Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 360 - 379)

WEDNESDAY 24 JANUARY 2007

MR NICHOLAS BOHM, PROFESSOR IAN WALDEN AND MR PHIL JONES

  Q360  Baroness Hilton of Eggardon: If we can go on to actually buying things from shopping websites when one uses one's credit card. I have only dealt with amazon.com, but there is a whole range of them, is there not? What particular special risks do you see customers taking in that situation?

  Mr Bohm: By and large, I do not think that using your credit card or revealing the credit card number, the expiry date and the security code on the back, which is about the full range of information you are required to reveal, is a risky thing to do. You do it all the time. You do it in a shop, on the telephone, and you do it on-line. People have been made to feel nervous about it, in my view, for no terribly convincing reason. If you ask people whether they think their bank account number is a confidential piece of information, I think many would say yes, but in fact it is on every cheque they write and hand to absolutely anybody, so it does not make a lot of sense to see it as a big secret. The same is true of the credit card. I think undue anxiety has been attached to the risk from the customer's point of view. I think the risk is greatest for the merchant, because in transactions where the customer is not present the merchant has no way of checking a signature against what is on a card or any other way of verifying. If the merchant claims the money from the bank and the customer rejects the claim saying, "I never dealt with this merchant," the bank will re-charge that amount to the merchant, claim it back through the credit card system, and will usually make an administrative charge as well. So merchants have no means of protecting themselves against that risk except on a volume basis. They have to hope that it does not happen so often as to render the acceptance of credit cards on-line uneconomic. There are systems deployed now under which the merchants should be able to get greater assurance from the banks, which are gradually being rolled out, but from the credit card user's point of view the risk seems to me to be extremely small.

  Q361  Baroness Hilton of Eggardon: Does the same level of risk apply in Europe and the United States or would you see all the websites as being equally secure in that respect?

  Mr Bohm: It is not that the websites are equally secure, it is that the disclosure of the information is fundamentally harmless to the consumer, and therefore I think it makes no difference where. It has to be said that if crooks light upon your credit card details to use fraudulently rather than somebody else's, you could be the one put to the trouble of rejecting the transactions. You are, to some extent, in the hands of the quality of your credit card issuer and if you have a low cost, cheap credit card issuer who does not care very much, you may struggle to persuade them and compel them to initiate a charge back and re-credit your account and any charges they have made. So you can be put to varying degrees of trouble when your credit card details are used for fraud. In the extreme case, if your credit card issuer refused to credit your account when you are entitled to have it credited you are left with initiating legal proceedings or resisting its legal proceedings against you to recover the money. That is not a happy position, so I am not saying it is a neutral effect, but the risks are exactly the same if you use your credit card in a shop which handles your information insecurely. So it is not particularly attributable to on-line use. We are all of us potentially liable to being impersonated by crooks and having some degree of trouble getting it accepted that it was not us, it was a crook. To some extent the fact that banks and financial institutions have taken up the practice of accepting electricity bills as capable of identifying people exposes them to the additional risk. Once upon a time, I do not think it would have occurred to them to do that so it is, funnily enough, the increased emphasis on identifying pieces of paper of this kind which are in fact rather easily forged or stolen which has actually exposed people to more risk, probably, than they used to be facing.

  Q362  Lord Patel: I have a key related question, but in some US states there are laws relating to security breach notification laws where the businesses which lose personal data have to inform the individuals affected and maybe even widely inform the public. Should we not have such laws?

  Mr Bohm: I am strongly in favour of extending breach notification and it is a principle which possibly has even wider benefits. There are two significant benefits to breach notification and they are different from each other. One is that the incentive on breach notifiers to avoid the breaches is increased, so it operates as a form of penalty, and that seems to me a desirable phenomenon. It increases the cost, the burden, the embarrassment. One hopes that it will therefore decrease the incidence, and that is distinctly desirable. It is a very effective way of doing it. It is self-policing largely. There is a second benefit, and that is to those whose data has been lost. They are better informed if they are later impersonated about how this might have come about. So somebody who says to his credit card issuer, for example, "I didn't do that transaction," and is faced with a recalcitrant issuer who says, "Well, how could that be?" has a ready answer, "I was notified on this, that and the other date that my data was part of a batch which was lost by this or that institution." So it could very easily be, and that is particularly important in a case where, for example, there might have been a loss of data consisting of credit card personal identification numbers. So if somebody becomes aware that a cash machine has had a skimmer attached, in that case it is exceedingly valuable to all the customers whose cards have passed through that machine to know that there has been a compromise which might explain the fact that they have been defrauded, so that they have a response to a bank which says, "How could this be if you didn't do it?" So I think there are two distinct and considerable benefits and I would be strongly in favour of our taking that up, and indeed arguing that it ought to be extended across Europe.

