Home Affairs CommitteeJoint written evidence submitted by the National Trading Standards Board, the National Trading Standards eCrime Centre, the Association of Chief Trading Standards Officers and the Trading Standards Institute [EC 12]
This response has been submitted to the Home Affairs Committee eCrime Inquiry by the National Trading Standards Board (NTSB), the National Trading Standards eCrime Centre (NTSeCC), the Association of Chief Trading Standards Officers (ACTSO) and the Trading Standards Institute (TSI) and was produced by Mike Andrews (NTSeCC) and Paul Thompson (Warrington & Halton Trading Standards).
Introduction
1. Local Authority Trading Standards Services (LATSS) enforce a wide range of consumer protection legislation across the UK. In the past this has been focussed on the traditional “high street” where a physical premise could be visited and problems could be addressed in a much more tangible way. However, the internet has brought a whole new market place to consumers in the UK which has led to Trading Standards having to adopt new and innovative approaches to ensuring adequate protection for consumers carrying out their transactions online. As more and more consumers and businesses now routinely use technology (be that internet, e-mail or mobile/smart phones), Trading Standards faces further challenges in ensuring internet scams are properly tackled.
2. Trading Standards has a vital role to play in an overall strategy of e-crime enforcement. The security and integrity of the internet is key to the future economic success of the UK. Consumers need to feel they are adequately protected when carrying out their business online and equally, businesses need to be confident that rogue traders operating online are robustly tackled. Trading Standards takes the leading role in ensuring both these priorities are met and welcomes the opportunity to submit written evidence in relation to this inquiry.
What e-crime is understood to be and how this affects crime recording
3. The terms e-crime and cyber crime are often used interchangeably but are, broadly speaking, one and the same. The ACPO definition of e-crime is; “The use of networked computers or internet technology to commit or facilitate the commission of crime”. This is a perfectly reasonable definition but can cover a wide range of offending and there is often a lack of clarity as to the types of criminality that fall within that definition. Indeed, there is (in law) no such crime as an “e-crime”. This in itself can lead to problems in the effective reporting and recording of e-crime, as outlined later in this section.
4. The UK Cyber Security Strategy and previous discussions on the subject of e-crime have tended to focus, quite reasonably, on the higher level criminality such as hacking, Distributed Denial of Service (DDoS) attacks, cyber terrorism and large scale data/identity theft. However, in relation to consumer and business impact, there are a number of areas that whilst individually may be perceived as low level criminality, they can often have a disproportionate effect on the individuals concerned. These are often crimes that are not specifically dependant on technology to facilitate the crime, as would be the case for DDoS for example. However, the proliferation of technology has made the commission of the offences far easier and allowed the offenders to target a much wider audience than they would previously been able to using “traditional” methods. For example, the sale of counterfeit goods or websites set up to encourage consumers (and businesses) to part with their money without the product or service ultimately being provided. In terms of the National Intelligence Model (NIM) much of this would appear at first glance to be Level 1 criminality. However, when the scale of offending is assessed it can quite often become apparent that this in fact Level 2 (and in some cases Level 3) criminality.
5. In relation to the recording of e-crime, in practice the ACPO definition and most other definitions fail to provide for the successful recording of all instances of e-crime. This is primarily because the e-crime element is often a sub-element of the actual mischief of the crime. For example, a trader using a website to commit some sort of advance fee fraud might be classified as a fraud offence, when the principal mechanism to facilitate the crime is the internet. Furthermore, there is a proliferation of mechanisms by which consumers and businesses can report/record instances of e-crime. This in itself leads to an inaccurate picture as to the true scale of e-crime (see paragraph 16).
The extent and nature of the threats on which e-crime policy is based and how well they are understood by policy makers
6. Broadly speaking, Central Government would appear to have a good understanding of the higher level threats posed by e-crime. However, there is probably less of an understanding of the threats posed directly to consumers and businesses when going about their normal day to day business, for example; websites offering fake job opportunities, companies offering to provide a service with up front fees that then fail to deliver the service (advance fee fraud) and websites selling counterfeit, dangerous and/or illicit products. The Federation of Small Businesses believes e-crime is having a serious detrimental impact on their economic success.
7. The creation of the National Trading Standards eCrime Centre (NTSeCC) (see paragraph 15) has gone some way to begin to address this issue. However, there still remains a lack of recognition amongst policy makers as to how that may fit within an overall approach to tackling e-crime. The priority thus far, as one would expect, has been tackling the high level threats to national security. From a local policing perspective, the policy has tended towards tackling the spread of child pornography. As a consequence, the very real threat from general scams that are targeted at UK consumers has tended to be poorly understood. Anecdotal evidence suggests that, what appears to be relatively low-level criminality can have a disproportionate impact on those individuals affected. To someone on a relatively low income, losing £100 through some form of internet scam could be extremely detrimental to their well-being. As an economy we are increasingly reliant on e-commerce so policy makers need to fully understand the impact of this type of criminality and the detrimental effect it has in creating a trusted online environment.
8. As outlined above, policies are often considered and devised based upon serious and organised criminality (eg Home Office Guidance and Implementation of RIPA Notice for use with Facebook, Charles Miller April 2010—which focused primarily on SOCA/Police access to Facebook). Much more detailed consideration needs to be given to the impact e-crime has at Level 1, particularly from a Trading Standards perspective as this often forms part of much wider Level 2 and Level 3 criminality. If one considers the Home Office guidance referred to above, the process was considered and is only relevant for SOCA/Police, as a result the disclosure process can only be accessed by SOCA/Police Single Points of Contact (SPoC). Even then the disclosure process does not go far enough to assist with localised law enforcement issues faced by Trading Standards.
