Internet Safety & The Law

Written by Peter Davies on .

Aim: Critically examine how the law can be used to improve Internet safety and security for all its users. This report will explore and analyse how the law can be used to improve internet safety and security for all its users focusing directly on current UK law and security issues. The first part of this essay will highlight present-day safety concerns, scrutinising the laws that have been introduced to preserve our perception of security in cyberspace. It will also discuss that as a global communication medium based around the rudimentary concept of “free speech”, it can be argued that no single law can protect users of the Internet given the millions of computers spanning multiple continents, each country with their own laws governing publication, trade and communication. From this discussion, a conclusion will be drawn demonstrating that the roots of the Internet will inhibit the development of cross-border laws, over-ruled by the Internet’s own design: being a forum for free-speech.

In the year 2000 it was estimated that 384 trillion dollars [1] was transferred electronically throughout Europe alone. Although this is an enormous figure, retail electronic commerce (e-commerce) barely generates a quarter of a percent of this global sales amount. Despite the ‘dotcom bomb’ of the late nineties, a steady increase in the number of users online over the next few years resulted in a huge surge of electronic purchases which could mainly be attributed to the fact that we now have fifty-five percent (12.9 million) of Britain’s households connected to the Internet [2]. The same National Statistics Omnibus Survey (2005) reported that sixty-three percent of people aged 25 to 44 had bought or ordered goods, tickets or services online. As well as this mammoth increase, these new users are becoming more and more aware of security threats to themselves, and more importantly, the security of the information such as credit card details they leave with online retailers (e-tailers). This is confirmed by a recent survey by the Information Commissioner’s Office [3] (April 2006) stating that 84 percent of people lack confidence in the way internet sites handle their personal information. It was also reported that without prompt, 52 percent of the respondents believed that their details might be passed onto unknown organisations. This would appear to be a common opinion through-out Britain pointing towards a nationwide lack of trust when using the Internet.

Not only is our safety at risk when purchasing goods online, we now have a growing concern that any conversation we have with other people on the Internet could be monitored, or even worse, that the person we believe we are talking to is not who they say they are. What makes the Internet function as an entity is an imperative collaboration between technology and users. The weakest link in this amalgamation is the human element. It is human nature to lie to get what is necessary, and this is facilitated by the semi-anonymous persona of the Internet. This deficiency of security means that parents can no longer be assured who their children are communicating with within what could be described as the digital playground of the 21st century.

Internet ‘grooming’ has become synonymous with online chat rooms where children have been coerced into meeting with people they have talked to online. Over the past few years, the Government has recognised that more and more children use the Internet and that they are a potential target for paedophiles and sex offenders. Older UK Laws covered grooming as an “incitement to commit a sex offence” which is from the legislation of Section 1 of the Indecency with Children Act 1960 [4] and subsequently improved by the Protection of Children Act 1978 [5]. Recent publicity relating to the Internet’s strong ties to paedophilia and child grooming have resulted in the Government becoming more proactive in their approach to the subject. It was apparent that existing legislation was grossly out-of-date and required substantial evidence for successful prosecution, so the Sexual Offences Act 2003 [6] was introduced (May 2004) to explicitly cover all aspects of modern forms of sexual offences [7]. These legislations have been a key prosecuting tool in many cases including a recent ruling R v W sub nom Attorney-General's Ref. (No.42) (2003) where a man in his mid-thirties used numerous internet chat rooms to solicit unlawful sexual intercourse with several young girls. The outcome of the case was the recommendation that the offender receive the maximum penalty for carrying out such crimes as prosecutable by the Courts. So, in summary, the laws relating to Internet grooming are slowly catching up with the pace of technology, helping to remove loop-holes introduced by the narrow scope of existing laws.

What is required to make the Internet a safer place, is the collaboration of every country to develop a standardised governing law controlling Internet content. This though creates levels of monitoring that undermine the principles of free-speech. It is also extremely unlikely that multi-national corporations would agree to the implementation of ‘black boxes’ within their organisation to pass on potentially sensitive information to the necessary authorities. Having said this, the UK has its own regulation stating that if requested, any Internet Service Provider (ISP) has to surrender access [8] to their systems so that evidence can be gathered under the Regulatory Information Powers Act 2000 [9] (RIPA 2000). This Act, mostly unknown to the UK population requires that ISP’s with more than 10,000 subscribers enable the facility for communication interception (given warrant) for any specified user [10]. Even more worrying is the idea that an ISP can be held somehow responsible for the content that its subscribers or it as an ISP might inadvertently publish. This was argued in a recent case John Bunt v David Tilley & 5 ORS (2006) regarding postings that had been “cached” by an ISP. It was quoted:

“As a matter of law, an internet service provider that performed no more than a passive role in facilitating postings on the internet could not be deemed to be a publisher at common law, Godfrey v Demon Internet Ltd (1999) 4 All ER 342 considered.”

