The House of Lords Personal Internet Security report warns that the government and the IT industry are too casual about security. It is true. Security may be well managed in the enterprise, but it tends to be weak in small businesses and a basket case in many homes. The Lords have come up with some controversial proposals, daring to broach the question of liability for buggy software or hardware that puts others at risk. The Lords recommend "the introduction of the principle of vendor liability within the IT industry", adding that this should override end-user licence agreements ìin circumstances where negligence can be demonstratedî.
The Lords also focused on ISPs, which so far have evaded responsibility for the content that flows through their pipes by arguing that they are only providing infrastructure. The report said, "We recommend that the 'mere conduit' immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code."
There is also the matter of data protection. The Lords observed that the Data Protection Act is weakly enforced and want to see this improved.
Just as you would expect, the industry's reaction has been defensive. "The UK internet industry has an excellent track record of making the net safer through self-regulation," bleated the Internet Services Providers' Association in its press release, describing how its members strive to educate users. It is wilfully missing the point.
"The current assumption that end-users should be responsible for security is inefficient and unrealistic," said the Lords, and they are absolutely right. There is also plentiful evidence that the webís security problems are not going away, and may be getting worse. In the industry we have come to accept this as somehow normal.
However, it is easy to find reasons why new legislation would not work, or may do more harm than good - the freedom and openness that characterise the net are key to its success. The problems are global, not national, and the risk is that the good guys will suffer while the bad guys take no notice.
The best outcome is not new laws, but a renewed vigour behind efforts to improve security without pretending that education, bundled trialware and impenetrable warning dialogs form a realistic solution. That said, some new legislation probably is necessary. It is hard to find any good reason why one-sided licence agreements should protect vendors from responsibility for negligence.
Finally, if we are serious about trying to improve internet security, the ISPs must inevitably play a bigger role than they do now.
