A report on internet safety has concluded ISPs (Internet service providers) should take more responsibility for online security since end users are often lax.
But last week's Personal Internet Security report, published by the UK House of Lords, stopped short of suggesting that the UK's telecoms regulator Ofcom should impose new rules on ISPs.
"We do not advocate immediate legislation or heavy-handed intervention by the regulator," the report said. "But the market will need to be pushed a little if it is to deliver better security."
ISPs generally argue that security is the responsibility of end users, which Ofcom has also supported. The report called it "disappointing" that the UK government has accepted those arguments since the reality often exceeds the capability of end users to recognise the threats.
"There appears to be still greater scope for intervention at the level of the Internet Service Provider," the report said. "They sit ...near the edges of the network, providing a link between the end user and the network."
The UK government has imposed one regulation on ISPs. By the end of 2007, ISPs must block websites involving images of child abuse as listed on a database maintained by the Internet Watch Foundation. Most ISPs already do this.
But more controversial are suggestions that ISPs should examine content flowing through their networks and apply filtering to cull malicious activity.
ISPs have maintained a ‘mere conduit’ defence, codified in the European Union's E-Commerce Directive, which says they have no obligation to monitor content on their networks.
The report, however, suggested a tightening of how that defence works in an effort to nip emerging security problems earlier, such as sites containing malicious software.
"In particular, once an ISP has detected or been notified that an end-user machine on its network is sending out spam or infected code, we believe that the ISP should be legally liable for any damage to third parties resulting from a failure immediately to isolate the affected machine," the report said.
But the Open Rights Group, a non-governmental group that monitors internet-related privacy and legal issues, urged caution on issues dealing with ISP liability.
"As notice and takedown practices tied to suspected copyright infringement have shown, ISPs are not best placed to police the network, and can be expected to react to this kind of pressure by knocking users off the network without appropriate levels of investigation into those users' actions," the group wrote on its website.