Content Copyright © 2021 Bloor. All Rights Reserved.
Also posted on: Bloor blogs
I am increasingly concerned about Trust in the cyber domain – and especially around eCommerce. Of course, millions of online transactions complete without any problems, but Trust is (in part) a matter of perception and there are an increasing number of online frauds, ransomware attacks etc. being reported. Significant numbers of people in the UK are still worried about going online and this could well impact the Future of Work. Fraud may make up a small percentage of online transactions, but the total amount involved is high [PDF download “The Economic impact of cybercrime”] (even if one thinks that fear is sometimes used to sell technology); and online fraud seems to be an almost risk-free crime, operating across global borders and sometimes even with the support of national governments.
The recent FBI sting operation is welcome, as it proactively damages the business model for criminal operations run online, but we need to do more. This means a combination of:
1. Security by design, in Internet technology, applications and any application technology accessed over the Internet;
2. Good practice by Internet end-users;
3. Good practice by ISPs, social media hosts etc.;
4. Transparency – the sharing of information about attacks; and coordinated refusal to pay ransoms (which implies insurance and support from the authorities);
5. Coordinated global responses by international governments, encouraging good practice (including, but not limited to, points 1 to 4);
6. Proactive attacks on cyber-using criminals (sting operations etc.) sponsored by police authorities and national governments;
7. Pressure (even economic sanctions) on national governments that facilitate (or engage in) cyber-criminal activity.
A global response to cybercrime will be a journey, but we are somewhat encouraged by the drafting of the UK Online Safety Bill in May this year, although this is far from finished, and we are not sure that giving more responsibilities to Ofcom is a great idea.
Australia, however, created an Office of the eSafety Commissioner some six years ago – which it claims was the world’s first government agency dedicated exclusively to online safety. As part of this, the Australian eSafety Commissioner is now making interactive assessment tools available to tech companies, which should help to ensure that user safety is made a fundamental part of tech product design and development. It sees these two free tools, targeting start-ups and enterprises, as being “a critical step in bolstering the global effort to minimise online harms and make people safer online”. We haven’t reviewed the tools, but they highlight current good practice and provide evidence-based resources and templates, including examples, workflows and videos featuring tech company leaders and guidance on ways to improve and innovate.
So far so good, but we’d see Australia’s internal internet eSafety as, ultimately, dependent on collaboration with (at least) free-world regulators worldwide and (ideally) China and Russia as well. Perhaps North Korea would be too hard. The issue is primarily political, not just technical – and, as we said, about ruining the business model for Internet abusers. How is this initiative working at that level?
Well, we put some questions to Australia’s eSafety Commissioner Julie Inman Grant:
“As the world’s first government agency solely dedicated to tackling online abuse and keeping its citizens safer online, eSafety has an important leadership role to play, as other governments look to establish online content regulators. eSafety believes that legislation, governance and national online safety strategies must become internationally aligned and that a high standard for online content regulation is set, with safety considered on equal footing with security and privacy in cyber affairs. After all, the internet has no borders.”
That sounds good and she goes on to say that “Securing harmonisation across jurisdictions to avoid a patchwork and fragmentation of online safety legislation, governance arrangements and national online safety measures is a priority focus for eSafety’s International engagements”.
Nevertheless, this all has to be built on Security (or Safety) by Design, not just at the developer level (there can be no excuse these days for building insecure code with allowed “features” such as SQL injection built in), but at the very highest levels. Static code analysis is good, but it can only do so much. Grant points out that “We want Safety by Design to serve as a ‘race to the top’ in terms of lifting online safety standards for technology companies everywhere. As governments, we need to band together to counter the asymmetric power imbalance between the tech behemoths and our citizens, their users, to serve as an effective global safety net”.
As Grant describes it,
“Safety by Design is a global initiative that proactively supports technology companies to incorporate safety throughout the product development lifecycle. This initiative has incorporated findings from extensive consultations with the global tech platforms, advocates, children and parents, and has received international support from Governments and industry alike. We were pleased that the recent G7 Internet Safety Principles specifically called out Safety by Design as a fundamental corporate responsibility. eSafety is actively engaged in discussions with governments across the globe on our Safety by Design initiative – to ensure to the greatest extent possible, that as other governments seek to regulate and apply standards to the digital environment, that there is harmonisation and consistency in our approaches. Equally, we are working with multilateral organisations and international organisations to raise awareness of Safety by Design across the world – and to ensure that the Principles and Tools are distributed both to industry and governments alike.”
We find this encouraging, as we think that eCommerce trust is fundamental to the world economy, even including non-capitalist economies. We think that more countries should support dedicated agencies “committed to sharing information and collaborating with governments and organisations around the globe, as they work to protect and safeguard their citizens online”, as Grant says. “We recognise that advancing online safety is a global effort, and for eSafety that means placing a focus on fundamental human rights principles, those which are in line with Australia’s democratic principles”, she continues and says that “eSafety is involved in a number of global alliances and capacity building projects and regularly contributes to global debates, discussions and projects. Through these, we seek to create safer and more responsible digital environments”.
Conventional global commerce is built on trust, developed over thousands of years, supported first by trans-national trading organisations (such as the Hanseatic League) and then by networks of international law. eCommerce is inherently global and has to catch up very quickly – we wish Australia’s eSafety initiative well, but ultimate success will depend on similar initiatives world-wide and on effective international collaboration, as well as support from ordinary Internet users. To put it baldly, will such initiatives work well? Possibly not, in the widest sense, unless “the authorities” manage to nudge us towards good practice with both sticks and carrots; because, as my colleague Fran Howarth (Practice Leader: Security at Bloor) points out, “people don’t always do the right thing just because they should”.