Select Committee on Culture, Media and Sport Minutes of Evidence

Examination of Witnesses (Questions 201-219)


18 MARCH 2008

  Chairman: I welcome to the second part of this morning's session Nicholas Lansman, Secretary-General of the Internet Service Providers' Association, Camille de Stempel, a council member of ISPA and also Director of Policy at AOL, and Mike Galvin, Managing Director of Customer Experience at BT. Alan Keen will begin.

  Q201  Alan Keen: I presume that you favour quite a lot of self-regulation on the issue about which we are speaking today. Where should the dividing line be in relation to self-regulation?

  Mr Lansman: Perhaps I may start by giving a little bit of backdrop to self-regulation. ISPA has always been very supportive of self-regulation in certain circumstances. In the very fast-moving world of the Internet and all the changes mentioned this morning in terms of social networking sites—just changes generally in the Internet and how it has been used—self-regulation has proven to be an effective way to regulate in certain circumstances. A good example of that is that 11 years ago ISPA was a pioneer in the UK's Internet industry in creating a code of practice that I am proud to say has been adopted in other countries in the world. Those codes of practice have been useful to an extent. One part of the code was for the industry to set up the Internet Watch Foundation in the first place. I think everyone will agree today that that has been a tremendous success. However, self-regulation can go only so far. We have seen examples today where regulation is needed sometimes. It is needed, for example, with computer-generated images to give clarity in that field. We have talked about extreme pornography. It is possibly needed there as well. However, care must be taken that this regulation offers what is required to the police to give clarity and the regulation must be implementable; in other words, it must do the job and be enforceable and useful. Care must be taken that when new laws are needed they come about in the appropriate way. I know that ISPA and my colleagues here have been very much involved with various Government departments when new legislation has been put forward to make sure it can be put into practice properly.

  Mr Galvin: I do not think you would have seen the pace of our co-operation with legislation because inevitably it goes more slowly. Self-regulation has accelerated to the point where you get a much better view of what is possible in the industry; in particular, you develop a set of best practice. You heard Jim Gamble talk about best practice earlier. I think that self-regulation can take you to that point. The important issue for legislation is clarity of what is right and what is wrong because ultimately all self-regulation looks back over its shoulder to the law to say what is right and what is wrong. That is where there is a role for legislation.

  Q202  Alan Keen: You mentioned the Internet Watch Foundation which provides a list of banned websites. It led us to believe that 100 ISPs do not take any notice of that. Why? Does that not damage self-regulation?

  Mr Lansman: You are talking about the blocking of certain URLs by the Internet Watch Foundation. Of the large consumer-facing ISPs in the UK I am not aware of any that do not take the list provided by the Internet Watch Foundation. The source of that list is trusted and the ISPs receive it twice a day. Mr Galvin can probably go into this in a bit more detail in a moment. There are ISPs that provide purely business services and would argue that their audience is so different that they provide their own mechanisms to protect their staff. These are early days in terms of the concept of blocking. It seems to be working very effectively. There is encouragement on the part of ISPA to make sure that as many ISPs as possible take the list. I believe that work is taking place with ISPA and the Home Office to encourage ISPs to develop mechanisms to do so.

  Q203  Alan Keen: Everything moves so fast in modern technology and the habits of individuals who use it. I well understand that self-regulation can move quicker than anything else, but where do we need more regulation? In this fast-moving world what do you understand to be the areas where regulation needs to be imposed from above?

  Mr Galvin: Let us take the example of the IWF list that we have just talked about. That list is founded on the Protection of Children Act which has, unusually for UK law, an exceptionally clear definition of what is and what is not legal in terms of child abuse images and makes actual possession of such images illegal. There are very few other such things in our law that are treated so severely as possession. In those circumstances it is possible for the Internet Watch Foundation to develop a list of what in their opinion—after all, they are only an industry body—would constitute illegal images and it is possible for them to distribute that list and for ISPs to blacklist those sites on the basis of the IWF list. If you then step back from child abuse images it is very difficult to find other parallels where there is so much clarity about what is and what is not legal. I cannot think of any now. It would be so much easier to produce a list if the law was clear in different areas. There is a role for the law to make much clearer what is and what is not acceptable. If you turn to almost any other area and look at other laws there is always an element of doubt. Setting up a site with these images and downloading them may be legal but what you do with them after they are downloaded may be illegal. Therefore, the law lacks clarity. There is a role for law and regulation to provide a much greater degree of clarity in the online world to enable people to act on what is right and what is wrong.

