Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 600 - 619)

WEDNESDAY 21 FEBRUARY 2007

MR GARRETH GRIFFITH, MR ALASDAIR MCGOWAN, MR MICHAEL BARRETT AND MR JEREMY BEALE

  Q600  Lord O'Neill of Clackmannan: Mr Barrett, you have made the point several times that it is 41 basis points. Is that a figure which has been changing, given increased volumes?

  Mr Barrett: It does move. I have only been with PayPal just over nine months myself, so I am not sure I could tell you with any great accuracy the long-term historical trend line. To a very large extent it is driven by the effectiveness of our back-end fraud control models. What will happen typically is, if there is some kind of temporary spike in fraud, then we will tune the fraud protection models and that will drive it back down again. As far as I know—but, as I say, I do not have enough longevity with the company to tell—it does just bump around in a certain range.

  Q601  Lord O'Neill of Clackmannan: This is for anyone who wants to answer. Are the police able and willing to investigate fraud or other criminal activity online? What has been your experience of dealing with the police in these matters?

  Mr Beale: I can speak generally, but maybe others have direct experience.

  Mr Griffith: We work very closely with the police. We have two distinct groups within our trust and safety teams: our law enforcement relationship management team and our fraud investigation team. One is more proactive. We are basically reaching out to law enforcement and helping them to understand the issues on the Internet, for example, and over the last couple of years we have trained 3,500 police officers. We either go out to them or they come to us. About 100 at a time come to us, either in Dublin or in Richmond, and we go through a training process. We find that the willingness at a personal level is there. When you speak to a police officer, they are dying to be there, to help out the people in their community, et cetera, and investigate. Their challenges often are the tools that are made available to them and the priorities that have been set for them. We find them being quite frustrated, especially at the local level. In a local police station, for example, some of them are not able to access the Internet. When someone comes in and says, "I got this item on eBay. I'd like you to take a look at it", they cannot actually go and take a look at it. There are some fundamental things like that which cause a real challenge for police officers, and I hear a lot about that. One thing, which is maybe one step higher, is that I have found the priorities are generally around higher-value issues. What happens on eBay tends to be lower-value, higher-volume types of things. When we try to get police engaged, sometimes they say, "Look, we'd love to help you. If it is not over 'x' threshold"—thousands of pounds, or whatever it is—"we can't help you". The other thing is that, if it is a criminal issue—we are not a criminal agency and obviously we cannot take action against people—we do have a very streamlined process, where we work with law enforcement if they come to us. We ask our community of users to go to their local police stations, get them to contact us—and we give them numbers, email addresses and everything they need to contact us—and then we can work with the police. What we find is the users coming back to us, saying, "They're not interested". It is only a £500 laptop, or whatever the issue might be. So I think that we see frustration on both sides. We see law enforcement being frustrated because they want to engage, but either they cannot technically or prioritisation-wise, and we see users saying, "We're trying to knock on their door and get them to listen, but they can't help".

  Q602  Lord O'Neill of Clackmannan: Do you monitor this across countries? Obviously you are an international organisation. What is the experience, let us say, within the EU? How does the UK stand up to comparison with other police forces in other jurisdictions?

  Mr Griffith: In my experience I would say that it varies by different countries. There does seem to be a general issue around scale. The issues we see here seem to be very similar across Europe. I would say that in many of the countries it is probably an even more significant challenge for law enforcement. That being said, when you do have something of scale that crosses the threshold into a number volume or a monetary volume that is relevant, we have great working relationships. Someone mentioned earlier about the spoof, the phishing guys. A lot of our challenge comes out of Romania actually, out of Eastern Europe, and we were recently involved in an arrest of five people in an Internet café, where we and the United States' Secret Service went in with local law enforcement and managed to catch these guys sending out millions and millions of emails. So when you are talking in big-scale volumes, you start to get some help; when you are talking at the lower levels, which most of our users encounter, it is a bit difficult.

