With the leave of the Committee and at the invitation of the noble Lord, Lord Bassam, I shall speak to my amendments in this group. At the outset, I should offer my guarded congratulations and thanks to the Government on bringing forward these changes to the CMA. As the Minister is only too aware, I and others, not least the Internet All-Party Group, have been calling for some time for the legislation to be updated to make it clear that DoS attacks—denial of service attacks—are unlawful. As they stand, Clauses 39 and 40 go some way towards achieving that in a rather more coherent way than my somewhat ham-fisted Private Member's Bill of four years ago. Nevertheless, as the Minister has explained, gaps remain in the provision. In particular, the current drafting does not deal with the problems caused by botnets, zombie infections and the like.
I need not dwell too much on the nature of the problem because the Minister has explained that well enough, but it might be helpful to put this into some sort of context. For example, in 2005 the Federal Trade Commission estimated that something of the order of 150,000 computers were hijacked daily as a means of launching a criminally motivated DoS, spamming and phishing attacks. In similar vein, Gartner, the analysts firm, estimated recently that up to 70 per cent of all spam is generated by zombie machines. In monetary terms, it is estimated that these categories of DoS attack cost internet service providers $500 million every year in excess traffic and customer churn alone. Clearly, therefore, they constitute a serious threat for which adequate provision should be made in law.
Having tabled my amendments ahead of the Government’s, I can only express my gratitude that the Government have seen fit to endorse my proposition. I am indifferent as to which version finds favour with the Committee; if mine are defective, I am quite content to accept that. Be that as it may, I confess to a certain amount of embarrassment. Although drafted to deal with a specific and palpable problem, I had intended them merely to be probing in character, because I have residual and serious concerns about how effective the provisions will be in practice.
Access to IT systems can be denied for a whole host of reasons. Notwithstanding the scale of maliciously motivated attacks to which I have already referred, the bulk of such denials are attributable to wholly natural or, dare I say it, innocent causes. At the most basic level, connections to the internet can be rendered unreliable or inoperable by pure weight of traffic, as occurred with the 1901 census site when it went online. By analogy, congestion on our roads is a considerable irritant, but it is not—so far as I am aware—criminal. By the same token, poor or inadequate server or website architecture is commonplace and gives rise to serious access problems. To state the obvious, internet and website performance is dependent on appropriate and adequate levels of quality of service, the apparent absence of which seems to be a persistent feature of government IT projects.
In passing, I cannot resist mentioning today’s media reports of significant problems with the Passport Office’s online systems. Some might even be tempted to argue that this is a particular feature of the PDVN, on which we all rely. Moreover, it is inevitable that these systemic weaknesses are exploited, deliberately or not, by the perpetrators of DoS attacks. The difficulty is that the Bill makes no distinction between those occasions when IT systems slow down and crash as a result of criminal or malicious interference and when they fail for entirely natural reasons. Indeed, that is compounded by the fact that proper analysis of any particular system crash is a profoundly technical matter, more often than not beyond the technical expertise of law enforcement and the judicial process.
An even greyer area is the status of cyber protest, or online lobbying, numerous examples of which exist, such as the pro-Zapatista group, Electronic Disturbance Theatre, or the French group, Federation of Random Action. At its most fundamental, the internet is a means of communication—a hugely powerful one, but a means of communication none the less. As such, it has enormous potential to empower, enrich and liberate the individual citizen. To that extent, it is crucially important that internet law be drafted, so far as is possible, not to constrain freedom of expression and of association unnecessarily or disproportionately. By its very nature, cyber protest, although of course not criminally motivated, will often mimic the effects of a DoS attack. Occurrences of it will therefore be potentially prosecutable under the terms of the Bill, particularly if one considers the full implications of the drafting of Clause 40(5)(b).
By way of another example, blogging, particularly in the political sphere, is becoming increasingly popular. We should welcome that, especially in terms of public engagement with politics. But if a particularly successful blog generated so much traffic that it crashed the server on which it was hosted—an equivalent of a DoS attack—would its author and those accessing the site have committed an offence under these provisions? As I interpret it, the drafting is unclear on the point. If the answer is yes, that cannot be right. Nor do I believe, given the technical complexities involved in this whole area and the wide breadth of the existing provision, that it is appropriate to fall back on reliance on the interpretation of the courts. As legislators, we should be capable of stating our intent with much greater clarity than this.
I have a number of other, wider concerns which, conscious of time, I will merely list. First, there are huge problems associated with definitions of “legitimate authorisation” insofar as they relate to the online world. Secondly, there are palpable concerns about how enforceable the provisions will be. After all, prosecutions under the CMA are rarer than those for murder. Thirdly, huge question marks hang over the capacity of law enforcement and the judicial process to attend to the issue in terms of both resources and training. It is worth noting that there is no mention of the word “computer” in SOCA’s recently published annual plan, notwithstanding that the NHTCU has been subsumed into it. The Bill does not attend to any of those matters.
I apologise to the Committee for having spoken at such length. As I say, I welcome the Government’s attempt to bring DoS attacks within the scope of the CMA. It is a small step in the right direction. That said, I am unconvinced that the insertion of these odd few confused clauses at the tail end of a portmanteau Bill demonstrates either adequate understanding of the complexities of the issues or firm resolve to attend to the whole corpus of internet crime. Rather, they are a desultory attempt to use no more than a sticking plaster to mend a broken leg. What is needed above all else is a wholesale rewrite of the CMA, not only to take account of how far technology has moved on since it was enacted, but also to weave in the intricacies of associated civil liberty issues. To be blunt, I fear that ultimately these clauses will create more problems than they solve.
Police and Justice Bill
Proceeding contribution from Earl of Northesk (Conservative) in the House of Lords on Tuesday, 11 July 2006. It occurred during Committee of the Whole House (HL) and Debate on bills on Police and Justice Bill.
Type: Proceeding contribution
Reference: 684 c605-7
Session: 2005-06
Chamber / Committee: House of Lords chamber
URI: http://data.parliament.uk/pimsdata/hansard/CONTRIBUTION_336570