Examination of Witnesses (Questions 600
WEDNESDAY 21 FEBRUARY 2007
Q600 Lord O'Neill of Clackmannan:
Mr Barrett, you have made the point several times that it is 41
basis points. Is that a figure which has been changing, given
Mr Barrett: It does move. I have only been with
PayPal just over nine months myself, so I am not sure I could
tell you with any great accuracy the long-term historical trend
line. To a very large extent it is driven by the effectiveness
of our back-end fraud control models. What will happen typically
is, if there is some kind of temporary spike in fraud, then we
will tune the fraud protection models and that will drive it back
down again. As far as I know -- but, as I say, I do not have
enough longevity with the company to tell -- it does just bump
around in a certain range.
Q601 Lord O'Neill of Clackmannan:
This is for anyone who wants to answer. Are the police able and
willing to investigate fraud or other criminal activity online?
What has been your experience of dealing with the police in these
Mr Beale: I can speak generally, but maybe others
have direct experience.
Mr Griffith: We work very closely with the police.
We have two distinct groups within our trust and safety teams:
our law enforcement relationship management team and our fraud
investigation team. One is more proactive. We are basically reaching
out to law enforcement and helping them to understand the issues
on the Internet, for example, and over the last couple of years
we have trained 3,500 police officers. We either go out to them
or they come to us. About 100 at a time come to us, either in
Dublin or in Richmond, and we go through a training process. We
find that the willingness at a personal level is there. When you
speak to a police officer, they are dying to be there, to help
out the people in their community, et cetera, and investigate.
Their challenges often are the tools that are made available to
them and the priorities that have been set for them. We find them
being quite frustrated, especially at the local level. In a local
police station, for example, some of them are not able to access
the Internet. When someone comes in and says, "I got this
item on eBay. I'd like you to take a look at it", they cannot
actually go and take a look at it. There are some fundamental
things like that which cause a real challenge for police officers,
and I hear a lot about that. One thing, which is maybe one step
higher, is that I have found the priorities are generally around
higher-value issues. What happens on eBay tends to be lower-value,
higher-volume types of things. When we try to get police engaged,
sometimes they say, "Look, we'd love to help you. If it is
not over 'x' threshold" -- thousands of pounds, or whatever
it is -- "we can't help you". The other thing is that,
if it is a criminal issue -- we are not a criminal agency and
obviously we cannot take action against people -- we do have
a very streamlined process, where we work with law enforcement
if they come to us. We ask our community of users to go to their
local police stations, get them to contact us -- and we give
them numbers, email addresses and everything they need to contact
us -- and then we can work with the police. What we find is
the users coming back to us, saying, "They're not interested".
It is only a £500 laptop, or whatever the issue might be.
So I think that we see frustration on both sides. We see law enforcement
being frustrated because they want to engage, but either they
cannot technically or prioritisation-wise, and we see users saying,
"We're trying to knock on their door and get them to listen,
but they can't help".
Q602 Lord O'Neill of Clackmannan:
Do you monitor this across countries? Obviously you are an international
organisation. What is the experience, let us say, within the EU?
How does the UK stand up to comparison with other police forces
in other jurisdictions?
Mr Griffith: In my experience I would say that
it varies by different countries. There does seem to be a general
issue around scale. The issues we see here seem to be very similar
across Europe. I would say that in many of the countries it is
probably an even more significant challenge for law enforcement.
That being said, when you do have something of scale that crosses
the threshold into a number volume or a monetary volume that is
relevant, we have great working relationships. Someone mentioned
earlier about the spoof, the phishing guys. A lot of our challenge
comes out of Romania actually, out of Eastern Europe, and we were
recently involved in an arrest of five people in an Internet café,
where us and the United States' secret service went in with local
law enforcement and managed to catch these guys sending out millions
and millions of emails. So when you are talking in big-scale volumes,
you start to get some help; when you are talking at the lower
levels, which most of our users encounter, it is a bit difficult.
