Examination of Witnesses (Questions 360 - 379)
WEDNESDAY 24 JANUARY 2007
MR NICHOLAS BOHM, PROFESSOR IAN WALDEN AND MR PHIL JONES
Q360 Baroness Hilton of Eggardon:
If we can go on to actually buying things from shopping websites
when one uses one's credit card. I have only dealt with amazon.com,
but there is a whole range of them, is there not? What particular
special risks do you see customers taking in that situation?
Mr Bohm: By and large, I do not think that using
your credit card or revealing the credit card number, the expiry
date and the security code on the back, which is about the full
range of information you are required to reveal, is a risky thing
to do. You do it all the time. You do it in a shop, on the telephone,
and you do it on-line. People have been made to feel nervous about
it, in my view, for no terribly convincing reason. If you ask
people whether they think their bank account number is a confidential
piece of information, I think many would say yes, but in fact
it is on every cheque they write and hand to absolutely anybody,
so it does not make a lot of sense to see it as a big secret.
The same is true of the credit card. I think undue anxiety has
been attached to the risk from the customer's point of view. I
think the risk is greatest for the merchant, because in transactions
where the customer is not present the merchant has no way of checking
a signature against what is on a card or any other way of verifying.
If the merchant claims the money from the bank and the customer
rejects the claim saying, "I never dealt with this merchant,"
the bank will re-charge that amount to the merchant, claim it
back through the credit card system, and will usually make an
administrative charge as well. So merchants have no means of protecting
themselves against that risk except on a volume basis. They have
to hope that it does not happen so often as to render the acceptance
of credit cards on-line uneconomic. There are systems deployed
now under which the merchants should be able to get greater assurance
from the banks, which are gradually being rolled out, but from
the credit card user's point of view the risk seems to me to be
extremely small.
Q361 Baroness Hilton of Eggardon:
Does the same level of risk apply in Europe and the United States
or would you see all the websites as being equally secure in that
respect?
Mr Bohm: It is not that the websites are equally
secure, it is that the disclosure of the information is fundamentally
harmless to the consumer, and therefore I think it makes no difference
where. It has to be said that if crooks light upon your credit
card details to use fraudulently rather than somebody else's,
you could be the one put to the trouble of rejecting the transactions.
You are, to some extent, in the hands of the quality of your credit
card issuer and if you have a low cost, cheap credit card issuer
who does not care very much, you may struggle to persuade them
and compel them to initiate a charge back and re-credit your account
and any charges they have made. So you can be put to varying degrees
of trouble when your credit card details are used for fraud. In
the extreme case, if your credit card issuer refused to credit
your account when you are entitled to have it credited you are
left with initiating legal proceedings or resisting its legal
proceedings against you to recover the money. That is not a happy
position, so I am not saying it is a neutral effect, but the risks
are exactly the same if you use your credit card in a shop which
handles your information insecurely. So it is not particularly
attributable to on-line use. We are all of us potentially liable
to being impersonated by crooks and having some degree of trouble
getting it accepted that it was not us, it was a crook. To some
extent the fact that banks and financial institutions have taken
up the practice of accepting electricity bills as capable of identifying
people exposes them to the additional risk. Once upon a time,
I do not think it would have occurred to them to do that so it
is, funnily enough, the increased emphasis on identifying pieces
of paper of this kind which are in fact rather easily forged or
stolen which has actually exposed people to more risk, probably,
than they used to be facing.
Q362 Lord Patel:
I have a key related question, but in some US states there are
laws relating to security breach notification laws where the businesses
which lose personal data have to inform the individuals affected
and maybe even widely inform the public. Should we not have such
laws?
Mr Bohm: I am strongly in favour of extending
breach notification and it is a principle which possibly has even
wider benefits. There are two significant benefits to breach notification
and they are different from each other. One is that the incentive
on breach notifiers to avoid the breaches is increased, so it
operates as a form of penalty, and that seems to me a desirable
phenomenon. It increases the cost, the burden, the embarrassment.
One hopes that it will therefore decrease the incidence, and that
is distinctly desirable. It is a very effective way of doing it.
It is self-policing largely. There is a second benefit, and that
is to those whose data has been lost. They are better informed
if they are later impersonated about how this might have come
about. So somebody who says to his credit card issuer, for example,
"I didn't do that transaction," and is faced with a
recalcitrant issuer who says, "Well, how could that be?"
he has a ready answer, "I was notified on this, that and
the other date that my data was part of a batch which was lost
by this or that institution." So it could very easily be,
and that is particularly important in a case where, for example,
there might have been a loss of data consisting of credit card
personal identification numbers. So if somebody becomes aware
that a cash machine has had a skimmer attached, in that case it
is exceedingly valuable to all the customers whose cards have
passed through that machine to know that there has been a compromise
which might explain the fact that they have been defrauded, so
that they have a response to a bank which says, "How could
this be if you didn't do it?" So I think there are two distinct
and considerable benefits and I would be strongly in favour of
our taking that up, and indeed arguing that it ought to be extended
across Europe.
