Examination of Witnesses (Questions 420
- 439)
WEDNESDAY 24 JANUARY 2007
MR MIKE
HALEY AND
MR PHIL
JONES
Q420 Earl of Erroll:
Therefore it is not extraditable?
Mr Haley: In this case, because our powers are
only civil powers, it would not be a criminal offence. We only
have civil injunctive powers for regulations 22 and 23 of the
PCRs, plus our main role is actually looking at the deceptive
and misleading nature of spam. Because we regulate advertising,
we are not concerned with spam per se, we would leave that
to the Information Commissioner if it was not deceptive or misleading,
but when it is misleading like that spam was, we do see it as
our duty to use the powers we have. But he could not be extradited
because it was not a criminal offence which was being investigated.
Q421 Lord Patel:
Can the London Action Plan be effective without any legal force?
Mr Haley: It is effective in a number of ways
by establishing a network of contacts, but I would point out that
it is on a "best efforts" basis. It does rely on the
individual's commitment to co-operate. I have an example of where
it has failed and we need further legal clarity, which was when
OPTA, the Dutch agency, approached our agency under the London
Action Plan to provide information about a spammer using a Yahoo.co.uk
account. We have powers to gain information under section 224
of the Enterprise Act, but our legal adviser said we could not
use it to gain information to pass on to the Dutch authority because
they were not a Community enforcer under our consumer protection
laws. So in that case there were again no UK victims of that spam
and we could not use our powers to get the information and pass
it on. So in that case they had one of the top 10 spammers and
required information to stop them and we could not obtain the
information to pass it on to them in a lawful way. Yahoo were
quite right not to give that information over. I am not criticising
Yahoo because there was not a legal gateway for them to give that
information to us. We have also had a problem in the London Action
Plan where Spamhaus, an organisation which is a kind of watchdog
for spam, had given us information there was going to be a major
spamming campaign over a weekend, and they gave us the information.
When I contacted the relevant Internet Service Provider, who is
a member of the London Action Plan, without a court order or any
other further action they were not able to stop that spamming
campaign. I think in the end they took a decision based on pressure
to pull that campaign and stop it happening, but there was no
legal requirement, it was just best efforts.
Q422 Lord Patel:
So you feel that the UK spam laws are adequate?
Mr Haley: I think in those two instances of
international co-operation there could be much improvement in
ensuring that we have gateways to share information with agencies
which are spam enforcement agencies elsewhere, because we do not
always have those gateways. Secondly, I believe it would be very
helpful if we could take action against spammers in the UK who
are targeting non-UK consumers, because there are two gaps in
that area. That is my enforcement experience.
Q423 Lord Patel:
Are there laws internationally beginning to converge relating
to spam?
Mr Haley: No, there are not, because we have
the two different models of opt in and opt out, choices for consumers.
I think the Americans are very wedded to their model and the European
Union has taken its decision that we should have a different model,
so I do not see convergence along those lines at the moment. What
we do see through organisations like the OECD and the London Action
Plan is encouraging those countries which do not have spam laws
to bring in spam laws as recommended under the spam toolkit which
the OECD produced, which has model laws.
Q424 Lord Patel:
Does that not make it difficult to prosecute if there are different
laws in different countries?
Mr Haley: We would not prosecute in a non-EU
country, but we do have a power to prosecute within the European
Union. It would make it difficult if they were breaching UK law
but targeting elsewhere, outside the European Union. We could
not do that because there would be no consumers in Europe who
had been affected.
Q425 Lord Patel:
But you just said that with spammers in the UK who had not spammed
UK citizens but had sent spam to the United States we would not
be able to prosecute?
Mr Haley: That is right, yes.
Q426 Lord Patel:
Does that not mean the law is inadequate?
Mr Haley: If that is what the Government wanted
us to do, yes, it is inadequate.
Q427 Earl of Erroll:
How can you prove they did not send spam to UK citizens? A lot
of citizens have "hotmail.com" as opposed to ".co.uk"
accounts, which will therefore be the United States, and in fact
one of my email addresses I know is hosted in Seattle. Therefore,
I could well have received some of this spam.
Mr Haley: We tried very hard in that case to
find consumers who had complained about this particular practice.
We had to look at our own complaint database and had no complaints.
We then also had the problem that we could not go into the premises
of the spammers to seize any of the computers and hard drives
to check who they had been spamming because our investigative
powers will not stretch to that.
Earl of Erroll: In other words, I should
forward all my spam on to you in future?
Q428 Lord Harris of Haringey:
And your personal email address!
Mr Haley: We do have a spam OFT website where
you can forward any deceptive, misleading or fraudulent spam.
