Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 820 - 839)

WEDNESDAY 28 MARCH 2007

MARGARET HODGE, MR GEOFF SMITH, MR VERNON COAKER AND MR STEPHEN WEBB

  Q820  Lord Harris of Haringey: Following on from that, and I move on to my main question, we were told that the FBI has 300 forensic computer investigators, examiners. That suggests a scale of investment in this which is far in excess of anything which the police in the UK could muster. Do you agree that there needs to be a step change in the scale?

  Mr Coaker: Certainly we need to look at how we are dealing with this crime across the country, and that is certainly what we are doing.

  Q821  Lord Harris of Haringey: Mr Coaker, you have already told us that essentially there is no agreed definition of cyber crime, that most crimes are defined as broad or whatever else, but of course the consequence of that is that there is no policing target for investigating or prosecuting such crimes. Do you think the police should be set explicit targets for the investigation of cyber-enabled crime?

  Mr Coaker: The whole question of targets is actually quite difficult because as part of the broader debate, Chairman, as you know, we are continually told to reduce targets for the police and not to constrain the activity of police forces and that they should be free to tackle crime as they feel appropriate. I would rather say, particularly as we are now in the process of negotiating a new set of measures and performance indicators for the police for April 2008, that the important thing to say is that all of us need to think of how we deal with e-crime and to actually ensure that it is mainstreamed into police work. I know the argument is that if you do not have it as a measure then it will not be mainstreamed. I have a bit more confidence about the future than that. I think the essential thing is, as I said, some sort of coordinated activity which goes on, that it goes down to the local police forces and that there is collaborative working and I think through that we will see a step change in activity across the country.

  Q822  Lord Harris of Haringey: The Home Secretary, I think last week, announced that there would now be a special means of reporting crimes which involve a knife, and that slightly goes against your view that the police should be allowed to get on with it. Would there not be a similar case for saying that there should be separate recording of crimes which involve Internet use or computers?

  Mr Coaker: Again, these are judgments which you make about how many targets you specifically have, what things you explicitly measure and what things you do not, but clearly the reduction of crime in all its forms will be a major part of police activity and certainly e-crime will be a major part of that.

  Q823  Lord Harris of Haringey: In the absence, of course, of targets how are you going to ensure that resource levels are maintained, especially in terms of investigating level 2 crime which crosses force boundaries?

  Mr Coaker: One will obviously be looking at the reduction of crime, the reduction of harm in communities, and the assessment which will take place in respect of that will be measured and as part of that process we will look to see how the police are doing in this area.

  Q824  Lord Harris of Haringey: If I can just return to this question of aggregating crimes to create a big crime which is then investigated, we were told, I think on 21 February, by Gareth Griffith, who is the Head of Trust and Safety for eBay, "When we try to get police engaged, sometimes they say, `Look, we'd love to help you. If it is not over "x" threshold'—thousands of pounds, or whatever it is—`we can't help you.'" Do you think that is an acceptable way for the police to respond to online fraud?

  Mr Coaker: Obviously the police make operational decisions with respect to all crime, not just online crime. The police will determine what is an appropriate response with respect to anything which is reported to them. The point we have to make is that e-crime, online fraud, online crime is an important consideration for the police and they need to deal with that appropriately, but as I say there will be operational decisions which are made locally.

  Q825  Lord Harris of Haringey: It is not something you feel the Home Office should itself monitor?

  Mr Coaker: As I say, I think what we need to do is to say to the police that we expect the reduction of harm in communities to be at the forefront of their thinking, the reduction of crime in all its forms to be at the forefront of their thinking. They will be assessed, inspected and measured on that particular indicator and e-crime will be a part of that.

  Q826  Earl of Erroll: We have been told by the police that the reporting procedures are going to change on 1 April and that the victims will be required to report the fraud in the first instance to the banks and no longer to the police, and then the banks will decide whether or not to report it to the police. What is the reason for this change?

  Mr Coaker: We are actually trying to bring some clarity to the situation where we had before, in answer to Lord Harris's point, sometimes people going to the police with something and then the police saying, "Thank you very much for coming, but it is actually not something where we could go back to your bank." The Home Office, in discussion with APACS, looked at the situation and decided that the most appropriate way of (a) protecting individuals, (b) protecting business, and (c) actually giving us a better chance of actually catching the criminals was actually to have a more logical, rigorous system. So from 1 April people experiencing that sort of fraud, online fraud, will be asked to report that in the first instance to APACS, who will then make the decision whether to report it on to the police, because as I say people will go to them and will want what has happened to them put right and then APACS will get a bigger picture of what has happened and then report back to the police, who can then have a more intelligent overall picture of what is actually going on.

  Q827  Earl of Erroll: Is there not a danger this will lead to a chronic under-reporting, because if the banks do not want to scare their customers then surely they have got a vested interest in not reporting it on to the police and just trying to play down the risks?

