Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 620 - 639)

WEDNESDAY 21 FEBRUARY 2007

MR GARRETH GRIFFITH, MR ALASDAIR MCGOWAN, MR MICHAEL BARRETT AND MR JEREMY BEALE

  Q620  Lord Harris of Haringey: Data Protection Act.

  Mr Beale: Data Protection Act, thank you. A post code is not individualised.

  Q621  Lord Howie of Troon: Mine is actually.

  Mr Beale: It is usually down to about a road, but it is rarely to one building and one individual within a building. An email address, of course, very often is to an individual. So I think that there would be a difference. You can get a general email account for a company, which would be different. One other point is that the DTI did initiate internally a review of business-to-business unsolicited email—which is probably a more useful term than "spam"—to see if there was further regulation or anything more that needed to be done in this area. Again, I have not heard if that has been concluded or any outcome that has come from that.

  Q622  Lord Howie of Troon: It just strikes me that membership lists of learned societies, and so on, have been bought and sold for years, like postal addresses. I think that this is a distinction without a difference.

  Mr Griffith: I think that it does come to what Mike has said. The equivalent of the spam filters is having channels below your post box, through your door. It channels it that way into your bin, or it channels it that way into your in-box. I have had an email account with Yahoo for about 15 years and I get no spam. My spam in-box fills up quickly, but I never go look at it. My in-box is pretty clean every time. Frankly, with Yahoo they just turned it on for me, which I have found very helpful. I can opt out, but they turned it on for me. It is something that increasingly we need to do as an industry: to be a bit more—"parental" maybe is not the best word—but guiding our users and maybe trying to help them out by turning something on for them. Microsoft's Internet Explorer 7 anti-phishing functionality is actually defaulted off—which is surprising. You have to turn it on yourself. I was thankful for Yahoo for turning on my spam filter, and that is something we can do as a business. It effectively removes the problem from our users' in-box.

  Q623  Chairman: Is this not something, Mr Beale, that you think business should do? Here we have had two suggestions. Mr Barrett was saying that ISPs should be required to turn on these sorts of filters, and perhaps the browser-makers should also be required to have this as the default setting.

  Mr Beale: I understand the desire. I am sure that there are things that can be done, and I know that there are things that are being done. These companies are doing things themselves and some ISPs are doing things. Is it ISPA or Lynx that has developed a code of conduct too for its members? I also think that the ISPs cannot solve all the problems. It is sometimes very hard for them to track where emails are coming from. If it is a botnet, for instance, they do not know that the person whose machine it is coming from is the person who has launched the attack. If they try closing it down or blocking emails from that person, they might have a legal problem there in terms of their contractual relations. This is why I was saying that trying to identify a silver bullet for all problems is not very workable. It is also why I was saying that it would be useful to develop a dialogue with the groups that are working on this, to identify what they can do and are doing. It would be very useful.

  Q624  Lord Patel: Are there companies failing to meet their legal obligations when doing business online?

  Mr Beale: I saw this question. I think we said they were not necessarily aware of all their legal obligations.

  Q625  Lord Patel: Weasel words!

  Mr Beale: I want to explain why I did not mean it in quite that weaselly way. Precisely because a lot of the online activities, as we were just discussing, are actually covered by existing laws, but do so in new ways, companies may not be aware. I am really thinking of SMEs here. They might not have the expertise to know how a fraud is committed online, such that they need to develop a specific risk management strategy for dealing with that. Also, a lot of them that we hear about feel there is a problem out there. They are very aware, they read in the press lots of reports, and they are afraid of getting into difficulties; but, again, they do not know exactly what they need to do.

  Q626  Lord Patel: Are you saying that there are companies who do not know their legal obligations when doing business?

  Mr Beale: In relation to e-crime, yes.

  Q627  Lord Patel: So what does the CBI do to inform them?

  Mr Beale: We have done a number of things. We have ongoing activities in this area with our members. We launched—as we cited in our evidence that we submitted—a guide for SMEs and their supply chain partners, because obviously in some respects it might not be you that is doing something wrong but a partner that you have engaged in business with, which then creates a problem for you. We did that with DTI and Ernst & Young. Frankly, we have limited resources, have a limited voice with the business community, and this is why we say that a much larger-scale, higher-profile campaign led by the Government would help in this regard, so that they were hearing about the problems; they were being informed about where expertise that could help them lay; and where there was increasing devotion of resources to the development of that expertise. I think that could help turn round the problem quite significantly with the broad mass of businesses in this country.

  Q628  Lord Patel: You do not think some high-profile prosecutions might bring it about?

  Mr Beale: I was interested in that question. It would certainly momentarily raise some interest, and everyone would probably think, "Oi! I hope that isn't going to happen to me. I had better have a look". Just to take—without in any way wanting to pick on them—Nationwide, which is pretty high profile, they did get hit with a significant fine in this regard. I will point out that Nationwide is in an area that is already heavily regulated; where there are many rules in place; where in many respects they are probably a very knowledgeable company; and if even they have a problem, you can imagine what it is like for companies who do not have those resources.

