Select Committee on Science and Technology Minutes of Evidence

Examination of Witnesses (Questions 860 - 879)



  Q860  Baroness Hilton of Eggardon: The problem with the sales staff is that they glory in the complicated vocabulary, do they not, when they are talking to you?

  Margaret Hodge: Or the turnover is huge. What we have tried to do on digital switch-over, which one could do anywhere, is to do a kite marking scheme for the retailers and for the producers as well, and that is always quite a good way of trying to get self-regulation to some agreed standard across industry. You can spread that sort of mechanism in any bit of the sector you want.

  Mr Smith: Could I just add, the more consumers are working in a kind of "point and shoot" environment the happier I think everyone would feel and I think with the advent of broadband the automatic patching and updating of software actually has moved on considerably. To answer Lord Broers's point about the outdated software, most computers are now sold packaged with antivirus software. Admittedly, the package that is on the machine could be the 2005 edition, but when it makes connection, when you load it up, it will go to the website and update itself. If it is 2005 it will take for ever to update, but it will do it, so I am not so sure that is a big problem, but we will think about it.

  Q861  Lord Young of Graffham: I have quite a straightforward question really. If a bank has a forged cheque from my cheque book it honours it. If my credit card gets stolen and I have notified the bank, and somebody else has signed it, they honour it. Should the banks be responsible for losses due to Internet fraud?

  Margaret Hodge: You said it was a straightforward question. I wish I could give you a straightforward answer, because it depends on the particular circumstances, the particular fraud which has been perpetrated. So if there is a contract between the individual and the bank in that instance, the contract would determine who pays if something goes wrong. There is the banking code, which you will be very familiar with, which is basically that where it is believed that users took all reasonable steps to ensure that they would not lose their card then the bank will pick up the tab. I think you have established a liability. Liability exists in that context. I think that laying down absolutely firmly whose liability it is and when goes back again to the discourse we have had this afternoon about this partnership between the user, the provider and the banks. It is a difficult one. Who do you say is liable? I suppose our focus on that is working with the banks to ensure that they have better security. There is this new system, which I have not seen but I have heard of, where you have a different number on every transaction. What is it called?

  Mr Smith: A one time password.

  Margaret Hodge: A one time password, another terminology, so that every time you undertake a transaction you have that as security and that appears to be an improvement.

  Q862  Lord Young of Graffham: The reason why I think there is more in this question than a simple answer is that we have moved in a progression from a world in which we all signed cheques and went into a bank to collect money to a world of ATM machines, and that will pass and we will be in a world in which money will be electronically transferred literally from my wallet to the bank. In those circumstances, should not either the DTI or the Home Office be looking very closely at the sort of regulations which could pertain to that before it begins to arise?

  Margaret Hodge: It is a fast-changing world, so of course it is absolutely right that we should constantly be vigilant and ensure that the regulatory framework is appropriate, and actually in this instance probably it is the FSA rather than either of us here who would have responsibility.

  Mr Webb: It is possibly worth also saying that there is currently a scheme verified by Visa and Mastercard of a secure code where, providing you as an individual sign up and the retailer signs up, you have a secure site where you can do your transaction and then that will be firm and the bank will stand behind that. So in a sense there is already the possibility for consumers and retailers to get into a position where the bank will guarantee the transaction. It is a relatively new scheme and the take-up is increasing but it is still relatively low at the moment, but that is certainly one of the things which APACS and the banking industry see as the way forward.

  Mr Coaker: It goes back to Lady Hilton's point about the need for consumers to be aware of these sorts of things as well. Consumer awareness I think is a huge issue.

  Lord Young of Graffham: Yes, absolutely.

  Q863  Lord Harris of Haringey: If you really want to encourage e-commerce and you really want to encourage the banks to improve their security systems, requiring them to accept liability—as they do, I think, in the United States—for problems with Internet banking would surely be the most powerful driver of all?

  Margaret Hodge: I think the answer is that that sounds easy, but then you have got to define the circumstances in which you would expect them to accept liability.

  Lord Mitchell: The Americans seem to do so.

  Q864  Earl of Erroll: Surely, it is the same as the Bills of Exchange Act 1886 or the American Regulation E, you just quite clearly put the liability on the banks? At the end of the day, they are the ones who control the money flow. Under the Bills of Exchange Act 1886 they had liability for a forged signature, or whatever, because there was a problem in those days. What we have now is an electronic way for them to offload that liability to the merchant or to the customer and we need to put it back with them, because they are actually the ones who could implement technology. If you look, for instance, at Alliance & Leicester, who have now been authenticating their site back to their users for some time, they only have 0.01% of the Internet fraud, and the fact that the rest are hiding behind APACS because they are not implementing two-way authentication is an excuse. The things you talk about, actually two factor authentication, merely helps the bank not the consumer and the banks are hiding. If you put the liability back with the banks they will do something about it and all you need is some primary legislation to enable that to happen.