  Q363  Lord Patel: Have there been any prosecutions under the existing laws in the UK of merchants who have lost data because their computer has been hacked?

  Mr Bohm: I am not aware of them. It is Mr Jones's territory as much as mine. I do not know whether he is.

  Mr Jones: I am certainly not aware of any prosecutions and the important point to make is that, of itself, however serious that security breach was, it would not be a criminal offence, so they do not hold themselves open to prosecution at that stage. It would only occur under existing data protection legislation when they were already subject to a formal notice requiring them to take additional steps, but just to follow on from the previous point, we are certainly not opposed in principle to the idea of breach notification. We do think it is quite important that thought would have to be given to getting the thresholds right. We fully understand the name and shame element. Where I think we have some concerns is, what do you tell individuals they can do to mitigate the risk? If it is a very serious case where numbers have been lost, I understand that what banks will traditionally do is actually withdraw those cards and re-issue. So we think there are some detailed points to address about what constitutes a significant enough security breach to inform the public and then what do you tell them that enables them to do something useful about it?

  Q364  Lord Patel: So there is no offence even if a merchant has had his computers hacked and data is lost of a customer but he does not inform the customer?

  Mr Jones: No, there is not, and the merchant does not commit an offence.

  Q365  Lord Patel: As a Commissioner, do you have any powers through the Data Protection Act to act in response to breaches?

  Mr Jones: As I say, what we do have is the power to issue a formal enforcement notice, which puts an organisation on notice to amend their practices. If they are actually in breach of the notice, at that stage it is a criminal offence but not before.

  Q366  Earl of Erroll: If it is not hacking but an employee takes the data and sells it, does that make it a criminal offence?

  Mr Jones: It may well make it a section 55 offence, but the interesting thing about that is that it is an offence which the data controller cannot himself commit. One of the employees can commit it by selling information, giving it to a friend, a colleague, and somebody can commit that offence by inveigling it out of the data controller, but however irresponsibly the data controller behaves he does not commit an offence.

  Q367  Earl of Erroll: As this data should be kept in an encrypted form in the modern day and world on these databases, why do you not just pre-emptively issue your notifications to those companies which are not encrypting such sensitive data, and then you could act against them if they were in breach?

  Mr Jones: Certainly we have not thought of that. I suspect it would be fairly hard to identify the large number of companies involved, but I think it is something which has not occurred to us.

  Earl of Erroll: Pick some large ones.

  Q368  Lord Harris of Haringey: Do we need special laws for e-crime, or is the current statute framework satisfactory? Perhaps you could also answer whether there are any gaps in the current statutory framework for e-crime?

  Mr Bohm: I am not conscious of significant legal gaps. You may say that the one you have just identified and pointed to is a gap and you may say that the obligations of those who control sensitive information should be subject to more stringent controls, but if we look at the general field of crime and say, "Are things happening on-line which aren't crimes there but ought to be and would be elsewhere?" I think the answer is, "Not particularly." There was for a long time felt to be an inadequacy in the Computer Misuse Act, which has now been remedied. I think that there are problems in the field, but I would have said that they were problems which go more to the effectiveness of criminal investigation, sometimes perhaps the effectiveness of judicial understanding of the issues, and to trial and process management. So it is always easy to say more resources would be helpful, but ensuring that the police have the intellectual infrastructure to deal with crimes involving electronics and computers, and that the courts can readily grasp what they are about will, I suspect, do more to put wrongs right than tinkering with the legal framework at its base.

  Professor Walden: I think there are two separate situations. One, does the existing criminal code cope with crime in cyberspace? The answer to that is, generally yes, but examples are found where that is not the case. The Fraud Act 2006 in part addressed a problem in an Internet environment, the fact that you could not deceive a machine, and therefore giving credit card details to a website and obtaining a service dishonestly was not considered to be a criminal offence of fraud until the recent amendments to the fraud rules. Likewise, in the area of child abuse images we have required amendments to existing law to cope with the new technology. On the other hand, you do have new activity such as denial of service attacks, where existing legislation requires supplementation, and that is what the Computer Misuse Act attempted to do and the latest reform is designed to address flaws or lacunae which have been identified in that computer specific context.