  Mr Barrett: Perhaps I could add to that. Definitely on a global level the threshold problem is a serious one. You will often find a case where it may be that the threshold is, say, $50,000 or something of that nature before you can get a prosecutor interested in a case. So, as we compensate our consumers who have been victimised, we are running the meter up and slowly building up a dossier on some particular individual, until such time as, "Aha, we are now over the threshold!". But if it was 50, and it is in some cases, and we first found out about this guy when he had stolen just $1,000, that is 49 more cases at $1,000 each before we can get him arrested. So I think you can argue that the threshold problem is causing the public real harm.

  Mr Beale: We have quite a few reports from members that they feel that the technical competence of the police nationally, across the board, is not as high as they would like and need to deal with these. Centrally that expertise might exist, but in a number of local forces it does not exist, and that is obviously where the problem lies, because that is where people are meant to report at the moment.

  Q603  Lord O'Neill of Clackmannan: That would be the reason why your evidence suggests that a number of your member companies are reluctant to report cases to the police, or is it a recognition of the threshold issue as well?

  Mr Beale: It is both, and it is reputational too: that they do not always want to advertise when they have had a problem, I should add. It goes back to the point about resources. The police obviously have limited resources to develop this expertise. There is a limited supply of people with these capabilities, and it is a general problem that not enough people are coming out of universities with IT skills. I do not think that information security is yet a required part of getting an IT qualification. I may be incorrect about that, but a lot of effort has not yet been put into developing this capability nationally.

  Q604  Lord O'Neill of Clackmannan: Do you think that the activities which are considered criminal are covered by the law, and therefore people would be willing to report to the police in order that action could be taken? Do you think that the law is clear enough in its definition of what is criminal in relation to e-theft?

  Mr McGowan: I think certainly the new Fraud Act will help. The Computer Misuse Act amendments which went through the Police and Justice Act will also help. Again, it ultimately boils down to enforcement. Also, there is a broader issue here in terms of how you tackle this on a cross-jurisdictional basis. Ultimately, the legal framework is only as strong as the weakest link in the chain. So if others' jurisdictions have weaker protections in place, then you will simply see organised gangs migrating to those jurisdictions. There has to be international co-operation at a governmental level in that sense.

  Q605  Lord O'Neill of Clackmannan: One last question on the issue of the quality of policing. We have had evidence which suggests that, once the police have become good at detecting, you guys recruit them as security officers! Apart from that side of the equation, could you put a figure on what you would consider to be a reasonable amount of money or resource that the police should be putting on to this issue? Are you happy that they have enough people involved in it? It would appear that in some areas you say that there is not. I am not asking you to pluck a figure out of the air, but do you have any idea of how much more could be done by the police to encourage you?

  Mr McGowan: I think it is very hard to put a precise figure on it. To pick up your point about recruiting ex-policemen, we plead guilty in that respect, in so far as our head of law enforcement relationship management is an ex-Scotland Yard detective of 30 years' standing! On the plus side, however, his role is, as Garreth says, to go out and train the police, and also trading standards, as to how they can work with eBay and with PayPal to deal with the problem. I think that we are very conscious that there are only limited resources available to the police. Clearly it is a matter for the Home Office and the police to determine national policing priorities. Perhaps one thing we would urge is that, when they are deciding their priorities, they take into account the threshold issue and, in assessing harm, focus on the high-volume but low individual loss cases. So if they have a clearer sense of the overall picture and therefore of the overall harm that is being created by phishing attacks, that may possibly input into some of the national policing priorities.

  Q606  Lord Howie of Troon: Thinking about this threshold you keep talking about, is there a national threshold or is the threshold invented by each particular police station?

  Mr Griffith: I would say that different police stations have different thresholds. I cannot give you a number. I have not encountered it as, "Oh, there's the cross-over", but it does seem to be on a case-by-case or station-by-station basis. So I imagine that it is depending upon their resources.

  Q607  Lord Howie of Troon: Does it vary quite widely?

  Mr Griffith: Again, I am not sure. I would say that it probably does not vary a lot.

  Q608  Earl of Erroll: On this aggregation of cases and threshold, you are telling us that it is too small—say £500, £1,000, whatever it is—to report to the local station, and hoping they will come back to you. Could you not aggregate all these cases, work out if there is a single person behind it, then present the entire dossier and then, at that point, say who had been defrauded?

  Mr Barrett: We do it. We precisely operate that way.

  Q609  Earl of Erroll: I just wanted to clarify that that is what you can do.