  Margaret Hodge: I hear that and I think defining that primary legislation is much more difficult and much more complex for it to be fair than I think you have suggested in saying that to me. There will be some circumstances where we could put in primary legislation and there could be other circumstances where it is consumer behaviour rather than the banks which is at fault, which has led to a fraud or an abuse, or loss of money, whatever it is, a theft, and it is difficult to get those parameters right. What I do agree with you, and it is what we are trying to do all the time, is to try and improve the abuse of fraud by authentication schemes and working with the banks in that regard. We can go with the heavy hand of the law rather than the more self-regulatory route down which we are tending to travel and it is a matter of judgment for this Committee which it thinks is more appropriate. I leave that to you. We think we have got the balance about right, but you may think that we ought to be a bit tougher than we have been so far.

  Chairman: We will go on discussing that, but I think we are minded to think that as things change more should be done.

  Q865  Lord Paul: Can I ask a more simple question: who regulates Internet services in the United Kingdom?

  Margaret Hodge: This question I had some idea you might ask. It comes from the idea that again it would be easier and simpler to have one regulator and one form of regulation. We are regulated by EU law, by UK law, and we also look at rather more global protocols which determine what we do. What we try to do in our regulatory framework is to ensure that the authority responsible for regulation offline is also responsible for regulation online. So the FSA, for example, will be responsible for online banking regulation. The main bodies we have got are Ofcom and the Information Commissioner, and I suppose a crude division of labour between them is that Ofcom regulates the industry—it is a bit too crude to put it like this, but I will say it anyway—and the Information Commissioner will look after the interests of the individual.

  Q866  Lord Paul: We understand that by virtue of Section 32 of the Communications Act 2003 Ofcom does not have any remit to regulate the content that is provided via Internet services, but given the increasing use of the Internet to transmit content, which will accelerate with convergence, is this position tenable in the long term?

  Margaret Hodge: Content on the Internet is extremely difficult to regulate because it does not get produced nationally, it gets produced globally. We are quite proud actually of the work led by the Home Office and led by Vernon Coaker around self-regulation on content, particularly in relation to child abuse and those sorts of issues. We have the Internet Watch Foundation, but it is extremely difficult to think of a mechanism which we implement nationally which would impact in the way we would want on what is a global service. That is really the problem we face. Again, if the Committee comes up with useful suggestions in that regard I think both the Home Office and the DTI would love to hear them.

  Q867  Lord Young of Graffham: And the Government of China! You can access anywhere on the Internet but you cannot regulate, you simply cannot, as I have said. There are some governments around the world which have tried and have failed.

  Mr Coaker: It is China I was thinking of.

  Margaret Hodge: I was in China last October, where we talked a lot about how they could police their system rather better than they currently do, and they are making efforts there. There is actually a huge amount which comes from there, and from the States as well, which from your visit you believe to have a far better, stronger regulatory framework.

  Q868  Lord Paul: Ofcom has statutory duties both to promote "media literacy" and to "conduct research" into such areas as "the experiences of the consumers in the markets for electronic communications services". Could Ofcom use these powers more proactively than it has done so far, in order to encourage better self-regulation within the industry? Let me give an example. What is the Government or Ofcom doing to persuade social networking sites such as MySpace to present appropriate guidance to users about the risks of disclosing personal information online?

  Margaret Hodge: Could we have a step change in Ofcom's performance around its media literacy duties? I think the answer has to be, yes, and they are actually tackling that as we go. I am not quite sure where we have got to. They have produced an outline policy paper, which is probably out to consultation. I shall be corrected if I am wrong on this, but I think that is where we are, and that is coming back soon to them. But I agree with you entirely that they have a role to play, amongst others, in providing much, much better education and understanding of the potentials and the dangers of the changing content in ICT, so absolutely, I am with that.

  Q869  Lord Mitchell: You mentioned child abuse and I would like to come on to that subject. ISPs are being made to purchase and install systems to block access to child abuse image sites. The ISPs told us that this will not prevent the determined from accessing this material and will only prevent inadvertent access. Is there any evidence that inadvertent access to child abuse images is a significant problem?

