Examination of Witnesses (Questions 280
WEDNESDAY 1 MARCH 2000
BRUCE, MP, MR
Lord Faulkner of Worcester
280. And "rebuilding our web site".
(Mr Wales) Absolutely, and you do not get this problem
when you do it on the telephone. Going back to where Philip led
in to me on the question of business to business e-commerce and
the huge volumes that go through the City of London, we are talking
about people like APACS and Swift for banking transactions, huge
volumes of foreign exchange, absolutely monumental securities
dealing. In all of those security is an absolute prime consideration
and obviously the people who are operating these systems are always
in a race to keep ahead of what we might call the e-criminal;
it is the most pressing issue for them. Therefore, the important
thing is to ensure that any regulation which is designed to build
trust for the consumer and designed to build consumer confidence,
does not actually damage in any way the existing business to business
structures because it could have disastrous effects. This is why
EURIM, for example, was so anxious to ensure that key escrow as
it is called, placing your encryption keys in escrow, did not
form part of any licensing regime for trusted third parties. Although
the trusted third party approach is one way of building confidence,
if you build in key escrow then you hit at the basic security
of many of the City of London systems and this, of course, is
likely to be an issue with the new regulations. That is really
the key message, we are looking after consumers, do not destroy
the existing business to business structure.
(Mr Bruce) Government for two years has been trying
to get an Electronic Commerce Bill which became the Electronic
Communications Bill. When one analysed it there was very little
that Government had to do, so the Bill is now very short, it is
now in your Lordships' House, but we are concerned from EURIM's
point of view that many of the things that we persuaded the DTI
would close down e-business have now gone into a Home Office Bill
and the Investigation of Regulatory Powers Bill is now sitting
with that and I think we will have to consult with Government
again about whether they are doing the right thing on that Bill.
281. Could I come back to the issue of technology
and none of us around the table is a technician. You were talking
about operating these PCs as technology develops. You said there
probably will be many more people using the TV as it is easier
to handle and more user friendly. Presumably one will move on
to using mobile phones for access to the Internet. You can change
your mobile phone fairly frequently. People have half a dozen
of them as fashion items and all the rest of it. TVs you do not change
very often in my experience. I have changed my lap-top more than
I have changed my television. How will people cope with changing
technology if you are using the TV as the prime medium for access
or is there a mechanism where you can plug something into the
(Mr Bruce) I think that is what will happen. Your
existing television will have a box plugged in the back. As things
develop new boxes will get plugged into the back. Many of the
services are being plugged into digital televisions.
282. Which are more expensive.
(Mr Bruce) And there is a whole pile of products now
being issued by people through cable TV, terrestrial broadcasting
of digital and through satellite digital all designed to give
Internet access by any other word and to do e-commerce over the
Net, but the consumer sees it as using their normal "zapper"
with their television because they are used to that interface
and they can make it work properly.
(Mr Wales) Basically, in the end television will become
a dumb terminal and intelligence will lie at the other end of
283. I want to go back to something you said
about trust and the consumer. I know that you made a passionate
plea, which was do not let this problem about trust with the consumer
get in the way of the business to business area. The fact is that
it is a new technology, it is something that although we say we
understand it as consumers, we are still slightly scared of it.
We are not necessarily that scared of using it, it is not like
driving a new car where you think you are going to crash it. But
actually one is slightly scared of what it is out there in the
ether and how when you allow your credit card to go through you
could be duped, one hears many horror stories. Can I just spend
one minute telling you what happened to me today? I logged on
to my e-mail and I found a message from Amazon.co.uk. I am a great
supporter of theirs. I have not bought any books since last November.
I got a message from them saying, "We regret that your credit
card has not been accepted" - in other words you are
a fraudster - "Before we process your order please send
us a cheque in sterling in order to support the order that you
made at the weekend." On the 2nd December I was mugged in
Buenos Aires and my Visa card was taken along with my purse, etc
and it has not surfaced until now. Obviously somebody has got
my Visa card. I am feeling pretty miffed about it in that, first,
I am regarded as being unable to afford to pay for the books and
my credit has been withdrawn on the Visa and, second, if things
like this can happen I am not desperately keen on it. I am a bit
anti Amazon.co.uk today.
