Examination of Witnesses (Questions 201-219)|
18 MARCH 2008
Chairman: I welcome to the second part
of this morning's session Nicholas Lansman, Secretary-General
of the Internet Service Providers' Association, Camille de Stempel,
a council member of ISPA and also Director of Policy at AOL, and
Mike Galvin, Managing Director of Customer Experience at BT. Alan
Keen will begin.
Q201 Alan Keen: I presume that you
favour quite a lot of self-regulation on the issue about which
we are speaking today. Where should the dividing line be in relation
Mr Lansman: Perhaps I may start
by giving a little bit of backdrop to self-regulation. ISPA has
always been very supportive of self-regulation in certain circumstances.
In the very fast-moving world of the Internet and all the changes
mentioned this morning in terms of social networking sitesjust
changes generally in the Internet and how it has been usedself-regulation
has proven to be an effective way to regulate in certain circumstances.
A good example of that is that 11 years ago ISPA was a pioneer
in the UK's Internet industry in creating a code of practice that
I am proud to say has been adopted in other countries in the world.
Those codes of practice have been useful to an extent. One part
of the code was for the industry to set up the Internet Watch
Foundation in the first place. I think everyone will agree today
that that has been a tremendous success. However, self-regulation
can go only so far. We have seen examples today where regulation
is needed sometimes. It is needed, for example, with computer-generated
images to give clarity in that field. We have talked about extreme
pornography. It is possibly needed there as well. However, care
must be taken that this regulation offers what is required to
the police to give clarity and the regulation must be implementable;
in other words, it must do the job and be enforceable and useful.
Care must be taken that when new laws are needed they come about
in the appropriate way. I know that ISPA and my colleagues here
have been very much involved with various Government departments
when new legislation has been put forward to make sure it can
be put into practice properly.
Mr Galvin: I do not think you
would have seen the pace of our co-operation with legislation
because inevitably it goes more slowly. Self-regulation has accelerated
to the point where you get a much better view of what is possible
in the industry; in particular, you develop a set of best practice.
You heard Jim Gamble talk about best practice earlier. I think
that self-regulation can take you to that point. The important
issue for legislation is clarity of what is right and what is
wrong because ultimately all self-regulation looks back over its
shoulder to the law to say what is right and what is wrong. That
is where there is a role for legislation.
Q202 Alan Keen: You mentioned the
Internet Watch Foundation which provides a list of banned websites.
It led us to believe that 100 ISPs do not take any notice of that.
Why? Does that not damage self-regulation?
Mr Lansman: You are talking about
the blocking of certain URLs by the Internet Watch Foundation.
Of the large consumer-facing ISPs in the UK I am not aware of
any that do not take the list provided by the Internet Watch Foundation.
The source of that list is trusted and the ISPs receive it twice
a day. Mr Galvin can probably go into this in a bit more detail
in a moment. There are ISPs that provide purely business services
and would argue that their audience is so different that they
provide their own mechanisms to protect their staff. These are
early days in terms of the concept of blocking. It seems to be
working very effectively. There is encouragement on the part of
ISPA to make sure that as many ISPs as possible take the list.
I believe that work is taking place with ISPA and the Home Office
to encourage ISPs to develop mechanisms to do so.
Q203 Alan Keen: Everything moves
so fast in modern technology and the habits of individuals who
use it. I well understand that self-regulation can move quicker
than anything else, but where do we need more regulation? In this
fast-moving world what do you understand to be the areas where
regulation needs to be imposed from above?
Mr Galvin: Let us take the example
of the IWF list that we have just talked about. That list is founded
on the Protection of Children Act which has, unusually for UK
law, an exceptionally clear definition of what is and what is
not legal in terms of child abuse images and makes actual possession
of such images illegal. There are very few other such things in
our law that are treated so severely as possession. In those circumstances
it is possible for the Internet Watch Foundation to develop a
list of what in their opinionafter all, they are only an
industry bodywould constitute illegal images and it is
possible for them to distribute that list and for ISPs to blacklist
those sites on the basis of the IWF list. If you then step back
from child abuse images it is very difficult to find other parallels
where there is so much clarity about what is and what is not legal.
