Jerry Fishenden, Microsoft's National Technology Officer (NTO) for the UK, advises the company on all aspects of technology strategy. His remit includes responsibility for developing the use of IT for local economic development, standards, interoperability, privacy, security and technical computing.
Fishenden has been closely involved with the UK's e-government programme since 1997, and was also involved in the strategic development of the Government Gateway — the UK government's national solution for user identity and transactional services.
We quizzed him on the state of the security landscape today, the challenge of fighting spam and the government's plans to bring in ID cards and create a super-database.
Q: Spam is a huge problem, and one that seems to be baffling the government at the moment. Last week you told the Lords Science & Technology Committee about the US model of Can-Spam and fining per spam. Is this model one you advocate for the UK?
A: I think it would make the [British] system a lot simpler, both in terms of deterrent factor, and of the overheads associated with prosecutions. Also, when someone like Microsoft takes somebody to court, a lot of time and effort is spent trying to prove damages caused by the spam. It's terribly complicated.
It's that usual debate about the balance of deterrents. The amount of spam some of these guys are sending is phenomenal. If we're blocking over three billion spams a day and there's a lot of money in it, then the question is, how do you deter those people?
Q: Recent figures show that most spam is generated from the US, by US companies sending US spam from US servers. Doesn't that show that the US model isn't working?
A: This gets into issues about the complexities of cross-border spam and e-crime — if I get a spam from the US in my mailbox here in the UK, what do I do about it? You're right, it might come from the States, it might come from anywhere — but how do I initiate an action?
I'm fed up with pesky spam mails invading my mailbox, but which jurisdiction do I take action in? Is it where I live in west London because the PC it landed on is there? But what if a week later I'm flying round the world and I'm in Beijing, and they're hitting the same laptop there? It's horribly complicated.
Q: Would it work to say if someone is using a server in a particular country to spam, then you should be able to go to that country's government and say look, there's a really bad problem with spam from your country. What are you going to do about it?
A: I suspect the reality is that you might shut down that service, but even if things move swiftly, by the time you've got through the system of working out who's hosting it and where, the spammers would have torn that site down, gone off somewhere else and set up another one.
Q: But couldn't you then say they're wanted in that country for spamming?
A: If you work out who it was, yes. Some people are slick at setting up multiple IDs, registering details, then ripping sites down. I can see why the police...