Internet security – Ghosts in the Machine

On one side of cyberspace we have those advocating stricter regulation and on the other, those pushing for a broader understanding of the medium, and not more red tape.

Does the internet need to be regulated by special laws? Not according to members of Eurim, the liaison group for parliamentarians and the IT industry, who attended a lunch hosted by Accountancy Age’s sister title Computing to discuss the balance between self-regulation and statutory control.

‘The internet is another means of communication, so existing laws apply,’ insists Camille de Stempel, director of public policy at AOL Time Warner.

‘Any child pornography or racist material offences are covered by existing legislation and apply to an internet service provider and its customers.

‘We remove any such material from our servers once we have been made aware of it. For AOL the existing situation is acceptable.’

Eurim members say that improved knowledge would be better than regulation.

‘The issue is knowing the risks and why people publicise false risks,’ says Roland Perry, director of public policy for the London Internet Exchange.

For example, when credit card risk on the internet became an issue, Perry heard claims that 60% of card fraud was carried out over the internet.

The actual figure was 4%.

So why are people so worried, particularly when the Consumer Credit Act protects cardholders against most fraud? There is a lot of fear, uncertainty and doubt. But there are easier ways of getting hold of credit card numbers, according to Perry.

He is also concerned that legislation reduces privacy. ‘Police don’t have access to CCTV from private premises,’ he said. ‘They need to request such footage after a crime has been committed. The proposals for e-commerce do include routine access to transactions.’

Philip Virgo, strategic adviser to IMIS, a professional body for IT managers, says: ‘WH Smith doesn’t have cameras trained on the top shelf to see what you’ve looked at or bought. But that is effectively what happens when you shop online.’

The Earl of Erroll suggests most people are not interested in online privacy. ‘80 to 90% of people couldn’t give a damn, and they are perfectly right, because there is nothing that they are doing that is of interest to the authorities,’ he says.

But he points to the case of the Paddington rail crash campaigner who was checked for political affiliation by Labour party researchers. People can suddenly become of interest, and then they want privacy, says the Earl.

‘What happens when someone has increased power to access these records?

‘If government databases are linked properly, through biometrics, it would be much easier to pin down individuals,’ he says.

Corporate systems introduce even more complexity into the privacy debate.

‘People say that they don’t believe what’s in an email because it may have been changed on the way,’ says Perry, referring to the disclaimers that appear in many company emails. ‘There’s a sort of technophobia thing.’

Most organisations are split on the issue, according to Virgo. ‘Managers think they should be able to monitor emails and staff behaviour, so the organisation is not open to employees’ actions,’ he says.

‘But young technical staff have a different view. They think that free internet access is a libertarian right.’

The Earl of Erroll says one problem is the chance of being sued by someone who leaves the organisation. Someone leaving could get a friend to send a risque email through corporate systems, which could be used to sue the company.

Virgo says: ‘There should be no privacy over any corporate system. If they want privacy, employees should use their mobile phone.

‘If the company doesn’t allow mobiles to be used on the premises it should allow access during breaks to an unmonitored internet cafe that doesn’t belong to the company.’

Perry points out that facilities for private phone calls have to be provided by employers. ‘You’re not in prison when you’re at work. This policy has never been converged with the internet,’ he says.

Privacy at work has been driven by the Data Protection Act, which is mirrored across the European Union as a result of a 1995 European directive.

An earlier 1980s directive led Germany to introduce particularly tough laws.

According to Virgo: ‘After reunification, Germany erased the East German cancer registries because of West Germany’s tight data protection laws.

‘There were complaints, but the West knew best,’ he says. ‘Data protection was more important than helping protect a few thousand East Germans who were at known risk from preventable suffering and death.’

The Earl of Erroll says: ‘Five years ago, there were calls for a ban on transferring data collected under statutory authority outside the UK for entry, but nothing happened.

‘The laws are now written to try to define every circumstance that may occur. The internet is a totally resilient system for communicating if half the world blows up. But we’ve passed laws for data that just passes through the country, such as tobacco advertising.’

Virgo adds: ‘A lot of global financial organisations have long had systems that will keep running even if most of the northern hemisphere went to war.

‘To do that they had to permanently mirror their data files in the Far East, Australia or South America, even before they moved to time shifting network control, processing, helpdesks and call centres around the world according to the time of day.’

The Earl of Erroll concludes: ‘You have to handle the reality that people can store and access information anywhere in the world. We no longer live in an enclave.’

  • This is a version of an article that first appeared in our sister title Computing.