I cannot think of any now. It would be so much easier to produce
a list if the law was clear in different areas. There is a role
for the law to make much clearer what is and what is not acceptable.
If you turn to almost any other area and look at other laws there
is always an element of doubt. Setting up a site with these images
and downloading them may be legal but what you do with them after
they are downloaded may be illegal. Therefore, the law lacks clarity.
There is a role for law and regulation to provide a much greater
degree of clarity in the online world to enable people to act
on what is right and what is wrong.
Mr Lansman: Possibly a picture
has been painted that somehow the Internet industry does not want
regulation, but in certain circumstances the opposite is true.
The need for clarity is quite important for the Internet service
provider industry. One example is the ability to push back on
"judge and jury", that is, the concept that the ISP
has to interpret the law where it is not clear or there could
be grey area. That has been a frustration for the Internet industry
for quite some time. Sometimes regulation can clarify the position
and make the job of ISPs much easier to enforce their own terms,
conditions and rules.
Q204 Alan Keen: Is there a role for
Ofcom? Should Ofcom be involved or should a new body be set up
to help to co-ordinate it? What do you see as the next steps to
Mr Lansman: Ofcom is the body
that looks right across communications broadcasting and indeed
is the regulator. It depends on the aspects of the area in which
you want Ofcom to become involved. Obviously, they would be in
a better position to offer that advice. I think the issue is that
if you are talking of defining content, whether extreme pornography
or other areascomputer-generated imagesshould come
within the law, it is really for Parliament to give a steer on
that. There are quite a few bodies and groupings where the industry
takes part with government, law enforcement, charities and Ofcom
to discuss these issues on a regular basis, but ultimately Parliament
should make the judgment call on whether or not new legislation
is required, and opportunities like this to give our views are
very helpful and will it is hoped provide information to parliamentarians
to make those decisions in future.
Mr Galvin: Currently, Ofcom does
not believe that it regulates the Internet. If Ofcom or any other
body were to be established to regulate the Internet you would
have to give them terms of reference; you would have to say what
their powers were and clearly indicate what was expected of them
and what level of performance would be required from such a function.
Talking for our customer basethe Internet industry and
UK general public at largeI do not believe there is yet
a consensus on what that level of regulation or intervention would
be. That is something which Parliament would have to decide and
Q205 Alan Keen: You heard Mr Gamble
hesitate to name names when Nigel Evans asked him about this a
few minutes ago. If you were forced this morning to give us an
opinionwe want your views before we put our Report together,
which we hope will influence themwhat would you like us
to put in the Report about the extent of self-regulation as against
maybe even a new body to enforce it upon those with whom he is
beginning to lose patience?
Mr Galvin: This is a fast-moving
technological area. For example, Facebook was mentioned today.
Even one year ago no one had even heard of Facebook. BT has been
operating an Internet service since 1996, that is, only for 12
years. It is a relatively recent innovation. I believe that self-regulation
has a very important role to play to ensure we can keep pace with
technological changes and keep on changing best practice as new
services and new threats in terms of child protection, general
crime and best practice threats on the Internet come along. Legislation
has a role in defining what the minimum standard is, if you like,
and enshrining best practice when there is sufficient consensus
around what is technically possible and what is acceptable to
the UK public at large and Parliament, and legislation then has
an important role in setting the gold standard. If you look at
self-regulation in any aspect of industry worldwide you will always
find people at the front pushing for it and saying more can be
done and there will be laggards at the back who have not yet caught
up. Therefore, the minimum standard will be set by legislation.
Mr Lansman: In terms of what should
be in your Report, Mr Galvin has espoused the balance between
self-regulation and perhaps the need for new regulation. What
Jim Gamble was calling for, quite rightly, was more resource and
structure so that he and colleagues in law enforcement could do
the job of policing, which is entirely correct. I think the Internet
industry has always been reluctant to take on the role of policing
ISPs. Companies that offer services such as websites and social
networking are not the police but commercial bodies which are
there to provide a service and do their best to co-operate with
law enforcement, government, Parliament and so forth, but ISPA
would certainly echo the need for more resources to be able to
police properly and accept that some of the crimes in the offline
world apply in the online world, and vice versa. That is entirely
right. I believe that the co-operation the industry has offered
law enforcement and government has been positive. Maybe there
are one or two companies that have been less than helpful. ISPA's
membership comprises just over 200 members who represent about
95% of the whole industry. If between 5% and 1% are not playing
ball but the others are doing between a mediocre and very good
job that is not such a bad position in which to be.
