Examination of Witnesses (Questions 820
- 839)
WEDNESDAY 28 MARCH 2007
MARGARET HODGE,
MR GEOFF
SMITH, MR
VERNON COAKER
AND MR
STEPHEN WEBB
Q820 Lord Harris of Haringey:
Following on from that, and I move on to my main question, we
were told that the FBI has 300 forensic computer investigators,
examiners. That suggests a scale of investment in this which is
far in excess of anything which the police in the UK could muster.
Do you agree that there needs to be a step change in the scale?
Mr Coaker: Certainly we need to look at how
we are dealing with this crime across the country, and that is
certainly what we are doing.
Q821 Lord Harris of Haringey:
Mr Coaker, you have already told us that essentially there is
no agreed definition of cyber crime, that most crimes are defined
as broad or whatever else, but of course the consequence of that
is that there is no policing target for investigating or prosecuting
such crimes. Do you think the police should be set explicit targets
for the investigation of cyber-enabled crime?
Mr Coaker: The whole question of targets is
actually quite difficult because as part of the broader debate,
Chairman, as you know, we are continually told to reduce targets
for the police and not to constrain the activity of police forces
and that they should be free to tackle crime as they feel appropriate.
I would rather say, particularly as we are now in the process
of negotiating a new set of measures and performance indicators
for the police for April 2008, that the important thing to say
is that all of us need to think of how we deal with e-crime and
to actually ensure that it is mainstreamed into police work. I
know the argument is that if you do not have it as a measure then
it will not be mainstreamed. I have a bit more confidence about
the future than that. I think the essential thing is, as I said,
some sort of coordinated activity which goes on, that it goes
down to the local police forces and that there is collaborative
working and I think through that we will see a step change in
activity across the country.
Q822 Lord Harris of Haringey:
The Home Secretary, I think last week, announced that there would
now be a special means of reporting crimes which involve a knife,
and that slightly goes against your view that the police should
be allowed to get on with it. Would there not be a similar case
for saying that there should be separate recording of crimes which
involve Internet use or computers?
Mr Coaker: Again, these are judgments which
you make about how many targets you specifically have, what things
you explicitly measure and what things you do not, but clearly
the reduction of crime in all its forms will be a major part of
police activity and certainly e-crime will be a major part of
that.
Q823 Lord Harris of Haringey:
In the absence, of course, of targets how are you going to ensure
that resource levels are maintained, especially in terms of investigating
level 2 crime which crosses force boundaries?
Mr Coaker: One will obviously be looking at
the reduction of crime, the reduction of harm in communities,
and the assessment which will take place in respect of that will
be measured and as part of that process we will look to see how
the police are doing in this area.
Q824 Lord Harris of Haringey:
If I can just return to this question of aggregating crimes to
create a big crime which is then investigated, we were told, I
think on 21 February, by Gareth Griffith, who is the Head of Trust
and Safety for eBay, "When we try to get police engaged,
sometimes they say, `Look, we'd love to help you. If it is not
over "x" threshold'thousands of pounds, or whatever
it is`we can't help you.'" Do you think that is an
acceptable way for the police to respond to online fraud?
Mr Coaker: Obviously the police make operational
decisions with respect to all crime, not just online crime. The
police will determine what is an appropriate response with respect
to anything which is reported to them. The point we have to make
is that e-crime, online fraud, online crime is an important consideration
for the police and they need to deal with that appropriately,
but as I say there will be operational decisions which are made
locally.
Q825 Lord Harris of Haringey:
It is not something you feel the Home Office should itself monitor?
Mr Coaker: As I say, I think what we need to
do is to say to the police that we expect the reduction of harm
in communities to be at the forefront of their thinking, the reduction
of crime in all its forms to be at the forefront of their thinking.
They will be assessed, inspected and measured on that particular
indicator and e-crime will be a part of that.
