Publications on the internet
UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 618-iv
House of commons
TAKEN BEFORE THE
Home Affairs Committee
Tuesday 29 January 2013
Tom Ironside and Mike Andrews
Evidence heard in Public Questions 133 - 145
USE OF THE TRANSCRIPT
This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.
Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.
Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.
Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.
Taken before the Home Affairs Committee
on Tuesday 29 January 2013
Keith Vaz (Chair)
Mr James Clappison
Dr Julian Huppert
Mr David Winnick
Examination of Witnesses
Witnesses: Tom Ironside, Director of Business and Regulation, British Retail Consortium, and Mike Andrews, National E-Crime Co-ordination Manager for the National Trading Standards E-Crime Centre, gave evidence.
Q133 Chair: We have business in the House today, so I must apologise if, as is likely, in the middle of your evidence I suspend the Committee so that Members can vote. We will come back, so do not feel that we have abandoned you. As you know, the Committee is undertaking an inquiry into e-crime and clearly the views of your organisation in particular. Mike Andrews, you are the e-crime co-ordination manager for the National Trading Standards E-Crime Centre. Could you tell us something about current trends in this area? Is it on the increase at the moment?
Mike Andrews: Yes, there is certainly anecdotal evidence to support the suggestion that there is an increase in e-crime, particularly in terms of the trading standards remit, which is where we are approaching this from in terms of scams that are targeted at consumers. Some examples that we are particularly seeing are job opportunity scams, advance fee frauds, anti-virus software scams and vehicle-matching scams. What we are seeing more and more is that a lot of these scams that were done in the physical world, in terms of trading standards enforcement, are now moving more and more towards being perpetrated online, on the internet and email and technology like that to facilitate the crimes.
Q134 Chair: From where you are and from what you see, where are these scams coming from? Are they onshore, or are they coming other countries?
Mike Andrews: There is a mixture. In terms of obviously getting into trading standards, we are looking at where we can enforce UK legislation, but more and more the intelligence that we are receiving suggests that there is an increasing element of offshore criminality.
Q135 Chair: What the Committee is very interested in is the fact that certain other countries appear to be targeting the United Kingdom, partly because of our very buoyant retail market. If you look offshore, is it coming from other European countries or from beyond Europe?
Mike Andrews: It is very much a mixture. It is from other European member states; it is from former members of the eastern bloc; it is coming from the far east. It is very difficult to pinpoint specific locations because it truly is, to use a cliché, a global problem.
Q136 Chair: Mr Ironside, welcome. Your own recent survey shows losses of about £205 million?
Tom Ironside: It does.
Chair: How does that compare to other losses that are suffered by the retail industry, such as shoplifting and other crimes of that kind? Are you seeing an increase in this trend?
Tom Ironside: Yes. Our annual retail crime survey was published at the start of last week, and that showed a £1.6 billion impact on the retail sector of crimes relating to retail activities. That represents a smaller proportion of overall retail turnover than the £205 million does of the £29 billion or £30 billion that currently passes through online retailing. You can see that it is some way beyond the more general sort of tonal activity that takes place across the sector. I think that some of that is associated with the fact that it is a relatively new channel with relatively new challenges and, we think, some particular issues to be focused on from a law enforcement perspective in particular.
Chair: We will come on to some of those.
Q137 Michael Ellis: Mr Ironside, can I just ask you about two particular issues. One is proportionality. How do you approach the prosecution of offenders who may have stolen an item that in and of itself is of low value, but where the prosecution will obviously necessarily cost an awful lot more than the value of the item? There is a public interest in prosecuting those individuals, but do you have anything to say about the issue of proportionality?
Tom Ironside: I think we have a general view about proportionality, in that we see that any criminal retail activity is a matter of serious concern and should be taken seriously by all concerned. We have a broader issue in relation to e-crime in particular, which is that we think that local response, be it in terms of reporting, of investigation or of enforcement, is seen to be not ideal as it currently stands. We have questions about the extent to which local law enforcement officers are in a position to meaningfully progress cases. It is more from that perspective that we approach that question.
Q138 Michael Ellis: Can I ask you also about the increased use of mobile technology, because you have spoken about this and the challenges that the increased use of mobile technology holds for retailers? What do you perceive to be the main challenges?