Ms de Stempel: I would like to
highlight some of the work that has been done. For example, through
the Home Office task force we have developed some guidelines around
social networking. The conversation was the most interesting bit
of this debate because we could get practice out of all our competitors
and then integrate them into our products and make sure they delivered
what we were aiming to do. Some part of the approach we have taken
allows flexibility to suit different ISPs, content providers and
social networking. The aim is to protect a child but then we might
have different ways to go about it.
Q206 Mr Evans: I am Chairman of the
All-Party Identity Fraud Group. Somebody from KPMG came to see
me last year and told me about the deep web that operates at a
different level. Those who need to know where it is can get access
to it and they trade credit card details, dates of birth and passwords
on it. How it operates is quite amazing. Are you aware of this?
Can anything be done to block people getting onto the deep web
to do this?
Mr Galvin: There is no specific
network such as deep web. One has an informal group that uses
a variety of tools including open access to the Internet but backed
up by sitesthings like cryptography using proxies to try
to disguise identities, et ceterato swap information illegally.
You see this in a number of crime areas. Financial fraud is the
main one, but you also find the paedophile community taking extreme
counter-surveillance activities to avoid the detection when they
do this. They use facilities in different countries, hidden identities
and so on. There is widespread use of cryptography. These are
not networks in the sense of connected wires but people who have
common applications and processes to share this data illegally.
Q207 Mr Evans: Are you able to do
anything to block them? I guess you have to find them first.
Mr Galvin: The industry can and
does co-operate very closely with law enforcement authorities
to provide technical information for the detection of this activity.
As an industry we are not part of the police; we do not go out
and look for illegal activity and check what our customers are
doing. We act as a support for the police force in that role and
provide them with technical facilities for the detection of that
activity. Quite often the types of activities you describe might
also cross several international borders. You find that you are
co-operating with your own local law enforcement authorities which
are also co-operating with counterparts abroad which in turn are
co-operating with industry partners in those countries.
Q208 Mr Evans: Would it be unfair
of me to summate what we heard earlier today and in the past in
our inquiry that in some cases ISPs will not take action to block
access to sites because basically they say they do not adjudicate
on the law? If it is illegal they will take action; if not they
will do so and pass the buck to Parliament. But if they were to
take action on their own they would be afraid of the commercial
advantages that would be won by other ISPs who did not take any
Mr Galvin: I have heard of instances
of ISPs outside the UK refusing to take down sites because they
are not illegal. There are many examples of that. For example,
you might go to a site that is freely trading MP3 material and
the ISP refuses to take it down because it says that what is being
done is not illegal. Within the UK that is much more unusual.
I cannot think of a single example where an ISP has refused to
take down a site once it has been requested to do so. Quite often
these requests come via the IWF or the local police force. In
some cases we have taken down sites when individuals have requested
us to do so because it contains what they regard as personal information.
I cannot think of a recent example over the past few years where
that has happened in the UK.
Mr Lansman: Obviously, there is
a regulatory backdrop to notice and take down which is the European
E-Commerce Directive which is transposed into UK law. For many
years that process has not been clearly defined in UK law; it
does not say who can give notice. Having said that, over the past
10 years almost it has proved to be quite a robust system in the
UK in the sense that ISPs that host material do take down contents
or other sites. The difficulty is that a lot of the sites about
which you are probably most concerned are not hosted in the UK,
so one problem is the difference in concept in terms of going
through the law enforcement of other countries and getting to
the ISPs in those countries. The issue is also about making decisions
on what is harmful. We have talked about images of child abuse
where the position is clear in law. There are other areas where
the position is less clear; and there are areas of harm at which
I believe the whole of this evidence session is looking. Obviously,
the difficulty is deciding whether it is harmful and to whom.
