Whatever else we are able to surmise from the online security troubles at Taxchecker highlighted in this week's Computer Weekly, two things, at least, are certain: this is by no means the first problem of its kind; and it is sure not to be the last.
However ingenious and secure the online solutions we have in place today may seem, it is worth reminding ourselves that Internet technologies are still very much in their infancy, and that we are only scratching at the surface of their potential for transforming the way we communicate and do business.
It is only eight years since the maiden issue of our Internet column, Getting Wired, felt it necessary to explain the meaning of "hypertext", "electronic mail" and "browsers" to a baffled world. Eight years from now, who knows what may have become possible?
Given the rate of the Internet's metamorphosis, further security teething problems are inevitable. No organisation can ever hope to keep its systems totally glitch-free. What differentiates a pragmatic and intelligent company from any other, therefore, is the way in which it chooses to react to such glitches.
In taking remedial action to plug the security hole in its systems as soon as it was made aware of it, Taxchecker acted impeccably. The design of its site, which was structured in such a way that the database driving it was tied in to the URL, was altered immediately.
Less impressive is the consideration Taxchecker is giving to launching legal action against the individual who highlighted the problem in the first place. Certainly, he strayed into an account (or accounts) other than his own, but wouldn't anyone with a healthy sense of curiosity be tempted to do exactly the same?
When a neighbour, noticing your front door is open, pushes it further ajar in an attempt to check that it is safely on a latch, is he to be charged with illegal entry?
The Computer Misuse Act, in its current guise, is ill-equipped to offer any answer to this sort of conundrum.
The situation at Taxchecker bears similarities to the recent difficulties suffered by EasyNet, the ISP whose online security flaws we reported in August. EasyNet's decision to file a complaint against the security company that first drew attention to these flaws spurred one correspondent to Computer Weekly's letters page to recommend that the ISP would do better to "divert its litigation budget towards better compliance with various security standards".
Web sites exist to serve customers. If those customers have the decency to highlight potentially damaging lapses of security, companies owe it to them to respond gracefully. Threatening them with court action is sure to deter honest people from reporting problems in future, and could result in a lot of negative PR. (In any case, such action is unlikely to be successful.) Meanwhile, the Government must act quickly to drag existing technology legislation into the new century.
If neither of these things happens, consumers will quickly cease reporting problems - and then we all lose out.