Written evidence submitted by PhonepayPlus
(Malware 20)
SUMMARY
1. PhonepayPlus, the UK regulator of premium
rate services (PRS), welcomes the opportunity to provide written
evidence to the Science and Technology Select Committee for its
inquiry into malware and cyber-crime.
2. In our submission, we wish to highlight to
the Committee the following:
Growing threats to consumers from potentially harmful apps
- we are aware of growing risks from rogue apps (software applications
for smartphones). This potential consumer harm spans a spectrum,
from technically defined "malware" (such as Trojans)
to misleading downloadable software that can significantly harm
consumers. In recent months, PhonepayPlus has identified through
proactive monitoring and consumer complaints apps that charged
customers for a premium rate subscription service without their
knowledge or consent. We have taken robust action within our regulatory
remit against the providers of these apps, shutting down the services
and fining substantially.
The role of regulation in helping to combat threats to consumer confidence
in the digital market place - PhonepayPlus
is the UK regulator of PRS. PRS (sometimes called phone-paid services)
share in common a micropayment mechanism that allows consumers
to pay for content or services by an additional charge to their
phone-bill or pay-as-you-go account. PhonepayPlus' Code of Practice
defines important outcomes that providers must achieve for consumers.
In the cases where we identified apps that were charging without
consumers' consent, we used our full enforcement powers to quickly
stop consumer harm, immediately shutting off the service. Following
a thorough investigation, the independent Tribunal substantially
fined the providers. However, PhonepayPlus is a civil regulator
and as such our powers are limited. For example, where criminal
activity is involved in malware on smartphones, law enforcement
bodies need to pursue and prosecute such matters as appropriate.
It is integral to any developments in this area that bodies such
as the Serious and Organised Crime Agency give sufficient priority
to this growing threat.
The need for consumer and industry awareness
- as a proactive, collaborative regulator, PhonepayPlus aims to
pre-empt problems that harm consumer confidence and damage the
market before they occur. We believe that it is essential that
these new threats in the digital sphere are brought to the attention
of both consumers and the industry we regulate. With this in mind
we have developed an award-winning consumer literacy campaign
to help consumers, in particular young people, understand PRS
and the costs involved with services such as apps. We have also
issued a consultation with the PRS and digital industries around
the issue of in-app billing in which we clearly define the need
for clear consumer consent to be billed. The consultation also
includes a range of other measures designed to protect consumers
and ensure confidence in the digital market.
Rapid market developments - the rapid change
in mobile technology, and the increasing adoption of smartphones,
means that more and more people, including children, are using
their mobile phones to purchase digital content. We believe that
it is essential that the Government understands the potential
risks to consumers in the fast-moving digital, micropayment market,
and that there is cross-agency working to help reduce these risks.
3. PhonepayPlus is doing further research on
potentially harmful apps and malware on smartphones and will keep
the Committee informed of this work in due course.
INTRODUCTION
4. PhonepayPlus is the independent, industry-funded
regulator of PRS - the goods and services that you can buy by
charging the cost to your phone bill or mobile pre-pay account
- in the UK. A current and popular example is text charity donations
or TV show voting. We have over 25 years' experience of regulating
PRS through a Code of Practice, which is approved by Ofcom.
5. Where providers transgress our Code, we have
strong enforcement powers, including the ability to issue fines
of up to £250,000 per breach. However, we take proactive
steps to prevent harm and empower consumers with targeted information
so that they and their children can use PRS with confidence and
without complaint.
GROWING THREATS TO CONSUMER FROM POTENTIALLY HARMFUL APPS
6. In recent months, PhonepayPlus has identified
and taken robust action against apps that would charge consumers
for a premium rate subscription service without their knowledge
or consent.
7. In one example, PhonepayPlus received 78 complaints
in relation to a free battery saver app that would automatically
sign up the user to a subscription-based video clip service operating
on a premium rate short code. Complainants stated that having
downloaded the "Battery Booster UK" app, they were subscribed
into a premium service charged at £4.50 per month.
8. PhonepayPlus found that the app contained
code that would access the phone's text message function once
it was installed, allowing texts to be automatically sent to a
premium rate subscription service without the knowledge or consent
of the consumer. PhonepayPlus immediately shut down the service
for breach of its Code, and following a full investigation, our
independent Tribunal imposed a fine of £135,000.
9. A full copy of the Tribunal's adjudications
in relation to apps found to charge consumers without their knowledge
or consent has been attached at Annex 1[28]
and is published on our website in accordance with our Code.
10. As part of our on-going monitoring, PhonepayPlus
has commissioned follow-up research to look into malware threats
to UK smartphone users and fraudulent use of premium rate billing.
