UK report questions role of ISPs in online safety
Friday, August 10, 2007; 11:19 AM
A new report on Internet safety has concluded ISPs (Internet service providers) should take more responsibility for online security since end users are often lax.
But the 121-page Personal Internet Security report, published on Friday by the U.K. House of Lords, stopped short of suggesting that the Office of Communications (Ofcom) -- the U.K. communications regulator -- should impose new rules on ISPs.
"We do not advocate immediate legislation or heavy-handed intervention by the regulator," the report said. "But the market will need to be pushed a little if it is to deliver better security."
ISPs generally argue that security is the responsibility of end users, which Ofcom has also supported. The report called it "disappointing" that the U.K. government has accepted those arguments since the reality often exceeds the capability of end users to recognize the threats.
"There appears to be still greater scope for intervention at the level of the Internet Service Provider," the report said. "They sit ...near the edges of the network, providing a link between the end user and the network."
The U.K. government has imposed one regulation on ISPs: By the end of 2007, ISPs must block Web sites involving images of child abuse as listed on a database maintained by the Internet Watch Foundation. Most ISPs already do this.
But more controversial are suggestions that ISPs should examine content flowing through their networks and apply filtering to cull malicious activity.
ISPs have maintained a "mere conduit" defense, codified in the European Union's E-Commerce Directive, which says they have no obligation to monitor content on their networks.
The report, however, suggested a tightening of how that defense works in an effort to nip emerging security problems earlier, such as sites containing malicious software.
"In particular, once an ISP has detected or been notified that an end-user machine on its network is sending out spam or infected code, we believe that the ISP should be legally liable for any damage to third parties resulting from a failure immediately to isolate the affected machine," the report said.
But the Open Rights Group, a nongovernmental group that monitors Internet-related privacy and legal issues, urged caution on issues dealing with ISP liability.
"As notice and takedown practices tied to suspected copyright infringement have shown, ISPs are not best placed to police the network, and can be expected to react to this kind of pressure by knocking users off the network without appropriate levels of investigation into those users' actions," the group wrote on its Web site.
The U.K. Internet Service Providers' Association, a trade group, said it would issue a comment on the report later on Friday.