  Q629  Lord Patel: That was about losing their information. It was not necessarily not fulfilling their legal obligation when doing business.

  Mr Beale: I was reading the FSA's report on the case on the way over here, just to make sure I was familiar with it. As I understand it, Nationwide was found not to have complied with the principles laid down by the FSA. What I am saying is that we have had a pretty big case there, where the company—despite its best intentions, despite being in a very heavily regulated area—still managed not to do all that it needed to and, once it found out, did do it. However, I do not think that will change the massive problem that we face, which is that many, many companies do not have the ability to know what to do.

  Q630  Lord Patel: So you would agree that the CBI calling for more education at a regional level is not going to achieve much?

  Mr Beale: This is why I have said a national campaign is really what is required, but that would be very much in the regions, because that is where a lot of the SMEs, and certainly a lot of our smaller members, tend to be located. That is also where—as we were talking about earlier—there is this variable quality in terms of the provision of the ability of the police forces to follow up.

  Q631  Lord Patel: Who should lead the national campaign?

  Mr Beale: As I said, I think that it should be a Government-led campaign, by which I mean that the Government should take a lead role; but it should be one that is done in close co-operation and co-ordination with those private sector groups that have expertise and knowledge and that are active in this area. It really can only come through a partnership of business and government; but if the Government at the highest level did lead this, it would be helpful in that regard. I should also say that I think there is an opportunity here. The Conservative Party has called for the creation of a homeland security agency, along the lines that exists in the United States. The Chancellor has called for a national security strategy to deal with the threats, including online threats, that the UK faces. We would see a national information security strategy as one part of that. If it could be explicitly defined as such, that would help it. Precisely because information security is often seen as part of the problem for companies, it is seen as a technical issue—a techie issue for the geeks—when in many respects it is actually part of an overall security strategy that companies have, and it is the same for the UK as a whole. It needs to be seen not as somehow separate from security in general but as an essential part of it.

  Q632  Earl of Erroll: I just want to clarify a couple of things. I know that we talked about the phishing problem earlier, but there are a couple points on top of that. At the moment, the banks refund phishing losses. Do you do the same?

  Mr Barrett: Yes, we do.

  Mr Griffith: For consumers, absolutely we do.

  Q633  Earl of Erroll: You have been talking about issuing a low-cost security token. That will protect against password-stealing attacks okay, but it will not protect against some of the man-in-the-middle attacks. Do you think that you could be leading people into a false sense of security? Earlier, I referred to the two channels for authentication of who is using a mobile.

  Mr Barrett: By an odd coincidence, I actually brought mine. You can look at it later, if you like. It just displays a rolling six-digit PIN that changes every 30 seconds. The answer is that while these kinds of one-time password tokens do not directly themselves defend against man-in-the-middle attacks, there are other technical measures that can be employed. While we get a bit twitchy about saying too much about that in public, because we do not want to tip the bad guys off as to the kinds of ways that we can detect it, none the less they are fairly readily detectable, because of things like association with accounts to IP addresses and to machines. Essentially, a machine that has never had any activity before will suddenly see a whole spike of potential log-on attempts, and that is radically different from the pattern of behaviour that is normally associated with that user, who often will only use two or three machines themselves. So you can do a great deal on back-end fraud models. While no technological solution is perfect, I think that man-in-the-middle has been overstated as a reason not to be attempting these kinds of things.

  Q634  Earl of Erroll: Do you think that we should be looking at authenticating higher-value transactions over a mobile telephone link back, or something like that?

  Mr Barrett: It is certainly one option and it is one that we have been discussing within PayPal. The difficulty is that it works very effectively when it works, but it is what happens when it fails. With a consumer who attempts to perform some transaction and then cannot because their phone battery is dead, you do realistically need to provide legitimate alternatives to them. Those are precisely the situations where the criminal elements will then try to create and exploit those channels; so what you are doing is potentially just moving the fraud around.

  Q635  Lord Mitchell: In 2004 Which? claimed that there were 200 fraudulent auctions a day on eBay. I guess two years ago is almost Stone Age territory, is it not? The British Museum complained about items stolen from archaeological digs and the Federation Against Software Theft were concerned about pirated CDs and DVDs. An awful lot more people use your services now, and I wondered if things had improved.

  Mr Griffith: Generally, across the board over the years, we are constantly improving our security operations. Specific to some of the areas you are talking about, we have a programme called the VERO programme—

  Q636  Lord Mitchell: Called ... ?

