Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 351 - 359)

WEDNESDAY 24 JANUARY 2007

MR NICHOLAS BOHM, PROFESSOR IAN WALDEN AND MR PHIL JONES

  Q351  Chairman: Mr Bohm and Mr Jones, thank you very much for joining us today. We are going to proceed although Professor Walden is not here because there are certain questions which are more addressed to you and I think it will be more efficient that way. He is giving a lecture, evidently, and may be a bit late. You should be aware that we are being webcast and televised today. For any member of the public here, there is an information note for you, which you may have picked up already. We can start first by you introducing yourselves, if you would, and then if you wish you can make an opening statement or we will go straight into questions. Shall we start with you, Mr Bohm?

  Mr Bohm: I am Nicholas Bohm. I contributed to the submission to the Sub-Committee made by the Foundation for Information Policy Research and I am also a member of the Law Society's Electronic Law Committee. This area has been a field of interest for some years. I do not think I need to make an opening statement of any kind. I am happy to deal with questions along the lines indicated, or indeed any others.

  Mr Jones: I am Phil Jones. I am an Assistant Commissioner of the Information Commissioner's Office. The Information Commissioner is responsible for promoting and monitoring compliance with the Freedom of Information Act, the Data Protection Act, and more relevant to today's circumstances the Privacy and Electronic Communications Regulations. Again, I do not have any opening statement to make.

  Q352  Chairman: Thank you very much. Let me go into the first question. Who should most appropriately carry the risk of on-line fraud, and are statutory changes needed to achieve this?

  Mr Bohm: The basic legal position is that if fraud consists of misrepresentation—and in the on-line context normally it does—then the person who is deceived by the misrepresentation is the one who prima facie carries the loss. That position is part of the common law notion that a claimant must prove his case, so that if someone seeks to hold me to a bargain which he says I made and I say "I did not make it, it was someone pretending to be me", he has to prove it was me in order to prove his case; and if he cannot prove it was me, then he stands the resulting loss. He may have a claim against the person by whom he was deceived, but as between him and me he bears the loss and he tries to recover it somewhere else if he can. The common law position has occasionally been buttressed statutorily and the written submission refers the Sub-Committee to the Bills of Exchange Act where in the late nineteenth century the common law was codified so that a forged cheque is a nullity and there is no way the bank can debit your account with it; it lacks authority. That has not generally been codified. Where codified, it is irreversible by contract; where it is not codified, it can be reversed by contract. So you can have contracts under which, for example, a bank might seek to say, "If your password has been used in an on-line transaction, then we are authorised to debit your account whether you were the person who used it or not. So even if we were deceived by a third party, you stand the loss." That would be attempting to shift the risk by contract. The only existing defences against attempts to shift the risk by contract are the Unfair Contract Terms Act and the regulations made under the European Directive which points in the same direction. That is how one would argue if one was faced with a contract term of that kind and there had been a fraud. 
I think the common law position leaves the risk in the right place, that is to say those who deploy security systems for the purpose of checking that the customer is the one making the transaction are the ones who should stand the risk of it failing. They mostly at the moment deploy systems which are inherently weak because they are based on shared secrets. When your bank asks the caller for my mother's maiden name it is hardly a reliable method, and if the bank chooses to rely on it and it does not work it should be the bank's problem, not mine. So I think that consumers in particular probably need a bit of support in achieving the position of being free from this risk. If a bank says, "No, our system is perfect. We know it must have been you or somebody you gave the number to," consumers can have a bit of a hard time in establishing what ought to be for the bank to prove the other way. I would like to see the banking system Ombudsman, the Office of Fair Trading and anybody else concerned with unfair contract terms encouraged to take a robust line, but I think the law points in broadly the right direction as it is.

  Q353  Chairman: Thank you. Before we proceed, welcome, Professor Walden. We decided to go ahead because the early questions are more orientated towards the other two, but thank you for being here. Would you like to just introduce yourself for the record?

  Professor Walden: Yes. First, let me apologise. I had the typical problem of trying to get through security in time. My name is Professor Ian Walden. I am head of the Institute of Computer and Communications Law at Queen Mary University of London.