  Mr Coaker: There is no evidence about that being a problem. The last point to make about inadvertent access is that we have no evidence that that is problem, but I think it is a very important part of the Government's strategy in actually trying to prevent child abuse images being available on websites in this country. I think that the public would expect us to do everything we can to block these images. I am assured that there are people out there who have the technical ability to probably overcome the blocking processes which ISPs are putting in place and will put in place. Could I just put on record, Chairman, that I have been very pleased with the cooperation from ISPs in this area. There is significant blocking taking place already. I think that is a reasonable request to make of ISPs and I think the fact that some people may actually be able to overcome that blocking process is not a reason for it not to happen and in fact it is simply another hoop, if you like, which you put in place in order to try and protect the children of this country. I think that is a reasonable thing to be in place and I think most people would expect it to be there. It is not a magic solution. It is not a solution which says that if this is in place it will prevent any person from accessing these sites who are determined to do so, but it hopefully makes it much more difficult and hopefully, therefore, when it is brought to court the fact that somebody has had a particular technical expertise in order to access that site will help the court in determining the verdict.

  Q870  Lord Mitchell: Do you not feel that it would better to push the responsibility for blocking content onto the end-user machine? Let me just add to that, in the evidence we have received it is staggering, for example, the lack of knowledge by parents on subjects like grooming sites, blogging sites, chat rooms and all the other things which go on. I think only 10% of parents were totally aware of what is actually happening on the Internet. What strikes us is that really when somebody turns on a machine for the first time there should be an access point actually telling people what the problems are. Just to give you a simple example, every time I turn on my car on the display it tells me not to look at the display when I am driving. It seems pretty obvious, but it is telling me not to do that and I do not see why, when people turn on their computers for the first time, it should not say, "We want to take you through all the dangers of the Internet, what you as parents should be aware of and what precautions you should take."

  Mr Coaker: Certainly all of these types of procedures and processes we are looking at. We recently are looking at the BSI kite mark, which will be available for machines and software in order to show which are particularly good at protecting children or others with that particular piece of software or hardware. One of the things we are trying to prevent is the situation where you have a computer where the end-user has got a particular piece of kit which, when it is installed, will prevent them from accessing these abuse images, but I guess then you would have a situation where it could be uninstalled. It may be that just simply having an end-user product of some sort which will prevent access to child abuse images which is currently on the computer, and you sell it as such, and then somebody may uninstall it, so you have still got a problem with that type of situation where somebody who is determined to overcome it could actually do so. We think it is one way of trying to prevent access to child abuse images. We are moving towards a point where we have virtual total compliance, as far as is possible. If there are other processes that we can adopt at the same time, then I think we will look at those as well, but blocking is an integral part of that.

  Q871  Lord Mitchell: I think education is an absolutely important part as well.

  Mr Coaker: Yes, of course. That is a very good point and I should have mentioned that in responding to the question you put. You are absolutely right, education is an important part of this. It is like many policies in respect of this area, that actually it is not either/or, it is a combination of all of the various policies and a combination of all of these various factors in order to do what we all want, which is actually to protect our children.

  Q872  Chairman: Let me move on to another topic. During our investigations we have seen a fairly large volume of illegal trading which is going on on the Internet of credit card numbers, credit card data, addresses, security numbers, et cetera. Bearing this in mind, is it any longer appropriate to pursue police investigations or still less launch prosecutions on the basis only of logs of credit card use?

  Mr Coaker: Chairman, clearly much of the answer to that is operationally for the police. I think Mr Gamble gave evidence in respect of this matter. I would simply make the point that I do not think the police would prosecute someone simply on the basis of their credit card being used. I think an investigation into whether you prosecute would require you to take account of all of the various relevant issues with respect to that particular crime which you were investigating. Of course, at the end of the day the evidence that you present would be tested not only by the police but by the Crown Prosecution Service and ultimately in the end by the courts to determine whether a crime had been committed or not. As I say, I believe that just on the basis of a credit card I am not sure the prosecution would proceed.

  Q873  Chairman: Do you think they are sufficiently aware of this?

  Mr Coaker: I think they are and, as I say, at the end of the day the great safety net for us all is the fact that the police made their investigations. That then has the test of the Crown Prosecution Service to determine whether they should prosecute or proceed, or not, and then ultimately it is a matter for the courts. As I say, many of these are operational matters, but I would be surprised if it was purely and simply on the basis of credit card details that a prosecution was taken forward.

  Q874  Earl of Erroll: Regulation 5 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 requires communications providers to keep their networks secure. Responsibility for enforcement currently lies with the Information Commissioner. Are you satisfied the Information Commissioner is best placed to monitor network security?

