Dutch telecoms regulator wants to enforce internet safety requirements: ISPs not enthusiastic

22 November 2007

Gerrit-Jan Zwenne, Chris Erents

Internet safety is high on the agenda of the Dutch telecoms regulator, OPTA. After fighting spam with some success and an occasional failure, the Dutch telecoms regulator now wishes to enforce internet safety requirements. The Dutch Telecoms Act requires all telecoms providers to take appropriate technical and organisational measures to ensure the safety and protection of their networks and services. In doing so they have to guarantee a level of security and protection which is proportionate to the risks involved, taking into account the state of the technology and the costs.

The regulator’s view is that the ISPs have not taken enough effective steps to protect their subscribers and end-users. The regulator has therefore proposed a policy consisting of a minimum set of compulsory measures. This new policy, which is now subject to a public consultation process, was preceded by a survey carried out by an independent research bureau, Stratix. This survey showed that the main threats consist of ‘malware’ and ‘crimeware’, i.e. software that is clandestinely installed on the end-users’ PCs via viruses and contaminated websites. Infected PCs (zombies) are then used by cybercriminals for the distribution of spam, distributed denial of service attacks (DDoS-attacks), or phishing, (collecting identity details like usernames, passwords, credit card numbers etc.).

To prevent the installation of such malware and crimeware OPTA wants the ISPs to comply with the following requirements:

  • no forwarding of traffic from IP addresses that don’t belong to their own IP-series to other networks (so-called ‘egress filter’);

  • no forwarding of incoming traffic from IP blocks that are not assigned or are not in use (so-called ‘ingress filter’);

  • providing virus- and spam filters for all incoming e-mail; and

  • providing information (on a regular basis) to new and existing subscribers about concrete threats and the possible protective measures against these threats.

In a hearing to discuss this proposed policy the Dutch Consumers Association, Consumentenbond, showed some enthusiasm for the policy proposed by OPTA. The consumers’ representative expressed its appreciation of this first step by OPTA. However, the association expects that more far-reaching measures will be needed to deal effectively with current threats.

A different view was presented by the XS4ALL, an ISP well known for its commitment to digital rights and the free and uncensored exchange of information. The ISP’s representative’s view was that on the basis of current telecoms regulations OPTA may not have the authority to issue the policy, let alone enforce it. XS4ALL criticized OPTA’s approach to the threats, as their approach was exclusively directed at ISPs and not to other stakeholders, such as subscribers and end-users, hardware and software providers, e-banking services and the government. Additionally the ISP argued that most measures proposed by the telecoms regulator are already implemented by the ISPs. Their view was that this shows that the ISPs are capable of implementing necessary measures without formal regulation. On this basis the ISP characterised OPTA’s initiative as unnecessary and as overregulation.

Perhaps as a result of the ISPs’ limited enthusiasm the State Secretary responsible recently announced his intention to amend the Telecoms Act and other telecoms regulations, and include more detailed rules regarding Internet safety. The State Secretary intends to provide OPTA with the legal instruments to enforce minimum security standards. The state secretary also announced that he will establish a central coordinating point, called the National Infrastructure for Cybercrime. The aim of this body is to enable an effective exchange of information on internet security and threats.

Such initiatives may help to make the internet safer and more secure. However, when it comes to security the ‘human factor’ should not be ruled out. This was illustrated by OPTA itself when it informed more then a hundred interested parties about the results of the hearing and the consultation process OPTA sent out an e-mail message with all e-mail addresses of the recipients in the ‘to: field’ instead of the ‘bcc: field’. By doing so the regulator unintentionally revealed all recipients’ e-mail addresses, which subsequently were used by XS4ALL to bring its views on the matter to their attention.

OPTA’s consultation document regarding internet security (in Dutch) can be downloaded from www.opta.nl/asp/besluiten/consultatiedocumenten/­document.asp?id=2375; the views of XS4ALL can be found at www.xs4all.nl/opinie/2007/05/18/opta-zoekt-werkgelegenheid-deel-2