Tom Ironside: From a mobile perspective, we do not see that there is a different set of criminality that accrues to mobile commerce as compared with other forms of online retail criminal activity as it currently stands. We put a lot of that down to using exactly the same sorts of measures to screen and tackle fraud within an m-commerce environment. There is an emerging expert view that the real challenge in mobile technology is the personal information that people keep on their mobiles, and that seems to be more problematic. It is more about the information that mobile phone users are choosing to store on their phones, and there is the potential for malware and other software applications to access that. But that is not a specifically retail-related issue.
Q139 Mr Winnick: Mr Andrews, you have a particular responsibility, have you not, for the protection of the public? Do you feel that sufficient protection is available for people, bearing in mind the scams that are now constantly being undertaken?
Mike Andrews: It is fair to say that in terms of legislative protection and of what criminal enforcement can be undertaken or of the civil remedies that are in place, the existing legislation is broadly adequate because it works equally well in the physical world as it would do in the virtual world in terms of e-commerce and e-crime. From that perspective, we do not really have any issues. The difficulty we have is more from the enforcement side, in particular the changes that have been put in place in terms of the Regulation of Investigatory Powers Act and plans in the draft Communications Data Bill that will potentially make it more difficult for us to tackle the problem, particularly in relation to getting communications data in relation to offending that is happening online.
Chair: Thank you. I am going to stop you there because we have to vote. We will continue with the questioning afterwards; we will not abandon you. I suspend the Committee until 4.15pm.
Sitting suspended for a Division in the House.
Q133 Mr Winnick: Mr Ironside, you represent of course the retailers. Retailers obviously want to make as much profit as possible. It would be odd otherwise, as you are in business to succeed and I am sure at the same time to try to be as fair as possible to your customers. Do you feel that customers have enough protection against online scams?
Tom Ironside: Consumer relationships are absolutely fundamental to the successful running of BRC member businesses. We certainly feel that the resourcing that is now being allocated to looking at online scams, rip-offs and other borderline criminal activity is absolutely right, because if consumers lose confidence in online commercial activity, then that has a knock-on effect right across the sector, we would feel. We do not have a perspective that there is insufficient resourcing currently, but we welcome the fact that this focus is emerging.
Q134 Mr Winnick: Yes. You are sitting together. I assume there is some co-ordination between the organisation Mr Andrews represents and retailers?
Tom Ironside: We were just talking about the fact that there definitely should be some co-ordination between our organisations, and we can see some strong potential in doing so. I am aware that the unit Mr Andrews is working in is relatively new, so it prevents-
Mr Winnick: At this moment there is not, but it is your intention there should be?
Tom Ironside: Indeed.
Mr Winnick: Mr Ironside, I should have thought the initiative, to a large extent, should come from your part of the affair.
Tom Ironside: We are very happy to make that connection and see whether there are ways that we can work together.
Q135 Mr Winnick: From this day onwards, so to speak. During the break when we were having a rather crucial vote, you came to the conclusions that you just told us?
Tom Ironside: There was clearly quite close alignment between the sorts of things that we were saying in our submissions, happily, and I can see that there is potential for us to work closely in the future.
Mr Winnick: Perhaps we could be kept informed of developments.
Tom Ironside: Very happy to.
Mike Andrews: Absolutely, yes.
Q136 Chair: In respect of victims of some of these crimes, recently my credit card was hacked, a PayPal account was set up in my name and money taken out of my account to pay for something. Obviously the money has been returned by the bank, but when I inquired of PayPal and others who was responsible, there did not seem to be any interest in finding out who was responsible for this; the main interest was obviously in ensuring that I was satisfied and that I had my money back. Do you think that this is a problem in dealing with online crime: nobody traces it to the very end to find out what has happened?
Mike Andrews: I think you have absolutely hit the nail on the head there. Before the suspension, one of the points I was keen to stress was that when you are dealing with the physical world it is relatively easy to identify if somebody is up to no good. It is quite easy to identify a shop or a house that you can pay a visit to in the physical world, but in the virtual world it is that much more difficult to trace where the offender is. You are relying on e-mail addresses, credit card numbers, mobile phone numbers and so on, and to trace that information is quite difficult. That is where we have serious concerns in relation to the proposed changes to allowing local authorities to have access to communications data, because clearly the access to the subscriber and usage information in relation to communications data is vital in being able to track and trace offenders who are operating in the virtual environment. Proposals to remove access to that information would have a significant detrimental impact on our ability to trace those offenders, and the example you have highlighted there is a perfect case in point.
