Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 420 - 439)

WEDNESDAY 24 JANUARY 2007

MR MIKE HALEY AND MR PHIL JONES

  Q420  Earl of Erroll: Therefore it is not extraditable?

  Mr Haley: In this case, because our powers are only civil powers, it would not be a criminal offence. We only have civil injunctive powers for regulations 22 and 23 of the PCRs, plus our main role is actually looking at the deceptive and misleading nature of spam. Because we regulate advertising, we are not concerned with spam per se, we would leave that to the Information Commissioner if it was not deceptive or misleading, but when it is misleading like that spam was, we do see it as our duty to use the powers we have. But he could not be extradited because it was not a criminal offence which was being investigated.

  Q421  Lord Patel: Can the London Action Plan be effective without any legal force?

  Mr Haley: It is effective in a number of ways by establishing a network of contacts, but I would point out that it is on a "best efforts" basis. It does rely on the individual's commitment to co-operate. I have an example of where it has failed and we need further legal clarity, which was when OPTA, the Dutch agency, approached our agency under the London Action Plan to provide information about a spammer using a Yahoo.co.uk account. We have powers to gain information under section 224 of the Enterprise Act, but our legal adviser said we could not use it to gain information to pass on to the Dutch authority because they were not a Community enforcer under our consumer protection laws. So in that case there were again no UK victims of that spam and we could not use our powers to get the information and pass it on. So in that case they had one of the top 10 spammers and required information to stop them and we could not obtain the information to pass it on to them in a lawful way. Yahoo were quite right not to give that information over. I am not criticising Yahoo because there was not a legal gateway for them to give that information to us. We have also had a problem in the London Action Plan where Spamhaus, an organisation which is a kind of watchdog for spam, had given us information there was going to be a major spamming campaign over a weekend, and they gave us the information. When I contacted the relevant Internet Service Provider, who is a member of the London Action Plan, without a court order or any other further action they were not able to stop that spamming campaign. I think in the end they took a decision based on pressure to pull that campaign and stop it happening, but there was no legal requirement, it was just best efforts.

  Q422  Lord Patel: So you feel that the UK spam laws are adequate?

  Mr Haley: I think in those two instances of international co-operation there could be much improvement in ensuring that we have gateways to share information with agencies which are spam enforcement agencies elsewhere, because we do not always have those gateways. Secondly, I believe it would be very helpful if we could take action against spammers in the UK who are targeting non-UK consumers, because there are two gaps in that area. That is my enforcement experience.

  Q423  Lord Patel: Are there laws internationally beginning to converge relating to spam?

  Mr Haley: No, there are not, because we have the two different models of opt in and opt out, choices for consumers. I think the Americans are very wedded to their model and the European Union has taken its decision that we should have a different model, so I do not see convergence along those lines at the moment. What we do see through organisations like the OECD and the London Action Plan is encouraging those countries which do not have spam laws to bring in spam laws as recommended under the spam toolkit which the OECD produced, which has model laws.

  Q424  Lord Patel: Does that not make it difficult to prosecute if there are different laws in different countries?

  Mr Haley: We would not prosecute in a non-EU country, but we do have a power to prosecute within the European Union. It would make it difficult if they were breaching UK law but targeting elsewhere, outside the European Union. We could not do that because there would be no consumers in Europe who had been affected.

  Q425  Lord Patel: But you just said that with spammers in the UK who had not spammed UK citizens but had sent spam to the United States we would not be able to prosecute?

  Mr Haley: That is right, yes.

  Q426  Lord Patel: Does that not mean the law is inadequate?

  Mr Haley: If that is what the Government wanted us to do, yes, it is inadequate.

  Q427  Earl of Erroll: How can you prove they did not send spam to UK citizens? A lot of citizens have "hotmail.com" as opposed to ".co.uk" accounts, which will therefore be the United States, and in fact one of my email addresses I know is hosted in Seattle. Therefore, I could well have received some of this spam.

  Mr Haley: We tried very hard in that case to find consumers who had complained about this particular practice. We had to look at our own complaint database and had no complaints. We then also had the problem that we could not go into the premises of the spammers to seize any of the computers and hard drives to check who they had been spamming because our investigative powers will not stretch to that.

  Earl of Erroll: In other words, I should forward all my spam on to you in future?

  Q428  Lord Harris of Haringey: And your personal email address!

  Mr Haley: We do have a spam OFT website where you can forward any deceptive, misleading or fraudulent spam.

