The Government must stop changes to an anti-hacking law that criminalise the work of security researchers, a House of Lords Committee has said. If it does not, internet security could become an even bigger problem, because 'ethical hacking' will be illegal.
The Lords Science and Technology Committee has produced a report on internet security which says that recent changes in the law make keeping the internet safe harder than ever.
"Legitimate security researchers are at risk of being criminalised as a result of the recent amendments to the Computer Misuse Act," said the report. The Committee said that Home Office minister Vernon Coaker had promised to clarify the law to exempt researchers in the coming weeks.
"We welcome the Minister’s assurance that guidance on this point will appear later in the summer, but urge the Crown Prosecution Service to publish this guidance as soon as possible, so as to avoid undermining such research in the interim," it said.
The report was critical of Government inaction over personal internet security. It said that the internet is "the playground of criminals" and the UK Government's lack of protective action is inefficient, unrealistic and smacks of "the Wild West".
"What is abundantly clear is that the underground economy living off internet crime is flourishing, and shares information openly online," said the report. "The current emphasis of Government and policy-makers upon end-user responsibility for security bears little relation either to the capabilities of many individuals or to the changing nature of the technology and the risk."
"It is time for Government to develop a more holistic understanding of the distributed responsibility for personal internet security," it said. "The current assumption that end-users should be responsible for security is inefficient and unrealistic."
The committee said that ISPs must bear more responsibility for internet security than they do now, and that to that end they should lose some of the legal protection they enjoy as simple transmitters of users' information.
"We recommend that the 'mere conduit' immunity should be removed once ISPs have detected or been notified of the fact that machines on their network are sending out spam or infected code," said the committee's report. "This would give third parties harmed by infected machines the opportunity to recover damages from the ISP responsible. However, in order not to discourage ISPs from monitoring outgoing traffic proactively, they should enjoy a time-limited immunity when they have themselves detected the problem."
The committee also recommended the creation of a law which would require any body holding information on people to report the loss or theft of that information.
"We believe that a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security," it said. Such laws exist in California and other US states and are thought to have raised awareness of personal security there.
"We recommend that a data security breach notification law should incorporate the following key elements: workable definitions of data security breaches, covering both a threshold for the sensitivity of the data lost, and criteria for the accessibility of that data; a mandatory and uniform central reporting system, and clear rules on form and content of notification letters, which must state clearly the nature of the breach and provide advice on the steps that individuals should take to deal with it."
Security company McAfee welcomed the call for a security breach law. "The introduction of a UK disclosure law would be a very positive step forward," said McAfee security analyst Greg Day. "Short term, consumers may see an increase in breaches as full disclosure takes effect. It would be important to educate them that this is not a sign of things getting worse, but more visibility of what is and has already been happening behind closed doors."