Is it harmful to a six-year-old child, a 16-year-old child or
an adult? In addition, quite importantly you have extended the
scope of this evidence session beyond content itself to things
like phising, spam and other areas of abuse. I think that is an
area in which ISPs have been very robust over the past several
years. They have been looking at new issues such as phishing and
tackling those issues. An earlier example was financial fraud.
That is dealt with in co-operation with law enforcement, government,
ISPs and the banking sector and it will be an ongoing battle.
We have to accept that many of the issues we raise today are not
ones that can be quickly solved. It will be a permanent battle
based on co-operation by the Internet industry itself but lots
of other sectors of society including consumers themselves to
address these issues as these and new problems emerge that we
cannot even think of today.
Q209 Mr Evans: Do you believe that
things like Net Nanny and other security software are effective?
One hears of examples where sometimes simply because normal sites
contain certain wordingperhaps it is to do with breast
cancerthey are blocked because of one word. How effective
is security software in protecting people?
Ms de Stempel: They are very effective
but they are built around artificial intelligence and so, like
anything, they need to learn that "Pe"re Noel"
in French is "Father Christmas" in English. It might
be blocked because the software does not know about it. That is
why all the powerful controls that we offer to ISPA members have
a mechanism whereby people can feed back on under-blocking and
over-blocking. Something is changing; an address has been sold
to some other site which was good before and now is not good.
All that requires participation by users. But one of the things
we have found with parental controls is that they are very robust
but are under-utilised. Some of it we offer for free; some are
offered for a very small charge. We advertise it; we make it a
unique selling point. Although we market it there is still under-utilisation.
We work very closely with Tanya Byron but also with many of the
industry initiatives to see how better to educate parents as to
the usefulness of parental controls, making sure it is about tailoring
an online experience rather than prohibiting things. How can you
get to good sites in a timely manner? If you search for "bomb"
you get things about history rather than information about how
to make a bomb.
Q210 Helen Southworth: Perhaps I
may ask BT how much of its annual budget is spent on online child
Mr Galvin: I do not have the answer
to that off the top of my head. There is a considerable investment
in online child protection with the facilities we provide within
Q211 Helen Southworth: If it is considerable
what is the approximate figure?
Mr Galvin: You are asking me to
make a quick mental calculation. One would be talking of something
in the region of six figures. It would include systems like Clean
Q212 Helen Southworth: What would
be the six-figure amount?
Mr Galvin: It is about £1
million, possibly more. You would have to take into account the
fact that where we have logos on the home pages, for example,
it displaces advertising revenue. It depends on whether or not
you take into account that type of cost.
Q213 Helen Southworth: I am focusing
on your research and the people who are working directly on the
issue of child online protection?
Mr Galvin: We have an abuse desk
which deals with issues that come from our customers.
Q214 Helen Southworth: How is that
Mr Galvin: It has permanent BT
staff and is based in the UK. The staff vary but typically it
would be in the range of 12-15 people.
Q215 Helen Southworth: Is that seven
days a week 24 hours a day?
Mr Galvin: It is online and on
mail and it is an office hours service. We also have frontline
staff providing a service 24 hours a day seven days a week who
are trained help desk people, if they are not trained abuse desk
people. They would deal with issues that came to them and would
take that to the abuse desk.
Q216 Helen Southworth: It would be
very helpful if you could let us have the annual budget for specific
work on online child protection. What is the position with AOL?
Ms de Stempel: We do not have
a figure because it is integrated in any of our products. When
we develop a product we look at lots of different functionalities
including child protection. For example, we have a reporting mechanism
for all our products.
Q217 Helen Southworth: But you do
not allocate anything specifically for child online protection;
you do not have anything ring-fenced for that specific purpose?
Ms de Stempel: For example, the
equivalent to BT's Clean Feed would be part of the cost. We have
law enforcement support which would be another part of the cost,
but they do other things as well. If we apportion a particular
cost to AOL staff, some of their work would concentrate on child
protection and some on consumer protection.
Q218 Helen Southworth: I am thinking
in terms of what gets measured gets done.
Ms de Stempel: It gets done because
it is in the DNA of what we do.
Q219 Helen Southworth: But you cannot
quantify it at all?
Ms de Stempel: No. I can ask but
we look at this issue globally. For example, like other ISPs we
contribute to the IWF and that would be one of the costs.