In summary, the case was a perfect example of the correct implementation of The Electronic Commerce (EC Directive) Regulations 2002 [11] describing how the ISP provided only a passive role in facilitating postings on the Internet, and that it could not be deemed a publisher in the context of defamation proceedings. The case in question referred to another case: Godfrey v Demon Internet Ltd (1999) 4 All ER 342 [12] which was heard prior to the introduction of the 2002 EC Directive, was unique in that the judgement ruled that the ISP was in breach of the Deformation Act 1996. In the case of Bunt v Tilley, the judge ruled that having considered Godfrey v Demon it was still prevalent to abide by the newer EC Directive regulations.

The majority of household users are unaware of the security technology in place when purchasing goods online but understand that when the browser has a ‘padlock’ in the bottom right-hand corner their transaction is secure. On completion of a purchase online, the merchant has faith in that the credit card details they obtained will be captured and processed securely, but at no point can the merchant ‘prove’ that a user has entered their own card details. It is also evident that the merchant can’t guarantee the security of the machine that contains the credit card details. Deloitte’s 2004 Global Security Survey [13] revealed that eighty-three percent of e-commerce survey respondents acknowledged that their systems had been compromised in the past year, compared to thirty-nine percent in 2003. Furthermore, forty percent of respondents whose systems were attacked said they sustained financial losses. By implication it can be seen that there is a clear requirement for mechanisms for dealing with electronic theft not only in the UK but across the entire globe.

In the UK, the Data Protection Act (DPA 1998) commenced on 1st March 2000, and attempts to solve some of these issues by dictating that data providers must manage the information on their systems securely. As well as dictating how the collected information should be processed through eight principle rules [14], the DPA is responsible for prosecuting data controllers or individuals if they commit an offence under the act. In relation to the safety and security of Internet users, the DPA provides a set of standards for businesses and individual’s on how data should be managed. As a simple mechanism for determining how data should be protected, it needs separate laws like the Computer Misuse Act (CMA 1990) to implement procedures for prosecuting if this information is electronically stolen. The CMA was directly passed to deal with the increased numbers of computers being hacked [15], as prior to this act it was difficult to prosecute criminals who wrote viruses, attacked remote networks or accessed large amounts of commercially sensitive data. Unknown to the majority of businesses and home users, this Act is probably the most effective deterrent against being a target of computer crime. All security professionals and hackers alike will be aware of the CMA and that it stipulates the process of attempting unauthorised access to a system, specifically dealing with questions of jurisdiction and extradition [16]. Of course, if the user is aware of what they can and cannot do, it is a simple process for an accomplished professional to circumvent the procedures in place to detect unwanted access to data. This in essence demonstrates that the laws are only effective after detection measures are in place. Potential criminals are usually deterred by the judicial laws present within their country, but with computer crime the deterrent for committing such crimes is often not well known (or easily ignored). As with the day to day laws we break, for example, when we speed in our cars, computer crime is often seen as one of these “acceptable risks”. This is also common in the household; most home users will be aware of pirated software on their computer systems but accept the risk as the gain from using the software outweighs the potential consequences. It is often thought that as home users it is highly unlikely they will be prosecuted as it is more common that law enforcement agencies will target the distributors.

Given the scope of the initial essay title it is very difficult to summarise the security and safety of the Internet to any single law. This is because the laws that govern the individual countries are not consistent and in the majority of cases are inoperable with one another. In the UK, Simon Janes a former head of Scotland Yard’s Computer Crime Unit described in a 2004 article on cybercrime that [17]:

“the police are currently ‘woefully’ under-resourced and are a long way from effectively and efficiently investigating and solving computer crimes.”

In conclusion we can understand that without law people would be free to commit any act of violence or crime resulting in chaos. In a present day parallel, the Internet can be seen as a global entity with no single governing body, relying on the local Governments of each country to dictate what is acceptable to be published. The issue here is with the evolution of each country, some are more developed than others making provision for such publication, criminal and terrorism related Laws. This mismatch in evolutionary continuity provides loop-holes that criminals can exploit allowing them to be undetected and subsequently undeterred by any external Government policy. It has been argued from the dawn of the Internet that content on it should be freely available to whomever needs to access it, but without some degree of moderation paedophiles for example would be able to get away with trading images and provide no barrier for child grooming in chat rooms. So, this is where legislation and freedom of speech can be visualised at opposite ends of the process of moderation and content control; where a compromise in both sides is required to maintain safety and security in an invaluable resource such as the Internet.

