Online security: UK laws and regulations

I was asked yesterday about the safety of booking a flight online. This person had previously only ever made travel arrangements via a high street travel agent. Although I could give some generally known advice, there was no way I could generate the levels of confidence that walking into a well known high street store provides. At the same time I have been reading the "Personal Internet Security" report by the House of Lords Science and Technology Committee (published in August 07). It struck me that knowing about the current range of laws and regulatory bodies that may have some remit to protect the individual online actually may be detrimental to providing such confidence.

This person's primary fear about buying a flight online was the risk of being defrauded. She was worried about paying a large amount of money and ending up with no ticket. She also seemed to have a larger, ill-defined worry about media-intensified notions of "identity theft" and misuse of personal information. Online security is not simple to define. Here I will focus on measures to combat misuse of, and loss of control over, personal information that exist in UK regulations and laws - I'm not an expert; this is inspired by the House of Lords Report, with further information pulled together from different sources.

Quick overview of laws and regulatory bodies

Key legislation and regulations that govern or influence personal internet security, both directly and indirectly.

Data Protection Act (1998)
The primary statutory framework for protecting personal information in the UK. The act is based on 8 data protection "principles". A couple of these are particularly relevant to the online world:

  • 3. Personal data shall be adequate, relevant and not excessive in relation to its purpose. How many times do you come across large web forms simply for registering to view information on a website, or to buy a product? For example, why do you need to give your gender to buy a product online when it's not needed in a regular shop?
  • 5. Personal data shall not be kept for longer than necessary. There is a recent high-profile case of the EC investigating Google over the length of time it holds personal information.
  • 7. Appropriate measures shall be taken against unauthorised or unlawful processing of personal data. This is the key principle with regard to the requirement that your data is secure and kept safe from loss and misuse.

The principles of the Act are very good. However, good principles without sufficient means of enforcing them do not motivate people to follow them. This Act has little teeth: organisations that violate the principles of the Act must first be officially warned, and if they still don't mend their ways, they may incur a fine of £5000 (not much considering the profits of internet businesses). The Information Commissioner is responsible for enforcing the Act when breaches occur.

Privacy of Electronic Communications (EC Directive) Regulations (2003)
This is the UK implementation of the "ePrivacy Directive", which covers issues like email spam (also see the Office of Fair Trading).

Council of Europe Convention on Cybercrime (2001)
Yet to be ratified by the UK. It has the overarching principle of creating a common cross-border approach to crimes involving computers and networks.

Financial Services Authority (FSA)
Its duties are outlined in the Financial Services and Markets Act (2000). This includes assessing whether an organisation's systems and controls are adequate to prevent them being used for purposes connected with financial crime, including fraud; it also includes the adequacy of their information security measures.

Office of Fair Trading (OFT)
The UK's consumer and competition authority. It monitors and potentially enforces consumer protection and competition law. It is responsible for regulating the advertising industry, and thus spam comes under its remit.

Office of Communications (Ofcom)
Ofcom's duties are set out in the Communications Act (2003). Of particular note is Section 11, which gives Ofcom a statutory duty to promote media literacy, including the ability to access, understand, and create communications in a variety of contexts. This should include a duty to promote understanding of online communication and its security implications (as suggested by the House of Lords Science and Technology Committee report).

UK Payments Association (APACS)
A banking trade association (i.e. non-governmental) that administers interaction between the member banks for payments, including electronic banking such as chip and PIN. Together with your own bank, this organisation plays a key role in responding to reported fraud.

Police and Justice Act (2006)
This Act introduces amendments to the Computer Misuse Act (1990), updating it to reflect modern internet and computer use. It introduces an offence of obtaining, supplying or offering to supply a program with the intention, or in the belief, that it is likely to be used to commit an offence. This is not directly relevant to online security as I have defined it above; however, I mention it as it potentially makes it difficult for organisations to legitimately test their own security. If obtaining the "latest" hacker software becomes an offence, this will make testing problematic. The interpretation of this part of the Act is still to be determined.

Why don't these provide confidence?

When I walk into a shop and purchase an item, I have some knowledge (even if it's vague) of my rights involving basic consumer protection. The situation is quite different when it comes to the internet. There are multiple laws and regulatory bodies, each with their own remits and some with overlapping remits. This complexity arises both as a consequence of the enormous possibilities the internet provides and the speed at which new uses of it develop. There is a need for a focus - a single entity or organisation, with a clear set of principles, understandable by an average online consumer.

However, to be fair, the opportunities the internet affords for shopping are significantly wider than your average high street. Purchases can be made from international locations where none of the UK regulators or laws apply. The terms and conditions of certain internet companies can also be violated if UK laws and regulations are used (I won't name the big-brand example I have in mind). Clearly, a more complete solution would require an international approach. Having said that, there is no reason the UK should not provide a clear focus for consumers shopping online within the UK.

UPDATE 6 October 07 - MPs call for identity fraud tsar. A potential step in the right direction?