Q429 Earl of Erroll:
Is the problem really now that in the past, before the globalisation
enabled by the Internet, a criminal had to travel to a country
really to perpetrate a fraud or something of this nature, whereas
now you can do it remotely across borders without ever having
to leave your home ground and therefore the old principle that
it has to do harm in the UK, or in the country where the person
is resident, really needs to be looked at internationally and
the international law? What we need is to get international co-operation
on changing that principle universally?
Mr Haley: Yes, I would agree, and I also believe
that our powers are still based on the off-line world of knowing
where a trader is, being able to go and speak to him, have premises
inspected and then take action appropriately. If we know a spamming
campaign is coming over the weekend and we cannot take any administrative
steps, we have to go and apply for a court order and the spam
would have been sent out to millions of people before we had even
had a chance to move. So I think there is a need to look at not
just the international infrastructure but also for adequate powers
and sanctions to apply in a fast-moving environment where I think
we have lagged behind. I think Phil would agree with me about
the sanctions not being really appropriate to be a deterrent for
a spammer.
Q430 Chairman:
There is a point which Lord Erroll made which I find very important
and that is that you do seem to be comforting yourself with the
fact that you do not receive as many complaints as, for example,
you do for phone calls and for faxes. I think that is mainly because
people do not think there is anywhere to complain to. If they
knew where to complain, I think you would be drowned!
Mr Haley: I hope I did not give the impression
of being comforted. I agree totally that there is a lack of a
single place to complain and there are enough other direct marketing
scams to keep my team busy. For us to then request information
about email scamsI am sure we would be deluged if there
was a simple way of electronically forwarding your complaints
about email scam.
Q431 Chairman:
Or even forwarding the scams?
Mr Haley: Yes, forwarding the scams. I would
say also that our data on complaints does show a low incidence
of people who have been victims of sending money to a spammer
or giving information to a phishing site. However, we need to
balance that with the fact that the economics of spamming operations
mean that they only need a very small number of people to respond
to make sizeable amounts of money and we should not solely base
our enforcement strategies and policies based on the number of
people coming forward and saying, "I've lost money."
The fact that there is a spamming campaign for any product or
deception means that they will be making money out of it, otherwise
they would not do it. So it is a challenge to change our mindsets,
if you like, in terms of whereas before we had a pile of complaints,
and I have got a smaller pile here, that is an obvious case to
investigate. If it is in the real world, say a direct mailing
scam, we know where to go and how to do it. The other factor I
would put in is that we do have a lack of skilled and competent
investigators in this area to make a real dent in email and Internet
scams.
Q432 Baroness Sharp of Guildford:
Are there any other areas of international co-operation which
we need to develop? We have more or less covered it, but you may
like to add something to what you have already said.
Mr Haley: Yes. I think there are two elements
to whether there should be any more international arrangements.
I would put forward one as best practice. On 1 January this year
the European Union brought in a new regulation on consumer protection
co-operation. We have set up a network of public consumer protection
agencies throughout Europe with common powers, including on-site
inspections, which we lacked before, which enables information
to be shared on breaches of 11 different consumer protection regulations,
which include distance selling and the eCommerce regulations.
It also means that we can refer cases to other European enforcement
agencies to take effective action. I do not see why we could not
have that also for spam-related enforcement, rather than having
to look at whether it has breached those specific 11 regulations
on consumer protection. On the broad issue of do we need any more
kind of London Action Plans, I have a view that there are plenty
of international organisations. We have the Message Anti-abuse
Working Group (MAAWG), the anti-phishing working group, there
is the Melbourne-Seoul memorandum of understanding, there is probably
a whole list of different agencies who have an interest, different
organisations and networks, and it might be time to actually look
at the commonalities and having fewer of those networks. Recently
in Greece six of the anti-spam agencies came together, the anti-spam
networks, to have a common portal website and to try to work closer
together. So I think we need a more formal network for the exchange
of intelligence and effective enforcement and probably less of
the informal networks set up for different cyber security threats,
perhaps one covering the whole range of cyber security threats.
Chairman: Lady Hilton, did you have a
question?
Q433 Baroness Hilton of Eggardon:
I had a question about your 9/11 example, which seemed to me a
straightforward case of fraud and I do not understand why the
Americans did not apply for extradition and why it was treated
as spam. It seems to me mis-labelling.
Mr Haley: It was a quite complex investigation
because there was something that they were selling. They were
misleading the recipients of the spam by saying, "You could
be dot USA." You could be dot USA, within, I suppose the
best way of putting it is on a kind of intranet. So they set up
your own system, which would be like a computer's own intranet,
but you could not reach your address via the World Wide Web. So
it is a misleading communication in terms of the content of the
spam rather than selling a dot USA web address which did not exist
at all. I think this is one of the issues which in the UK would
probably be dealt with by the new Fraud Act in that it is a misleading
representation. Before those misleading representations would
be civil matters and would rarely be investigated as fraud.