  Mr Coaker: I suppose you could argue that, but the other argument would be that actually what people want is an effective way of tackling fraud, an effective way of tackling online crime, and if the Home Office, the banks, industry and business in general explain why it is being done then I think people will accept that, not as a way of massaging the crime figures but as an effective way of actually (a) trying to protect people, but (b) trying to get at the criminals who are actually behind the fraud which is being perpetrated on the individuals.

  Q828  Earl of Erroll: We have heard that the banks are already not reporting fraud to the police directly, so why is this suddenly going to change? Are you doing anything to address the current under-reporting?

  Mr Coaker: By actually encouraging people to go to APACS, I think we will get a better picture of what is actually taking place, because APACS will record that in their own figures and then we are saying to them, "Come to the police where appropriate." It is not about saying to them, "Don't come to us," it is about saying, "Then come to the police," but it will give us a better overall picture of what is actually taking place in the way that it will help us then to tackle crime.

  Margaret Hodge: Can I help a little bit on this? If there is a filtering system, which is what this is, the hope is that those who do get reported to the police will be dealt with much more efficiently and effectively. One of the current problems is that people feel that if they do get to the police they do not get a response, and the banks themselves as a whole have told us and the Home Office that they do not bother, so if you can create a much more formal filtering system those who then get reported on to the police will be dealt with more efficiently and effectively. It is back to the fact that at present it is how you define your crime. At present it is like the British Crime Survey figures which looked at the virus. That might be the least significant of crimes, but only 1% of people currently report those crimes to the police. There is an argument—and it is something the Committee no doubt will wish to consider—about which crimes should the police, with a limited finite resource, focus on. I think a filter is the sensible way forward.

  Q829  Earl of Erroll: I can see, as you say, that it is a logical thing, but I wonder when the Federal Trades Commission in the States has gone the other way and said that you should report it first to the police, so that they have a sense of how much crime there is, and then it can be abrogated to the banks. So at least the police have a notion of really how bad it is, even if the banks are then going on to process it. Is that not a more sensible way to do it?

  Margaret Hodge: That is a counter argument and my understanding—and I think probably Geoff will be able to expand on this, as I have not seen it first hand—is that actually operationally in the States, whilst this theoretically sounds a good model, it is pretty chaotic with pretty inconsistent outcomes for individuals.

  Chairman: That is certainly not what we heard. We are looking at this from the point of view of the individual, not an efficient system which the state runs but from the point of view of the individual, and if you go to a bank very often it may be due to the bank's incompetence or even a problem within the bank, such as they have lost their data, which they have chosen not to tell people. What does the individual do? The individual can feel very threatened by this. You then go to somewhere like APACS, which tells you to go back to the bank. It may be that the bank is at fault. Think of the poor individual. The poor individual is now considerably worried and what we were told in the States is that what the individuals like is that once they have gone to the police they are given a standard form, and 18,000 police stations in the States have this form, and once you have filled that form out you at least have started down the road and you have declared that at least you are honest enough or that you have enough credibility that you go to the police and you have got the form filled out. The problem has still got to be dealt with, but I think to circulate the people back through the banks is just going to drive -

  Q830  Baroness Hilton of Eggardon: It also protects the bank because it does mean that it is a proper claim and it is not someone pretending that someone has misused their credit card. So I would have thought the banks would welcome that. The other thing we saw was this excellent booklet which all police stations in America are given, which helps them deal with not just computer fraud but also the seizure of computers and how to preserve evidence, and so on. It was an absolutely excellent document, I thought, and something which without a great deal of resources the Home Office could actually implement in this country.

  Mr Smith: We would be keen to have a look at that, Chairman.

  Q831  Lord Harris of Haringey: It also runs contrary to the report produced by the National Consumer Council in this country, which says that the biggest problem for people in terms of sorting out identity theft is the fact that they cannot get ready access to crime numbers from the police and that they are shuffled backwards and forwards in a way which in fact is now being institutionalised.

  Margaret Hodge: I think we should hear from the officials, but all I would say to you is that being given a crime number might give you a little bit of comfort, but if nothing happens beyond that I am not sure of the extent of the comfort you would get from that.

  Lord Harris of Haringey: The National Consumer Council are saying that is what people need to sort it out.

  Q832  Earl of Erroll: Anecdotally, a friend told me at lunch the other day that one of the things you are missing is that a lot of fraud is perpetrated by eBay and other auction houses, and of course they are not included in this, so where are they going to report it? This chap knew he had been ripped off for £100, he knew he was a sucker, he actually knew it when he was doing it, but what really upset him was not that he had lost £100 but that there was nowhere to report it. That is what really got his goat. At the end of the day you have got to have a reporting system to the police, I think, for the people outside. It is not just the banks and the credit cards, there is lots of other fraud going on there as well.

  Mr Smith: I think you suggested that APACS might be interested in under-reporting. I simply do not believe that is true. I know you have taken evidence from APACS and I am sure they made that point to you strongly. They have no interest in doing that.