  Mr Griffith: We do that. It is in cases where maybe we have not done it on that particular criminal perpetrator, or whatever it is—but we do that, yes.

  Q610  Lord Harris of Haringey: Can I switch to spam? Do you think UK laws on spam are fit for purpose—to use a popular phrase?

  Mr McGowan: I know that there have been issues raised about the investigation powers of the Information Commissioner and issues to do with the appeals process for the Information Commissioner. I know others have commented in the past that there are issues about penalties with the UK spam laws. I would come back to my earlier point that enforcement of the law matters too, and if other jurisdictions have weak spam laws then, ultimately, people will migrate to those jurisdictions. So I think that one has to look at it on an international basis as well as a national basis. I do not know if Jeremy wants to comment further.

  Mr Beale: I would agree, but I do not think that there are any more laws or legal powers; it is the actual getting the ability to implement those. As I understand from the Information Commissioner, they are not calling for any more formal powers under the law; they are just asking to be given explicitly the ability to do what they have been asked to do. The prosecutions for spam in this country—or the lack of, compared to some other countries that operate under the same European directive, where there have been more prosecutions—indicates that there is something of an issue here.

  Q611  Lord Harris of Haringey: Specifically in your CBI evidence you make the point about the notice being suspended if somebody commences an appeal. Is that derived from the EU directive itself or is that a UK variant?

  Mr Beale: I am not a lawyer, so I have an inability to be able to say specifically the fault in that, but we understood that the DTI would be able to enable the Commissioner to get greater capabilities in that regard. We also understood, I think it was last summer, that they had started a review of this; but we have heard nothing further.

  Q612  Lord Harris of Haringey: But the CBI would in principle be happy with the idea that enforcement action should not be suspended if somebody lodges an appeal—because clearly that could have ramifications in all sorts of other areas.

  Mr Beale: This is where the lawyers come in, because it depends on the nature. If it is clearly spam, then definitely; but there are cases of "Is it spam? Is it not?", which is where at the moment the Commissioner cannot do anything—and that does not seem to be right. The reason—and I am not just trying to split hairs with you here—is that we think an effective mechanism that everyone understands would be better than one where everyone is clearly fairly dissatisfied with it. We are not greatly in favour of onerous powers of inspection or the ability of the Information Commissioner to arbitrarily close down websites, or anything like that—or at all, of course. However, we are also saying that at the moment there is a situation in the UK where there is a lot of frustration with the situation over spam, and so it would be helpful if there was more clarity to enforce the law.

  Q613  Lord Harris of Haringey: Mr McGowan is clearly itching to say something!

  Mr McGowan: I know that there have also been issues around whether it should apply to business email accounts, and there has been some frustration there in the past. Although phishing is just one subset of spam, and there is another part of spam which is just nuisance and clogs up people's in-boxes, but to tackle the phishing part—which generates fraud and creates damage—there the Fraud Act will help, because that creates a new offence of "fraud by misrepresentation"; but that still comes back to the point about enforcement. It is important to think too about technological solutions and how you keep it simple for the end-user. We have on eBay a system called "My Messages", which is essentially a web-based, dedicated, personalised in-box which somebody has. We therefore have a simple message which we can give to our users that if a message is in "My Messages", i.e. their in-box that they have on eBay, then they can be sure that it is from eBay. If it is not, then they cannot be sure. That keeps it simple for people. Mike may want to talk about the safety bar that has been introduced by PayPal, which directs spam messages to people's spam folders.

  Mr Barrett: There was some talk a couple of years ago that digitally signing emails was going to be the ultimate solution to spam and that, after that occurred, the problem would largely be solved. Unfortunately, what occurred then was the predictable IT industry standards fight, with various factions disagreeing with each other as to what the technology should look like. Those standards, because there were multiple of them, did not go anywhere. Subsequently, what PayPal and eBay have done is that we are now in a position where we are 100% signing all of our outbound email—which does not sound terribly interesting, except that what it then allows us to do is to work with the top half-dozen ISPs. If you look at the distribution of email addresses across ISPs, it is one of the classic, very long-tailed curves; but the first six ISPs, which are all of the ones you would expect—like Yahoo, MSN, Hotmail, Gmail, and so on—represent 50% of the email addresses on the planet. So what we are trying to do is to work with those ISPs and get them to drop anything that says it comes from PayPal or eBay but in fact is not properly signed. That will start to have impact before the end of this year, as we work with those ISPs.