  Q429  Earl of Erroll: Is the problem really now that in the past, before the globalisation enabled by the Internet, a criminal had to travel to a country really to perpetrate a fraud or something of this nature, whereas now you can do it remotely across borders without ever having to leave your home ground and therefore the old principle that it has to do harm in the UK, or in the country where the person is resident, really needs to be looked at internationally and the international law? What we need is to get international co-operation on changing that principle universally?

  Mr Haley: Yes, I would agree, and I also believe that our powers are still based on the off-line world of knowing where a trader is, being able to go and speak to him, have premises inspected and then take action appropriately. If we know a spamming campaign is coming over the weekend and we cannot take any administrative steps, we have to go and apply for a court order and the spam would have been sent out to millions of people before we had even had a chance to move. So I think there is a need to look at not just the international infrastructure but also for adequate powers and sanctions to apply in a fast-moving environment where I think we have lagged behind. I think Phil would agree with me about the sanctions not being really appropriate to be a deterrent for a spammer.

  Q430  Chairman: There is a point which Lord Erroll made which I find very important and that is that you do seem to be comforting yourself with the fact that you do not receive as many complaints as, for example, you do for phone calls and for faxes. I think that is mainly because people do not think there is anywhere to complain to. If they knew where to complain, I think you would be drowned!

  Mr Haley: I hope I did not give the impression of being comforted. I agree totally that there is a lack of a single place to complain and there are enough other direct marketing scams to keep my team busy. For us to then request information about email scams—I am sure we would be deluged if there was a simple way of electronically forwarding your complaints about email scam.

  Q431  Chairman: Or even forwarding the scams?

  Mr Haley: Yes, forwarding the scams. I would say also that our data on complaints does show a low incidence of people who have been victims of sending money to a spammer or giving information to a phishing site. However, we need to balance that with the fact that the economics of spamming operations mean that they only need a very small number of people to respond to make sizeable amounts of money and we should not solely base our enforcement strategies and policies based on the number of people coming forward and saying, "I've lost money." The fact that there is a spamming campaign for any product or deception means that they will be making money out of it, otherwise they would not do it. So it is a challenge to change our mindsets, if you like, in terms of whereas before we had a pile of complaints, and I have got a smaller pile here, that is an obvious case to investigate. If it is in the real world, say a direct mailing scam, we know where to go and how to do it. The other factor I would put in is that we do have a lack of skilled and competent investigators in this area to make a real dent in email and Internet scams.

  Q432  Baroness Sharp of Guildford: Are there any other areas of international co-operation which we need to develop? We have more or less covered it, but you may like to add something to what you have already said.

  Mr Haley: Yes. I think there are two elements to whether there should be any more international arrangements. I would put forward one as best practice. On 1 January this year the European Union brought in a new regulation on consumer protection co-operation. We have set up a network of public consumer protection agencies throughout Europe with common powers, including on-site inspections, which we lacked before, which enables information to be shared on breaches of 11 different consumer protection regulations, which include distance selling and the eCommerce regulations. It also means that we can refer cases to other European enforcement agencies to take effective action. I do not see why we could not have that also for spam-related enforcement, rather than having to look at whether it has breached those specific 11 regulations on consumer protection. On the broad issue of do we need any more kind of London Action Plans, I have a view that there are plenty of international organisations. We have the Message Anti-abuse Working Group (MAAWG), the anti-phishing working group, there is the Melbourne-Seoul memorandum of understanding, there is probably a whole list of different agencies who have an interest, different organisations and networks, and it might be time to actually look at the commonalities and having fewer of those networks. Recently in Greece six of the anti-spam agencies came together, the anti-spam networks, to have a common portal website and to try to work closer together. So I think we need a more formal network for the exchange of intelligence and effective enforcement and probably less of the informal networks set up for different cyber security threats, perhaps one covering the whole range of cyber security threats.

  Chairman: Lady Hilton, did you have a question?

  Q433  Baroness Hilton of Eggardon: I had a question about your 9/11 example, which seemed to me a straightforward case of fraud and I do not understand why the Americans did not apply for extradition and why it was treated as spam. It seems to me mis-labelling.

  Mr Haley: It was a quite complex investigation because there was something that they were selling. They were misleading the recipients of the spam by saying, "You could be dot USA." You could be dot USA, within, I suppose the best way of putting it is on a kind of intranet. So they set up your own system, which would be like a computer's own intranet, but you could not reach your address via the World Wide Web. So it is a misleading communication in terms of the content of the spam rather than selling a dot USA web address which did not exist at all. I think this is one of the issues which in the UK would probably be dealt with by the new Fraud Act in that it is a misleading representation. Before those misleading representations would be civil matters and would rarely be investigated as fraud.

