The Institute of Directors – talking net neutrality, compliance and breach notification with Richard Swann
Richard Swann is head of IT at the Institute of Directors (IoD), an organization that needs no introduction to anyone in the UK. To non-UK readers it is a non-party political (yet highly political) independent body formed by royal charter to foster excellence in business – and its members include 43,000 of the UK’s leading businessmen. Given the IoD’s pre-eminent position as a champion of all business and an influencer of government, I asked Richard if he would talk about some of the more contentious business/computing issues of the day. He agreed; and we started with ‘net neutrality’.
“We’re in favour of net neutrality,” he said. “We try to represent business to the government, and we have a fear that loss of net neutrality could discriminate against small businesses if the big boys are able to buy, shall we say, advantageous service.” Richard has other concerns: how, for example, would ISPs decide which traffic to restrict? In the USA, the country’s largest ISP famously, or infamously, started to throttle the bandwidth available to P2P traffic. Other companies apparently also use deep packet inspection to recognise and discriminate against P2P. It’s a slippery slope. “We’re talking about examining the data that you’re passing. That leads to the possibility that some entities could decide for themselves, well this looks a bit iffy, we should maybe examine things a bit closer on who is originating this traffic, and do something about it.” That’s a dangerous direction.
But if we’re talking about deep packet inspection, what, I asked him, about behavioural advertising? “That’s a difficult one to answer,” he replied. Bear in mind that the IoD has to represent the interests of all of its members – and that includes those perfectly legitimate companies that would dearly love to have access to, and would use responsibly, behavioural data in order to market their products. “Not speaking for the IoD, but from a purely personal point of view, I don’t have too many problems with behavioural analysis – provided that it is consensual; provided that the user can clearly opt in or out of the process.”
We turned to one of the issues that bothers me considerably: the increasing and arbitrary powers of the police in the UK. One current debate involves Nominet, the UK company that maintains the official register of .uk domain names. SOCA, the UK’s Serious Organised Crime Agency, requested that Nominet take down .uk domains on its own say-so. “The rate of change brought about by the internet has been phenomenal,” said Richard, “but at the same time it has brought about an increasing amount of criminal and fraudulent activity. We will support any effort that will provide a consistent and controlled response leading to the take down of fraudulent and criminal sites; but there has got to be judicial oversight. A police force or a police body cannot set itself up as being the deciding factor. It’s a bit like a search warrant,” he continued. “The police cannot just turn up and search a private property without justifying themselves to the court and getting a search warrant signed by a judge. So, to me, yes, by all means if they have the evidence they should be able to get a website taken down – but there has got to be that judicial oversight.”
It is, of course, not simply the police who want a greater say in what can and cannot happen on the internet. Increasing government regulation has spawned an entire new security industry: compliance – complying with legal requirements for the use and storage of data. Is this, I asked Richard, a problem for business in the UK? “That’s a funny one, actually, because I’ve just been speaking to our policy expert who deals with this area. It’s true that we are very much in favour of cutting red tape and making life easier, especially for the SMEs; but one of the things he said to me was that compliance with things like data protection doesn’t seem to be much of an issue with our members.” This did surprise me. I had expected that, since so many of the regulations fail to define what you have to do, only what you have to achieve, this would require business to spend more time and effort than might strictly be necessary. But no. “I think the principle behind these laws, the need to protect people’s privacy, the need to prevent bribery, are so well accepted that most businesses don’t have a problem with them.”
Which just left my final question: breach notification. Take Sony, I suggested. It took the company rather a long time before it came clean about the breach. Should this be allowed? Should we have a law requiring that as soon as a breach is discovered, anyone affected must be notified immediately? “I think we should,” said Richard. “In this instance the number of people concerned is incredible; and in that week before the loss was publicised, think of the damage that could be done. The sooner people know that their financial details might have been compromised, then the sooner they can do something about it. If that was my personal details, I would want to be protecting myself as quickly as I possibly could.” And while we both believe we need a European Data Breach Notification Directive, neither of us could see why we haven’t got one. “In fact,” added Richard, “from a personal point of view you would think that it would be quite easy to implement – it would only take a relatively small addition to the existing act that requires us to protect the data in the first place.”