Singapore, 6 January 2000 | For Immediate Release
The Infocomm Development Authority of Singapore (IDA), on behalf of the National IT Committee, has released a set of guidelines to safeguard public interests when Internet Access Service Providers (IASPs) conduct preventive security scanning exercises (see Annex A).
The need for such guidelines was heightened following an incident in May 1999 when SingNet scanned 200,000 subscribers' computers without informing them. The government had stressed that such computer scanning without permission is wrong, and that more clarity is required in the approach to such scans. Public awareness of the importance of computer security must also be heightened.
The Guidelines for IASPs on Scanning of Subscribers' Computers were developed by the IDA in close consultation with all the players in the Internet access services market. The guidelines were based on international best practices in the areas of consumer privacy and protection. In line with international practices, an industry self-regulation approach has been taken in the formulation and implementation of the guidelines.
The guidelines articulate the importance of accountability and transparency when security-conscious IASPs conduct scanning exercises to ensure that their subscribers' computers are safe and are not infected by malicious software or viruses. In particular, consent by IASP subscribers should be explicitly obtained before such exercises can be conducted. Scanning activities must be non-intrusive, and the IASP must inform its subscribers on how their privacy will be protected during such activities.
The Internet has brought tremendous benefits and convenience to users. However, being connected to the Internet also exposes one's computer to the risk of malicious attacks and viruses. Computer scanning, while unpopular with Internet subscribers, is effective in exposing potential vulnerabilities to malicious attacks.
The IDA believes that the responsibility of safeguarding one's computer must ultimately rest on the owner. In this regard, the guidelines encourage IASPs to raise their subscribers' awareness of IT security issues. At the same time, the guidelines serve to assure Internet subscribers that security scanning by the IASPs will be guided by a code of ethical practices.
The guidelines will take immediate effect. The IDA, together with the IASPs and other relevant government agencies, will continue to monitor local and international developments, and review the guidelines if necessary.
INFOCOMM DEVELOPMENT AUTHORITY OF SINGAPORE
Annex A: Guidelines for IASPs on Scanning of Subscribers' Computers
While the Internet provides a rich source of information and services, there are also undesirable effects such as viruses and trojan software being widely propagated. Viruses and trojan software have the capability to compromise data and software in an infected computer. Therefore individuals should protect their computers against infections of such software when using the Internet.
IASPs may choose to scan their subscribers' computers connected to their network to determine if the computers are infected with viruses or trojan software. This can help to prevent such software from being propagated to other computers in the network.
Definition & Intent
For the purpose of these guidelines, scanning shall be defined as activities conducted by IASPs to elicit information on the security vulnerabilities of their subscribers' computers via network connections. This form of scanning does not require the subject, i.e. the subscriber, to execute any specific application in addition to those that are necessary for the operations of the subject's computer.
The objective of the guidelines is to ensure proper conduct of the scanning activities by the IASPs and to protect the privacy of data and software in the subscribers' computers. The guidelines are not intended to be exhaustive or prescriptive. The IASPs should not be restricted from implementing alternative measures to enhance the security of their subscribers' computers and their network.
IASPs should adhere to the following guidelines when scanning their subscribers' computers:
To ensure that there is no unauthorised or rogue scanning being done in the name of an IASP, a management level representative must be appointed to supervise the scanning activity.
b. Subscribers' Consent
The subscribers' explicit consent must be obtained before the scanning activity can be initiated. Provisions must be available for the subscribers to opt out of the scanning activity. The subscribers should be given sufficient advance notice on an impending scanning activity for them to undertake any necessary precautions. A non-response should be deemed as no consent.
c. Transparency of Activity
Subscribers must be provided with pertinent information prior to the scanning activity so that they know when and how the activity will be conducted. Subscribers must be provided with the relevant scanning results in a timely manner.
The scanning activity must be designed and implemented such that it does only what is necessary to ascertain the set of vulnerabilities and only elicits minimum information from the subscribers' computers to form an assessment. Subscribers should have access to information on how their privacy is being protected in such activities.
The scanning process must at no time result in the ability to capture, store or record information pertaining to the sites or data that the user is currently accessing or has accessed in the past. It should not permit the interception or viewing of user electronic communication such as electronic mail or web browsing.
It is recognised that a well-informed subscriber will provide more sustainable protection for himself and the IASP's network than any scanning exercise. IASPs should thus put in place IT security awareness programmes to better inform and enhance the general understanding of relevant issues among their subscribers.