  Q369  Lord Harris of Haringey: So essentially you are all saying, "It's absolutely fine and dandy. We don't need new laws to deal with e-crime because it's just a new manifestation of that"? I think in fact the SCL evidence talks about it being "a modern tool for those intent on committing established offences," but the consequence of that is that there is no data or no reliable data on the incidence of e-crime, there are no policing targets and actually there are few incentives, as a consequence, for the police to pursue this and to build up their capacity to combat it. Can I ask whether there are, in your view, any legal options short of creating a whole new category of e-crime which would enable us to distinguish between e-crime, say fraud using the Internet or similar offences which use more traditional means? Would there be a way of differentiating it short of creating a whole new category of offences?

  Professor Walden: Currently the way crime is recorded in the UK does create a problem for fraud in particular. I think it would be fair to say that the vast majority of fraud committed today involves computers because the vast majority is accounting data, and data which gives rise to financial gains and loss is processed by computers. So I do not think, in that respect, there is necessarily need to distinguish where the tool differs from being a computer or being some other particular technique. Clearly, the question of reporting was addressed by the previous question in part because if businesses were required to notify of a breach that would, perhaps, incentivise. We would get better crime reporting. One of the problems we have today is that at a commercial level the criminal justice system does not serve businesses well and they have no incentive to report certainly medium-scale fraud committed against them. From an individual perspective it is very difficult for consumers to know who to report to. If I suffer a fraud on Amazon and I went to my local police station, I think they would be quite nonplussed as to what to do.

  Mr Bohm: I think you would create a difficulty in any case if what is already criminal is made criminal a second time in a new way, because you have got no way of knowing that prosecutors will charge it in the electronic form rather than the other if it is the same crime either way, so you will not necessarily improve the statistics. It is essentially an administrative problem, can the operations of the police be organised so that they discriminate effectively, and it is probably not helpfully addressed by creating a new layer of crime which they may or may not know how to use in the way you are hoping they would.

  Q370  Earl of Erroll: So is the problem actually a lack of training and resource in the Police Force, so that the moment it appears to have an electronic or Internet facet to it they do not feel that they have the capability to pursue it or track down the offenders and prosecute them?

  Professor Walden: I think it is in part a question of resource, but it is also in part a question of scale. The Internet allows the volume of crime, industrial crime, which we have not seen in a traditional environment and that in itself creates an insoluble resource problem. However much more money we put into the police, the fact that Operation Ore showed that we can suddenly have 7,000 potential suspects landing on the doorstep of the police is a difficult one to solve.

  Q371  Earl of Erroll: But surely the problem, if you take what people have referred to, the Amazon or the eBay fraud, is that they are frauds where someone is either selling stolen goods or someone is paying for some goods and then getting some cash back off the person, without going into the detail of it? Those are frauds being perpetrated by people inside Britain, identifiable, pursuable, and they are probably doing it frequently enough to get quite large sums of money, so they would be worth pursuing. Any one incident may be trivial, but the person behind it is not trivial and if a burglar commits more than one burglary, we still pursue them and try to lock them up even if each burglary has been small.

  Professor Walden: In part that is a question of the structure of the current Police Force in the United Kingdom. We have the local Police Forces in the 43 areas and then we have some national agencies such as the Serious and Organised Crime Agency. With these inter-regional crimes which may occur, perhaps, across the south of England, I think it has been well documented that this is a gap currently in our policing structure and the disappearance of the National High-Tech Crime Unit has led to the perception that that level two regional crime may not be properly served. There is an article in The Independent today from the Metropolitan Police Service calling for a new way of addressing e-crime at a regional level.

  Q372  Chairman: Do you see this as an important issue? The very fact that you cannot distinguish these crimes from other crimes leaves us without targets for the police or reliable data.

  Professor Walden: I think we do have a problem with data collection, but I think we have to recognise there are things we can know and things we cannot know. I think we need to establish reporting structures which are somewhat separate from the law enforcement agencies, and we see that emerging. We are seeing the establishment of an identity theft reporting mechanism. Within the area of child abuse images the Internet Watch Foundation provides a reporting mechanism. I think those sorts of bodies, which are independent from the police, will hopefully generate better statistics than can be expected from a traditional mechanism through the reporting to your local policeman about things which you have suffered, because evidence showed that in most cases if you suffer a virus you will go to your local PC World and tell them, as you are trying to get it mended, that you have suffered such a problem.