  Mr Lansman: Possibly a picture has been painted that somehow the Internet industry does not want regulation, but in certain circumstances the opposite is true. The need for clarity is quite important for the Internet service provider industry. One example is the ability to push back on "judge and jury", that is, the concept that the ISP has to interpret the law where it is not clear or there could be grey area. That has been a frustration for the Internet industry for quite some time. Sometimes regulation can clarify the position and make the job of ISPs much easier to enforce their own terms, conditions and rules.

  Q204  Alan Keen: Is there a role for Ofcom? Should Ofcom be involved or should a new body be set up to help to co-ordinate it? What do you see as the next steps to be taken?

  Mr Lansman: Ofcom is the body that looks right across communications broadcasting and indeed is the regulator. It depends on the aspects of the area in which you want Ofcom to become involved. Obviously, they would be in a better position to offer that advice. I think the issue is that if you are talking of defining content, whether extreme pornography or other areas—computer-generated images—should come within the law, it is really for Parliament to give a steer on that. There are quite a few bodies and groupings where the industry takes part with government, law enforcement, charities and Ofcom to discuss these issues on a regular basis, but ultimately Parliament should make the judgment call on whether or not new legislation is required, and opportunities like this to give our views are very helpful and will, it is hoped, provide information to parliamentarians to make those decisions in future.

  Mr Galvin: Currently, Ofcom does not believe that it regulates the Internet. If Ofcom or any other body were to be established to regulate the Internet you would have to give them terms of reference; you would have to say what their powers were and clearly indicate what was expected of them and what level of performance would be required from such a function. Talking for our customer base—the Internet industry and UK general public at large—I do not believe there is yet a consensus on what that level of regulation or intervention would be. That is something which Parliament would have to decide and agree upon.

  Q205  Alan Keen: You heard Mr Gamble hesitate to name names when Nigel Evans asked him about this a few minutes ago. If you were forced this morning to give us an opinion—we want your views before we put our Report together, which we hope will influence them—what would you like us to put in the Report about the extent of self-regulation as against maybe even a new body to enforce it upon those with whom he is beginning to lose patience?

  Mr Galvin: This is a fast-moving technological area. For example, Facebook was mentioned today. Even one year ago no one had even heard of Facebook. BT has been operating an Internet service since 1996, that is, only for 12 years. It is a relatively recent innovation. I believe that self-regulation has a very important role to play to ensure we can keep pace with technological changes and keep on changing best practice as new services and new threats in terms of child protection, general crime and best practice threats on the Internet come along. Legislation has a role in defining what the minimum standard is, if you like, and enshrining best practice when there is sufficient consensus around what is technically possible and what is acceptable to the UK public at large and Parliament, and legislation then has an important role in setting the gold standard. If you look at self-regulation in any aspect of industry worldwide you will always find people at the front pushing for it and saying more can be done and there will be laggards at the back who have not yet caught up. Therefore, the minimum standard will be set by legislation.

  Mr Lansman: In terms of what should be in your Report, Mr Galvin has espoused the balance between self-regulation and perhaps the need for new regulation. What Jim Gamble was calling for, quite rightly, was more resource and structure so that he and colleagues in law enforcement could do the job of policing, which is entirely correct. I think the Internet industry has always been reluctant to take on the role of policing ISPs. Companies that offer services such as websites and social networking are not the police but commercial bodies which are there to provide a service and do their best to co-operate with law enforcement, government, Parliament and so forth, but ISPA would certainly echo the need for more resources to be able to police properly and accept that some of the crimes in the offline world apply in the online world, and vice versa. That is entirely right. I believe that the co-operation the industry has offered law enforcement and government has been positive. Maybe there are one or two companies that have been less than helpful. ISPA's membership comprises just over 200 members who represent about 95% of the whole industry. If between 5% and 1% are not playing ball but the others are doing between a mediocre and very good job that is not such a bad position in which to be.