Bibliography

Bainbridge, D (2004, 5th Edition) Introduction to Computer Law [Book] Publisher: Pearson, ISBN: 0-582-47365-9

Casey, Eoghan (2004) Computer Crime Investigation [Book] Publisher: Elsevier, ISBN: 0-12-163103-6

Casey, Eoghan (2004, 2nd Edition) Digital Evidence and Computer Crime [Book] Publisher: Elsevier, ISBN: 0-12-163104-4

Kruse, Warren G. and Heiser, Jay G. (2004) Computer Forensics, Incident Response Essentials [Book] Publisher: Addison Wesely, ISBN: 0201707195

Maguire, M and Morgan, R and Reiner, R (2002) The Oxford Handbook of Criminology [Book] Publisher: Oxford University Press, ISBN: 0-19-924937-7

Rosenoer, J (1997) CyberLaw [Book] Publisher: Springer, ISBN: 0-387-94832-5

References

[1] Global Payments Industry Metrics, 2000 & 2010 (March 2003) Statistics for Electronic Transactions [Online] ePayNews.com. Available from: http://www.epaynews.com/statistics/transactions.html [Accessed 16th Jan 2006]

[2] National Statistics (July 2005) Internet Access [Online] National Statistics. Available from: http://www.statistics.gov.uk/cci/nugget.asp?id=8 [Accessed 18th Dec 2005].

[3] UK Legal News Analysis (2006) Survey reveals internet security concerns… [Online] LexisNexis Butterworths. Available from: http://www.lexisnexis.com/uk/ [Accesssed 26th April 2006]

[4] Childnet International (2001) Online grooming & UK Law [Online] Childnet International. Available from: http://www.childnet-int.org/downloads/online-grooming.pdf [Accessed 5th May 2006]

[5] BBC Editorial Guidelines (2005) Children & the law [Online] BBC. Available from: http://www.bbc.co.uk/guidelines/editorialguidelines/edguide/thelaw/childrenthelaw.shtml [Accessed 2nd May 2006]

[6] Crown (2003) Sexual Offences Act 2003 [Online] Crown Copyright. Available from: http://www.opsi.gov.uk/ACTS/acts2003/20030042.htm [Accessed 5th May 2006]

[7] The Crown Prosecution Service (2003) The New Sexual Offences Act 2003 [Online] CPS, Available from: http://www.cps.gov.uk/publications/communications/fs-sexoffences.html [Accessed 5th March 2006]

[8] Stevens, Paul (2002) RIPA demands push up ISP costs [Online] ZDNet UK. Available from: http://insight.zdnet.co.uk/hardware/servers/0,39020445,2118813,00.htm [Accessed April 22nd 2006]

[9] Crown (2000) Regulation of Investigatory Powers Act 2000 [Online] Crown Copyright. Available from: http://www.opsi.gov.uk/acts/acts2000/20000023.htm [Accessed 29th April 2006]

[10] Statewatch (2003) Surveillance of communications goes through the roof [Online] Statewatch. Available from: http://www.statewatch.org/news/2003/jan/11ukteltap.htm [Accessed 29th April 2006]

[11] Crown (2002) The Electronic Commerce (EC Directive) Regulations 2002 [Online] Crown Copyright. Available from: http://www.opsi.gov.uk/si/si2002/20022013.htm [Accessed 7th May 2006]

[12] Akdeniz, Yaman (1999) Case Analysis of Laurence Godfrey v. Demon Internet Limited [Online] CyberLaw Research Unit Available from: http://www.cyber-rights.org/reports/demon.htm [Accessed 4th May 2006]

[13] Deloitte (2004) Global Security Survey [Online] Deloitte Touche Tohmatsu. Available from: http://www.deloitte.com/dtt/research/ [Accessed 14th Oct 2005]

[14] Business Link (2000) Comply with data protection legislation [Online] Business Link. Available from: http://tinyurl.com/ec6ll [Accessed 7th May 2006]

[15] Superhighway Safety (2006) The Computer Misuse Act, 1990 [Online] UK Online. Available from: http://safety.ngfl.gov.uk/ukonline/document.php3?D=d10 [Accessed 3rd May 2006]

[16] Bainbrdige, David (2004) Introduction to Computer Law [Book] Pearson, page 357 ISBN: 0-582-47365-9

[17] Sturgeon, Will (2004) UK MPs urge cybercrime revisions and tougher sentences [Online] Silicon.com Available from: http://software.silicon.com/security/0,39024655,39121795,00.htm [Accessed 8th May 2006]