Q363 Lord Patel:
Have there been any prosecutions under the existing laws in the
UK of merchants who have lost data because their computer has been
hacked?
Mr Bohm: I am not aware of them. It is Mr Jones's
territory as much as mine. I do not know whether he is.
Mr Jones: I am certainly not aware of any prosecutions
and the important point to make is that, of itself, however serious
that security breach was, it would not be a criminal offence, so they
do not hold themselves open to prosecution at that stage. It would
only occur under existing data protection legislation when they
were already subject to a formal notice requiring them to take
additional steps, but just to follow on from the previous point,
we are certainly not opposed in principle to the idea of breach
notification. We do think it is quite important that thought would
have to be given to getting the thresholds right. We fully understand
the name and shame element. Where I think we have some concerns
is, what do you tell individuals they can do to mitigate the risk?
If it is a very serious case where numbers have been lost, and
I understand that what banks will traditionally do is actually
withdraw those cards and re-issue. So we think there are some
detailed points to address about what constitutes a significant
enough security breach to inform the public and then what do you
tell them that enables them to do something useful about it?
Q364 Lord Patel:
So there is no offence even if a merchant has had his computers
hacked and data is lost of a customer but he does not inform the
customer?
Mr Jones: No, there is not, and the merchant
does not commit an offence.
Q365 Lord Patel:
As a Commissioner, do you have any powers through the Data Protection
Act to act in response to breaches?
Mr Jones: As I say, what we do have is the power
to issue a formal enforcement notice, which puts an organisation
on notice to amend their practices. If they are actually in breach
of the notice, at that stage it is a criminal offence but not
before.
Q366 Earl of Erroll:
If it is not hacking but an employee takes the data and sells
it, does that make it a criminal offence?
Mr Jones: It may well make it a section 55 offence,
but the interesting thing about that is that it is an offence
which the data controller cannot himself commit. One of the employees
can commit it by selling information, giving it to a friend, a
colleague, and somebody can commit that offence by inveigling
it out of the data controller, but however irresponsibly the data
controller behaves he does not commit an offence.
Q367 Earl of Erroll:
As this data should be kept in an encrypted form in the modern
day and world on these databases, why do you not just pre-emptively
issue your notifications to those companies which are not encrypting
such sensitive data, and then you could act against them if they
were in breach?
Mr Jones: Certainly we have not thought of that.
I suspect it would be fairly hard to identify the large number
of companies involved, but I think it is something which has not
occurred to us.
Earl of Erroll: Pick some large ones.
Q368 Lord Harris of Haringey:
Do we need special laws for e-crime, or is the current statute
framework satisfactory? Perhaps you could also answer whether
there are any gaps in the current statutory framework for e-crime?
Mr Bohm: I am not conscious of significant legal
gaps. You may say that the one you have just identified and pointed
to is a gap and you may say that the obligations of those who
control sensitive information should be subject to more stringent
controls, but if we look at the general field of crime and say,
"Are things happening on-line which aren't crimes there but
ought to be and would be elsewhere?" I think the answer is,
"Not particularly." There was for a long time felt to
be an inadequacy in the Computer Misuse Act, which has now been
remedied. I think that there are problems in the field, but I
would have said that they were problems which go more to the effectiveness
of criminal investigation, sometimes perhaps the effectiveness
of judicial understanding of the issues, and to trial and process
management. So it is always easy to say more resources would be
helpful, but ensuring that the police have the intellectual infrastructure
to deal with crimes involving electronics and computers, and that
the courts can readily grasp what they are about will, I suspect,
do more to put wrongs right than tinkering with the legal framework
at its base.
Professor Walden: I think there are two separate
situations. One, does the existing criminal code cope with crime
in cyberspace? The answer to that is, generally yes, but examples
are found where that is not the case. The Fraud Act 2006 in part
addressed a problem in an Internet environment, the fact that
you could not deceive a machine, and therefore giving credit card
details to a website and obtaining a service dishonestly was not
considered to be a criminal offence of fraud until the recent
amendments to the fraud rules. Likewise, in the area of child
abuse images we have required amendments to existing law to cope
with the new technology. On the other hand, you do have new activity
such as denial of service attacks, where existing legislation
requires supplementation, and that is what the Computer Misuse
Act attempted to do and the latest reform is designed to address
flaws or lacunae which have been identified in that computer specific
context.