  Ms de Stempel: I would like to highlight some of the work that has been done. For example, through the Home Office task force we have developed some guidelines around social networking. The conversation was the most interesting bit of this debate because we could get practice out of all our competitors and then integrate them into our products and make sure they delivered what we were aiming to do. Some part of the approach we have taken allows flexibility to suit different ISPs, content providers and social networking. The aim is to protect a child but then we might have different ways to go about it.

  Q206  Mr Evans: I am Chairman of the All-Party Identity Fraud Group. Somebody from KPMG came to see me last year and told me about the deep web that operates at a different level. Those who need to know where it is can get access to it and they trade credit card details, dates of birth and passwords on it. How it operates is quite amazing. Are you aware of this? Can anything be done to block people getting onto the deep web to do this?

  Mr Galvin: There is no specific network such as deep web. One has an informal group that uses a variety of tools including open access to the Internet but backed up by sites—things like cryptography using proxies to try to disguise identities, et cetera—to swap information illegally. You see this in a number of crime areas. Financial fraud is the main one, but you also find the paedophile community taking extreme counter-surveillance activities to avoid the detection when they do this. They use facilities in different countries, hidden identities and so on. There is widespread use of cryptography. These are not networks in the sense of connected wires but people who have common applications and processes to share this data illegally.

  Q207  Mr Evans: Are you able to do anything to block them? I guess you have to find them first.

  Mr Galvin: The industry can and does co-operate very closely with law enforcement authorities to provide technical information for the detection of this activity. As an industry we are not part of the police; we do not go out and look for illegal activity and check what our customers are doing. We act as a support for the police force in that role and provide them with technical facilities for the detection of that activity. Quite often the types of activities you describe might also cross several international borders. You find that you are co-operating with your own local law enforcement authorities which are also co-operating with counterparts abroad which in turn are co-operating with industry partners in those countries.

  Q208  Mr Evans: Would it be unfair of me to summate what we heard earlier today and in the past in our inquiry that in some cases ISPs will not take action to block access to sites because basically they say they do not adjudicate on the law? If it is illegal they will take action; if not they will do so and pass the buck to Parliament. But if they were to take action on their own they would be afraid of the commercial advantages that would be won by other ISPs who did not take any action?

  Mr Galvin: I have heard of instances of ISPs outside the UK refusing to take down sites because they are not illegal. There are many examples of that. For example, you might go to a site that is freely trading MP3 material and the ISP refuses to take it down because it says that what is being done is not illegal. Within the UK that is much more unusual. I cannot think of a single example where an ISP has refused to take down a site once it has been requested to do so. Quite often these requests come via the IWF or the local police force. In some cases we have taken down sites when individuals have requested us to do so because it contains what they regard as personal information. I cannot think of a recent example over the past few years where that has happened in the UK.

  Mr Lansman: Obviously, there is a regulatory backdrop to notice and take down which is the European E-Commerce Directive which is transposed into UK law. For many years that process has not been clearly defined in UK law; it does not say who can give notice. Having said that, over the past 10 years almost it has proved to be quite a robust system in the UK in the sense that ISPs that host material do take down contents or other sites. The difficulty is that a lot of the sites about which you are probably most concerned are not hosted in the UK, so one problem is the difference in concept in terms of going through the law enforcement of other countries and getting to the ISPs in those countries. The issue is also about making decisions on what is harmful. We have talked about images of child abuse where the position is clear in law. There are other areas where the position is less clear; and there are areas of harm at which I believe the whole of this evidence session is looking. Obviously, the difficulty is deciding whether it is harmful and to whom. Is it harmful to a six-year-old child, a 16-year-old child or an adult? In addition, quite importantly you have extended the scope of this evidence session beyond content itself to things like phishing, spam and other areas of abuse. I think that is an area in which ISPs have been very robust over the past several years. They have been looking at new issues such as phishing and tackling those issues. An earlier example was financial fraud. That is dealt with in co-operation with law enforcement, government, ISPs and the banking sector and it will be an ongoing battle. We have to accept that many of the issues we raise today are not ones that can be quickly solved. It will be a permanent battle based on co-operation by the Internet industry itself but lots of other sectors of society including consumers themselves to address these issues as these and new problems emerge that we cannot even think of today.