  Q373  Lord Harris of Haringey: Can I just pursue this a little, because we heard evidence quite separately about bullying through the Internet and the fact that what distinguished it was the fact that this was within people's own homes and that it therefore was different in nature from traditional forms of bullying between children. Essentially this is fraud committed, if you like, in the privacy of people's own homes because it is being conducted over the Internet. Does that not place it in a different category in terms of the way in which it impacts upon people? We draw a distinction between a theft which is committed following somebody breaking and entering premises and theft which takes place in the open. Is there not an argument for distinguishing between fraud or theft which takes place through the Internet because of that personalised nature of the crime?

  Professor Walden: Yes, I think that argument can be made. The way in which we record statistics is different, clearly, from the way in which we categorise crime and I do not think we would benefit by proliferating new types of offences designed to capture traditional crimes committed within a new environment. There certainly may be, and probably would be, a policy benefit from recording the fact that these crimes are committed in different ways, but I do not think it requires new offences, it just requires new reporting mechanisms.

  Q374  Lord Harris of Haringey: But the nature of the offence is not different because it is committed in a way which people regard as personal, as part of their private world, part of something where they like to think they are secure because it is in their own home?

  Professor Walden: I personally think not.

  Q375  Baroness Sharp of Guildford: Moving from reporting to pursuing criminal charges, in the memorandum from the Society for Computers and Law you claimed that there may be a reluctance within the Crown Prosecution Service to pursue criminal charges where the only charges available are those under the Computer Misuse Act 1990 or the Data Protection Act 1998 for computer-related crime. What sort of evidence have you got to support this and what types of offence are most affected?

  Professor Walden: I think part of the problem is that historically the offences did not necessarily attract a particularly high tariff so that, for example, the offence of unauthorised access gave rise to a maximum penalty of six months' imprisonment. In terms of evidence, I have been involved for the past five years in training Crown Prosecution Service personnel to specialise in high-tech crime prosecutions, so the evidence which I put to the SCL and which was incorporated in this paper was from that training exercise where we have trained over 150 CPS prosecutors in high-tech crime. The constant feedback was, "Well, there's uncertainty about the application of the law in the area of computer misuse, the history of the Act. We've had continual bad judgments, bad case law, which may have been corrected but we have problems in explaining the technology to jurors and explaining the technology to judges." In the majority of circumstances we are talking about a computer being used as a tool to commit a traditional offence, so let us use the traditional offence and ignore the legislation which really addresses the tool, which is the Computer Misuse Act.

  Q376  Baroness Sharp of Guildford: The evidence you have got from this really stems very largely from your work training with the CPS?

  Professor Walden: With the Crown Prosecution Service, yes. It is a concern that prosecuting under the Computer Misuse Act is more likely to give rise to problems than using traditional offences.

  Q377  Lord Sutherland of Houndwood: This is a question for the Information Commission but it starts with evidence from SCL in fact, who have told us that they are not aware that there has been any enforcement by the Information Commissioner, whether at the request of Ofcom or anyone else, of Internet providers taking appropriate action under the specified regulations. I do not know whether they are simply not fully informed, whether there have been enforcements, but what are your comments on this?

  Mr Jones: No, they are perfectly well-informed. There has not been any such action. What I would stress here is that the way the Privacy and Electronic Communications Regulations work is heavily towards people reporting things to us which appear to be breaches and then asking us whether we will take action. The reality is that the action we have taken over these regulations has reflected those areas which we have had large numbers of complaints about, and they have actually been to do with telesales and faxes, not so much with emails and not to my knowledge much at all relating to ISP security.

  Q378  Lord Sutherland of Houndwood: Is this because you are not being notified or not being made aware of such offences, or because they are not considered to be important?

  Mr Jones: No, it is not that we would not consider them important if we had evidence of them. What I am saying is that we have not had evidence of them. I entirely accept that that does not mean to say that there are not weaknesses there, I am just saying that they have not been drawn to our attention.

  Q379  Lord Sutherland of Houndwood: SCL imply that they are not completely satisfied with this and they would like to see Ofcom involved in the enforcement of regulations. There is a question of whether they have the powers to do so, but if they were to be involved would there be advantages, disadvantages, if I could ask both of you that?

  Mr Jones: The way the mechanism is set up at the moment is that because of the way Ofcom works and because it has a wider staffing than we do and has a technical expertise in certain areas that we do not, if it brings to our attention what it sees as significant failings then we can actually take enforcement action on the basis of that. We are perfectly happy to do so, it is just that it has not happened yet.

  Professor Walden: I think the idea put by SCL is that essentially Ofcom is the better resourced and more experienced regulator in respect of the industry and therefore, in part to help the Information Commissioner's Office, Ofcom will be well-placed to address these issues.

© Parliamentary copyright 2007