Legal loophole in email screening service

A new network-based mail-screening service that allows customers to set their own security policies has been labelled of questionable value by experts.

Richard Barber, of security specialist Integralis, said the concept of the service was good. But he questioned whether customers would have legal recourse to the US-based company if there was a breach of the UK's intellectual property laws or the RIP Act was violated.

"I don't see a contract, and companies wouldn't want their emails crossing the water [to the US] either," he said.

The XO-Screen service has been launched by internet connectivity provider XO Communications, but analysts questioned whether the low-cost service would add security for its target mid-sized business market.

In addition to providing standard virus and worm checking, it allows users to define incoming and outgoing mail policies, which are managed through XO's Security Operations Centre (SOC).

"Companies are very nervous about outsourcing their security," said Grant Farquhar, head of security and access products, XO Communications.

"Some larger companies are handing security over to third parties but they can't always be trusted and often [further] outsource this themselves."

He said that E-Screen was provided without XO having direct access to customers' systems.

But Farquhar said the SOC was in London's Docklands with UK-based back-up facilities, so no mail would leave the UK. He said that no company offered SLAs [service level agreements] for email virus control.

A particular problem for smaller companies is a lack of in-house expertise or resources to handle security, and a study of early E-Screen adopters showed that they were medium-sized companies of 50-500 people.

But Barber said that security companies such as Sophos and F-Secure provided automatic updating of their internal virus software - and that this overcame the problem without compromising security.

The service costs £1.50 per user per month and, according to Farquhar, is very easy to use.

"Questions are self-asked on screen. For instance, you can have an attachments policy. VB scripts rarely have a business requirement but they carry a lot of viruses so could be blocked, while attachment sizes can be limited with larger files placed in quarantine. Outgoing mail can have a disclaimer annotated," he said.

The service currently recognises 135 different file types that can either be blocked or diverted for closer examination. Denial of service, spam and profanity can also be blocked.