Examination of Witnesses (Questions 620
WEDNESDAY 21 FEBRUARY 2007
Q620 Lord Harris of Haringey:
Data Protection Act.
Mr Beale: Data Protection Act, thank you. A
post code is not individualised.
Q621 Lord Howie of Troon:
Mine is actually.
Mr Beale: It is usually down to about a road,
but it is rarely to one building and one individual within a building.
An email address, of course, very often is to an individual. So
I think that there would be a difference. You can get a general
email account for a company, which would be different. One other
point is that the DTI did initiate internally a review of business-to-business
unsolicited email (which is probably a more useful term than
"spam") to see if there was further regulation
or anything more that needed to be done in this area. Again, I
have not heard if that has been concluded or any outcome that
has come from that.
Q622 Lord Howie of Troon:
It just strikes me that membership lists of learned societies,
and so on, have been bought and sold for years, like postal addresses.
I think that this is a distinction without a difference.
Mr Griffith: I think that it does come to what
Mike has said. The equivalent of the spam filters is having channels
below your post box, through your door. It channels it that way
into your bin, or it channels it that way into your in-box. I
have had an email account with Yahoo for about 15 years and I
get no spam. My spam in-box fills up quickly, but I never go look
at it. My in-box is pretty clean every time. Frankly, with Yahoo
they just turned it on for me, which I have found very helpful.
I can opt out, but they turned it on for me. It is something that
increasingly we need to do as an industry: to be a bit more "parental"
(maybe is not the best word) but guiding our users and maybe
trying to help them out by turning something on for them. Microsoft's
Internet Explorer 7 anti-phishing functionality is actually defaulted
off, which is surprising. You have to turn it on yourself.
I was thankful for Yahoo for turning on my spam filter, and that
is something we can do as a business. It effectively removes the
problem from our users' in-box.
Is this not something, Mr Beale, that you think business should
do? Here we have had two suggestions. Mr Barrett was saying that
ISPs should be required to turn on these sorts of filters, and
perhaps the browser-makers should also be required to have this
as the default setting.
Mr Beale: I understand the desire. I am sure
that there are things that can be done, and I know that there
are things that are being done. These companies are doing things
themselves and some ISPs are doing things. Is it ISPA or Lynx
that has developed a code of conduct too for its members? I also
think that the ISPs cannot solve all the problems. It is sometimes
very hard for them to track where emails are coming from. If it
is a botnet, for instance, they do not know that the person whose
machine it is coming from is the person who has launched the attack.
If they try closing it down or blocking emails from that person,
they might have a legal problem there in terms of their contractual
relations. This is why I was saying that trying to identify a
silver bullet for all problems is not very workable. It is also
why I was saying that it would be useful to develop a dialogue
with the groups that are working on this, to identify what they
can do and are doing. It would be very useful.
Q624 Lord Patel:
Are there companies failing to meet their legal obligations when
doing business online?
Mr Beale: I saw this question. I think we said
they were not necessarily aware of all their legal obligations
Q625 Lord Patel:
Mr Beale: I want to explain why I did not mean
it in quite that weaselly way. Precisely because a lot of the
online activities, as we were just discussing, are actually covered
by existing laws, but do so in new ways, companies may not be
aware. I am really thinking of SMEs here. They might not have
the expertise to know how a fraud is committed online, such that
they need to develop a specific risk management strategy for dealing
with that. Also, a lot of them that we hear about feel there is
a problem out there. They are very aware, they read in the press
lots of reports, and they are afraid of getting into difficulties;
but, again, they do not know exactly what they need to do.
Q626 Lord Patel:
Are you saying that there are companies who do not know their
legal obligations when doing business?
Mr Beale: In relation to e-crime, yes.
Q627 Lord Patel:
So what does the CBI do to inform them?
Mr Beale: We have done a number of things. We
have ongoing activities in this area with our members. We launched (as
we cited in our evidence that we submitted) a guide for SMEs
and their supply chain partners, because obviously in some respects
it might not be you that is doing something wrong but a partner
that you have engaged in business with, which then creates a problem
for you. We did that with DTI and Ernst & Young. Frankly,
we have limited resources, have a limited voice with the business
community, and this is why we say that a much larger-scale, higher-profile
campaign led by the Government would help in this regard, so that
they were hearing about the problems; they were being informed
about where expertise that could help them lay; and where there
was increasing devotion of resources to the development of that
expertise. I think that could help turn round the problem quite
significantly with the broad mass of businesses in this country.
Q628 Lord Patel:
You do not think some high-profile prosecutions might bring it
Mr Beale: I was interested in that question.
It would certainly momentarily raise some interest, and everyone
would probably think, "Oi! I hope that isn't going to happen
to me. I had better have a look". Just to take (without
in any way wanting to pick on them) Nationwide, which is
pretty high profile, they did get hit with a significant fine
in this regard. I will point out that Nationwide is in an area
that is already heavily regulated; where there are many rules
in place; where in many respects they are probably a very knowledgeable
company; and if even they have a problem, you can imagine what
it is like for companies who do not have those resources.