Mr Barrett: Perhaps I could add to that. Definitely
on a global level the threshold problem is a serious one. You
will often find a case where it may be that the threshold is,
say, $50,000 or something of that nature before you can get a
prosecutor interested in a case. So, as we compensate our consumers
who have been victimised, we are running the meter up and slowly
building up a dossier on some particular individual, until such
time as, "Aha, we are now over the threshold!". But
if it was 50, and it is in some cases, and we first found out
about this guy when he had stolen just $1,000, that is 49 more
cases at $1,000 each before we can get him arrested. So I think
you can argue that the threshold problem is causing the public
Mr Beale: We have quite a few reports from members
that they feel that the technical competence of the police nationally,
across the board, is not as high as they would like and need to
deal with these. Centrally that expertise might exist, but in
a number of local forces it does not exist, and that is obviously
where the problem lies, because that is where people are meant
to report at the moment.
Q603 Lord O'Neill of Clackmannan:
That would be the reason why your evidence suggests that a number
of your member companies are reluctant to report cases to the
police, or is it a recognition of the threshold issue as well?
Mr Beale: It is both, and it is reputational
too: that they do not always want to advertise when they have
had a problem, I should add. It goes back to the point about resources.
The police obviously have limited resources to develop this expertise.
There is a limited supply of people with these capabilities, and
it is a general problem that not enough people are coming out
of universities with IT skills. I do not think that information
security is yet a required part of getting an IT qualification.
I may be incorrect about that, but a lot of effort has not yet
been put into developing this capability nationally.
Q604 Lord O'Neill of Clackmannan:
Do you think that the activities which are considered criminal
are covered by the law, and therefore people would be willing
to report to the police in order that action could be taken? Do
you think that the law is clear enough in its definition of what
is criminal in relation to e-theft?
Mr McGowan: I think certainly the new Fraud
Act will help. The Computer Misuse Act amendments which went through
the Police and Justice Act will also help. Again, it ultimately
boils down to enforcement. Also, there is a broader issue here
in terms of how you tackle this on a cross-jurisdictional basis.
Ultimately, the legal framework is only as strong as the weakest
link in the chain. So if others' jurisdictions have weaker protections
in place, then you will simply see organised gangs migrating to
those jurisdictions. There has to be international co-operation
at a governmental level in that sense.
Q605 Lord O'Neill of Clackmannan:
One last question on the issue of the quality of policing. We
have had evidence which suggests that, once the police have become
good at detecting, you guys recruit them as security officers!
Apart from that side of the equation, could you put a figure on
what you would consider to be a reasonable amount of money or
resource that the police should be putting on to this issue? Are
you happy that they have enough people involved in it? It would
appear that in some areas you say that there is not. I am not
asking you to pluck a figure out of the air, but do you have any
idea of how much more could be done by the police to encourage
Mr McGowan: I think it is very hard to put a
precise figure on it. To pick up your point about recruiting ex-policemen,
we plead guilty in that respect, in so far as our head of law
enforcement relationship management is an ex-Scotland Yard detective
of 30 years' standing! On the plus side, however, his role is,
as Garreth says, to go out and train the police, and also trading
standards, as to how they can work with eBay and with PayPal to
deal with the problem. I think that we are very conscious that
there are only limited resources available to the police. Clearly
it is a matter for the Home Office and the police to determine
national policing priorities. Perhaps one thing we would urge
is that, when they are deciding their priorities, they take into
account the threshold issue and, in assessing harm, focus on the
high-volume but low individual loss cases. So if they have a clearer
sense of the overall picture and therefore of the overall harm
that is being created by phishing attacks, that may possibly input
into some of the national policing priorities.
Q606 Lord Howie of Troon:
Thinking about this threshold you keep talking about, is there
a national threshold or is the threshold invented by each particular
Mr Griffith: I would say that different police
stations have different thresholds. I cannot give you a number.
I have not encountered it as, "Oh, there's the cross-over",
but it does seem to be on a case-by-case or station-by-station
basis. So I imagine that it is depending upon their resources.
Q607 Lord Howie of Troon:
Does it vary quite widely?
Mr Griffith: Again, I am not sure. I would say
that it probably does not vary a lot.
Q608 Earl of Erroll:
On this aggregation of cases and threshold, you are telling us
that it is too small -- say £500, £1,000, whatever
it is -- to report to the local station, and hoping they will
come back to you. Could you not aggregate all these cases, work
out if there is a single person behind it, then present the entire
dossier and then, at that point, say who had been defrauded?
Mr Barrett: We do it. We precisely operate that
Q609 Earl of Erroll:
I just wanted to clarify that that is what you can do.
