Examination of Witnesses (Questions 860
WEDNESDAY 28 MARCH 2007
Q860 Baroness Hilton of Eggardon:
The problem with the sales staff is that they glory in the complicated
vocabulary, do they not, when they are talking to you?
Margaret Hodge: Or the turnover is huge. What
we have tried to do on digital switch-over, which one could do
anywhere, is to do a kite marking scheme for the retailers and
for the producers as well, and that is always quite a good way
of trying to get self-regulation to some agreed standard across
industry. You can spread that sort of mechanism in any bit of
the sector you want.
Mr Smith: Could I just add, the more consumers
are working in a kind of "point and shoot" environment
the happier I think everyone would feel and I think with the advent
of broadband the automatic patching and updating of software actually
has moved on considerably. To answer Lord Broers's point about
the outdated software, most computers are now sold packaged with
antivirus software. Admittedly, the package that is on the machine
could be the 2005 edition, but when it makes connection, when
you load it up, it will go to the website and update itself. If
it is 2005 it will take for ever to update, but it will do it,
so I am not so sure that is a big problem, but we will think about
Q861 Lord Young of Graffham:
I have quite a straightforward question really. If a bank has
a forged cheque from my cheque book it honours it. If my credit
card gets stolen and I have notified the bank, and somebody else
has signed it, they honour it. Should the banks be responsible
for losses due to Internet fraud?
Margaret Hodge: You said it was a straightforward
question. I wish I could give you a straightforward answer, because
it depends on the particular circumstances, the particular fraud
which has been perpetrated. So if there is a contract between
the individual and the bank in that instance, the contract would
determine who pays if something goes wrong. There is the banking
code, which you will be very familiar with, which is basically
that where it is believed that users took all reasonable steps
to ensure that they would not lose their card then the bank will
pick up the tab. I think you have established a liability. Liability
exists in that context. I think that laying down absolutely firmly
whose liability it is and when goes back again to the discourse
we have had this afternoon about this partnership between the
user, the provider and the banks. It is a difficult one. Who do
you say is liable? I suppose our focus on that is working with
the banks to ensure that they have better security. There is this
new system, which I have not seen but I have heard of, where you
have a different number on every transaction. What is it called?
Mr Smith: A one time password.
Margaret Hodge: A one time password, another
terminology, so that every time you undertake a transaction you
have that as security and that appears to be an improvement.
Q862 Lord Young of Graffham:
The reason why I think there is more in this question than a simple
answer is that we have moved in a progression from a world in
which we all signed cheques and went into a bank to collect money
to a world of ATM machines, and that will pass and we will be
in a world in which money will be electronically transferred literally
from my wallet to the bank. In those circumstances, should not
either the DTI or the Home Office be looking very closely at the
sort of regulations which could pertain to that before it begins
Margaret Hodge: It is a fast-changing world,
so of course it is absolutely right that we should constantly
be vigilant and ensure that the regulatory framework is appropriate,
and actually in this instance probably it is the FSA rather than
either of us here who would have responsibility.
Mr Webb: It is possibly worth also saying that
there is currently a scheme verified by Visa and Mastercard of
a secure code where, providing you as an individual sign up and
the retailer signs up, you have a secure site where you can do
your transaction and then that will be firm and the bank will
stand behind that. So in a sense there is already the possibility
for consumers and retailers to get into a position where the bank
will guarantee the transaction. It is a relatively new scheme
and the take-up is increasing but it is still relatively low at
the moment, but that is certainly one of the things which APACS
and the banking industry see as the way forward.
Mr Coaker: It goes back to Lady Hilton's point
about the need for consumers to be aware of these sorts of things
as well. Consumer awareness I think is a huge issue.
Lord Young of Graffham: Yes, absolutely.
Q863 Lord Harris of Haringey:
If you really want to encourage e-commerce and you really want
to encourage the banks to improve their security systems, requiring
them to accept liability - as they do, I think, in the United
States - for problems with Internet banking would surely be
the most powerful driver of all?
Margaret Hodge: I think the answer is that that
sounds easy, but then you have got to define the circumstances
in which you would expect them to accept liability.
Lord Mitchell: The Americans seem to
Q864 Earl of Erroll:
Surely, it is the same as the Bills of Exchange Act 1886 or the
American Regulation E, you just quite clearly put the liability
on the banks? At the end of the day, they are the ones who control
the money flow. Under the Bills of Exchange Act 1886 they had
liability for a forged signature, or whatever, because there was
a problem in those days. What we have now is an electronic way
for them to offload that liability to the merchant or to the customer
and we need to put it back with them, because they are actually
the ones who could implement technology. If you look, for instance,
at Alliance & Leicester, who have now been authenticating
their site back to their users for some time, they only have 0.01%
of the Internet fraud, and the fact that the rest are hiding behind
APACS because they are not implementing two-way authentication
is an excuse. The things you talk about, actually two factor authentication,
merely helps the bank not the consumer and the banks are hiding.
