Security group calls for 'report abuse' button on web sites

Web site visitors should be able to provide 'feedback' when they encounter a security issue

Web sites aimed at consumers should feature a 'report abuse' button as standard to alert firms to security problems on their own sites, according to the Information Security Awareness Forum (ISAF).

The ISAF said that, while some web sites do feature a button which lets users offer feedback when they encounter a security issue, many do not.

At the very least, sites should have a mechanism to report security issues, and links to external sites that provide targeted security advice. The ISAF today said that such an option should be included on all sites visited by consumers, including social networking, gaming and e-commerce sites.

"The simplest routine might be to use a button or click entry which leads to a semi-standard 'Security Advice' page with instructions on how to report to the organisation's own incident response team (if applicable), as well as generic advice and contacts," said ISAF chairman Dr David King.

"This would enable a consumer/user to inform the intended web site of issues, and for the web site to manage an appropriate response, which may include liaison with police and anti-fraud authorities."

However, some questioned the logistics of such an initiative. Clive Longbottom, service director at analyst firm Quocirca, suggested that it would be overkill, and that most firms already have such a mechanism.

"If we go down this route there's a whole heap of others that would want equal representation. For example 'This site does not abide with accessibility standards', 'This site is not HTMLvx.y/CSS compliant' and 'This page is not suitable for colour blind people'. And all of these have to be 'Talk to me now', 'IM me', 'Call back' and whatever other buttons," Longbottom explained.

"All you'd get on the front page is a button-fest. By law, all web sites have to have a contact capability, a webmaster email or some such thing. If anyone has any worries, they should just use that."

Graham Titterington, IT security specialist at analyst firm Ovum, also expressed concern about the ISAF proposal.

"If a web site has a security problem, I wouldn’t be confident about the button clicking through to the right place. If you are on a corrupted site, the damage is likely to be done, and in any case the best strategy is to get off it as quickly as possible," he advised.

"A simple email to the organisation - or even a phone call if it is important, like a banking site problem - is a better means of notifying them of the problem, and keeps you away from the insecure web site."

In related news, the ISAF and the British Computer Society (BCS) are to offer guidance for enterprises and organisations that deal with consumers' personal information. The two bodies have today jointly launched the Personal Data Guardianship Code in an effort to change the culture of organisations towards the handling of personal data.

"The BCS believes that every organisation which handles personal data should have in place specific rules and procedures that protect the rights of data subjects," the BCS said in a statement.

"Our Code aims to assist organisations in their culture change programmes by promoting best practice for all organisations, large or small, whether in the public, private or third sector."