Mr Griffith: We do that. It is in cases where
maybe we have not done it on that particular criminal perpetrator,
or whatever it is -- but we do that, yes.
Q610 Lord Harris of Haringey:
Can I switch to spam? Do you think UK laws on spam are fit for
purpose -- to use a popular phrase?
Mr McGowan: I know that there have been issues
raised about the investigation powers of the Information Commissioner
and issues to do with the appeals process for the Information
Commissioner. I know others have commented in the past that there
are issues about penalties with the UK spam laws. I would come
back to my earlier point that enforcement of the law matters too,
and if other jurisdictions have weak spam laws then, ultimately,
people will migrate to those jurisdictions. So I think that one
has to look at it on an international basis as well as a national
basis. I do not know if Jeremy wants to comment further.
Mr Beale: I would agree, but I do not think
that there are any more laws or legal powers; it is the actual
getting the ability to implement those. As I understand from the
Information Commissioner, they are not calling for any more formal
powers under the law; they are just asking to be given explicitly
the ability to do what they have been asked to do. The prosecutions
for spam in this country -- or the lack of, compared to some
other countries that operate under the same European directive,
where there have been more prosecutions -- indicates that there
is something of an issue here.
Q611 Lord Harris of Haringey:
Specifically in your CBI evidence you make the point about the
notice being suspended if somebody commences an appeal. Is that
derived from the EU directive itself or is that a UK variant?
Mr Beale: I am not a lawyer, so I have an inability
to be able to say specifically the fault in that, but we understood
that the DTI would be able to enable the Commissioner to get greater
capabilities in that regard. We also understood, I think it was
last summer, that they had started a review of this; but we have
heard nothing further.
Q612 Lord Harris of Haringey:
But the CBI would in principle be happy with the idea that enforcement
action should not be suspended if somebody lodges an appeal -- because
clearly that could have ramifications in all sorts of other areas.
Mr Beale: This is where the lawyers come in,
because it depends on the nature. If it is clearly spam, then
definitely; but there are cases of "Is it spam? Is it not?",
which is where at the moment the Commissioner cannot do anything -- and
that does not seem to be right. The reason -- and I am not
just trying to split hairs with you here -- is that we think
an effective mechanism that everyone understands would be better
than one where everyone is clearly fairly dissatisfied with it.
We are not greatly in favour of onerous powers of inspection or
the ability of the Information Commissioner to arbitrarily close
down websites, or anything like that -- or at all, of course.
However, we are also saying that at the moment there is a situation
in the UK where there is a lot of frustration with the situation
over spam, and so it would be helpful if there was more clarity
to enforce the law.
Q613 Lord Harris of Haringey:
Mr McGowan is clearly itching to say something!
Mr McGowan: I know that there have also been
issues around whether it should apply to business email accounts,
and there has been some frustration there in the past. Although
phishing is just one subset of spam, and there is another part
of spam which is just nuisance and clogs up people's in-boxes,
but to tackle the phishing part -- which generates fraud and
creates damage -- there the Fraud Act will help, because that
creates a new offence of "fraud by misrepresentation";
but that still comes back to the point about enforcement. It is
important to think too about technological solutions and how you
keep it simple for the end-user. We have on eBay a system called
"My Messages", which is essentially a web-based, dedicated,
personalised in-box which somebody has. We therefore have a simple
message which we can give to our users that if a message is in
"My Messages", i.e. their in-box that they have on eBay,
then they can be sure that it is from eBay. If it is not, then
they cannot be sure. That keeps it simple for people. Mike may
want to talk about the safety bar that has been introduced by
PayPal, which directs spam messages to people's spam folders.
Mr Barrett: There was some talk a couple of
years ago that digitally signing emails was going to be the ultimate
solution to spam and that, after that occurred, the problem would
largely be solved. Unfortunately, what occurred then was the predictable
IT industry standards fight, with various factions disagreeing
with each other as to what the technology should look like. Those
standards, because there were multiple of them, did not go anywhere.