Q826 Earl of Erroll:
We have been told by the police that the reporting procedures
are going to change on 1 April and that the victims will be required
to report the fraud in the first instance to the banks and no
longer to the police, and then the banks will decide whether or
not to report it to the police. What is the reason for this change?
Mr Coaker: We are actually trying to bring some
clarity to the situation where we had before, in answer to Lord
Harris's point, sometimes people going to the police with something
and then the police saying, "Thank you very much for coming,
but it is actually not something where we could go back to your
bank." The Home Office, in discussion with APACS, looked
at the situation and decided that the most appropriate way of
(a) protecting individuals, (b) protecting business, and (c) actually
giving us a better chance of actually catching the criminals was
actually to have a more logical, rigorous system. So from 1 April
people experiencing that sort of fraud, online fraud, will be
asked to report that in the first instance to APACS, who will
then make the decision whether to report it on to the police,
because as I say people will go to them and will want what has
happened to them put right and then APACS will get a bigger picture
of what has happened and then report back to the police, who can
then have a more intelligent overall picture of what is actually
going on.
Q827 Earl of Erroll:
Is there not a danger this will lead to a chronic under-reporting,
because if the banks do not want to scare their customers then
surely they have got a vested interest in not reporting it on
to the police and just trying to play down the risks?
Mr Coaker: I suppose you could argue that, but
the other argument would be that actually what people want is
an effective way of tackling fraud, an effective way of tackling
online crime, and if the Home Office, the banks, industry and
business in general explain why it is being done then I think
people will accept that, not as a way of massaging the crime figures
but as an effective way of actually (a) trying to protect people,
but (b) trying to get at the criminals who are actually behind
the fraud which is being perpetrated on the individuals.
Q828 Earl of Erroll:
We have heard that the banks are already not reporting fraud to
the police directly, so why is this suddenly going to change?
Are you doing anything to address the current under-reporting?
Mr Coaker: By actually encouraging people to
go to APACS, I think we will get a better picture of what is actually
taking place, because APACS will record that in their own figures
and then we are saying to them, "Come to the police where
appropriate." It is not about saying to them, "Don't
come to us," it is about saying, "Then come to the police,"
but it will give us a better overall picture of what is actually
taking place in the way that it will help us then to tackle crime.
Margaret Hodge: Can I help a little bit on this?
If there is a filtering system, which is what this is, the hope
is that those who do get reported to the police will be dealt
with much more efficiently and effectively. One of the current
problems is that people feel that if they do get to the police
they do not get a response, and the banks themselves as a whole
have told us and the Home Office that they do not bother, so if
you can create a much more formal filtering system those who then
get reported on to the police will be dealt with more efficiently
and effectively. It is back to the fact that at present it is
how you define your crime. At present it is like the British Crime
Survey figures which looked at the virus. That might be the least
significant of crimes, but only 1% of people currently report
those crimes to the police. There is an argumentand it
is something the Committee no doubt will wish to considerabout
which crimes should the police, with a limited finite resource,
focus on. I think a filter is the sensible way forward.
Q829 Earl of Erroll:
I can see, as you say, that it is a logical thing, but I wonder
when the Federal Trades Commission in the States has gone the
other way and said that you should report it first to the police,
so that they have a sense of how much crime there is, and then
it can be abrogated to the banks. So at least the police have
a notion of really how bad it is, even if the banks are then going
on to process it. Is that not a more sensible way to do it?
Margaret Hodge: That is a counter argument and
my understandingand I think probably Geoff will be able
to expand on this, as I have not seen it first handis that
actually operationally in the States, whilst this theoretically
sounds a good model, it is pretty chaotic with pretty inconsistent
outcomes for individuals.
