How safe is your data? - on-line or off?

Next week will see the annual Get Safe On-line campaign and also the Internet Governance Forum in Rio de Janeiro – at which the need to improve security will be a major thread. Last week the government response to the report of the House of Lords select committee enquiry on Personal Internet Safety was published. The doctrine of Ministerial Infallibility means that no department can publicly accept in full the recommendations of a committee that it did not appoint. The wording of the response is, however, such that I would expect all the main recommendations to have been adopted before the next General Election – provided they have the necessary support and commitment from industry: users as well as suppliers.

Of course the public has not yet lost confidence in the Internet. But there is a very real risk that they would, if they felt they themselves had to bear the risk of things going wrong. The 2007 Oxford Internet Institute Survey shows concern over content in parallel with a high level of satisfaction with the services provided. The convenience of on-line transactions greatly outweighs the current risk of on-line and other computer-assisted fraud – provided someone else is carrying the risk. And they usually are. The cost is being borne by the Banks (card not present fraud) and Government (tax and benefit fraud). And the cost to banks is trivial compared to the cost of their on-line customers reverting to branch banking. In the case of financial services, at least, the House of Lords recommendation that liability and responsibility sit with those in the best position to take action can be seen as “merely” a confirmation of the status quo.

The House of Lords, as the UK’s final Court of Appeal, has itself acted accordingly. Outlaw-Com recently carried a report headed “Lords back protection for overseas card transactions”. The Banks are quoted as saying that the over-turning of a Court of Appeal decision to make customers liable for fraudulent overseas transactions on UK-issued credit cards made no difference, because they would reimburse them anyway. The author, however, concluded: “had the ruling gone the other way it could have dented confidence in e-commerce, which relies more heavily than off-line business on cross-border consumer trading”. The ruling is all the more significant because the roll-out of chip and pin has sharply reduced card fraud in the UK and Western Europe. Meanwhile the fraudulent use of UK card details in Asia and the Americas is rising sharply, thus increasing the pressure for more effective international co-operation against on-line fraud.

Next week we can expect a hike in fear levels and messages to consumers to protect themselves on-line. But the “leakage” of personal information, including bank and card details, from the data centres and websites of employers, government departments and e-tailers is a far more serious problem. Hence the recent attempt in California to make e-tailers liable to card-issuers for the cost of reissuing cards when their customer files have been lost, stolen or copied. Hence also the interim recommendations of the US Presidential Task Force on ID theft and the exercise that is gathering pace to review UK public sector information assurance. The Land Registry has now joined the litany of insecure on-line systems that have had to be withdrawn for lack of adequate security.

But we must remember that the costs of e-crime and ID fraud are still insignificant compared to the damage that a “rogue” trader or “over-ambitious” Chief Executive can inflict, even on a global business. Moreover, the biggest risk remains “digititis” (e.g. over-centralised, inter-twined and integrated networks brought down by finger trouble during routine maintenance or upgrade), followed by mother nature (e.g. storm or flood removing the power supply to a data or switching centre, or flu incapacitating key staff) and accident (fire, explosion or rogue JCB operator removing the centre or the landlines that connect it with the rest of the world).

We need holistic approaches to the interlinked issues of consumer confidence, information assurance and on-line security. And these need to be based on realism as to the scale and nature of the risks and much better co-operation between those who wish to see their customers deal with them on-line. Active support for exercises like Get Safe On-line should be part of that co-operation.