Dutch Consumer Organisation Wants Embedded Security in Internet Products and Services
The Dutch consumer organisation (Consumentenbond) started a petition on its website demanding that computer suppliers, Internet providers and companies providing services on the Internet offer secure products and services. They advocate that such suppliers and providers embed security in their products and services, just as car manufacturers offer safe cars and microwave manufacturers sell safe ovens.
The Dutch consumer organisation argues that consumers increasingly use their computer and the Internet for e-banking, e-mail and e-commerce. However, their personal data appear to be relatively easy to abuse. Security software (virus scanner, spyware filter, firewall) is often too complicated for the average consumer, and security software that is “ok” one year isn’t “ok” anymore the next year. According to the consumer organisation this means that the consumer would constantly have to change his security software. They agree that consumers still need to take care of safe behaviour on the Internet and of the maintenance of their security software.
I think that the discussion about what can be “reasonably expected” from service providers as a “good housefather” (“bonus pater familias”), but equally also from customers, is becoming increasingly important. Security is not a new legal obligation: it has already been a legal issue for all EU companies since the early nineties; of course a lot depends on the applicable legislation.
On the one hand, the knowledge of the average consumer about computers and the Internet is increasing. Therefore one can also reasonably expect an increased knowledge of the security issues involved, such as spam, hacking, phishing, pharming, viruses etc. Private companies such as banks, e-banking and e-business providers are constantly warning their customers about security issues. Governments are also publicly warning about Internet-related security issues. Just as the average consumer knows he has to fasten his seat belt when driving his car and knows the “don’t try this at home” stuff, I can imagine that almost every “average consumer” receives spam and phishing e-mails in his mailbox but knows by now that he shouldn’t click on every pop-up, hyperlink or attachment he receives.
On the other hand, security attacks are becoming more and more sophisticated and are - as far as I can understand it - sometimes even difficult to spot for professional IT and security people, and the average user is not an IT or security expert. There is also an increase in politically motivated attacks.
So the question is: where is the balance between the “reasonable obligations” of the service/product provider on the one hand and “reasonable obligations” of the user on the other hand?
I believe we can expect from an average user that he knows the difference between leaded and unleaded gasoline, but can we expect that he really grasps the impact on his engine of the difference between 95 octane and 98 octane? The average user, consumer or professional user, does not want to think about security or technology: what really counts is what the technology does for him. However, this average user can’t be regarded as a totally security-ignorant user either. The “reasonable security awareness” of the average user is increasing, and it should be by now. He should understand that he needs regular updates of his security software, just as he goes to his garage to have his car serviced, and he should take care of safe behaviour on the Internet, just as he tries to avoid traffic accidents.
When there is a breach of security and this breach is the cause of damage for a user, the matter shall be decided on a case-by-case basis. Generally speaking, and leaving aside certain country- or sector-specific legislation, both service provider and user (consumer and professional user) can then be judged with the concept of “bonus pater familias” in mind. The case doesn’t necessarily have to be tried in court but can also be resolved by mediation or other alternative dispute resolution methods.
I am not an IT-security expert, but I am confident that the private sector will do a good job of finding a way to reduce security issues. I prefer this to more government regulation.