  Q614  Lord Harris of Haringey: At one stage business lobbied for exemptions for unsolicited business-to-business email. Is that still the position of business, or do you no longer feel that is appropriate?

  Mr Beale: We have not formulated a specific position there. I can describe the broad situation. We get a lot of businesses complaining about the amount of unsolicited emails they get. Some of them have even gone so far as to say they are going to deny their staff email, so that they will not be distracted by this; they will not clog up their services, et cetera—which is an unfortunate situation, obviously. On the other hand, there is amongst businesses, compared to individuals, a greater desire to be able to be informed about what potential suppliers may be able to offer them and to know about what is going on in the market. So I do not think it is an either/or situation. It is certainly a lot more ambiguous than in relation to unsolicited emails to individuals.

  Q615  Lord Harris of Haringey: There have been various examples of reputable companies farming out email marketing campaigns to other, perhaps less reputable, companies who, in turn, send email spam to individuals who have never asked to receive it. I think that Sainsbury's mobiles and Virgin wines have been caught out, and there are reports of T-Mobile using a quite unsuitable list of email addresses which was bought off eBay for £20. Do you see this being a problem that can be stamped out—and, if so, how?

  Mr McGowan: I do not know the specific case you are referring to in respect of eBay, although it sounds like the sort of listing which we would probably end. We are pretty clear in our privacy policy that we do not share or rent or sell personally identifiable information to third parties for their marketing purposes without members' explicit consent.

  Q616  Lord Harris of Haringey: If somebody advertised something on eBay saying, "We've got some good address lists for sale", you would not allow that?

  Mr Griffith: No, we would not allow that. We would take it down.

  Q617  Lord Harris of Haringey: More generally, do you think there are things that would enable the problem of this being farmed out to less reputable companies, who then do things that perhaps are deniable by the main company?

  Mr Beale: In general, I think that good, reputable companies try to, and should, develop codes of conduct internally for how they deal with data. They obviously have requirements in terms of how they deal with personal data but, more general data, they would and should develop those according to their own individual business situations. I think it would be very hard—if this is where you are trying to get—to formulate a law saying how they should handle general data that they hold in relation to their suppliers. You might end up actually restricting the operations of supply chains.

  Mr Barrett: Perhaps I may answer a slightly different question from the one you in fact asked. I was talking with Bruce this morning about spam generally, and I confess that I get slightly irritated when people say that spam is an unsolvable problem. Personally speaking, I have had the same email address for nearly a decade and, when I have my spam filter switched on properly, I see essentially no spam. I get probably one piece a week or something of that nature, and I get a perfectly acceptable false-positive rate where something gets mis-categorised as spam. You can always argue, "Yes, that's an arms race", and so on—and, yes, it is. On the other hand, the difficulty we are dealing with is the fact that those technologies have by and large not been put in front of consumers. The obvious piece of the overall ecosystem that represents the Internet that could do that are the ISPs. One of the questions is why have not the ISPs done more to protect their consumers?

  Lord Harris of Haringey: Not the question I asked, but an interesting answer!

  Q618  Lord Howie of Troon: Is there any difference between buying and selling email addresses and buying and selling ordinary postal addresses, which has been going on for many years? Membership lists and things.

  Mr Griffith: I suppose no. It seems to me that I do not want my address being sold out there, if I am not willing to be contacted at that address. That is the difficult challenge. People are talking about "offline spam", which is that stuff that makes its way through our door. In most cases it does not have my address on it. It is just someone walking round the street, sticking them in the boxes—which is slightly different, I suppose, to the challenge on the Internet. If you give out that email address, that is my way into your door. So it is slightly different. I am not sure of the right answer to that question.

  Q619  Lord Howie of Troon: It is an answer anyway.

  Mr Beale: I am not quite sure where this is going, because there are obviously legal restrictions on what companies can sell to other companies in terms of personal data about individuals. That is under the—what is it called?




© Parliamentary copyright 2007