If you put the liability back with the banks they will do something
about it and all you need is some primary legislation to enable
that to happen.
Margaret Hodge: I hear that and I think defining
that primary legislation is much more difficult and much more
complex for it to be fair than I think you have suggested in saying
that to me. There will be some circumstances where we could put
in primary legislation and there could be other circumstances
where it is consumer behaviour rather than the banks which is
at fault, which has led to a fraud or an abuse, or loss of money,
whatever it is, a theft, and it is difficult to get those parameters
right. What I do agree with you, and it is what we are trying
to do all the time, is to try and improve the abuse of fraud by
authentication schemes and working with the banks in that regard.
We can go with the heavy hand of the law rather than the more
self-regulatory route down which we are tending to travel and
it is a matter of judgment for this Committee which it thinks
is more appropriate. I leave that to you. We think we have got
the balance about right, but you may think that we ought to be
a bit tougher than we have been so far.
Chairman: We will go on discussing that,
but I think we are minded to think that as things change more
should be done.
Q865 Lord Paul:
Can I ask a more simple question: who regulates Internet services
in the United Kingdom?
Margaret Hodge: This question I had some idea
you might ask. It comes from the idea that again it would be easier
and simpler to have one regulator and one form of regulation.
We are regulated by EU law, by UK law, and we also look at rather
more global protocols which determine what we do. What we try
to do in our regulatory framework is to ensure that the authority
responsible for regulation offline is also responsible for regulation
online. So the FSA, for example, will be responsible for online
banking regulation. The main bodies we have got are Ofcom and
the Information Commissioner, and I suppose a crude division of
labour between them is that Ofcom regulates the industry - it
is a bit too crude to put it like this, but I will say it anyway - and
the Information Commissioner will look after the interests of
Q866 Lord Paul:
We understand that by virtue of Section 32 of the Communications
Act 2003 Ofcom does not have any remit to regulate the content
that is provided via Internet services, but given the increasing
use of the Internet to transmit content, which will accelerate
with convergence, is this position tenable in the long term?
Margaret Hodge: Content on the Internet is extremely
difficult to regulate because it does not get produced nationally,
it gets produced globally. We are quite proud actually of the
work led by the Home Office and led by Vernon Coaker around self-regulation
on content, particularly in relation to child abuse and those
sorts of issues. We have the Internet Watch Foundation, but it
is extremely difficult to think of a mechanism which we implement
nationally which would impact in the way we would want on what
is a global service. That is really the problem we face. Again,
if the Committee comes up with useful suggestions in that regard
I think both the Home Office and the DTI would love to hear them.
Q867 Lord Young of Graffham:
And the Government of China! You can access anywhere on the Internet
but you cannot regulate, you simply cannot, as I have said. There
are some governments around the world which have tried and have
Mr Coaker: It is China I was thinking of.
Margaret Hodge: I was in China last October,
where we talked a lot about how they could police their system
rather better than they currently do, and they are making efforts
there. There is actually a huge amount which comes from there,
and from the States as well, which from your visit you believe
to have a far better, stronger regulatory framework.
Q868 Lord Paul:
Ofcom has statutory duties both to promote "media literacy"
and to "conduct research" into such areas as "the
experiences of the consumers in the markets for electronic communications
services". Could Ofcom use these powers more proactively
than it has done so far, in order to encourage better self-regulation
within the industry? Let me give an example. What is the Government
or Ofcom doing to persuade social networking sites such as MySpace
to present appropriate guidance to users about the risks of disclosing
personal information online?
Margaret Hodge: Could we have a step change
in Ofcom's performance around its media literacy duties? I think
the answer has to be, yes, and they are actually tackling that
as we go. I am not quite sure where we have got to. They have
produced an outline policy paper, which is probably out to consultation.
I shall be corrected if I am wrong on this, but I think that is
where we are, and that is coming back soon to them. But I agree
with you entirely that they have a role to play, amongst others,
in providing much, much better education and understanding of
the potentials and the dangers of the changing content in ICT,
so absolutely, I am with that.
