Malware and cyber crime - Science and Technology Committee

Written evidence submitted by PhonepayPlus (Malware 20)


1.  PhonepayPlus, the UK regulator of premium rate services (PRS), welcomes the opportunity to provide written evidence to the Science and Technology Select Committee for its inquiry into malware and cyber-crime.

2.  In our submission, we wish to highlight to the Committee the following:

—  Growing threats to consumers from potentially harmful apps - we are aware of growing risks from rogue apps (software applications for smartphones). This potential consumer harm spans a spectrum, from technically defined "malware" (such as Trojans) to misleading downloadable software that can significantly harm consumers. In recent months, PhonepayPlus has identified through proactive monitoring and consumer complaints apps that charged customers for a premium rate subscription service without their knowledge or consent. We have taken robust action within our regulatory remit against the providers of these apps, shutting down the services and fining substantially.

—  The role of regulation in helping to combat threats to consumer confidence in the digital market place - PhonepayPlus is the UK regulator of PRS. PRS (sometimes called phone-paid services) share in common a micropayment mechanism that allows consumers to pay for content or services by an additional charge to their phone-bill or pay-as-you-go account. PhonepayPlus' Code of Practice defines important outcomes that providers must achieve for consumers. In the cases where we identified apps that were charging without consumers' consent, we used our full enforcement powers to quickly stop consumer harm, immediately shutting off the service. Following a thorough investigation, the independent Tribunal substantially fined the providers. However, PhonepayPlus is a civil regulator and as such our powers are limited. For example, where criminal activity is involved in malware on smartphones, law enforcement bodies need to pursue and prosecute such matters as appropriate. It is integral to any developments in this area that bodies such as the Serious and Organised Crime Agency give sufficient priority to this growing threat.

—  The need for consumer and industry awareness - as a proactive, collaborative regulator, PhonepayPlus aims to pre-empt problems that harm consumer confidence and damage the market before they occur. We believe that it is essential that these new threats in the digital sphere are brought to the attention of both consumers and the industry we regulate. With this in mind we have developed an award-winning consumer literacy campaign to help consumers, in particular young people, understand PRS and the costs involved with services such as apps. We have also issued a consultation with the PRS and digital industries around the issue of in-app billing in which we clearly define the need for clear consumer consent to be billed. The consultation also includes a range of other measures designed to protect consumers and ensure confidence in the digital market.

—  Rapid market developments - the rapid change in mobile technology, and the increasing adoption of smartphones, means that more and more people, including children, are using their mobile phones to purchase digital content. We believe that it is essential that the Government understands the potential risks to consumers in the fast-moving digital, micropayment market, and that there is cross-agency working to help reduce these risks.

3.  PhonepayPlus is doing further research on potentially harmful apps and malware on smartphones and will keep the Committee informed of this work in due course.


4.  PhonepayPlus is the independent, industry-funded regulator of PRS - the goods and services that you can buy by charging the cost to your phone bill or mobile pre-pay account - in the UK. Current and popular examples are text charity donations and TV show voting. We have over 25 years' experience of regulating PRS through a Code of Practice, which is approved by Ofcom.

5.  Where providers transgress our Code, we have strong enforcement powers, including the ability to issue fines of up to £250,000 per breach. However, we take proactive steps to prevent harm and empower consumers with targeted information so that they and their children can use PRS with confidence and without complaint.


6.  In recent months, PhonepayPlus has identified and taken robust action against apps that would charge consumers for a premium rate subscription service without their knowledge or consent.

7.  In one example, PhonepayPlus received 78 complaints in relation to a free battery saver app that would automatically sign up the user to a subscription-based video clip service operating on a premium rate short code. Complainants stated that having downloaded the "Battery Booster UK" app, they were subscribed into a premium service charged at £4.50 per month.

8.  PhonepayPlus found that the app contained code that would access the phone's text message function once it was installed, allowing texts to be automatically sent to a premium rate subscription service without the knowledge or consent of the consumer. PhonepayPlus immediately shut down the service for breach of its Code, and following a full investigation, our independent Tribunal imposed a fine of £135,000.

9.  A full copy of the Tribunal's adjudications in relation to apps found to charge consumers without their knowledge or consent has been attached at Annex 1[28] and is published on our website in accordance with our Code.