  Margaret Hodge: We have two regulators really operating in this space. We have the Information Commissioner, who has responsibility for personal data, information about the individual, and we have Ofcom, which has responsibility for the regulation of the networks and continuity of supply. I think in that question the interpretation is somehow that the Information Commissioner has got the responsibility around the networks. He has not. Just on the more general point there, Ofcom is just about to put out, I think, a consultation. I think we have done a bit of this today, have we not, about things about to come out, but this is a consultation which is about to emerge on the scene from Ofcom looking at the general conditions around this area and I think security will feature quite prominently, as I understand it, in that consultation, so it may well be that many of the issues raised by this Committee will be taken up in that particular consultation. The only other thing to say, as of course I am sure you are aware, is that Europe has the overarching responsibility here on legislation for communications providers and they, too, will be looking at the issue of security, so we will have a double take on it.

  Q875  Earl of Erroll: I think the real worry is about the Information Commissioner's powers. For instance, when a laptop was recently stolen the Nationwide ended up being fined £980,000 by the FSA, just under a million pounds. It was a huge amount. But when the banks put unshredded statements into the bin, then that comes under the Information Commissioner's office and all it can do is impose a fine of £5,000 if they actually did do it and they were repeat offenders. Online websites are being broken into and details being stolen repeatedly, and in fact I noticed that yesterday or the day before on the Serious Crime Bill which is going through the House at the moment the Minister kept saying that the great protection is the Data Protection Act and the Information Commissioner. Does the Information Commissioner really have the powers and ability to enforce these things properly, because you seem to place a lot of reliance on him but he has very little power?

  Margaret Hodge: He has the powers and he could make a recommendation to us around issues such as fine levels. Again, my understanding is that he is considering that at the moment, but when he looks at fine levels in relation to individual data in this area he has to look at other areas where there are abuses of legislation. Let me give you an example. My postbag as a minister around issues which go to the Information Commissioner is much, much larger around TPS, the Telephone Preference Service. I get many more letters from MPs around abuses of that than I do around any abuses in relation to the Internet. In his review of an appropriate fining regime he has to have regard to the rather broader areas of crime and breaches of the legislation than simply looking at breaches relating to the Internet, and it is interesting to see that they are not big here. They do not feature massively in his in-tray. I assume he has given evidence to you already and I do not know whether he said that, but certainly my perception, as a minister, is that he gets more.

  Chairman: He said that, yes.

  Q876  Earl of Erroll: It may be because people do not realise and the penalties are inadequate.

  Mr Coaker: Could I just say that there has been a review by the DCA of penalties in respect of the misuse of data and I think that is now reported and what the Government is now looking at is a vehicle to actually look at increasing some of the penalties available for the misuse of data and finding an appropriate vehicle to take that forward.

  Q877  Chairman: I think perhaps people can remember a day when the telephone did not have that problem and as they have only recently acquired a computer they think that the problems have come with the computer!

  Margaret Hodge: It may well be.

  Mr Coaker: The increased penalties for the misuse of data is something which is being taken forward.

  Q878  Lord O'Neill of Clackmannan: A related matter about fines. We have had a lot of complaints about email spam. Does the Government intend to raise the level of fines for spamming and block the loophole of business to business span?

  Margaret Hodge: This goes back really to the question we have just discussed. I had forgotten that point about the DCA and it may well be that arising out of that DCA review the level of fines will go up. The only other thing I can say to you which might be of help is that the advice to us from the Information Commissioner is that speed is more important to him. At the moment the investigations just take too long and I think if he would prioritise any issue he would go for speed more than fine levels as giving greater consumer satisfaction.

  Q879  Lord O'Neill of Clackmannan: What about the question of companies, as they do in the States like AOL and Microsoft, bringing anti-spam cases to court? They seem to be under the impression that it is rather more difficult for companies like AOL or Microsoft to bring a legal action of this kind on behalf of third parties in the UK.

  Margaret Hodge: I am slightly baffled on that one.

  Mr Smith: I am not sure I have got a very strong answer to that. I do not think there are many spammers left working out of the UK, I think they are down to single figures, I suspect. Most of them are in the US, China and Eastern Europe, so whether Microsoft would actually need to take such action in the UK is debatable.

  Margaret Hodge: Can we write to you?

  Lord O'Neill of Clackmannan: Yes, I was going to suggest that. I am not trying to ask you a trick question, but if you could pause and reflect and then write back, I think it would be helpful. Thank you.

previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007