Chairman: That is certainly not what
we heard. We are looking at this from the point of view of the
individual, not an efficient system which the state runs but from
the point of view of the individual, and if you go to a bank very
often it may be due to the bank's incompetence or even a problem
within the bank, such as they have lost their data, which they
have chosen not to tell people. What does the individual do? The
individual can feel very threatened by this. You then go to somewhere
like APACS, which tells you to go back to the bank. It may be
that the bank is at fault. Think of the poor individual. The poor
individual is now considerably worried and what we were told in
the States is that what the individuals like is that once they
have gone to the police they are given a standard form, and 18,000
police stations in the States have this form, and once you have
filled that form out you at least have started down the road and
you have declared that at least you are honest enough or that
you have enough credibility that you go to the police and you
have got the form filled out. The problem has still got to be
dealt with, but I think to circulate the people back through the
banks is just going to drive -
Q830 Baroness Hilton of Eggardon:
It also protects the bank because it does mean that it is a proper
claim and it is not someone pretending that someone has misused
their credit card. So I would have thought the banks would welcome
that. The other thing we saw was this excellent booklet which
all police stations in America are given, which helps them deal
with not just computer fraud but also the seizure of computers
and how to preserve evidence, and so on. It was an absolutely
excellent document, I thought, and something which without a great
deal of resources the Home Office could actually implement in
this country.
Mr Smith: We would be keen to have a look at
that, Chairman.
Q831 Lord Harris of Haringey:
It also runs contrary to the report produced by the National Consumer
Council in this country, which says that the biggest problem for
people in terms of sorting out identity theft is the fact that
they cannot get ready access to crime numbers from the police
and that they are shuffled backwards and forwards in a way which
in fact is now being institutionalised.
Margaret Hodge: I think we should hear from
the officials, but all I would say to you is that being given
a crime number might give you a little bit of comfort, but if
nothing happens beyond that I am not sure of the extent of the
comfort you would get from that.
Lord Harris of Haringey: The National
Consumer Council are saying that is what people need to sort it
out.
Q832 Earl of Erroll:
Anecdotally, a friend told me at lunch the other day that one
of the things you are missing is that a lot of fraud is perpetrated
by eBay and other auction houses, and of course they are not included
in this, so where are they going to report it? This chap knew
he had been ripped off for £100, he knew he was a sucker,
he actually knew it when he was doing it, but what really upset
him was not that he had lost £100 but that there was nowhere
to report it. That is what really got his goat. At the end of
the day you have got to have a reporting system to the police,
I think, for the people outside. It is not just the banks and
the credit cards, there is lots of other fraud going on there
as well.
Mr Smith: I think you suggested that APACS might
be interested in under-reporting. I simply do not believe that
is true. I know you have taken evidence from APACS and I am sure
they made that point to you strongly. They have no interest in
doing that.
Q833 Earl of Erroll:
They will only hear it if the bank tells them.
Mr Smith: I think Lord Broers made some very
interesting points about certain types of crime where it might
be appropriate to go initially to the police, but the statistics
which we put out first abut the prevalence of phishing attacks
I think actually argues strongly that you should go to the bank
first, because it is essentially about in real-time stopping the
money flowing, because if the bank is alerted very quickly then
they can see the pattern of the phishing attack and they can start
to take remedial action against the sites. As I understand it,
the way they try and prevent this is to try and stop the cash
transfers and they try and limit the damage through that. So in
a way, operationally the banks have got to come into this very,
very quickly. I think that going to a police station, yes, it
is great for getting a crime number and it is great for the back
end of the process, but it puts delay into actually trying to
solve it.
Q834 Earl of Erroll:
Could it be done online, possibly?
Mr Smith: Yes. It takes us back to an earlier
question about reporting. Could I just explain one last point,
and I think it is a very pertinent point from Lord Harris about
identity theft, which I think is a separate issue from the phishing
attacks. I think a lot of people are realising that there are
problems in that once you have lost your identity, where do you
go to to get it reinstated? I know that the Crosby study on identity
is looking very seriously at this issue and we expect them to
report imminently. That may make some recommendations about that
remediation process, and it is a very important point, I think,
to address.
