U.K. Rejects Parliament Call for Tougher E-Crime Measure
A House of Lords committee accused the U.K. of “putting its head in the sand” by dismissing key recommendations by a parliamentary body investigating personal Internet security. The Science and Technology Committee called a “huge disappointment” the government response to evidence of e- crime and many users’ inability to protect themselves. The response was made public Tuesday.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
An August report based on the investigation strongly criticized the government’s “laissez-faire” attitude toward personal security and its joining ISPs and others in unfairly holding users responsible for online safety. (WID August 10 p2). The government response, in turn, rejected the panel’s “implication” that dangers online have hurt public confidence in the Internet. The rise of e-commerce, with some businesses seeing 80 percent annual growth, “does not support such a view,” the reply said. Moreover, the explosion in user-generated content and the launch of new and varied forms of social interaction underline interest in the technology and, “if not absolute confidence,” an acceptable level of comfort, the government said.
The government takes seriously all forms of e-crime but rejects the notion that its only response is to hold people responsible for their own safety, it said. It said shared responsibility, not legislation, is crucial. It agreed to consider the committee proposals to create a law enforcement unit to tackle computer-related crimes.
One of the report’s more controversial recommendations was that ISPs lose their “mere conduit” immunity once they detected or are told of the fact that machines on their networks are transmitting spam or infected code. But the government said it can’t selectively enforce parts of EU law that protect ISPs acting as mere conduits. That protection is not absolute, because ISPs can be compelled by court order to act, the government said. And removing protection might prevent those harmed by infected machines from seeking damages from a service provider, the government said. It also questioned the report’s assumption that ISPs don’t take appropriate action in such situations.
Lawmakers also recommended that the government enact data-security breach notification legislation. The response acknowledged that such laws elsewhere are an “interesting development” but said the government isn’t convinced it would force businesses to safeguard personal information. There’s a “strong body of opinion” in the U.S. that breach notification laws spark significant changes in corporate behavior, the government said. They actually may inure consumers to security issues and sap confidence in the Internet as a business medium, it said. The government will continue to monitor the U.S. experience to determine whether such a measure is needed in the U.K., it said.
The U.K. Office of Communications (Ofcom) agreed that Internet security is a shared responsibility, not one exclusive to the consumer, in its response to the Lords report. ISPs could contribute more to security, the regulator said, by, for example, making it a more important feature of the services provided. And there could be more openness about what security support consumers can expect and which ISPs should provide, it said.
The fundamental question is whether ISPs should have regulatory duties in relation to security risks or harmful content, Ofcom said. Laws bar Ofcom from imposing such duties, it said, but it may be appropriate to review the question, something the U.K. likely will be able to do in a European Commission review of the electronic communications regulatory framework and the e-commerce directive.
The concept of changing mere-conduit status raises issues about a part of the EU e-commerce directive that the Children’s Charities Coalition on Internet Safety considers unsatisfactory, Secretary John Carr wrote in comments on the Lords report. The directive subjects ISPs to liability only if they have actual knowledge of harmful material and fail to take it down, he said.
But “judicial comment” in the U.K. and abroad suggests that where an ISP or web host chooses to police its site by searching for material it believes breaches its terms of service, it in effect becomes the publisher of everything that remains, Carr said. This “shows a lack of understanding” of how Web-based companies work and has the perverse effect of encouraging them to do nothing, he said. He urged the government to push for a clarification to the directive to stress that ISP liability for unsuitable content requires a showing of actual knowledge.
The government also rejected lawmakers’ calls for a law holding banks liable for losses from e-fraud, saying financial institutions shouldn’t be expected to reimburse people who are negligent with credit cards or details. It also turned down a request to criminalize sale or purchase of botnet services, saying those acts are covered by the Computer Misuse Act as amended.
Lawmakers tried to look a decade ahead at what the Internet might be like, said the Earl of Erroll, a committee member. The recommendations focused on incentives to ensure that everyone heeds online security, but the government dismissed them out of hand, he said. “Their approach seems to consist solely of putting their head in the sand,” he said.