10.  As part of our on-going monitoring, PhonepayPlus has commissioned follow-up research to look into malware threats to UK smartphone users and fraudulent use of premium rate billing. This will help us to better gauge and understand the threats posed to UK consumers at present and in the near future. PhonepayPlus would be happy to make the research available to the Committee when it is published in early 2012.

11.  PhonepayPlus is also working with the Get Safe Online initiative to increase awareness of the threats associated with rogue apps.


12.  PhonepayPlus has developed and implemented a successful regulatory framework over the past 25 years, giving swift and effective protection for consumers, whilst allowing the industry to innovate and grow. The scale of this achievement can be measured by the fact that the UK enjoys the most stable and sustained market for PRS in the world.

13.  We regulate PRS against a Code of Practice which is designed to ensure important outcomes are achieved for consumers. It is our expectation that, in delivering these outcomes, providers will comply with all relevant law. Whilst it is a breach of our Code to deal with services that breach relevant law, we recognise that, especially where the criminal law has been breached, there is a limit to what we can do as a regulator with civil powers, and that the law enforcement bodies are best placed to prosecute such matters. Therefore it is integral to any developments in this area that bodies such as the Serious and Organised Crime Agency give sufficient priority to this growing threat.


14.  As a proactive regulator that aims to pre-empt consumer harm and damage in the growing apps market, PhonepayPlus issued a public consultation, on 26 September 2011, on proposed guidance for app-based mobile payments. The aim of the guidance is to intervene early to ensure that hidden threats from apps do not have a detrimental impact on consumers, children or the many legitimate providers of new digital services. A copy of the consultation has been attached at Annex 2.[29]

15.  Key recommendations in the proposed guidance include that consumers' consent to charge must be clear, and a requirement for password protection for stored applications to prevent children purchasing digital goods without the owner's permission.

16.  PhonepayPlus believes that the best and most cost-effective way to help consumers get the most out of PRS and prevent consumer harm is to help them help themselves. Our consumer literacy programmes have been designed to give consumers the knowledge they need to make informed choices about the PRS they use.

17.  Drawing on research into our consumer engagement with PRS in 2009-10, we have developed an award-winning schools literacy programme entitled PhoneBrain to help young people understand phone-paid services.

18.  As part of the campaign, we produce and promote to schools and youth clubs in England and Wales curriculum-friendly lesson plans for ICT and enterprise courses at GCSE level. These lessons draw on young people's natural enthusiasm for technology with the option to enter a competition for developing an app that would benefit their communities. Winners will receive an award of up to £500 from Live UnLtd, the social enterprise charity, to help them turn their ideas into reality.


19.  The rapid change in mobile technology and the increasing adoption of smartphones, including by children, means that more and more people are using their phones to purchase digital content including app-based mobile payments.

20.  According to the latest research published by Get Safe Online, 17% of smartphone users now use their phone for financial transactions, including online banking, shopping or social networking.[30] This form of transaction is typically and loosely defined as a micropayment, where digital content could be purchased for a very small sum of money.

21.  At PhonepayPlus we welcome innovation and investment in the PRS market worth in excess of £800m annually. However, experience of regulating PRS in a fast-changing market has taught us that innovation and technology can move faster than most consumers' - or their children's - ability to grasp the consequences of their purchase decisions.

22.  If consumers are left confused or disempowered, this will reduce confidence in use of PRS, smartphones and micropayments generally. Therefore, it is important to move quickly to ensure consumers can use services with complete confidence and that markets are not damaged by rogue providers.

23.  In recent years we have seen market developments that lead us to believe it is important for the Government to consider whether or not we have a regulatory framework in place that provides effective consumer protection and is ready to support growth in new and emerging services, such as micropayments. One recent estimate suggests global growth in micropayments from $320 billion to $680 billion by 2016.[31]

24.  PhonepayPlus believes the Government's wide-scale review of the regulatory framework supporting the UK communications sector provides an important opportunity to look at this area in more detail to ensure the UK can meet its ambitions to be a global high-tech hub for growth and innovation.


November 2011

28   Not printed.

29   Not printed.

30   Trend Micro's Threat Spotlight, August 2011, based on data collected in 2011, Get Safe Online.

31   The Advanced Payments Report 2011, Edgar, Dunn & Company, February 2011.


© Parliamentary copyright 2012
Prepared 2 February 2012