Q869 Lord Mitchell:
You mentioned child abuse and I would like to come on to that
subject. ISPs are being made to purchase and install systems to
block access to child abuse image sites. The ISPs told us that
this will not prevent the determined from accessing this material
and will only prevent inadvertent access. Is there any evidence
that inadvertent access to child abuse images is a significant
Mr Coaker: There is no evidence about that being
a problem. The last point to make about inadvertent access is
that we have no evidence that that is a problem, but I think it
is a very important part of the Government's strategy in actually
trying to prevent child abuse images being available on websites
in this country. I think that the public would expect us to do
everything we can to block these images. I am assured that there
are people out there who have the technical ability to probably
overcome the blocking processes which ISPs are putting in place
and will put in place. Could I just put on record, Chairman, that
I have been very pleased with the cooperation from ISPs in this
area. There is significant blocking taking place already. I think
that is a reasonable request to make of ISPs and I think the fact
that some people may actually be able to overcome that blocking
process is not a reason for it not to happen and in fact it is
simply another hoop, if you like, which you put in place in order
to try and protect the children of this country. I think that
is a reasonable thing to be in place and I think most people would
expect it to be there. It is not a magic solution. It is not a
solution which says that if this is in place it will prevent any
person from accessing these sites who are determined to do so,
but it hopefully makes it much more difficult and hopefully, therefore,
when it is brought to court the fact that somebody has had a particular
technical expertise in order to access that site will help the
court in determining the verdict.
Q870 Lord Mitchell:
Do you not feel that it would be better to push the responsibility
for blocking content onto the end-user machine? Let me just add
to that, in the evidence we have received it is staggering, for
example, the lack of knowledge by parents on subjects like grooming
sites, blogging sites, chat rooms and all the other things which
go on. I think only 10% of parents were totally aware of what
is actually happening on the Internet. What strikes us is that
really when somebody turns on a machine for the first time there
should be an access point actually telling people what the problems
are. Just to give you a simple example, every time I turn on my
car on the display it tells me not to look at the display when
I am driving. It seems pretty obvious, but it is telling me not
to do that and I do not see why, when people turn on their computers
for the first time, it should not say, "We want to take you
through all the dangers of the Internet, what you as parents should
be aware of and what precautions you should take."
Mr Coaker: Certainly all of these types of procedures
and processes we are looking at. We recently are looking at the
BSI kite mark, which will be available for machines and software
in order to show which are particularly good at protecting children
or others with that particular piece of software or hardware.
One of the things we are trying to prevent is the situation where
you have a computer where the end-user has got a particular piece
of kit which, when it is installed, will prevent them from accessing
these abuse images, but I guess then you would have a situation
where it could be uninstalled. It may be that just simply having
an end-user product of some sort which will prevent access to
child abuse images which is currently on the computer, and you
sell it as such, and then somebody may uninstall it, so you have
still got a problem with that type of situation where somebody
who is determined to overcome it could actually do so. We think
it is one way of trying to prevent access to child abuse images.
We are moving towards a point where we have virtual total compliance,
as far as is possible. If there are other processes that we can
adopt at the same time, then I think we will look at those as
well, but blocking is an integral part of that.
Q871 Lord Mitchell:
I think education is an absolutely important part as well.
Mr Coaker: Yes, of course. That is a very good
point and I should have mentioned that in responding to the question
you put. You are absolutely right, education is an important part
of this. It is like many policies in respect of this area, that
actually it is not either/or, it is a combination of all of the
various policies and a combination of all of these various factors
in order to do what we all want, which is actually to protect
Let me move on to another topic. During our investigations we
have seen a fairly large volume of illegal trading which is going
on on the Internet of credit card numbers, credit card data, addresses,
security numbers, et cetera. Bearing this in mind, is it any longer
appropriate to pursue police investigations or still less launch
prosecutions on the basis only of logs of credit card use?
Mr Coaker: Chairman, clearly much of the answer
to that is operationally for the police. I think Mr Gamble gave
evidence in respect of this matter. I would simply make the point
that I do not think the police would prosecute someone simply
on the basis of their credit card being used. I think an investigation
into whether you prosecute would require you to take account of
all of the various relevant issues with respect to that particular
crime which you were investigating. Of course, at the end of the
day the evidence that you present would be tested not only by
the police but by the Crown Prosecution Service and ultimately
in the end by the courts to determine whether a crime had been
committed or not. As I say, I believe that just on the basis of
a credit card I am not sure the prosecution would proceed.
Do you think they are sufficiently aware of this?
Mr Coaker: I think they are and, as I say, at
the end of the day the great safety net for us all is the fact
that the police made their investigations. That then has the test
of the Crown Prosecution Service to determine whether they should
prosecute or proceed, or not, and then ultimately it is a matter
for the courts. As I say, many of these are operational matters,
but I would be surprised if it was purely and simply on the basis
of credit card details that a prosecution was taken forward.
