An e-government unit report on “trust and security on the internet” has floated the idea of laws or regulations requiring ISPs to work with their customers in making users' computers safe from takeover as unwitting tools in spreading spam and viruses.
The unit is concerned that the “dark side” to participation in the internet, in the form of spam, viruses, other unacceptable material and internet-borne fraud, intrusion and identity theft will discourage New Zealanders from using the internet to deal with government.
It considers ways of mitigating these threats – including tactics for plugging leaky PCs, especially those always connected to the ‘net.
“ISPs with broadband consumer networks are often aware that their customers’ machines have been exploited for nefarious purposes such as sending spam but typically do not act on this information because of the effort required to convince, educate and support the customer,” says a report by the unit.
"This action [spurring ISPs to deal with troublesome customers] has the potential to be highly useful in mitigating problems if it is employed world wide," the report says. However, it concedes that "some ISPs may not regard this as core business and may see an approach by government to ask them to intervene as interference. They might also find it hard to determine whether or not a compromised machine had been successfully cleaned."
"Government should approach InternetNZ and the two main telcos who own almost all the broadband connections," says the report, the "always-on" connection being perceived as the main conduit for such infection.
"There may need to be regulation or legislation," it adds.
It also suggests that tight user and agency authentication, under development for use in e-government transactions, might profitably be adopted more widely on the internet to lessen unsourceable and possibly infected communications.
Government agencies and the e-government unit could act as leaders in this regard, setting an example to major industries in protection that moves beyond the simple user-id and password, says the report. Banks, in particular, it suggests, might take up stricter authentication. Earlier this year, the Banking Ombudsman criticised some banks’ inadequate protection of identifiers and passwords against fraud, and the plague of phishers putting up fake bank websites is well known.
The report’s authors see the complexity of end-user licence agreements (EULAs) and inadequate understanding of their provisions as another trap for users and hence a threat to the network. Spyware and trojans may be a concealed part of a software product, a fact acknowledged in a licence if read carefully. “Users need to understand what the software will do with their information and be given a more reasoned opportunity to accept or reject it.”
Laws against unfair agreements are possible, the e-government unit says, as they are in place with respect to other consumer or business goods; but, like planned spam laws, they will only have a real effect on internet misuse if adopted internationally.
Such laws are also expected to protect against “the unexpected effects of digital rights management”, including limitations on fair use of information and even the locking up of information originated by the user. The e-government unit has had to warn public-sector agencies against the latter possible effect with regard to Microsoft’s first products in the area (Computerworld, July 12).
The New Zealand government should establish closer relationships with InternetNZ and the international governance structure of the internet, the report says. "Government currently has very little formal participation in internet governance despite opportunities to do so. It risks decisions being taken [by the current decentralised private-industry structure] which damage its ability to use the internet for government business."