch of the Information Security Awareness Forum bringing together the work of the ICT professional bodies in this area is a great idea – but government also needs to get its act together and improved awareness is not enough.

As I said earlier we need to move from debate to action. Please read the Government response to our report and then send your comments to the Clerk to the Select Committee or post them to this blog for Philip Virgo to forward.

Merlin Erroll

Join the conversation



I hope Lord Erroll won't mind me disagreeing with him on one point - trying to saddle the communications providers with liability is the slippery slope to a lot of bad things. Once the "common carrier" status is broken, for whatever good reason, a whole can of worms is opened that would increase the providers' liability, push up their insurance premiums, force the smaller ones out of business and, eventually, be anti-competitive and counter-productive.

My view is that communications providers need more and clearer immunity, not less. It's not their fault (in the sense they don't originate it) and there's not really that much they can do about it. To attempt to do so would impose a huge administrative burden and cost. Look at Yahoo - big resources, much trumpeted smart Spam filtering and yet loads of it still gets through because the truth is the bad guys have more motivation and resources.

There are some things ISPs, etc, can do that don't interfere with their common carrier status but which do mitigate the impact of Spam and one of its most common origins, compromised client machines ("bots").

Spam could have been dramatically reduced ten or more years ago when the discussions about email sender authentication were going on but the industry conspicuously failed to agree on a common standard. The truth is industry wants Spam but they want it to be their Spam.

As for the bots, that's largely a problem caused by software and system providers supplying machines that are insecure by design or configuration. When I installed a standard Windows XP PC on a broadband modem (as opposed to a router/firewall) for a friend a few years ago, it was attacked and compromised within five minutes.

ISPs can do inbound port blocking although firewall/router boxes have largely made this unnecessary. Ultimately, the ISPs cannot be liable for users browsing carelessly or opening email attachments thoughtlessly. Maybe the new version of Internet Explorer will help but neither ISPs, software vendors nor system suppliers can prevent people being stupid.

Above all, we must not give in to the cries of "something should be done", fuelled by eye-catching headlines, and fall into the trap of legislating in haste. There is far too much bad publicity about the Internet and not enough good publicity - it's all too easy to forget the great good that it has brought about in its 30+ years of existence. Don't let a few crooks spoil all that.



