Select Committee on Science and Technology Minutes of Evidence

Supplementary letter from Ross Anderson

  I owe the committee, as I recall, a few more pieces of information to supplement the testimony I gave you.

  First, I was asked for further details about the arrangement under which electronic fraud is no longer to be reported to the police but to the banks, who will then report onwards to the police (perhaps via APACS) to the extent that they see fit.

  I had heard of this initially from the West Mercia force, whom I was helping with an ATM fraud enquiry, and who were implementing it from January. I now understand that, according to the Met, the new reporting scheme will come into effect nationwide on 1 April.

  The argument runs that at present if a citizen discovers a fraudulent entry on their bank statement, and goes to the local police station to report it, the police may refuse the report on the grounds that there is as yet no firm evidence of a loss. The citizen will be advised to talk with their bank, to confirm that a loss has occurred. Then the police will accept the report, issue the crime number, and feed it into their statistics and intelligence databases.

  It is argued that this process is inefficient and tiresome, but could be streamlined by having the report made to the bank. The bank then collates the reports and passes them on to the police cheque and plastic card squad, who will investigate as seems appropriate to them.

  One problem is that a fraud victim is often told by her bank that she must be mistaken, or negligent, or colluding, and in any case liable. So frauds are not investigated or even reported properly. At a deeper level, the scheme's incentives are quite wrongly aligned. The bank has every incentive to deny claims; and although banks may pay claims that are part of a clear pattern (as in the Sri Lankan case I referred to), an individual bank may easily fail to see a pattern, especially when complainants are stonewalled by the bank's branch staff. I think I referred to an incident in which a skimmer was placed on a Tesco ATM in Flitwick; if 100 cards were cloned then each issuing bank might have had complaints from a dozen customers, and it might simply never come to the bank's notice that they had all used that particular ATM. There is no incentive for the bank to be diligent in looking for such patterns.

  Even if the bank issues a fraud report, the perverse incentives continue. APACS tries to present chip and PIN as a success in reducing fraud, so has an incentive to minimise fraud. Police forces, and the Home Office, similarly wish the crime statistics to go downwards.

  The second point on which I promised you more information was the research paper at Softint 2007 on the effect of Internet take-up on state-level US crime statistics. The paper in question is "Pornography, Rape and the Internet", Todd D Kendall, at Fourth bi-annual Conference on the Economics of the Software and Internet Industries, 19-20 January 2007, Toulouse, France.[4] This shows that Internet uptake is negatively correlated with two categories of reported crime (rape and prostitution) and positively correlated with one ("runaways"—missing persons under 18).

  The third point concerns the quality of forensic work and its relation to online risks. I have twice been consulted about the credit card frauds that took place in the context of Operation Ore. It is clear that the Landslide website at the centre of that case was a persistent target of credit card fraudsters. The evidence was however disregarded by UK investigators. In consequence, between 2002 and 2006, a significant number of raids took place on the homes of innocent citizens who had simply had their credit card numbers stolen by crooks who used the Landslide web site. A number of these citizens were wrongfully prosecuted for incitement, in the absence of any evidence beyond the credit card statements. I understand that Duncan Campbell has sent you a copy of the judgment in the case of R v Grout. As for the worst-case outcome to date for personal Internet security, I would like to draw the committee's attention to "No evidence against man in child porn enquiry who killed himself", Ian Herbert, The Independent, 1 October 2005.[5]

  The committee might care to consider what measures are appropriate to mitigate such risks to citizens in future.

13 March 2007