  Q209  Mr Evans: Do you believe that things like Net Nanny and other security software are effective? One hears of examples where sometimes simply because normal sites contain certain wording—perhaps it is to do with breast cancer—they are blocked because of one word. How effective is security software in protecting people?

  Ms de Stempel: They are very effective but they are built around artificial intelligence and so, like anything, they need to learn that "Père Noël" in French is "Father Christmas" in English. It might be blocked because the software does not know about it. That is why all the powerful controls that we offer to ISPA members have a mechanism whereby people can feed back on under-blocking and over-blocking. Something is changing; an address has been sold to some other site which was good before and now is not good. All that requires participation by users. But one of the things we have found with parental controls is that they are very robust but are under-utilised. Some of it we offer for free; some are offered for a very small charge. We advertise it; we make it a unique selling point. Although we market it there is still under-utilisation. We work very closely with Tanya Byron but also with many of the industry initiatives to see how better to educate parents as to the usefulness of parental controls, making sure it is about tailoring an online experience rather than prohibiting things. How can you get to good sites in a timely manner? If you search for "bomb" you get things about history rather than information about how to make a bomb.

  Q210  Helen Southworth: Perhaps I may ask BT how much of its annual budget is spent on online child protection.

  Mr Galvin: I do not have the answer to that off the top of my head. There is a considerable investment in online child protection with the facilities we provide within the browser.

  Q211  Helen Southworth: If it is considerable what is the approximate figure?

  Mr Galvin: You are asking me to make a quick mental calculation. One would be talking of something in the region of six figures. It would include systems like Clean Feed.

  Q212  Helen Southworth: What would be the six-figure amount?

  Mr Galvin: It is about £1 million, possibly more. You would have to take into account the fact that where we have logos on the home pages, for example, it displaces advertising revenue. It depends on whether or not you take into account that type of cost.

  Q213  Helen Southworth: I am focusing on your research and the people who are working directly on the issue of child online protection?

  Mr Galvin: We have an abuse desk which deals with issues that come from our customers.

  Q214  Helen Southworth: How is that staffed?

  Mr Galvin: It has permanent BT staff and is based in the UK. The staff vary but typically it would be in the range of 12-15 people.

  Q215  Helen Southworth: Is that seven days a week 24 hours a day?

  Mr Galvin: It is online and on mail and it is an office hours service. We also have frontline staff providing a service 24 hours a day seven days a week who are trained help desk people, if they are not trained abuse desk people. They would deal with issues that came to them and would take that to the abuse desk.

  Q216  Helen Southworth: It would be very helpful if you could let us have the annual budget for specific work on online child protection. What is the position with AOL?

  Ms de Stempel: We do not have a figure because it is integrated in any of our products. When we develop a product we look at lots of different functionalities including child protection. For example, we have a reporting mechanism for all our products.

  Q217  Helen Southworth: But you do not allocate anything specifically for child online protection; you do not have anything ring-fenced for that specific purpose?

  Ms de Stempel: For example, the equivalent to BT's Clean Feed would be part of the cost. We have law enforcement support which would be another part of the cost, but they do other things as well. If we apportion a particular cost to AOL staff, some of their work would concentrate on child protection and some on consumer protection.

  Q218  Helen Southworth: I am thinking in terms of what gets measured gets done.

  Ms de Stempel: It gets done because it is in the DNA of what we do.

  Q219  Helen Southworth: But you cannot quantify it at all?

  Ms de Stempel: No. I can ask but we look at this issue globally. For example, like other ISPs we contribute to the IWF and that would be one of the costs.


© Parliamentary copyright 2008
Prepared 31 July 2008