  Mr Griffith: VERO. It stands for Verified Rights Owners. We have more than 18,000 brands and rights owners who are part of that programme. We basically provide tools which facilitate their reporting items that they find on our site that violate any kind of intellectual property that they own. The tools we provide make it very simple for them to do that, but the challenge we have is that having 105 million items on the site at any one time is just volume, and the ability to have the expertise to know what each one of those is. We do provide those tools and we rely on the rights owners to get back to us. As soon as they let us know or notify us of any copyright infringement, we remove it from the site. That is a process that is working very well. We have had that for a few years. We meet with not so much FAST but FACT, Federation Against Copyright Theft. It is a group we meet with frequently and we work in partnership with them. They help us identify different kinds of filtering technologies that might help us catch things before they get on to the website, as well as us helping to improve their reporting technology, which helps us to get things down as soon as they let us know. The agreement we have with the British Museum is very similar to that. There is basically a triangular agreement between us, the British Museum and law enforcement whereby, as soon as anything is not verified to the extent that they believe is right or they do not believe it is legitimate or authentic, they let law enforcement and us know. We take it down and law enforcement go and do their bit—basically knock on doors. So it works quite effectively.

  Q637  Chairman: The evidence that eBay submitted to us pointed out that the company was an online marketplace rather than an auction house and it was not a retailer. Given that eBay is a unique phenomenon, which could exist nowhere else but online, what sort of regulatory framework for the company's activities would you regard as appropriate? Do we need new regulatory systems tailor-made for online trade?

  Mr McGowan: Perhaps I could answer that. The first point I would make is that eBay is a company and the sellers who trade on eBay are subject already to all manner of regulation. Just before we came here, I was trying to jot down, off the top of my head, a list of the various regulations which apply. The examples I would cite are the eCommerce Directive, the Distance Selling Directive, the Data Protection Directive, the ePrivacy Directive, the Sale of Goods Act, the Price Indications Regulations, the Trade Descriptions Act, the Unfair Commercial Practices Directive—which will come in later this year. I am not an expert on PayPal regulation, but I know they are subject to all sorts of financial regulation, such as the eMoney Directive and various bits of regulation from the FSA. The other thing to factor into this of course is that we have, as Garreth said, at any given time 100 million items live to site and 50,000 different categories. You have all manner of regulation and legislation which applies to the sale or resale of those items. So I think that I would start from the premise that there is a huge amount of regulation out there. One of the general myths there is with the Internet is that it is a bit of a Wild-West, unregulated sphere. The reality is that, in general—and there are some exceptions to this—if it is illegal offline, it is also illegal online.

  Q638  Chairman: There are cases where an auction on eBay seems to be visible to other people, and the people who do not win something get an email from somebody else saying, "You bid this and didn't win. However, I have another one". As far as I can see, that is completely fraudulent. Have you been able to stop that activity?

  Mr McGowan: I might ask Garreth to say a word or two about that, but this is an area where we have been, with our safeguarding members' ID—an initiative which we have just recently launched—taking steps to anonymise the bidding IDs which are there for high-value items.

  Mr Griffith: First of all, we have a legitimate functionality on the site which we call "second chance offer", which is used vastly by goods sellers on the site as a way to cross-sell and up-sell merchandise to bidders who did not win the auction but who might want to pay a little bit less for something. The vast majority of the use of that functionality is perfectly legitimate. It is actually the crossover between the spoof and the phishing that we have talked about already and this functionality, where the fraudsters, if you will, are sending out these emails—often just on a chance that you might be interested—saying, "I have this laptop. I realise you didn't win it. I'll give it to you for £100 if you pay with Western Union". Actually, it is not happening on the website; it is completely separate. It is basically an email that looks just like one of ours; you just copy the HTML and you send it through. Most of our buyers are not aware of the functionality, so they think, "That's good marketing. We'll take you up on that". This is where all of what we said before, our anti-spoof tools and technologies that we have, kick in; when we say, "Check your 'My Messages', for example, and if you get a legitimate second-chance offer it is in your 'My Messages'. Forward the email to spoof@eBay.com if you want to double-check. You will get something back telling you whether it was legitimate or not". So all those same tools apply. Also we have banned, for example, Western Union or instant money transfer mechanisms on eBay as payment mechanisms. We have worked with Scotland Yard to help us enforce that. Our messaging all the time is "Do not use these mechanisms". We have it right before you bid, and when you are about to pay. There is clear messaging in emails and on the site saying, "Do not use these mechanisms".

  Q639  Lord Harris of Haringey: Are you going to say that "eBay never will email you directly" or that no one you sanction will ever email you directly?

  Mr Griffith: We would not say, "We don't email you directly" because we do. We do send transaction emails saying, "You have bid on something" or "You have won something". What we do is, at the same time we email it into your in-box we email it into your "My Messages" area on eBay. What we always say is, "If you have any doubt, either forward it to spoof@eBay.com or double-check in 'My Messages'". The other thing we do is that we greet you by your name. We greet you by your user name and match it to your email address. Fraudsters cannot do that, because they do not have both. They either have one or the other or just your email. Again, that is one more cog in the multiple, easy checks that you can do to recognise the legitimate email.



© Parliamentary copyright 2007