  Q434  Earl of Erroll: What is the OFT's opinion of the data breach notification laws, which are common in many US states now?

  Mr Haley: We do not have any particular view on those laws or in fact any breach of privacy regulations because we do not enforce the Data Protection Act or privacy regulations. We would always look to the ICO and government for a view on those types of matters.

  Q435  Baroness Hilton of Eggardon: Do you see it as your responsibility to educate the public about email scams? You said there was not a single telephone point which people could communicate with. Should that not be an obvious first step, perhaps?

  Mr Haley: I do believe that we have a duty to inform consumers about safe Internet shopping and how to avoid scams and spam, and in fact we have good information on our own website and on the consumer direct website, which is a service run by the Office of Fair Trading now. I think there is a whole range of organisations, local trading standards services, the Information Commissioner's Office, Internet Service Providers who have a duty to inform. I think the more information which is delivered the better, but I think there is some work to be done about agreeing common messages so that they are reinforced and that they are simple messages which people can understand. I would encourage people to go to the OFT's website and look under consumer information and then under spam where we have got a couple of interactive games, one on phishing and one on scams and spam. I think it needs to be lively and entertaining, particularly in the on-line world, because you have to try and speak in the language of people who are on the Internet. On your very good point of whether we should have a single point of contact, I believe that people who have problems with the Internet and email expect there to be a simple electronic means of making a complaint. We do not have one at the moment. We have considered signing up to something called the `Spot Spam' project, which is run by some European countries and is partly EU-funded, but we have not yet reached a decision on that. I think we also have to look at whether we would be overwhelmed and how we would use that information. I think there is a real opportunity for some public/private partnerships in dealing with that information because, as I said before, we are not always the most competent in terms of understanding the Internet, how it works, and tracking down the email addresses, whereas we are competent in using our investigative skills and prosecuting skills.

  Mr Jones: I would just endorse Mike's comments. I think there is a multitude of people who have the responsibility for seeking to warn individuals about the risks and the things they can do to mitigate those risks if they are going to deal over the Internet. It is people who are promoting e-Government, e-business, all sorts of things. It is certainly a responsibility which we take seriously, and if I may shamelessly plug the fact that European Data Protection Day is 29 January and we will be having a re-launch of some general guidance aimed at individuals about how they can be careful about their information in relation to identity fraud but also doing business on the Internet.

  Q436  Baroness Sharp of Guildford: You say you are going to be launching on that day, putting out information, and so forth. Where are you going to do this? Are you going to take newspaper advertisements, or what?

  Mr Jones: We have done newspaper advertisements in the past and they are very, very expensive and we did not find them as successful as we hoped they would be. What we do have is a number of filler ads which will go on television in those spare spaces. We are hoping to drum up quite a lot of media interest and therefore hopefully get some free publicity, to be absolutely brutal, but certainly some of it will be through promoting things through media channels and certainly we will be using our website, which has fairly recently been redesigned.

  Q437  Earl of Erroll: You could, of course, email all the corporate addresses!

  Mr Jones: We could, of course.

  Q438  Earl of Erroll: Could I just ask you very quickly about this one single point, because the police have got an under-funded fraud alert website which is run by one person who is snowed under and he is trying to do his best. Are you co-operating with them, or trying to work out which of you should be doing it, or is this an example of duplication?

  Mr Haley: We work quite closely with Operation Sterling, which is the Met Police preventative strand on a number of issues, and also now with the Serious Organised Crime Agency on preventative measures. That has been a way of making interventions such as with money transfer agents like Western Union to ensure that once someone has been scammed there can be ways of preventing the money reaching the scammers. On that particular issue we have not yet talked about sharing or pooling our resources because we have not gone down the road of having a single -

  Q439  Earl of Erroll: So the answer is no, because there is a chap there who is replying to 400 to 600 emails a day on frauds and it seems that there is duplication of effort there, so maybe it would be worth talking to them?

  Mr Haley: We do talk to them, but I think it is the difference of what our powers would be to deal with some of the fraud. We are not fraud investigators, we only look at misleading and deceptive conduct. I know that "deception" sounds like it is fraud, but it is deception in the terms defined by the control of misleading advertising regulations. It would not be a criminal offence. I think you are right that there is more than can be done in terms of co-operation between the agencies and I will take your advice to speak with them.

  Earl of Erroll: Because I do not think the consumer would know the distinction and which they should be reporting to. Until you pointed it out, I certainly did not.

  Chairman: Mr Haley and Mr Jones, thank you very much indeed. It has been a valuable session for us. As I said before, if there is anything which occurs to you which you think would be of use to us, please write to us. Thank you very much.






 
previous page contents

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007