Q874 Earl of Erroll:
Regulation 5 of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 requires communications providers
to keep their networks secure. Responsibility for enforcement
currently lies with the Information Commissioner. Are you satisfied
the Information Commissioner is best placed to monitor network
Margaret Hodge: We have two regulators really
operating in this space. We have the Information Commissioner,
who has responsibility for personal data, information about the
individual, and we have Ofcom, which has responsibility for the
regulation of the networks and continuity of supply. I think in
that question the interpretation is somehow that the Information
Commissioner has got the responsibility around the networks. He
has not. Just on the more general point there, Ofcom is just about
to put out, I think, a consultation. I think we have done a bit
of this today, have we not, about things about to come out, but
this is a consultation which is about to emerge on the scene from
Ofcom looking at the general conditions around this area and I
think security will feature quite prominently, as I understand
it, in that consultation, so it may well be that many of the issues
raised by this Committee will be taken up in that particular consultation.
The only other thing to say, as of course I am sure you are aware,
is that Europe has the overarching responsibility here on legislation
for communications providers and they, too, will be looking at
the issue of security, so we will have a double take on it.
Q875 Earl of Erroll:
I think the real worry is about the Information Commissioner's
powers. For instance, when a laptop was recently stolen the Nationwide
ended up being fined £980,000 by the FSA, just under a million
pounds. It was a huge amount. But when the banks put unshredded
statements into the bin, then that comes under the Information
Commissioner's office and all it can do is impose a fine of £5,000
if they actually did do it and they were repeat offenders. Online
websites are being broken into and details being stolen repeatedly,
and in fact I noticed that yesterday or the day before on the
Serious Crime Bill which is going through the House at the moment
the Minister kept saying that the great protection is the Data
Protection Act and the Information Commissioner. Does the Information
Commissioner really have the powers and ability to enforce these
things properly, because you seem to place a lot of reliance on
him but he has very little power?
Margaret Hodge: He has the powers and he could
make a recommendation to us around issues such as fine levels.
Again, my understanding is that he is considering that at the
moment, but when he looks at fine levels in relation to individual
data in this area he has to look at other areas where there are
abuses of legislation. Let me give you an example. My postbag
as a minister around issues which go to the Information Commissioner
is much, much larger around TPS, the Telephone Preference Service.
I get many more letters from MPs around abuses of that than I
do around any abuses in relation to the Internet. In his review
of an appropriate fining regime he has to have regard to the rather
broader areas of crime and breaches of the legislation than simply
looking at breaches relating to the Internet, and it is interesting
to see that they are not big here. They do not feature massively
in his in-tray. I assume he has given evidence to you already
and I do not know whether he said that, but certainly my perception,
as a minister, is that he gets more.
Chairman: He said that, yes.
Q876 Earl of Erroll:
It may be because people do not realise and the penalties are
Mr Coaker: Could I just say that there has been
a review by the DCA of penalties in respect of the misuse of data
and I think that is now reported and what the Government is now
looking at is a vehicle to actually look at increasing some of
the penalties available for the misuse of data and finding an
appropriate vehicle to take that forward.
I think perhaps people can remember a day when the telephone did
not have that problem and as they have only recently acquired
a computer they think that the problems have come with the computer!
Margaret Hodge: It may well be.
Mr Coaker: The increased penalties for the misuse
of data is something which is being taken forward.
Q878 Lord O'Neill of Clackmannan:
A related matter about fines. We have had a lot of complaints
about email spam. Does the Government intend to raise the level
of fines for spamming and block the loophole of business to business
Margaret Hodge: This goes back really to the
question we have just discussed. I had forgotten that point about
the DCA and it may well be that arising out of that DCA review
the level of fines will go up. The only other thing I can say
to you which might be of help is that the advice to us from the
Information Commissioner is that speed is more important to him.
At the moment the investigations just take too long and I think
if he would prioritise any issue he would go for speed more than
fine levels as giving greater consumer satisfaction.
Q879 Lord O'Neill of Clackmannan:
What about the question of companies, as they do in the States
like AOL and Microsoft, bringing anti-spam cases to court? They
seem to be under the impression that it is rather more difficult
for companies like AOL or Microsoft to bring a legal action of
this kind on behalf of third parties in the UK.
Margaret Hodge: I am slightly baffled on that
Mr Smith: I am not sure I have got a very strong
answer to that. I do not think there are many spammers left working
out of the UK, I think they are down to single figures, I suspect.
Most of them are in the US, China and Eastern Europe, so whether
Microsoft would actually need to take such action in the UK is
Margaret Hodge: Can we write to you?
Lord O'Neill of Clackmannan: Yes, I was
going to suggest that. I am not trying to ask you a trick question,
but if you could pause and reflect and then write back, I think
it would be helpful. Thank you.