Q434 Earl of Erroll:
What is the OFT's opinion of the data breach notification laws,
which are common in many US states now?
Mr Haley: We do not have any particular view
on those laws or in fact any breach of privacy regulations because
we do not enforce the Data Protection Act or privacy regulations.
We would always look to the ICO and government for a view on those
types of matters.
Q435 Baroness Hilton of Eggardon:
Do you see it as your responsibility to educate the public about
email scams? You said there was not a single telephone point which
people could communicate with. Should that not be an obvious first
step, perhaps?
Mr Haley: I do believe that we have a duty to
inform consumers about safe Internet shopping and how to avoid
scams and spam, and in fact we have good information on our own
website and on the consumer direct website, which is a service
run by the Office of Fair Trading now. I think there is a whole
range of organisations, local trading standards services, the
Information Commissioner's Office, Internet Service Providers
who have a duty to inform. I think the more information which
is delivered the better, but I think there is some work to be
done about agreeing common messages so that they are reinforced
and that they are simple messages which people can understand.
I would encourage people to go to the OFT's website and look under
consumer information and then under spam where we have got a couple
of interactive games, one on phishing and one on scams and spam.
I think it needs to be lively and entertaining, particularly in
the on-line world, because you have to try and speak in the language
of people who are on the Internet. On your very good point of
whether we should have a single point of contact, I believe that
people who have problems with the Internet and email expect there
to be a simple electronic means of making a complaint. We do not
have one at the moment. We have considered signing up to something
called the `Spot Spam' project, which is run by some European
countries and is partly EU-funded, but we have not yet reached
a decision on that. I think we also have to look at whether we
would be overwhelmed and how we would use that information. I
think there is a real opportunity for some public/private partnerships
in dealing with that information because, as I said before, we
are not always the most competent in terms of understanding the
Internet, how it works, and tracking down the email addresses,
whereas we are competent in using our investigative skills and
prosecuting skills.
Mr Jones: I would just endorse Mike's comments.
I think there is a multitude of people who have the responsibility
for seeking to warn individuals about the risks and the things
they can do to mitigate those risks if they are going to deal
over the Internet. It is people who are promoting e-Government,
e-business, all sorts of things. It is certainly a responsibility
which we take seriously, and if I may shamelessly plug the fact
that European Data Protection Day is 29 January and we will be
having a re-launch of some general guidance aimed at individuals
about how they can be careful about their information in relation
to identity fraud but also doing business on the Internet.
Q436 Baroness Sharp of Guildford:
You say you are going to be launching on that day, putting out
information, and so forth. Where are you going to do this? Are
you going to take newspaper advertisements, or what?
Mr Jones: We have done newspaper advertisements
in the past and they are very, very expensive and we did not find
them as successful as we hoped they would be. What we do have
is a number of filler ads which will go on television in those
spare spaces. We are hoping to drum up quite a lot of media interest
and therefore hopefully get some free publicity, to be absolutely
brutal, but certainly some of it will be through promoting things
through media channels and certainly we will be using our website,
which has fairly recently been redesigned.
Q437 Earl of Erroll:
You could, of course, email all the corporate addresses!
Mr Jones: We could, of course.
Q438 Earl of Erroll:
Could I just ask you very quickly about this one single point,
because the police have got an under-funded fraud alert website
which is run by one person who is snowed under and he is trying
to do his best. Are you co-operating with them, or trying to work
out which of you should be doing it, or is this an example of
duplication?
Mr Haley: We work quite closely with Operation
Sterling, which is the Met Police preventative strand on a number
of issues, and also now with the Serious Organised Crime Agency
on preventative measures. That has been a way of making interventions
such as with money transfer agents like Western Union to ensure
that once someone has been scammed there can be ways of preventing
the money reaching the scammers. On that particular issue we have
not yet talked about sharing or pooling our resources because
we have not gone down the road of having a single -
Q439 Earl of Erroll:
So the answer is no, because there is a chap there who is replying
to 400 to 600 emails a day on frauds and it seems that there is
duplication of effort there, so maybe it would be worth talking
to them?
Mr Haley: We do talk to them, but I think it
is the difference of what our powers would be to deal with some
of the fraud. We are not fraud investigators, we only look at
misleading and deceptive conduct. I know that "deception"
sounds like it is fraud, but it is deception in the terms defined
by the control of misleading advertising regulations. It would
not be a criminal offence. I think you are right that there is
more than can be done in terms of co-operation between the agencies
and I will take your advice to speak with them.
Earl of Erroll: Because I do not think
the consumer would know the distinction and which they should
be reporting to. Until you pointed it out, I certainly did not.
Chairman: Mr Haley and Mr Jones, thank
you very much indeed. It has been a valuable session for us. As
I said before, if there is anything which occurs to you which
you think would be of use to us, please write to us. Thank you
very much.
|