Q835 Lord O'Neill of Clackmannan:
But there is a question of the independence of APACS because at
the end of the day they are the creatures of the banks and on
the insistence of the banks they will not even tell us which banks
lose how much money. As a gatherer of statistics, I certainly
do not have a great deal of confidence in them and I think you
are giving them a degree of power and influence in them which
hitherto their performance has not deserved.
Mr Webb: Can I say something about APACS and
the crime statistics? You will have noted that all the statistics
we gave at the beginning were from APACS's figures. In reality
recorded crime figures on fraud have been very erratic and are
not really that much help in understanding trends. Actually the
point you make is a very interesting one. The fact that the banks
know that their figures will not be quoted and broken down by
institutions is why they have confidence in passing it on to APACS.
If they thought they would get into the public domain then there
would be those reputation issues, so I think that gives you more
confidence in the figures. Just on the point about reporting to
the banks as opposed to reporting to the police, of course anyone
suffering cash, cheque or credit card fraud is going to go to
the bank anyway, so what this basically means for the individual
citizen who has been defrauded is that this removes from them
the need to go to the police as well. It means also that the reports
which will go from the banks to the police are more likely to
spot the links. They are going to be a higher quality crime report
than any isolated individual might be able to make and we would
see this as reducing bureaucracy both for the police and also
reducing burdens on the individual and I do not see any reason
why APACS and the banks would not want to ensure this information
did get across.
Q836 Lord O'Neill of Clackmannan:
Mr Coaker, if someone comes to your surgery on a Friday or a Saturday
and says, "I've been ripped off and I'm not happy with the
bank that I'm dealing with. Could you tell me which bank I could
go to, or alternatively where I can find out the relevant information
which would give me confidence that the system the bank is running
is better than some of the others?" at the moment you could
not answer that question because APACS is not allowed by its members
to make that information available. Do you not think, as a minister,
you have a responsibility to the British public as much as to
the ease of statistical collection and presentation?
Mr Coaker: What we are trying to do is to establish
a system which more effectively tackles fraud and people being
ripped off and having their money, or whatever, stolen online.
The system we have put in place is about trying to protect the
individual but also to try and pick up a pattern which may be
established, which then means that we have got more opportunity
to catch the criminals behind it. So what I would say to any constituent
of mine is that the system we are trying to put in place is about
trying to improve protection for them as individuals but also
trying to give us a better intelligence picture, which will enable
us then to get at the criminals who are behind that activity.
Q837 Lord Mitchell:
Changing the direction of crime in some ways, on the subject of
botnets we have seen evidence of the profusion of botnets for
hire. The first question is, is it illegal to purchase the services
of a botnet in the UK?
Mr Coaker: No, it is not illegal to actually
purchase it. It is a difficult area because many computers, computer
tools, et cetera, are actually capable of dual use. What is illegal
is the making, adapting or supplying of articles for use in computer
misuse offences. In the same way that knives can be used illegally
but you would not ban all knives, that is in part the logic we
are applying to this particular scenario as well.
Q838 Lord Mitchell:
Does it make a difference whether the botnet is used for spamming
or for launching denial of service attacks in terms of its legality?
Mr Webb: Purchasing is not an offence. Making,
supplying or obtaining articles for use in computer misuse offences
are, but not for purchasing.
Mr Coaker: The actual purchase is not illegal,
but the actual use that you may make of an article is. If you
make a particular article, if you adapt or supply an article which
is subsequently then used in a computer misuse offence, that obviously
is the part of it which is illegal. So it is the use you make
of the equipment, or whatever, rather than the actual purchase
of it.
Q839 Baroness Hilton of Eggardon:
We used to technically deal with the proceedings around telephone
calls by charging people for abstracting electricity. Presumably
botnets are using people's electricity supply and technically,
therefore, they could be charged with theft?
Mr Coaker: That is an interesting thought!
|