Q629 Lord Patel:
That was about losing their information. It was not necessarily
not fulfilling their legal obligation when doing business.
Mr Beale: I was reading the FSA's report on
the case on the way over here, just to make sure I was familiar
with it. As I understand it, Nationwide was found not to have
complied with the principles laid down by the FSA. What I am saying
is that we have had a pretty big case there, where the company, despite
its best intentions, despite being in a very heavily regulated
area, still managed not to do all that it needed to and,
once it found out, did do it. However, I do not think that will
change the massive problem that we face, which is that many, many
companies do not have the ability to know what to do.
Q630 Lord Patel:
So you would agree that the CBI calling for more education at
a regional level is not going to achieve much?
Mr Beale: This is why I have said a national
campaign is really what is required, but that would be very much
in the regions, because that is where a lot of the SMEs, and certainly
a lot of our smaller members, tend to be located. That is also
where, as we were talking about earlier, there is this
variable quality in terms of the provision of the ability of the
police forces to follow up.
Q631 Lord Patel:
Who should lead the national campaign?
Mr Beale: As I said, I think that it should
be a Government-led campaign, by which I mean that the Government
should take a lead role; but it should be one that is done in
close co-operation and co-ordination with those private sector
groups that have expertise and knowledge and that are active in
this area. It really can only come through a partnership of business
and government; but if the Government at the highest level did
lead this, it would be helpful in that regard. I should also say
that I think there is an opportunity here. The Conservative Party
has called for the creation of a homeland security agency, along
the lines that exists in the United States. The Chancellor has
called for a national security strategy to deal with the threats,
including online threats, that the UK faces. We would see a national
information security strategy as one part of that. If it could
be explicitly defined as such, that would help it. Precisely because
information security is often seen as part of the problem for
companies, it is seen as a technical issue (a techie issue
for the geeks) when in many respects it is actually part
of an overall security strategy that companies have, and it is
the same for the UK as a whole. It needs to be seen not as somehow
separate from security in general but as an essential part of
Q632 Earl of Erroll:
I just want to clarify a couple of things. I know that we talked
about the phishing problem earlier, but there are a couple of points
on top of that. At the moment, the banks refund phishing losses.
Do you do the same?
Mr Barrett: Yes, we do.
Mr Griffith: For consumers, absolutely we do.
Q633 Earl of Erroll:
You have been talking about issuing a low-cost security token.
That will protect against password-stealing attacks okay, but
it will not protect against some of the man-in-the-middle attacks.
Do you think that you could be leading people into a false sense
of security? Earlier, I referred to the two channels for authentication
of who is using a mobile.
Mr Barrett: By an odd coincidence, I actually
brought mine. You can look at it later, if you like. It just displays
a rolling six-digit PIN that changes every 30 seconds. The answer
is that while these kinds of one-time password tokens do not directly
themselves defend against man-in-the-middle attacks, there are
other technical measures that can be employed. While we get a
bit twitchy about saying too much about that in public, because
we do not want to tip the bad guys off as to the kinds of ways
that we can detect it, none the less they are fairly readily detectable,
because of things like association with accounts to IP addresses
and to machines. Essentially, a machine that has never had any
activity before will suddenly see a whole spike of potential log-on
attempts, and that is radically different from the pattern of
behaviour that is normally associated with that user, who often
will only use two or three machines themselves. So you can do
a great deal on back-end fraud models. While no technological
solution is perfect, I think that man-in-the-middle has been overstated
as a reason not to be attempting these kinds of things.
Q634 Earl of Erroll:
Do you think that we should be looking at authenticating higher-value
transactions over a mobile telephone link back, or something like
Mr Barrett: It is certainly one option and it
is one that we have been discussing within PayPal. The difficulty
is that it works very effectively when it works, but it is what
happens when it fails. With a consumer who attempts to perform
some transaction and then cannot because their phone battery is
dead, you do realistically need to provide legitimate alternatives
to them. Those are precisely the situations where the criminal
elements will then try to create and exploit those channels; so
what you are doing is potentially just moving the fraud around.
Q635 Lord Mitchell:
In 2004 Which? claimed that there were 200 fraudulent auctions
a day on eBay. I guess two years ago is almost Stone Age territory,
is it not? The British Museum complained about items stolen from
archaeological digs and the Federation Against Software Theft
were concerned about pirated CDs and DVDs. An awful lot more people
use your services now, and I wondered if things had improved.
Mr Griffith: Generally, across the board over
the years, we are constantly improving our security operations.
Specific to some of the areas you are talking about, we have a
program called a VERO programme
Q636 Lord Mitchell:
Called ... ?
Mr Griffith: VERO. It stands for Verified Rights
Owners. We have more than 18,000 brands and rights owners who
are part of that programme. We basically provide tools which facilitate
their reporting items that they find on our site that violate
any kind of intellectual property that they own. The tools we
provide make it very simple for them to do that, but the challenge
we have is that having 105 million items on the site at any one
time is just volume, and the ability to have the expertise to
know what each one of those is. We do provide those tools and
we rely on the rights owners to get back to us. As soon as they
let us know or notify us of any copyright infringement, we remove
it from the site. That is a process that is working very well.