  Q354  Chairman: Thank you. Would you like to say anything as an opening statement, or are you happy that we proceed?

  Professor Walden: I am happy to proceed.

  Q355  Chairman: Did you have anything to add, Mr Jones?

  Mr Jones: I have nothing to add because I should point out that I am not an expert in fraud and the important point is that the rules for which our office is responsible which relate to unsolicited marketing communications relate to those as being unsolicited. Whether they are deceptive, misleading, potentially fraudulent does not really matter; it is an issue of whether they are unsolicited or not.

  Q356  Chairman: The banks are currently reimbursing people who lose money to phishing scams, for example. However, losses are currently small in the context of overall banking turnover and should losses rise significantly there is no guarantee that the banks will continue this policy. Should such reimbursement be a legal requirement, in your opinion?

  Mr Bohm: Yes, I think that it should be. I think the banks are deploying the systems and if they are not effectively and securely useable by their customers then the loss should clearly be on the banks, and I think the law should be a little more categorical in the customer's support than it is as matters stand. I think phishing is very difficult to deal with because if customers can be deceived into believing that they are dealing with a bank by someone who manages to stand in the middle between them, then whatever security mechanism is operating between the bank and the customer, they are both being deceived into passing security secrets through the middleman. But banks up to now have simply not been very good at enabling customers to be sure they are dealing with the bank and not a crook. Too many banks will still telephone a customer and then say, "But in order to discuss what I am ringing you up about, I must ask you to give me your security details," which is training the customer to give to an unknown person their security details. It is a very undesirable procedure. The better ones have a script for how to deal with a customer who raises this point and the poorer ones do not even have a script, but actually none of them should ever do it in the first place. Some banks still send out emails with clickable links in them, which is exactly the same error of training the customer to go through an insecure procedure. What the bank should be doing is helping the customers to understand how to be sure that it is the bank they are dealing with before they part with their secrets. I do not see very much sign of that at the moment. If the volume of phishing fraud rises, the incentive to get those things right needs to fall firmly on the banks and I think it is an incentives question.

  Q357  Chairman: Do you think that the services available to people who have a complaint against the bank are adequate in these cases? Are the ombudsmen, if they exist—and perhaps you could talk a bit about that—sufficiently independent of the banks?

  Mr Bohm: I think they are probably sufficiently independent, but when I last looked at a series of the Ombudsman's deliberations on the subject of what were then called "phantom withdrawals" from cash machines I had the impression that the Ombudsman's approach was not very sophisticated, not very well-informed by any expertise in security issues, and the Ombudsman therefore had not much recourse except to say that if the bank had checked everything and reported that everything appeared to be in order, he could not see that the customer could have a successful claim. So he was inclined, in other words, to rely on the banks' expertise instead of building up any independent expertise or putting the banks to any detailed proof. The last time I looked at this was a few years ago and things may have improved, so I cannot speak of the current position. I do think that it is necessary for the Ombudsman not merely to be honest, capable and independent, but actually to have some skills and resources available for testing the position when they are simply met with assertions that the bank's system has been fault-free and accordingly the fault must lie with the customer. At the moment, I fear that they are really no better than they were at resisting proof by assertion and it does not seem to me sufficient.

  Q358  Earl of Erroll: This is directed at Mr Jones, the Information Commissioner's Office, and I want to restrict the answer just to banks because there are questions about it in the wider context. Surely under one of the data protection principles the banks are required to keep their customers' data secure, so you do have an interest in there other than the unsolicited aspect of emails, or whatever?

  Mr Jones: Yes.

  Q359  Earl of Erroll: Earlier you said you did not.

  Mr Jones: Sorry. What I was trying to get at is the issue of fraud, and when we are talking about electronic communications that is under the Privacy and Electronic Communications Regulations and they really hinge on whether something is unsolicited, not whether it is unsolicited, and fraudulent, and deceptive and misleading. But you are perfectly right, under the Data Protection Act there is a clear principle in that Act that banks should keep the information secure and that is why, for example, we have initiated formal action in respect of the insecure disposal of customer documents without shredding. But it is the way the two bits of legislation fit together. I am sorry if I did not make that clear.

© Parliamentary copyright 2007