Keep your PC clean - or we'll shut you down

Analysis: When it comes to protecting our personal and financial data online, the Australian solution – of cutting off users who fail to maintain their PC security – may have a lot of appeal.

But in the week when UK consumers are asked to turn their minds to questions of online safety, the real focus may need to be not so much on technological fixes, as on the underlying legal framework – and the lack of trust that most people have for financial institutions.

First up is that Australian solution. From December, ISPs will be encouraged to alert customers when their computers are taken over by hackers. So far, so good. The sting in the tail, however, is a parallel proposal that means ISPs may – or may even be encouraged to – limit access to the net if users fail to take prompt action.

The advantages of such a scheme are obvious: early and strict intervention would go a long way to disrupting botnets, which in turn are a major source of DDoS attacks elsewhere on the net. Since the Australian government has, itself, been the target of such attacks in the last year – most notably in protest over its internet filtering plans – it is clear that many would consider this scheme to be worth pursuing.

Other governments are also expressing an interest in this approach. Yahoo reports that Obama administration officials have been meeting with industry leaders and experts to address the issue of increasing online safety and securing the internet while balancing individual privacy and civil liberties.

White House cyber-coordinator Howard Schmidt told the Associated Press that the US is looking at a number of voluntary ways to help the public and small businesses better protect themselves online. He told AP: "Without security you have no privacy. And many of us that (sic) care deeply about our privacy look to make sure our systems are secure".

Nonetheless, the Australian model is likely to run into fierce opposition from US critics, who continue to prefer a vision of the internet much closer to the Wild West than the tame shopping mall environment favoured by much US business.

A slightly different take on this issue is likely to emerge in the UK. Consumers want protection. However, in a report released in support of the sixth National Identity Fraud Prevention Week, which started yesterday, the somewhat depressing finding for business is that less than 10 per cent of British citizens completely trust how companies handle their sensitive data.

There is also a deep-seated suspicion that "solutions" in this area are more about protecting the backs (and bottom lines) of corporate finance, than looking after consumer interests.

Consumers may have a point. One of the earliest instances of browser hijacking occurred in the years before broadband became widespread. A virus would download on to a user’s machine, log them off – and instantly re-log them to the internet through a premium rate call service.

Although a BT spokesman told us yesterday that BT eventually refunded some customers, the line at the time was one of strong resistance: customers were responsible for what happened on their home equipment – and therefore failure to block such an attack meant they were liable for any additional charges. This led to the ludicrous situation where BT was threatening to take court action against OAPs in the UK for failing to hand over money that was destined to fill the coffers of organised crime elsewhere in the world.

Similar issues arose with unauthorised cash machine withdrawals. According to the Banking Code of Practice, customers are indemnified against unauthorised use of their cards – providing they have not been negligent (by, for instance, writing down their PIN). In theory, it was up to banks to prove negligence: many simply took the view that a breach of their cash machine security was prima facie evidence of negligence – because their security was unbreakable! – and in some instances even prosecuted the victims for fraud.

Have matters improved? The BBC reports today that an increasing number of banks and retailers are obliging or requesting their customers to sign up for the online security systems Verified by Visa or Mastercard SecureCode, on the grounds that these will offer extra protection against fraud.

However, online security experts at Cambridge University criticise these systems on the grounds that they encourage individuals to key confidential information into pages that they cannot be sure are genuine – and customers could end up liable for the loss.

Once again, there is evidence of individuals who have been defrauded by this route finding that banks are as likely to treat them as suspects as potential victims.

In the end, cutting off internet users and blaming victims for their plight may be a useful stick with which to beat the population into vigilance. But if ISPs and financial institutions rely only on the stick, they may find themselves running into increasing resistance from consumers who feel that responsibility should be shared – and not downloaded on to them. ®