Subsequently, what PayPal and eBay have done is that we are now
in a position where we are 100% signing all of our outbound email -- which
does not sound terribly interesting, except that what it then
allows us to do is to work with the top half-dozen ISPs. If you
look at the distribution of email addresses across ISPs, it is
one of the classic, very long-tailed curves; but the first six
ISPs, which are all of the ones you would expect -- like Yahoo,
MSN, Hotmail, Gmail, and so on -- represent 50% of the email
addresses on the planet. So what we are trying to do is to work
with those ISPs and get them to drop anything that says it comes
from PayPal or eBay but in fact is not properly signed. That will
start to have impact before the end of this year, as we work with
Q614 Lord Harris of Haringey:
At one stage business lobbied for exemptions for unsolicited business-to-business
email. Is that still the position of business, or do you no longer
feel that is appropriate?
Mr Beale: We have not formulated a specific
position there. I can describe the broad situation. We get a lot
of businesses complaining about the amount of unsolicited emails
they get. Some of them have even gone so far as to say they are
going to deny their staff email, so that they will not be distracted
by this; they will not clog up their services, et cetera -- which
is an unfortunate situation, obviously. On the other hand, there
is amongst businesses, compared to individuals, a greater desire
to be able to be informed about what potential suppliers may be
able to offer them and to know about what is going on in the market.
So I do not think it is an either/or situation. It is certainly
a lot more ambiguous than in relation to unsolicited emails to
Q615 Lord Harris of Haringey:
There have been various examples of reputable companies farming
out email marketing campaigns to other, perhaps less reputable,
companies who, in turn, send email spam to individuals who have
never asked to receive it. I think that Sainsbury's mobiles and
Virgin wines have been caught out, and there are reports of T-Mobile
using a quite unsuitable list of email addresses which was bought
off eBay for £20. Do you see this being a problem that can
be stamped out -- and, if so, how?
Mr McGowan: I do not know the specific case
you are referring to in respect of eBay, although it sounds like
the sort of listing which we would probably end. We are pretty
personally identifiable information to third parties for their
marketing purposes without members' explicit consent.
Q616 Lord Harris of Haringey:
If somebody advertised something on eBay saying, "We've got
some good address lists for sale", you would not allow that?
Mr Griffith: No, we would not allow that. We
would take it down.
Q617 Lord Harris of Haringey:
More generally, do you think there are things that would enable
the problem of this being farmed out to less reputable companies,
who then do things that perhaps are deniable by the main company?
Mr Beale: In general, I think that good, reputable
companies try to, and should, develop codes of conduct internally
for how they deal with data. They obviously have requirements
in terms of how they deal with personal data but, more general
data, they would and should develop those according to their own
individual business situations. I think it would be very hard -- if
this is where you are trying to get -- to formulate a law saying
how they should handle general data that they hold in relation
to their suppliers. You might end up actually restricting the
operations of supply chains.
Mr Barrett: Perhaps I may answer a slightly
different question from the one you in fact asked. I was talking
with Bruce this morning about spam generally, and I confess that
I get slightly irritated when people say that spam is an unsolvable
problem. Personally speaking, I have had the same email address
for nearly a decade and, when I have my spam filter switched on
properly, I see essentially no spam. I get probably one piece
a week or something of that nature, and I get a perfectly acceptable
false-positive rate where something gets mis-categorised as spam.
You can always argue, "Yes, that's an arms race", and
so on -- and, yes, it is. On the other hand, the difficulty
we are dealing with is the fact that those technologies have by
and large not been put in front of consumers. The obvious piece
of the overall ecosystem that represents the Internet that could
do that are the ISPs. One of the questions is why have not the
ISPs done more to protect their consumers?
Lord Harris of Haringey: Not the question I
asked, but an interesting answer!
Q618 Lord Howie of Troon:
Is there any difference between buying and selling email addresses
and buying and selling ordinary postal addresses, which has been
going on for many years? Membership lists and things.
Mr Griffith: I suppose no. It seems to me that
I do not want my address being sold out there, if I am not willing
to be contacted at that address. That is the difficult challenge.
People are talking about "offline spam", which is that
stuff that makes its way through our door. In most cases it does
not have my address on it. It is just someone walking round the
street, sticking them in the boxes -- which is slightly different,
I suppose, to the challenge on the Internet. If you give out that
email address, that is my way into your door. So it is slightly
different. I am not sure of the right answer to that question.
Q619 Lord Howie of Troon:
It is an answer anyway.
Mr Beale: I am not quite sure where this is
going, because there are obviously legal restrictions on what
companies can sell to other companies in terms of personal data
about individuals. That is under the -- what is it called?