06 August 2010

Legislation

Posts relating to the category tag "legislation" are listed below.

06 August 2010

E-Consumer Protection Consultation

The UK's Office of Fair Trading (OFT) promotes and protects consumers' interests by ensuring markets work well, and that businesses act fairly and competitively. The government has asked the OFT to develop a longer-term national strategy for consumer protection and enforcement on the internet. The strategy is intended to promote a safe and vibrant internet market.

Photograph of a tag label lying on the ground - it has the word 'SECURITY' written on it

As part of this strategy development, the OFT has launched a consultation on E-consumer Protection. The objectives are to improve the effectiveness of online markets and increase the level of consumer trust, so that consumers have a real option to use the internet for transactions, as equally as any other channel. The aim is also to ensure that enforcement of consumer protection online is as good as anywhere else in the world.

The main consultation document outlines some useful statistics about the UK internet economy, using data from the European Commission's Consumer Markets Scoreboard 2010, the OECD and the OFT's Attitudes to Online Markets (publication due shortly). For example, 71% of the UK's retailers use an e-commerce/internet sales channel, and internet/online sales accounted for 9.5% of UK retail trade (£38 billion) in 2009. Apparently UK consumers have a high level of trust that UK sellers/providers protect their consumer rights and that they are adequately protected. However, it is not all good news: almost 20% of UK internet users are not transacting online, with a third of these giving concerns about the security of their personal and financial information as the reason. Overall, two-thirds of all internet users are worried about unauthorised access to their personal information. There are also concerns about being conned by companies online. The consultation document outlines how consumers may be becoming complacent about security, while lacking awareness of issues such as misuse of cookies and behavioural advertising.

The OFT suggests these problems reduce confidence, lead to lower levels of demand, and consequently lower levels of supply. Households can miss out on potential savings and this is especially problematic for low income households (LIH). The consultation document proposes that agencies should work together to empower consumers, promote business compliance and develop effective enforcement. It proposes a number of high-level actions under the themes of consumer education, tool provision and hardening, business information, cooperation and deterrence, and enforcement capability building, coordination and leveraging intelligence.

The outcome of this consultation will have a large impact on organisations in the business-to-consumer (B2C) sector (there is also some discussion of whether C2C should also be addressed). If you are an online retailer, perhaps get in touch with your trade organisation and ask them whether they are responding, or do so yourself.

There are five general response questions, and further more-detailed questions about the high-level actions and monitoring proposed. Responses can be submitted online, by email and by post. The consultation period closes on 13th October 2010.

Posted on: 06 August 2010 at 09:02 hrs


02 July 2010

Web Site Security Basics for SMEs

Sometimes when I'm out socially and people ask what I do, the conversation progresses to concerns about their own web site. They may have a hobby site, run a micro-business or be a manager or director of a small and medium-sized enterprise (SME)—there's all sorts of great entrepreneurial activity going on.

It is very common for SMEs not to have much time or budget for information security, and the available information can be poor or inappropriate (ISSA-UK, under the guidance of their Director of Research David Lacey, is trying to improve this). But what can SMEs do about their web presence? It is very unusual not to have a web site, whatever the size of business.

Photograph of a waste skip at the side of St John Street in Clerkenwell, London, UK, with the company's website address written boldly across it

Last week I was asked "Is using <company> okay for taking online payments?" and then "what else should I be doing?". Remember we are discussing protection of the SME's own web site, not protecting its employees from using other sites. If I had no information about the business or any existing web security issues, this is what I recommend checking and doing before anything else:

  • Obtain regular backup copies of all data that changes (e.g. databases, logs, uploaded files) and store these securely somewhere other than the host servers. This may typically be daily, but the frequency should be selected based on how often data changes and how much data the SME might be prepared to lose in the event of total server failure.
    • check periodically that backup data can be read and restored
    • don't forget to securely delete data from old backups when they are no longer required
  • Use a network firewall in front of the web site to limit public (unauthenticated user) access to those ports necessary to access the web site. If other services are required remotely, use the firewall to limit from where (e.g. IP addresses) these can be used.
    • keep a record of the firewall configuration up-to-date
    • limit who can make changes to the firewall
  • Ensure the host servers are fully patched (e.g. operating system, services, applications and supporting code), check all providers for software updates regularly and allow time for installing these.
    • remove or disable all unnecessary services and other software
    • delete old, unused and backup files from the host servers
  • Identify all accounts (log-in credentials) that provide server access (not just normal web page access), such as those used for transferring files, accessing administrative interfaces (e.g. CMS admin, database and server management/configuration control panels) and using remote desktop. Change the passwords. Keep a record of who has access, remove accounts that are no longer required, and enable logging for all access using these accounts.
    • restrict what each account can do as much as possible
    • add restrictions to the use of these accounts (e.g. limit access by IP address, require written approval for use, keep account disabled by default)
  • Check that every agreement with third parties that is required to operate the web site is in the organisation's own name. These may include the registration of domain names, SSL certificates, hosting contracts, monitoring services, data feeds, affiliate marketing agreements and service providers such as for address look-up, credit checks and making online payments.
    • ensure the third parties have the organisation's official contact details, and not those of an employee or of the site's developers
    • make note of any renewal dates
  • Obtain a copy of everything required for the web site including scripts, static files, configuration settings, source code, account details and encryption keys. Keep this updated with changes as they are made.
    • verify who legally owns the source code, designs, database, photographs, etc.
    • check what other licences affect the web site (e.g. use of open source and proprietary software libraries, database use limitations).
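The first item above, taking backups and periodically checking they can be restored, is the one most SMEs skip the verification half of. Below is an added example (not code from the original post) of the check in Python: it archives a site directory, records a SHA-256 manifest alongside the archive, and then performs a test restore into a scratch directory and compares every restored file against the manifest. The sample site tree built by `demo()` is constructed for illustration; the file names and the `.manifest.json` sidecar naming are assumptions, not anything the post prescribes.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large uploads or database dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source_dir, archive_path):
    """Archive every file under source_dir and write a sidecar manifest of hashes.
    Returns the manifest path. Archive and manifest belong somewhere other than the host server."""
    source = Path(source_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    manifest_path = Path(f"{archive_path}.manifest.json")  # assumed sidecar naming
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest_path


def verify_backup(archive_path, manifest_path):
    """Test-restore into a scratch directory and compare against the manifest.
    Returns a sorted list of problems; an empty list means the backup restores cleanly."""
    expected = json.loads(Path(manifest_path).read_text())
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # Refuse archives whose entries would escape the restore directory.
            for member in tar.getmembers():
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    problems.append(f"unsafe path in archive: {member.name}")
            if problems:
                return problems
            # Newer Pythons offer the 'data' extraction filter, which also rejects unsafe members.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(path=scratch, **kwargs)
        restored = {
            p.relative_to(scratch).as_posix(): sha256_file(p)
            for p in Path(scratch).rglob("*") if p.is_file()
        }
    for rel, digest in expected.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"hash mismatch: {rel}")
    for rel in restored:
        if rel not in expected:
            problems.append(f"unexpected file in archive: {rel}")
    return sorted(problems)


def demo():
    """Build a small constructed site tree, back it up, verify it, then corrupt the
    manifest to show the check failing. Returns (clean_problems, tampered_problems)."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work, "site")
        (site / "uploads").mkdir(parents=True)
        (site / "config.php").write_text("<?php // constructed sample config\n")
        (site / "uploads" / "photo.txt").write_text("constructed sample upload\n")
        archive = Path(work, "site.tar.gz")
        manifest = create_backup(site, archive)
        clean = verify_backup(archive, manifest)
        # Simulate a corrupted copy: the recorded hash no longer matches the archive.
        data = json.loads(manifest.read_text())
        data["config.php"] = "0" * 64
        manifest.write_text(json.dumps(data))
        tampered = verify_backup(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Run `verify_backup` on a schedule against the off-site copy rather than the freshly written one, so that what is tested is the copy you would actually restore from after a total server failure.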

Do what you can, when you can. Once those are done, then:

  • Verify that the web site and all its components (e.g. web widgets and other third-party code/content) do not include common web application vulnerabilities that can be exploited by attackers (e.g. SQL injection, cross-site scripting).
  • Check what obligations the organisation is under to protect business and other people's data such as the Data Protection Act, guidance from regulators, trade organisation rules, agreements with customers and other contracts (e.g. PCI DSS via the acquiring bank).
    • impose security standards and obligations on suppliers and partner organisations
    • keep an eye open for changes to business processes that affect data
  • Document (even just some short notes) the steps to rebuild the web site somewhere else, and to transfer all the data and business processes to the new site.
    • include configuration details and information about third-party services required
    • think about what else will need to be done if the web site is unavailable (does it matter, if so what exactly is important?)
  • Provide information to the web site's users on how to help protect themselves and their data.
    • point them to relevant help such as from GetSafeOnline, CardWatch and Think U Know
    • provide easy methods for them to contact the organisation if they think there is a security or privacy problem
  • Monitor web site usage behaviour (e.g. click-through rate, session duration, shopping cart abandonment rate, conversion rate), performance (e.g. uptime, response times) and reputation (e.g. malware, phishing, suspicious applications, malicious links) to gather trend data and identify unusual activity.
    • web server logs are a start, but customised logging is better
    • use reputable online tools (some of which are free) to help.
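The last item, using web server logs to identify unusual activity, is easy to start on without any paid tooling. The block below is an added example (not code from the original post) in Python that parses lines in the common "combined" access log format, summarises requests and error responses per client address, and flags addresses with an unusually high request volume or error ratio. The log lines, IP addresses and thresholds are constructed for illustration; a real deployment would tune the thresholds to the site's normal traffic.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format; the trailing referer and user agent are optional.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def summarise(lines):
    """Per-IP counts of requests, 4xx/5xx responses and distinct paths, plus unparsed line count."""
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"] >= 400:
            s["errors"] += 1
    return per_ip, unparsed


def flag_unusual(lines, max_requests=100, max_error_ratio=0.5, min_requests=10):
    """Return (ip, reason, value) tuples for addresses outside the assumed normal ranges.
    Unparsed lines are reported too: a log that stops parsing is itself a signal."""
    per_ip, unparsed = summarise(lines)
    findings = []
    for ip, s in sorted(per_ip.items()):
        if s["requests"] > max_requests:
            findings.append((ip, "high request volume", s["requests"]))
        ratio = s["errors"] / s["requests"]
        if s["requests"] >= min_requests and ratio > max_error_ratio:
            findings.append((ip, "high error ratio", round(ratio, 2)))
    if unparsed:
        findings.append(("-", "unparsed lines", unparsed))
    return findings


# Constructed sample log: three ordinary shop visits, then twelve requests from one
# address for files that do not exist, all answered 404, plus one damaged line.
_NORMAL = [
    '203.0.113.5 - - [10/Jun/2010:09:12:01 +0100] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2010:09:12:03 +0100] "GET /products HTTP/1.1" 200 8311 "http://shop.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2010:09:12:09 +0100] "POST /basket HTTP/1.1" 302 0 "http://shop.example/products" "Mozilla/5.0"',
]
_PROBES = [
    f'198.51.100.7 - - [10/Jun/2010:09:15:{i:02d} +0100] "GET /old{i}.bak HTTP/1.1" 404 219 "-" "-"'
    for i in range(12)
]
SAMPLE_LOG_LINES = _NORMAL + _PROBES + ["garbled line that does not match the format"]


if __name__ == "__main__":
    for finding in flag_unusual(SAMPLE_LOG_LINES):
        print(finding)
```

The per-IP error ratio is deliberately only evaluated once an address has made `min_requests` requests, so a single mistyped URL from a genuine visitor does not generate noise; the request-volume threshold catches the other common pattern, a single address generating far more traffic than any real visitor would.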

That's just the basics. So, what would be next for an SME? If the web site is a significant sales/engagement channel, the organisation has multiple web sites, is in a more regulated sector or one that is particularly targeted by criminals (e.g. gaming, betting and financial), takes payments or does other electronic commerce, allows users to add their own content or processes data for someone else, then the above is just the start. Those SMEs probably need to be more proactive.

This helps to protect the SME's business information, but also helps to protect the web site users and their information. After all, the users are existing and potential customers, clients and citizens.

Oh, the best response I had to someone when I was explaining my work: "You're an anti-hacker then?". Well, I suppose so, but it's not quite how I'd describe it.

Any comments or suggestions?

Posted on: 02 July 2010 at 08:18 hrs


08 June 2010

Online Copyright Infringement Draft Code

A draft Digital Economy Act Initial Obligations Code, regarding unlawful sharing of copyright material, has been published by OFCOM, the UK's independent regulator and competition authority for communications industries.

Front cover of OFCOM's consultation on the 'Online Infringement of Copyright and the Digital Economy Act 2010, Draft Initial Obligations Code'

The draft Initial Obligations Code proposes that it will initially apply only to the seven largest ("fixed internet access service to more than 400,000 subscribers") internet service providers ("a person who provides an internet access service"): BT, O2, Orange, Post Office, Sky, Talk Talk Group and Virgin Media. However, the effects may be felt by a wider group including many web site owners. This may be as a copyright owner (a "qualifying Copyright Owner" in the code), as a website operator where users can add or share content, as an organisation that is a subscriber to an ISP affected by the code, or as an organisation whose employees work remotely and are subscribers.

The code describes requirements for Copyright Infringement Reports (CIRs), identification of subscribers, copyright infringement lists, subscriber appeals, and administration, enforcement, disputes and information gathering.

Whatever your views are about the Digital Economy Act 2010 and whether it might be repealed by the new government, if you have comments about the Initial Obligations Code, do make them now. Responses to the consultation must be submitted by 30th July 2010.

Posted on: 08 June 2010 at 11:19 hrs


07 May 2010

Business Case for Data Protection

Information in a web application could be the most valuable asset. A research study of UK executives' attitudes to data protection risks and data breaches was published by the Ponemon Institute at the end of March.

Part of a page showing text and chart from the Ponemon Institute's report 'Business Case for Data Protection - A Study of CEOs and other C-level Executives in the United Kingdom'

The report, Business Case for Data Protection - A Study of CEOs and other C-level Executives in the United Kingdom (and a US version), was sponsored by Ounce Labs (now part of IBM). A representative sample of 115 respondents was surveyed across a range of small, medium and large enterprises. Almost 80% of the organisations surveyed had suffered a data loss in the previous 12 months. The report lists a useful priority ranking of the six most critical types of data to business operations:

  1. Financial information
  2. Intellectual property
  3. Non-financial confidential information
  4. Employee information
  5. Business customer information
  6. Customer or consumer information

Of course other parties (e.g. partners, suppliers and customers) might view the last two as most important to themselves.

The findings were broadly similar to the 2009 survey. Maintaining reputation and brand was the most commonly stated important organisational goal that depends on data protection and there seemed to be many fewer organisations for which ensuring regulatory compliance was such a goal. The ranking of business functions the respondents felt needed to collaborate to achieve data protection goals changed somewhat, but generally the survey seems to add weight to the previous year's findings. Even the "average cost per compromised record" seemed to be about the same (the number is in the report if you are interested).

But determining the impacts (direct and indirect costs) of data breaches is only one aspect of calculating the value of information. Recently judges in the US have been trying to determine the loss when data were stolen in the case of Albert Gonzalez (who has now been sentenced) for the TJX breach.

The ICO's report on the business case for investing in proactive privacy protection, The Privacy Dividend, describes alternative aspects for valuing information—and not just from the business' own perspective. This seems to be the discussion the US judges were having.

Another report, published two weeks ago, from SAS and the London Business School on Valuing Information as an Asset discusses the internal business value. The report argues for a proactive, asset-centric, value-based approach to the management of information, rather than a security-centric approach, which could otherwise limit access to data rather than enabling its exploitation. Without placing a value on information, and therefore an economic incentive, data breaches (real breaches not lost media) will continue.

Information in web applications should add value and therefore it needs to be protected from internal and external threats. That shouldn't mean it can't be exploited to fulfil its potential (within appropriate legal, ethical and other constraints). By considering what this potential is and what its value is to various parties during the design of the system, appropriate security and privacy measures can be built in that support and enhance the business functions, rather than detract from the organisation's goals.

Posted on: 07 May 2010 at 09:48 hrs


20 April 2010

Moderate User-Generated Content But At Your Own Risk

A recent High Court ruling has reconfirmed the situation that pre- or post-moderation of user-submitted content may make a site owner liable for the material.

Photograph of a vandalised white board where a YouTube website address has been written on with a permanent marker pen and an attempt has been made unsuccessfully to remove the text

Whether user-generated content is unlawful, offensive or inappropriate such as comment spam (i.e. a danger to the web site, its users or their computer equipment), the advice appears to be not to do anything until a complaint is received, and then block or remove the content expeditiously. Although the meaning of content may still be an issue, the ability for users to submit links and other formatting should certainly be automatically prevented in most cases. That "just" leaves the unlawful and offensive content to deal with. Use of user registration, identity verification, logging and CAPTCHAs can help, but cannot prevent such content being added. It's still a big issue.

Most web site owners will not contemplate unmoderated user-generated content and this means that technical controls are not sufficient. The moderators need training, guidance and escalation procedures with good legal advice backup to ensure the content is suitable, appropriate and lawful. Users of the web site should understand what is acceptable and opt in to appropriate terms of use.

A full description and analysis was posted on the IT and e-commerce legal advice web site Out Law.

Posted on: 20 April 2010 at 08:17 hrs


19 March 2010

New Regulation of Marketing on Web Sites

New proposals are likely to mean a new self-regulatory regime for UK organisations' marketing on their own web sites and non-paid marketing on other web sites such as social networking sites.

Photograph of snowdrops flowering, having pushed through leaves and twigs covering a garden border

The Advertising Association has recommended to the Committee of Advertising Practice (CAP) the extension of the non-broadcast Advertising Code in digital media to cover marketing communications on organisations' own websites. It will be administered by the Advertising Standards Authority (ASA), which welcomed the move. The ASA's online remit already covers paid-for marketing communications such as pop-up and banner ads, paid search, viral ads, adverts in games, games that act as adverts and spots on price comparison services.

The proposals will be subject to further consultation, but are expected to come into force towards the end of this year (2010). To find out about the consultation process and the likely constraints and controls, keep an eye on news from CAP.

Posted on: 19 March 2010 at 08:48 hrs


19 January 2010

Auditing Government Web Sites

On Thursday the UK Government's Central Office of Information (COI) is hosting an event about auditing government websites, aimed at executive agencies (EAs) and non-departmental public bodies (NDPBs) that have a deadline looming in April 2010.

Web site quality and value concerns were raised in a National Audit Office report, Government on the Internet: Progress in Delivering Information and Services Online, published in July 2007, and recommendations were made in the Public Accounts Committee (PAC) Sixteenth Report. Along with their other web standards and guidelines, the COI has issued standards relating to costs, usage and quality. Version 1.1 of TG126 (November 2009), on measuring website quality, describes three requirements for measuring and auditing website usage:

56. Central government departments must measure Unique User/Browsers, Page Impressions, Visits and Visit Duration starting from 1 April 2009 for every website open on 1 April 2010.

57. Executive agencies and non-departmental public bodies (NDPBs) must measure Unique User/Browsers, Page Impressions, Visits and Visit Duration starting from 1 April 2010 for every website open on 1 April 2011.

58. Unique User/Browsers, Page Impressions, Visits and Visit Duration, must be audited in line with the industry-agreed standards defined by the Joint Industry Committee for Web Standards (JICWEBS).

The benefits of web site auditing were described last year by Adam Bailin on the Digigov blog.

It is very encouraging that the COI are developing standards to improve quality and value. Apart from usage measurement and audit, the quality requirements cover the topics of domain names, usability, accessibility, archival, browser testing, web site map, cost monitoring and web site closure (disposal).

But there are some areas that are not represented in these standards. A glance at something like ISO 9126 indicates other important software quality characteristics. A starting point would be to monitor some privacy and security metrics.

And of course, I'd like to see government requiring some standards for security which, unlike privacy, has much less firm legal guidance and regulation (for privacy these are the Data Protection Act 1998 and the Information Commissioner's Office). The most well-developed standard for web site security verification is the Application Security Verification Standard (ASVS) from the Open Web Application Security Project (OWASP). It's free to download and use, and perhaps it can be incorporated in or referenced by future government standards and other software security assurance programmes.

Posted on: 19 January 2010 at 08:41 hrs


08 December 2009

Your UK Web Site Can Be Shut Down

The use of particular top-level country domain names (e.g. .co.uk or .com) does add an element of trust to a visitor's impression of the site. On Thursday, the Metropolitan Police's Central e-Crime Unit (PCeU) closed 1,219 web sites selling fake designer goods.

Photograph of a painted wooden shop shutter with the word 'CLOSED' painted on it

Whilst I'm not suggesting that any readers of this blog were operating these sites, it is worth bearing in mind the sanctions that can be applied by the government for illegal trading. In this case, Nominet, who maintain the register for .uk domains, were asked to take down the domain names to protect consumers and companies selling legitimate goods.

If the fake sites had not been on .co.uk domains, they may have been less able to con consumers into parting with their money and receiving nothing or counterfeit products, and the PCeU would have had a harder time taking action. Provided sufficient evidence has been gained, it appears these measures were appropriate in the circumstances.

Posted on: 08 December 2009 at 11:31 hrs


09 June 2009

BS 10012 on Data Protection and PIMSs

The new British Standard 10012:2009, Data Protection - Specification for a Personal Information Management System, has been published.

Partial view of the cover from British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System showing the words 'British Standard 10012:2009 Data Protection - Specification for a Personal Information Management System'

British Standard 10012:2009 was the subject of an earlier draft for public comment (DPC) and I worked with the OWASP Industry Committee on a response.

BS 10012 is not an alternative to the excellent guidance for organisations now produced by the UK's Information Commissioner's Office, but instead is a specification for a personal information management system (PIMS). A PIMS is a governance process for all types of personal information within a company but could also be used for other types of sensitive data. BSI's slant on this is that a PIMS, and therefore BS 10012, could help maintain and improve compliance with the Data Protection Act (DPA) 1998.

A good start and one to watch.

Posted on: 09 June 2009 at 10:32 hrs


03 March 2009

In the Dark with Skittles

The Skittles.com website has been replaced by a mash-up of social networking sites and a navigational widget.

Screen capture of the Skittles.com website showing the Twitter search results page for 'skittles' overlaid with the Skittles navigation widget containing the slogan 'Taste the Rainbow'

Including all this third-party content in a mashup could open Skittles.com web site visitors to many more vulnerabilities—any in the third-party content. Also, I imagine we'll see a rash of copy-cat brand sites doing the same combined with more phishing attacks replicating this approach. It will also be interesting to see the reactions to the framing of one site in another.

However, there are also some privacy concerns here. Visitors to the site are asked to provide their date of birth and opt in to a brief disclaimer:

Screen capture of the verification message stating 'Hold your horses. Before you can check out Skittles.com, you've gotta tell us your age. So spill it... (date of birth form)... Just a heads up: Any stuff beyond the Skittles.com page is actually another site and not in our control. This panel may be hovering over the page, but SKITTLES® isn't responsible for what other people post and say on these sites. Click the box below to acknowledge that you know SKITTLES® isn't responsible for that stuff.'

Methods to get past this "age verification" include:

  • lie about your age
  • peep at what's behind the form on the screen
  • go to Twitter, Facebook and YouTube directly
  • fiddle with the cookies
  • alter the address bar

Some screen captures of the cookie data and address bar are shown below:

Cookie tool showing the Skittles.com AgeVerification cookie with a value of 'aboveAge'

Cookie tool showing the Skittles.com AgeVerification cookie with a value of 'underAge'

Partial screen capture of the web browser address bar showing the address 'http://www.skittles.com/?mm=12&dd=01&yy=2000&terms=on&x=44&y=18' representing a date of birth of 1st December 2000

But is asking for a precise date of birth really necessary? This reminds me about Don't Collect It If You Don't Need It because Mars Snackfood will have to expend effort to protect the information appropriately. Even this cookie by itself on a browser could be read by a malicious script to gain possible knowledge of the user's age. Full dates of birth are sensitive data that are also used for authentication to other websites such as online banking. Whilst the dates alone may not be personally identifiable information, it's possible these could be combined with other information cached on a (shared?) computer, or aggregated with an IP address or the details provided using the site's contact form. Simpler alternatives could have been:

  • age (in years)
  • opt in checkbox (I am over X years old)

depending upon what the purpose is—is it to collect marketing data, protect children or pacify the legal department? The "terms and conditions" seem to be the one sentence that "SKITTLES® isn't responsible for that stuff". Under-age visitors are presented with:

Screen capture of the message displayed after providing a young age stating 'No way, Jose. Unfortunately you aren't eligible to visit the site.'

Just how accurate will this web-collected data be?

Without any clue as to why the data are being collected and what they will be used for, visitors really are in the dark.
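The two points above, collect only the yes/no answer rather than a full date of birth, and do not leave the answer in a cookie that any page script can read or set, can both be met server-side with a few lines. The block below is an added example in Python (not the Skittles.com implementation, whose server code is not public) of an age gate that records only whether the visitor ticked an "I am over X years old" box, binds that answer to the server with an HMAC so a hand-edited cookie is rejected, and sets the cookie HttpOnly so scripts on the page cannot read it. The secret, the minimum age of 16 and the cookie attributes are assumptions for the example; the cookie name `AgeVerification` is the one shown in the screenshots.

```python
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side secret for the example; in practice load it from configuration.
SERVER_SECRET = secrets.token_bytes(32)
MIN_AGE = 16  # assumed threshold; the post leaves the "X years old" value open
COOKIE_NAME = "AgeVerification"  # as shown in the post's cookie screenshots


def weak_gate_is_valid(cookie_value):
    """The plain-text pattern the post describes: the value carries no proof of who set it."""
    return cookie_value == "aboveAge"


def age_gate_value(over_min_age, secret=SERVER_SECRET):
    """Encode only the yes/no answer (never the date of birth), with an HMAC tag
    so that only this server could have produced the value."""
    payload = b"aboveAge" if over_min_age else b"underAge"
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"." + tag).decode()


def age_gate_is_valid(cookie_value, secret=SERVER_SECRET):
    """True only for a value this server produced and which says the visitor is over MIN_AGE."""
    try:
        raw = base64.urlsafe_b64decode(cookie_value.encode())
    except ValueError:
        return False
    payload, sep, tag = raw.partition(b".")
    if not sep:
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison of the tag; then check the answer itself.
    return hmac.compare_digest(tag, expected) and payload == b"aboveAge"


def set_cookie_header(over_min_age):
    """Build the Set-Cookie header value: HttpOnly keeps it out of reach of page scripts,
    Secure and SameSite=Lax limit where the browser will send it."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = age_gate_value(over_min_age)
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    print(set_cookie_header(True))
    print(age_gate_is_valid(age_gate_value(True)), age_gate_is_valid("aboveAge"))
```

Because the payload is only `aboveAge` or `underAge`, the site stores nothing that could be aggregated into a date of birth, which is the "Don't Collect It If You Don't Need It" point; the HMAC addresses the cookie-editing concern, and HttpOnly the concern that a malicious script could read the cookie. Note the gate is still only as reliable as the visitor's honesty, the same limitation the post notes for the original form.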

Posted on: 03 March 2009 at 08:46 hrs


Legislation : Web Security, Usability and Design
http://www.clerkendweller.com/legislation
© 2008-2010 clerkendweller.com