We have had that for a few years. We meet with not so much FAST
but FACT, Federation Against Copyright Theft. It is a group we
meet with frequently and we work in partnership with them. They
help us identify different kinds of filtering technologies that
might help us catch things before they get on to the website,
as well as us helping to improve their reporting technology, which
helps us to get things down as soon as they let us know. The agreement
we have with the British Museum is very similar to that. There
is basically a triangular agreement between us, the British Museum
and law enforcement whereby, as soon as anything is not verified
to the extent that they believe is right or they do not believe
it is legitimate or authentic, they let law enforcement and us
know. We take it down and law enforcement go and do their bit: basically,
knock on doors. So it works quite effectively.
The evidence that eBay submitted to us pointed out that the company
was an online marketplace rather than an auction house and it
was not a retailer. Given that eBay is a unique phenomenon, which
could exist nowhere else but online, what sort of regulatory framework
for the company's activities would you regard as appropriate?
Do we need new regulatory systems tailor-made for online trade?
Mr McGowan: Perhaps I could answer that. The
first point I would make is that eBay is a company and the sellers
who trade on eBay are subject already to all manner of regulation.
Just before we came here, I was trying to jot down, off the top
of my head, a list of the various regulations which apply. The
examples I would cite are the eCommerce Directive, the Distance
Selling Directive, the Data Protection Directive, the ePrivacy
Directive, the Sale of Goods Act, the Price Indications Regulations,
the Trade Descriptions Act, the Unfair Commercial Practices Directive, which
will come in later this year. I am not an expert on PayPal regulation,
but I know they are subject to all sorts of financial regulation,
such as the eMoney Directive and various bits of regulation from
the FSA. The other thing to factor into this of course is that
we have, as Garreth said, at any given time 100 million items
live to site and 50,000 different categories. You have all manner
of regulation and legislation which applies to the sale or resale
of those items. So I think that I would start from the premise
that there is a huge amount of regulation out there. One of the
general myths there is with the Internet is that it is a bit of
a Wild-West, unregulated sphere. The reality is that, in general (and
there are some exceptions to this), if it is illegal offline,
it is also illegal online.
There are cases where an auction on eBay seems to be visible to
other people, and the people who do not win something get an email
from somebody else saying, "You bid this and didn't win.
However, I have another one". As far as I can see, that is
completely fraudulent. Have you been able to stop that activity?
Mr McGowan: I might ask Garreth to say a word
or two about that, but this is an area where we have been, with
our safeguarding members' ID (an initiative which we have
just recently launched) taking steps to anonymise the bidding
IDs which are there for high-value items.
Mr Griffith: First of all, we have a legitimate
functionality on the site which we call "second chance offer",
which is used vastly by goods sellers on the site as a way to
cross-sell and up-sell merchandise to bidders who did not win
the auction but who might want to pay a little bit less for something.
The vast majority of the use of that functionality is perfectly
legitimate. It is actually the crossover between the spoof and
the phishing that we have talked about already and this functionality,
where the fraudsters, if you will, are sending out these emails (often
just on a chance that you might be interested) saying, "I
have this laptop. I realise you didn't win it. I'll give it to
you for £100 if you pay with Western Union". Actually,
it is not happening on the website; it is completely separate.
It is basically an email that looks just like one of ours; you
just copy the HTML and you send it through. Most of our buyers
are not aware of the functionality, so they think, "That's
good marketing. We'll take you up on that". This is where
all of what we said before, our anti-spoof tools and technologies
that we have, kick in; when we say, "Check your 'My Messages',
for example, and if you get a legitimate second-chance offer it
is in your 'My Messages'. Forward the email to spoof@eBay.com
if you want to double-check. You will get something back telling
you whether it was legitimate or not". So all those same
tools apply. Also we have banned, for example, Western Union or
instant money transfer mechanisms on eBay as payment mechanisms.
We have worked with Scotland Yard to help us enforce that. Our
messaging all the time is "Do not use these mechanisms".
We have it right before you bid, and when you are about to pay.
There is clear messaging in emails and on the site saying, "Do
not use these mechanisms".
Q639 Lord Harris of Haringey:
Are you going to say that "eBay never will email you directly"
or that no one you sanction will ever email you directly?
Mr Griffith: We would not say, "We don't
email you directly" because we do. We do send transaction
emails saying, "You have bid on something" or "You
have won something". What we do is, at the same time we email
it into your in-box we email it into your "My Messages"
area on eBay. What we always say is, "If you have any doubt,
either forward it to spoof@eBay.com or double-check in 'My Messages'".
The other thing we do is that we greet you by your name. We greet
you by your user name and match it to your email address. Fraudsters
cannot do that, because they do not have both. They either have
one or the other or just your email. Again, that is one more cog
in the multiple, easy checks that you can do to recognise the