  Q833  Earl of Erroll: They will only hear it if the bank tells them.

  Mr Smith: I think Lord Broers made some very interesting points about certain types of crime where it might be appropriate to go initially to the police, but the statistics which we put out first abut the prevalence of phishing attacks I think actually argues strongly that you should go to the bank first, because it is essentially about in real-time stopping the money flowing, because if the bank is alerted very quickly then they can see the pattern of the phishing attack and they can start to take remedial action against the sites. As I understand it, the way they try and prevent this is to try and stop the cash transfers and they try and limit the damage through that. So in a way, operationally the banks have got to come into this very, very quickly. I think that going to a police station, yes, it is great for getting a crime number and it is great for the back end of the process, but it puts delay into actually trying to solve it.

  Q834  Earl of Erroll: Could it be done online, possibly?

  Mr Smith: Yes. It takes us back to an earlier question about reporting. Could I just explain one last point, and I think it is a very pertinent point from Lord Harris about identity theft, which I think is a separate issue from the phishing attacks. I think a lot of people are realising that there are problems in that once you have lost your identity, where do you go to to get it reinstated? I know that the Crosby study on identity is looking very seriously at this issue and we expect them to report imminently. That may make some recommendations about that remediation process, and it is a very important point, I think, to address.

  Q835  Lord O'Neill of Clackmannan: But there is a question of the independence of APACS because at the end of the day they are the creatures of the banks and on the insistence of the banks they will not even tell us which banks lose how much money. As a gatherer of statistics, I certainly do not have a great deal of confidence in them and I think you are giving them a degree of power and influence in them which hitherto their performance has not deserved.

  Mr Webb: Can I say something about APACS and the crime statistics? You will have noted that all the statistics we gave at the beginning were from APACS's figures. In reality recorded crime figures on fraud have been very erratic and are not really that much help in understanding trends. Actually the point you make is a very interesting one. The fact that the banks know that their figures will not be quoted and broken down by institutions is why they have confidence in passing it on to APACS. If they thought they would get into the public domain then there would be those reputation issues, so I think that gives you more confidence in the figures. Just on the point about reporting to the banks as opposed to reporting to the police, of course anyone suffering cash, cheque or credit card fraud is going to go to the bank anyway, so what this basically means for the individual citizen who has been defrauded is that this removes from them the need to go to the police as well. It means also that the reports which will go from the banks to the police are more likely to spot the links. They are going to be a higher quality crime report than any isolated individual might be able to make and we would see this as reducing bureaucracy both for the police and also reducing burdens on the individual and I do not see any reason why APACS and the banks would not want to ensure this information did get across.

  Q836  Lord O'Neill of Clackmannan: Mr Coaker, if someone comes to your surgery on a Friday or a Saturday and says, "I've been ripped off and I'm not happy with the bank that I'm dealing with. Could you tell me which bank I could go to, or alternatively where I can find out the relevant information which would give me confidence that the system the bank is running is better than some of the others?" at the moment you could not answer that question because APACS is not allowed by its members to make that information available. Do you not think, as a minister, you have a responsibility to the British public as much as to the ease of statistical collection and presentation?

  Mr Coaker: What we are trying to do is to establish a system which more effectively tackles fraud and people being ripped off and having their money, or whatever, stolen online. The system we have put in place is about trying to protect the individual but also to try and pick up a pattern which may be established, which then means that we have got more opportunity to catch the criminals behind it. So what I would say to any constituent of mine is that the system we are trying to put in place is about trying to improve protection for them as individuals but also trying to give us a better intelligence picture, which will enable us then to get at the criminals who are behind that activity.

  Q837  Lord Mitchell: Changing the direction of crime in some ways, on the subject of botnets we have seen evidence of the profusion of botnets for hire. The first question is, is it illegal to purchase the services of a botnet in the UK?

  Mr Coaker: No, it is not illegal to actually purchase it. It is a difficult area because many computers, computer tools, et cetera, are actually capable of dual use. What is illegal is the making, adapting or supplying of articles for use in computer misuse offences. In the same way that knives can be used illegally but you would not ban all knives, that is in part the logic we are applying to this particular scenario as well.

  Q838  Lord Mitchell: Does it make a difference whether the botnet is used for spamming or for launching denial of service attacks in terms of its legality?

  Mr Webb: Purchasing is not an offence. Making, supplying or obtaining articles for use in computer misuse offences are, but not for purchasing.

  Mr Coaker: The actual purchase is not illegal, but the actual use that you may make of an article is. If you make a particular article, if you adapt or supply an article which is subsequently then used in a computer misuse offence, that obviously is the part of it which is illegal. So it is the use you make of the equipment, or whatever, rather than the actual purchase of it.

  Q839  Baroness Hilton of Eggardon: We used to technically deal with the proceedings around telephone calls by charging people for abstracting electricity. Presumably botnets are using people's electricity supply and technically, therefore, they could be charged with theft?

  Mr Coaker: That is an interesting thought!


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007