Q137 Mr Clappison: How successful do you think Action Fraud has been at gaining recognition as a central reporting point for e-crime?
Mike Andrews: I think recently there has been a lot of publicity. I believe it was five police force areas it was initially trialled in and it is now being rolled out across the remaining police forces in the UK. We welcome the idea of having a central reporting point for all forms of fraud and obviously in particular in relation to e-crime and internet fraud. What we are slightly concerned about is how that information is then co-ordinated and disseminated to agencies like ourselves so that we can take appropriate action, because obviously we have a remit in terms of enforcing consumer protection legislation. It is vital that that information that is fed into organisations such as Action Fraud is properly co-ordinated and disseminated to agencies who can take the appropriate action. We welcome the progress that has been made, but I think it is quite clear that we need to engage closely with them to ensure that information is followed up.
Q138 Mr Clappison: On that point, do you think that current crime recording conventions give an accurate picture of the profile of e-crime? How do you think this could be improved?
Mike Andrews: It is fair to say that the current recording mechanisms probably are not adequate because you tend to find that the illicit activity would get recorded as a general fraud or a consumer protection legislation issue in terms of, for example, a trademarks offence if they were counterfeit goods. They tend to get classified under those areas, but the e-crime element is not necessarily always picked up. Therefore, it is fair to say that there is probably a large-scale under-reporting of e-crime and its true economic impact.
Q139 Chair: What kind of communication is there between banks, the law enforcement agencies and yourselves, not just yourselves as individuals, but in terms of retailers? I think you have said in the past, Mr Ironside, that there needs to be better communication between banks and card users. What kind of information would it be helpful for you to have in order to deal with this very serious problem?
Tom Ironside: There are a couple of areas in particular that we have identified where we think improvements could be made to the way in which banks communicate with retailers. When a card is flagged as lost or stolen, we find out very rapidly that that is the case and we can take action as a result. However, where fraudulent activity is undertaken, the communications links are much slower, and we think there is a clear case for that being addressed and flagged in an appropriate way so that retailers can take appropriate action at the time in question. The other issue that has been raised by members in this context is wanting to have a better or deeper understanding in relation to card-not-present transactions, where again there is an absence of depth of knowledge, which would allow retailers to respond particularly when fraud turnover threshold ratios are being approached. I think there are some quite straightforward things that would assist retailers to respond in an appropriate way.
Q140 Chair: I would have thought that the arrival of the unique personalised PIN number-presumably only people who know what their PIN number is should be able to use a credit card-would have cut down on the amount of fraud that is being committed, but it seems to have gone up.
Tom Ironside: I am absolutely sure that chip and PIN has had a significant impact in that context.
Chair: What, to make it better or worse?
Tom Ironside: It is a counter-factual case, but it has prevented fraudulent activity that would have otherwise taken place. However, it is a growing area of retail activity, so it is accompanied by criminality that sits alongside that and not all of that relates to card-not-present activity. Some of it is identification-related; some of it is refund fraud. There are all sorts of different strands to it.
Q141 Chair: But presumably, even though you might be able to stop the use of a fraudulent card, if somebody has ordered something online and purchased it, it must be very difficult to get back the product itself. You may be able to stop the use of the card. Is there any evidence to suggest that you get the product back?
Tom Ironside: I suppose it depends on the point at which the fraudulent activity is detected. There is considerable sophistication in the way that the third-party screening companies look at commercial approaches from customers. Where there are multiple uses of the same card across a range of different products, where there are a multiple uses of the same address in deliveries, then that can throw up warning signals in advance.
Q142 Lorraine Fullbrook: You have both criticised the capacity of law enforcement to respond to low-level, high-volume e-crime. Have you noticed any improvements in this area?
Tom Ironside: From our point of view, if I can respond, we have not, and I think that retailers’ perspective currently is that there is a lack of confidence in the local response. I think it is understandable that at a local level you will not necessarily have the expertise or the resourcing to adequately address what can be a technologically complex and difficult area of criminality. What we would like to see-and it goes back to an earlier answer-is a very effective central reporting mechanism that allows bulk reporting because, as I was mentioning, quite often you get a linked range of, say, 200 offences, all of which relate to a single card or a single address. Expecting an individual case report for each of those is perhaps not the best way to go about things and we think there are ways to make that process as business-friendly as possible.