This will help us to better gauge and understand the threats posed
to UK consumers at present and in the near future. PhonepayPlus
would be happy to make available the research to the Committee
when it is published in early 2012.
11. PhonepayPlus is also working with the Get
Safe Online initiative to increase awareness of the threats associated
with rogue apps.
THE ROLE OF REGULATION IN HELPING TO COMBAT THREATS TO CONSUMER CONFIDENCE IN DIGITAL MARKET PLACE
12. PhonepayPlus has developed and implemented
a successful regulatory framework over the past 25 years, giving
swift and effective protection for consumers, whilst allowing
the industry to innovate and grow. The scale of this achievement
can be measured by the fact that the UK enjoys the most stable
and sustained market for PRS in the world.
13. We regulate PRS against a Code of Practice
which is designed to ensure important outcomes are achieved for
consumers. It is our expectation that, in delivering these outcomes,
providers will comply with all relevant law. Whilst it is
a breach of our Code to deal with services that breach relevant
law, we recognise that, especially where the criminal law has been
breached, there is a limit to what we can do as a regulator with
civil powers, and that the law enforcement bodies are best
placed to prosecute such matters. Therefore it is integral to
any developments in this area that bodies such as the Serious
and Organised Crime Agency give sufficient priority to this growing
threat.
THE NEED FOR INDUSTRY AND CONSUMER AWARENESS
14. As a proactive regulator that aims to pre-empt
consumer harm and damage in the growing apps market, PhonepayPlus
issued a public consultation, on 26 September 2011, on proposed
guidance for app-based mobile payments. The aim of the guidance
is to intervene early to ensure that hidden threats from apps
do not have a detrimental impact on consumers, children or the
many legitimate providers of new digital services. A copy of the
consultation has been attached at Annex 2.[29]
15. Key recommendations in the proposed guidance
include that consumers' consent to charge must be clear, and a requirement
for password protection for stored applications to prevent children
purchasing digital goods without the owner's permission.
16. PhonepayPlus believes that the best and most
cost-effective way to help consumers get the most out of PRS and
prevent consumer harm is to help them help themselves. Our consumer
literacy programmes have been designed to give consumers the knowledge
they need to make informed choices about the PRS they use.
17. Drawing on research into our consumer engagement
with PRS in 2009-10, we have developed an award-winning schools
literacy programme entitled PhoneBrain to help young people understand
phone-paid services.
18. As part of the campaign, we produce and promote
to schools and youth clubs in England and Wales curriculum-friendly
lesson plans for ICT and enterprise courses at GCSE level. These
lessons draw on young people's natural enthusiasm for technology
with the option to enter a competition for developing an app that
would benefit their communities. Winners will receive an award
of up to £500 from Live UnLtd, the social enterprise charity,
to help them turn their ideas into reality.
RAPID MARKET DEVELOPMENTS
19. The rapid change in mobile technology and
the increasing adoption of smartphones, including by children,
means that more and more people are using their phones to purchase
digital content including app-based mobile payments.
20. According to the latest research published by
Get Safe Online, 17% of smartphone users now use their phone for
financial transactions, including online banking, shopping or
social networking.[30]
This form of transaction is typically and loosely defined as a
micropayment, where digital content could be purchased for a very
small sum of money.
21. At PhonepayPlus we welcome innovation and
investment in the PRS market worth in excess of £800m annually.
However, experience of regulating PRS in a fast-changing market
has taught us that innovation and technology can move faster
than most consumers - or their children's - ability to grasp the
consequences of their purchase decisions.
22. If consumers are left confused or disempowered,
this will reduce confidence in use of PRS, smartphones and micropayments
generally. Therefore, it is important to move quickly to ensure
consumers can use services with complete confidence and that markets
are not damaged by rogue providers.
23. In recent years we have seen market developments
that lead us to believe it is important for the Government to
consider whether or not we have a regulatory framework in place
that provides effective consumer protection and is ready to support
growth in new and emerging services, such as micropayments. One
recent estimate suggests global growth in micropayments from $320
billion to $680 billion by 2016.[31]
24. PhonepayPlus believes the Government's wide-scale
review of the regulatory framework supporting the UK communications
sector provides an important opportunity to look at this area
in more detail to ensure the UK can meet its ambitions to be a
global high-tech hub for growth and innovation.
PhonepayPlus
November 2011
28 Not printed.
29 Not printed.
30 Trend Micro's Threat Spotlight, August 2011, based on data collected in 2011, Get Safe Online.
31 The Advanced Payments Report 2011, Edgar, Dunn & Company, February 2011.