9. Purely from a Trading Standards view point current legislation in relation to e-crime is often a case of applying square pegs to round holes. For example, obtaining disclosure from a hosting company should ordinarily be a straight forward Data Protection Act request. However, quite frequently hosting companies will refuse on the grounds the information is telecommunications data. Another example would include obtaining disclosure from social networking sites, for example Facebook, as referred to previously. The inability of regional law enforcement officers to obtain data pertinent to a Facebook account, whereby the account holder involved in criminality has closed privacy settings, is in effect giving the criminal fraternity an open passport to trade illegally.
10. These examples highlight the gaps between policy makers and law enforcement agencies which have a duty to enforce e-crime at Level 1. Unfortunately, the difficulties posed by these gaps often result in little or no action being taken to identify and apprehend individuals involved in e-crime, let alone anyone connected to organised gangs. Furthermore, this fundamental lack of enforcement ability at Level 1 fails to provide the information necessary to deliver the intelligence building blocks which are required to carry out successful enforcement at Level 2 and Level 3.
The effectiveness of current law enforcement and legislative capabilities, including local and regional capabilities and the potential impacts of proposed organisational change
11. Recent organisational changes would appear to have been successful in having an impact in tackling the serious, national e-crime threats that we are faced with. The creation of PCeU, SOCA Cyber and others is certainly a step in the right direction. Clearly, it remains to be seen what impact the creation of the National Crime Agency (and in turn the National Cyber Crime Unit) will have in tackling e-crime.
12. In respect of Trading Standards, changes to consumer protection enforcement that have led to the creation of NTSeCC are a welcome move in recognising the importance of tackling all forms of e-crime and not just those at a high or serious organised crime level. However, there still remain some fundamental issues which need to be tackled:
(a)
(b)
(c)
13. With reference to resources and training, NTSeCC is about the undertake a programme of work to ensure Trading Standards enforcement staff are suitably trained to carry out e-crime investigations at a local level. This will include improving their knowledge of open source research, online investigation techniques and the capture of digital evidence. Allied to that is a programme of equipment procurement to ensure local staff have the correct tools (both software and hardware) to help them further their investigations.
Whether there are any gaps in the response to e-crime and, if so, how they should be addressed
14. The Consumer Landscape Review, commissioned by the Government in 2011, set out a vision to, amongst other things, improve and simplify the way in which consumer protection legislation was enforced locally, regionally and nationally. Traditionally, the majority of this work was split between the Office of Fair Trading (OFT) and individual LATSS. With the differing remits (and geographical boundaries) of the two bodies, this often led to “enforcement gaps”, particularly when dealing with cross-region and national issues. In recognition of this, the National Trading Standards Board (NTSB) was formed to oversee the transition of responsibilities from the OFT to LATSS, with particular emphasis on putting in place an infrastructure to tackle cross-region and national issues and/or cases of a particularly complex nature (Level 2 and Level 3 criminality).
15. As part of this process, the provision of e-crime enforcement in relation to scams and rip-offs directed at consumers and businesses was indentified as a key priority. Whilst there are a number of officers in individual LATSS who take an active role in e-crime enforcement, there was no coherent approach to tackle a problem which, by its very nature, is a cross-region issue. It was also recognised that e-crime enforcement is a specialised area, requiring specific expertise and skills. Furthermore, for reasons already identified, this area of e-crime has not always been seen as a priority by other enforcement agencies. As a result, the new NTSeCC has been formed to tackle the problem of internet scams directed at consumers and businesses.
16. Consumers and business are faced with a bewildering array of options when reporting e-crime. The local police force, LATSS, Citizens Advice, Crimestoppers and Action Fraud are just some of the reporting mechanisms available. As a result, it is sometimes difficult to build up a complete and accurate picture of the current and emerging threats faced. NTSeCC has recognised this as a key issue and therefore the collection and analysis of intelligence in relation to e-crime is core to its business. This will allow us to monitor current and future trends so we can direct our limited resources in a way that is likely to have the most impact. However, it is felt that greater clarity needs to be provided as to where to report instances of e-crime. If this is through a central point (for example Action Fraud) then this needs to be backed up by clear, simple processes that allow for the rapid dissemination of reports to the appropriate agencies for action (ie NTSeCC, LATSS etc).
Options for addressing key emerging issues that will affect the public such as liability over personal computer security, personal data held by social networking sites and its vulnerability to criminal use
17. NTSeCC is currently undertaking a National Strategic Assessment with a view to identifying emerging threats faced by consumers that are specific to areas that Trading Standards has a duty to enforce. However, as part of the wider Trading Standards role, we have a duty in terms of safeguarding vulnerable people. In line with this, Trading Standards would look to support any activities through its links with Citizens Advice and their wider Consumer Empowerment Projects.
The effectiveness of current initiatives to promote awareness of using the internet safely and the implications of peoples’ online behaviours for related public policy
18. There are a number of initiatives aimed at raising awareness such as Know The Net, Get Safe Online and Action Fraud. Whilst these are worthy attempts to give the public a greater awareness, there doesn’t seem to be a coherent response to tackling this issue. Frequently consumers and businesses put themselves in positions whereby they are easy prey for online criminals. This is often as a result of being poorly educated in the potential dangers of the internet and being unaware of the personal and financial risks they undertake whilst using the internet/computers.
19. One could question whether this should be the sole responsibility of Government or whether the industry (ISPs, search engines etc) should take on a more pro-active role in educating their customers to some of the pitfalls of using and trading on the internet. Whilst we recognise that steps are already being taken by some parts of the industry, there are elements that seem to “turn a blind eye” to both their moral (and in some cases legal) responsibilities.
November 2012