Q369 Lord Harris of Haringey:
So essentially you are all saying, "It's absolutely fine
and dandy. We don't need new laws to deal with e-crime because
it's just a new manifestation of that"? I think in fact the
SCL evidence talks about it being "a modern tool for those
intent on committing established offences," but the consequence
of that is that there is no data or no reliable data on the incidence
of e-crime, there are no policing targets and actually there are
few incentives, as a consequence, for the police to pursue this
and to build up their capacity to combat it. Can I ask whether
there are, in your view, any legal options short of creating a
whole new category of e-crime which would enable us to distinguish
between e-crime, say fraud using the Internet or similar offences
which use more traditional means? Would there be a way of differentiating
it short of creating a whole new category of offences?
Professor Walden: Currently the way crime is
recorded in the UK does create a problem for fraud in particular.
I think it would be fair to say that the vast majority of fraud
committed today involves computers because the vast majority is
accounting data, and data which gives rise to financial gains
and loss is processed by computers. So I do not think, in that
respect, there is necessarily need to distinguish where the tool
differs from being a computer or being some other particular technique.
Clearly, the question of reporting was addressed by the previous
question in part because if businesses were required to notify
of a breach that would, perhaps, incentivise. We would get better
crime reporting. One of the problems we have today is that at
a commercial level the criminal justice system does not serve
businesses well and they have no incentive to report certainly
medium-scale fraud committed against them. From an individual
perspective it is very difficult for consumers to know who to
report to. If I suffer a fraud on Amazon and I went to my local
police station, I think they would be quite nonplussed as to what
to do.
Mr Bohm: I think you would create a difficulty
in any case if what is already criminal is made criminal a second
time in a new way, because you have got no way of knowing that
prosecutors will charge it in the electronic form rather than
the other if it is the same crime either way, so you will not
necessarily improve the statistics. It is essentially an administrative
problem, can the operations of the police be organised so that
they discriminate effectively, and it is probably not helpfully
addressed by creating a new layer of crime which they may or may
not know how to use in the way you are hoping they would.
Q370 Earl of Erroll:
So is the problem actually a lack of training and resource in
the Police Force, so that the moment it appears to have an electronic
or Internet facet to it they do not feel that they have the capability
to pursue it or track down the offenders and prosecute them?
Professor Walden: I think it is in part a question
of resource, but it is also in part a question of scale. The Internet
allows the volume of crime, industrial crime, which we have not
seen in a traditional environment and that in itself creates an
insoluble resource problem. However much more money we put into
the police, the fact that Operation Ore showed that we can suddenly
have 7,000 potential suspects landing on the doorstep of the police
is a difficult one to solve.
Q371 Earl of Erroll:
But surely the problem, if you take what people have referred
to, the Amazon or the eBay fraud, is that they are frauds where
someone is either selling stolen goods or someone is paying for
some goods and then getting some cash back off the person, without
going into the detail of it? Those are frauds being perpetrated
by people inside Britain, identifiable, pursuable, and they are
probably doing it frequently enough to get quite large sums of
money, so they would be worth pursuing. Any one incident may be
trivial, but the person behind it is not trivial and if a burglar
commits more than one burglary, we still pursue them and try to
lock them up even if each burglary has been small.
Professor Walden: In part that is a question
of the structure of the current Police Force in the United Kingdom.
We have the local Police Forces in the 43 areas and then we have
some national agencies such as the Serious and Organised Crime
Agency. With these inter-regional crimes which may occur, perhaps,
across the south of England, I think it has been well documented
that this is a gap currently in our policing structure and the
disappearance of the National High-Tech Crime Unit has led to
the perception that that level two regional crime may not be properly
served. There is an article in The Independent today from
the Metropolitan Police Service calling for a new way of addressing
e-crime at a regional level.
Q372 Chairman:
Do you see this as an important issue? The very fact that you
cannot distinguish these crimes from other crimes leaves us without
targets for the police or reliable data.
Professor Walden: I think we do have a problem
with data collection, but I think we have to recognise there are
things we can know and things we cannot know. I think we need
to establish reporting structures which are somewhat separate
from the law enforcement agencies, and we see that emerging. We
are seeing the establishment of an identity theft reporting mechanism.
Within the area of child abuse images the Internet Watch Foundation
provides a reporting mechanism. I think those sorts of bodies,
which are independent from the police, will hopefully generate
better statistics than can be expected from a traditional mechanism
through the reporting to your local policeman about things which
you have suffered, because evidence showed that in most cases
if you suffer a virus you will go to your local PC World and tell
them, as you are trying to get it mended, that you have suffered
such a problem.
