Supplementary letter from Ross Anderson
I owe the committee, as I recall, a few more
pieces of information to supplement the testimony I gave you.
First, I was asked for further details about
the arrangement under which electronic fraud is no longer to be
reported to the police but to the banks, who will then report
onwards to the police (perhaps via APACS) to the extent that they
I had heard of this initially from the West
Mercia force, whom I was helping with an ATM fraud enquiry, and
who were implementing it from January. I now understand that,
according to the Met, the new reporting scheme will come into
effect nationwide on 1 April.
The argument runs that at present if a citizen
discovers a fraudulent entry on their bank statement, and goes
to the local police station to report it, the police may refuse
the report on the grounds that there is as yet no firm evidence
of a loss. The citizen will be advised to talk with their bank,
to confirm that a loss has occurred. Then the police will accept
the report, issue the crime number, and feed it into their statistics
and intelligence databases.
It is argued that this process is inefficient
and tiresome, but could be streamlined by having the report made
to the bank. The bank then collates the reports and passes them
on to the police cheque and plastic card squad, who will investigate
as seems appropriate to them.
One problem is that a fraud victim is often
told by her banks that she must be mistaken, or negligent, or
colluding, and in any case liable. So frauds are not investigated
or even reported properly. At a deeper level, the scheme's incentives
are quite wrongly aligned. The bank has every incentive to deny
claims; and although banks may pay claims that are part of a clear
pattern (as in the Sri Lankan case I referred to), an individual
bank may easily fail to see a pattern, especially when complainants
are stonewalled by the bank's branch staff. I think I referred
to an incident in which a skimmer was placed on a Tesco ATM in
Flitwick; if 100 cards were cloned then each issuing bank might
have had complaints from a dozen customers, and it might simply
never come to the bank's notice that they had all used that particular
ATM. There is no incentive for the bank to be diligent in looking
for such patterns.
Even if the bank issues a fraud report, the
perverse incentives continue. APACS tries to present chip and
PIN as a success in reducing fraud, so has an incentive to minimise
fraud. Police forces, and the Home Office, similarly wish the
crime statistics to go downwards.
The second point on which I promised you more
information was the research paper at Softint 2007 on the effect
of Internet take-up on state-level US crime statistics. The paper
in question is "Pornography, Rape and the Internet",
Todd D Kendall, at Fourth bi-annual Conference on the Economics
of the Software and Internet Industries, 19-20 January 2007, Toulouse,
This shows that Internet uptake is negatively correlated with
two categories of reported crime (rape and prostitution) and positively
correlated with one ("runaways", missing persons
The third point concerns the quality of forensic
work and its relation to online risks. I have twice been consulted
about the credit card frauds that took place in the context of
Operation Ore. It is clear that the Landslide website at the centre
of that case was a persistent target of credit card fraudsters.
The evidence was however disregarded by UK investigators. In consequence,
between 2002 and 2006, a significant number of raids took place
on the homes of innocent citizens who had simply had their credit
card numbers stolen by crooks who used the Landslide web site.
A number of these citizens were wrongfully prosecuted for incitement,
in the absence of any evidence beyond the credit card statements.
I understand that Duncan Campbell has sent you a copy of the judgment
in the case of R v Grout. As for the worst-case outcome to date
for personal Internet security, I would like to draw the committee's
attention to "No evidence against man in child porn enquiry
who killed himself", Ian Herbert, The Independent, 1 October
The committee might care to consider what measures
are appropriate to mitigate such risks to citizens in future.
13 March 2007
4 http://www.idei.fr/doc/conf/sic/papers_2007/kendall.pdf