Mike Andrews: I echo that and I would like to think that the advent of Action Fraud as a central reporting centre would help to collate that intelligence so you can identify these patterns. The problem is that, from a trading standards perspective, you may get a number of different reports that are reported to individual local authorities, but then trying to collate that into this issue of low value but high volume is very much an area where we have a key remit to enforce that.
Q143 Lorraine Fullbrook: Mr Andrews, you have said that the recent changes to RIPA have impaired the ability of trading standards officers to investigate online offences. What is your estimate of the proportion of your investigations that have been adversely affected by the changes?
Mike Andrews: The changes are very recent. The changes in terms of having judicial approval for RIPA authorisations only came into effect in November, so it is quite difficult to quantify that at the moment, but I am aware that the Local Government Association is in the process of collating figures from local authorities across the UK to try to quantify the problem that this is causing. What is more concerning is not so much the changes to RIPA in terms of doing directed surveillance. I go back to my earlier point: the key changes that are planned are in relation to access to communications data, because that is fundamental to allowing us to track and trace offences that are occurring online. Removal of our ability to access that data will severely hinder the work that we can do.
Q144 Lorraine Fullbrook: You see that currently as an obstacle?
Mike Andrews: Yes.
Lorraine Fullbrook: What other obstacles would trading standards encounter when investigating online crime?
Mike Andrews: One of the key areas is the cross-border nature of e-crime, and that is why the unit that I am responsible for has been set up. Trading standards obviously operates at a local level through local government, but clearly e-crime is not confined to any one local authority area. Hence we have set up a national unit to tackle that problem, but at the same time we rely on colleagues in local authority departments to support us in that endeavour. Clearly government resources are under severe pressure in terms of budget cuts and e-crime is not always seen as a priority by council members and local politicians. Trying to get that engagement and work with local authorities is quite difficult in these times of austerity, so that is a key barrier for us. Further to that is also the very nature of e-crime. It is quite a complex, time-consuming area of criminality to investigate, hence the resources required to do so are quite-
Q145 Chair: Finally from me, DAC Leppard from the City of London Police said that we are not winning the war against online crime, and only last week a number of people who had anonymously hacked into PayPal had been given sentences of between seven months and 18 months, even though they had been responsible for fraud of £3.5 million, and one would believe that if you had robbed a bank, you would get a bigger sentence than that. Are you concerned, first, about the level of sentences of those who are involved in e-crime? Secondly, are we winning or are we losing the war against e-crime? Mr Andrews first, and then Mr Ironside.
Mike Andrews: I think the case you have highlighted there is a perfect example in that perhaps the sentencing is not adequate, because, as you have pointed out, if somebody walked into a bank with a sawn-off shotgun, they would have probably received a sentence significantly longer than that. Are we winning the war? Again, it goes back to the ability to properly quantify e-crime and the economic impact. I do not think we can fully quantify that at this stage, but it is certainly true that unfortunately the cyber-criminals are generally one, two or even three steps ahead of law enforcement in terms of their ingenuity and the methods that they have to hide behind the anonymity of the internet, and it makes it all the more difficult for us to track and trace those sorts of offenders.
Tom Ironside: From our perspective, if you do not have meaningful and effective enforcement, i.e. if you do not take appropriate action once criminality has been identified and see the punishment that flows through from that, then that obviously causes some extremely difficult messaging and potentially encourages additional criminality. Looking at incidence of e-crime, I think investment by businesses is successfully screening out lots of criminal activity. We can see potential in a move to a central reporting mechanism, but what we really need to see is that central reporting mechanism working effectively and delivering the investigations and enforcement that flow out of that. That is something for the future rather than something that is here already.
Chair: Mr Andrews and Mr Ironside, thank you very much for coming. I am sorry it has been a disjointed session, but we are most grateful to you for coming, and there must be other information that you feel would be of help to us. If there is, please do not hesitate to write to us. We are very pleased that you have had the opportunity to bond during the important vote on boundaries in answer to Mr Winnick’s question.