Q373 Lord Harris of Haringey:
Can I just pursue this a little, because we heard evidence quite
separately about bullying through the Internet and the fact that
what distinguished it was the fact that this was within people's
own homes and that it therefore was different in nature from traditional
forms of bullying between children. Essentially this is fraud
committed, if you like, in the privacy of people's own homes because
it is being conducted over the Internet. Does that not place it
in a different category in terms of the way in which it impacts
upon people? We draw a distinction between a theft which is committed
following somebody breaking and entering premises and theft which
takes place in the open. Is there not an argument for distinguishing
between fraud or theft which takes place through the Internet
because of that personalised nature of the crime?
Professor Walden: Yes, I think that argument
can be made. The way in which we record statistics is different,
clearly, from the way in which we categorise crime and I do not
think we would benefit by proliferating new types of offences
designed to capture traditional crimes committed within a new
environment. There certainly may be, and probably would be, a
policy benefit from recording the fact that these crimes are committed
in different ways, but I do not think it requires new offences,
it just requires new reporting mechanisms.
Q374 Lord Harris of Haringey:
But the nature of the offence is not different because it is committed
in a way which people regard as personal, as part of their private
world, part of something where they like to think they are secure
because it is in their own home?
Professor Walden: I personally think not.
Q375 Baroness Sharp of Guildford:
Moving from reporting to pursuing criminal charges, in the memorandum
from the Society for Computers and Law you claimed that there
may be a reluctance within the Crown Prosecution Service to pursue
criminal charges where the only charges available are those under
the Computer Misuse Act 1990 or the Data Protection Act 1998 for
computer-related crime. What sort of evidence have you got to
support this and what types of offence are most affected?
Professor Walden: I think part of the problem
is that historically the offences did not necessarily attract
a particularly high tariff so that, for example, the offence of
unauthorised access gave rise to a maximum penalty of six months'
imprisonment. In terms of evidence, I have been involved for the
past five years in training Crown Prosecution Service personnel
to specialise in high-tech crime prosecutions, so the evidence
which I put to the SCL and which was incorporated in this paper
was from that trainee exercise where we have trained over 150
CPS prosecutors in high-tech crime. The constant feedback was,
"Well, there's uncertainty about the application of the law
in the area of computer misuse, the history of the Act. We've
had continual bad judgments, bad case law, which may have been
corrected but we have problems in explaining the technology to
jurors and explaining the technology to judges." In the majority
of circumstances we are talking about a computer being used as
a tool to commit a traditional offence, so let us use the traditional
offence and ignore the legislation which really addresses the
tool, which is the Computer Misuse Act.
Q376 Baroness Sharp of Guildford:
The evidence you have got from this really stems very largely
from your work training with the CPS?
Professor Walden: With the Crown Prosecution
Service, yes. It is a concern that prosecuting under the Computer
Misuse Act is more likely to give rise to problems than using
traditional offences.
Q377 Lord Sutherland of Houndwood:
This is a question for the Information Commission but it starts
with evidence from SCL in fact, who have told us that they are
not aware that there has been any enforcement by the Information
Commissioner, whether at the request of Ofcom or anyone else,
of Internet providers taking appropriate action under the specified
regulations. I do not know whether they are simply not fully informed,
whether there have been enforcements, but what are your comments
on this?
Mr Jones: No, they are perfectly well-informed.
There has not been any such action. What I would stress here is
that the way the Privacy and Electronic Communications Regulations
work is heavily towards people reporting things to us which appear
to be breaches and then asking us whether we will take action.
The reality is that the action we have taken over these regulations
has reflected those areas which we have had large numbers of complaints
about, and they have actually been to do with telesales and faxes,
not so much with emails and not to my knowledge much at all relating
to ISP security.
Q378 Lord Sutherland of Houndwood:
Is this because you are not being notified or not being made aware
of such offences, or because they are not considered to be important?
Mr Jones: No, it is not that we would not consider
them important if we had evidence of them. What I am saying is
that we have not had evidence of them. I entirely accept that
that does not mean to say that there are not weaknesses there,
I am just saying that they have not been drawn to our attention.
Q379 Lord Sutherland of Houndwood:
SCL imply that they are not completely satisfied with this and
they would like to see Ofcom involved in the enforcement of regulations.
There is a question of whether they have the powers to do so,
but if they were to be involved would there be advantages, disadvantages,
if I could ask both of you that?
Mr Jones: The way the mechanism is set up at
the moment is that because of the way Ofcom works and because
it has a wider staffing than we do and has a technical expertise
in certain areas that we do not, if it brings to our attention
what it sees as significant failings then we can actually take
enforcement action on the basis of that. We are perfectly happy
to do so, it is just that it has not happened yet.
Professor Walden: I think the idea put by SCL
is that essentially Ofcom is the better resourced and more experienced
regulator in respect of the industry and therefore, in part to
help the Information Commissioner's Office, Ofcom will be well-placed
to address these issues.