Herding the sheep on-line to be fleeced

The recent hype on Cyberwarfare, alias bids for a slice of HMG’s £640 million and the rather bigger US Government pots, needs to be juxtaposed with that for the loss of credit card details from Lush. What is different about Lush is that, being an ethical company, they came clean before they had to. Meanwhile the price of personal details on the on-line “dark market” appears to have collapsed – so much is available. I do commend the OECD report by Peter Sommer and Ian Brown – but note their conclusions.

The key is security by design – not e-sticking plasters.

For example, HMG needs to ensure that its on-line services are fit for purpose, including availability, usability and resilience as well as security, before getting too enthusiastic about the savings it can make. Otherwise the automation of tax and benefit fraud will far more than wipe out any nominal savings.

It was said some years ago that the main factor preventing loss of confidence in the Internet as a safe place is that the criminal networks wish to milk the cow, not kill it. 

I probably need to update the summary of the situation and solutions that I gave in my opening remarks (to introduce the Earl of Erroll as the keynote speaker) at a conference on Privacy Enhancing Technologies some years ago. The only comment that I would add to my then comments on the different types of PET (yappy puppies, silent killers, piranha fish etc.) is that the probable main cause of Gulf War syndrome was the organo-phosphates (the main ingredient of most sheep dips) that they sprayed on and around their tents.

Today we can see the steady spread of the on-line equivalent of Gulf War Syndrome.

The time has come to move on from the indiscriminate use of the on-line equivalent of organo-phosphates and start addressing the root causes of the problems – such as sorting out the domain name system. The technical solutions currently in prospect are complex and may well not work. The “economic” solutions, however, appear simple. Those who register names (even on a “trial” basis) should pay, albeit with a refund, less admin charge, when they release the names. Moreover, chargebacks should be enforced on those registrars who regularly accept payment with false credit/debit card details.

We need to change the “business model” of the domain name administrators and registrars from “pile it high and sell it cheap” (hence the drive for top level domain names which no-one appears to want except for those who want to sell them) to making serious money from helping paying customers to protect their reputations and trade-marks.

In parallel, however, we need serious routines to protect those who wish to protect their anonymity while we, not our ISPs, can choose to decide whether to accept their communications. I recently had cause to re-read the script I used to introduce a Freedom Forum discussion on Internet Censorship ten years ago.

It was interesting to see how much and how little we had moved on – and how wrong I then was about the likely timescales for change. When it comes to Governance, an Internet year appears to have 1,000 days, each with 240 hours. We are still living with forty-year-old temporary fixes.