(Mr Bruce) If one does what I always try to do with
these cases, which is to say what happens in the existing world,
somebody could have been using your credit card in South America
from last December until somebody gets round to stopping it. Once
the electronic systems that are now being dealt with have gone
on to line there has been a check electronically which has thrown
up the fact that - No doubt you have told them that your card
is no longer valid and no longer available and they are therefore
giving you that information and stopping fraud going on. I would
have thought you are using a new number on your new credit card
284. All I am saying is that I get the impression
that they will think "We don't want to do business with her
(Mr Virgo) Part of the thing here is how the system
actually works because what has almost certainly happened is that
the payment went through and they have now received a recharge
long after the event and that is the point of that Visa statement
on recharges, because what appears to happen is these supposed
online credit card verification routines only check that it is
a valid number and it has not yet been reported as stolen. The
actual recharges may come through anything up to six months late.
There are a lot of problems in those payment systems and the checking
of security, which is why you have got people like the Identrus
consortium trying to produce much faster online verification systems,
but those systems will be quite expensive. I think Identrus is
likely to be about $10 to $15 per transaction when it comes in,
i.e. it is there for higher value transactions.
285. It does knock the trust.
(Mr Virgo) It does indeed.
286. I take your point, Mr Bruce.
(Mr Bruce) One should also focus on the worst part
of this which is the company that is being defrauded and not getting
paid in the past rather than you actually losing anything from
your credit card because you can go back and say, "Something
has been charged against my credit card when I have told you to
Baroness O'Cathain: Except my good name. That
is the thing I am worried about.
287. I was interested in appendix C on regulation
of content on the Internet and I have two inter-related questions.
As I understand it your argument is that we cannot do much about
the point of origination but we can do something about the point
of access in broad terms. I would like to know how that is moving
forward in terms of EU initiatives and so on, what your current
view is on this issue; in addition, if we move into this area
of voluntary regulation, I would be interested to hear about the
Internet Watch Foundation, its role and its parentage and how
effective it has been in its policies?
(Mr Virgo) The issues of content and liability for
content are largely under the e-Commerce Directive and I will
ask Richard to speak to that in a moment or two. We have got to
a situation now where the e-Commerce Directive essentially says
regulation at the point of origin except where this offends against
consumer protection or other existing statutory protections, or
if it is illegal in the country of destination. The issue is how
you reconcile these positions. Hence the various initiatives for
alternative disputes resolution. The Internet Watch Foundation
was relaunched a couple of weeks ago and Roger Darlington has
become the new chairman and the remit has been extended to cover
racism. There is also an initiative for a thing called "Rights
Watch", which is a separate body which is going to be policing
breaches of copyright on the Net. If one makes a comparison, ICSTIS,
which is the chatline regulator, has a budget of about £2
million a year to do a much simpler job albeit with a broader
remit than the Internet Watch Foundation which has very limited
resources and is purely focused on the issues of pornography and
primarily focused on paedophilia.
288. We are having evidence from them.
(Mr Virgo) Certainly, my feeling all along has been
that the Internet Watch Foundation needs far more resources to
do its job and it needs a remit and a position much more akin
to that of ICSTIS to be effective.
(Mr Wales) The focus of the e-Commerce Directive and
the liabilities section is actually to relieve Internet Service
Providers (ISP) from liability where they are not responsible
for content, but this is a very good example of how regulation
should not be drafted because the provisions are actually technology
specific, launching into descriptions of what is a mere conduit,
as they call it, caching and hosting. These are incorrect descriptions
of current technology and they will be overtaken by new technology
very quickly. The result at the moment is a fair degree of confusion
and it would look as though, unless you are simply providing a
line over which information is being transmitted, you are likely
to have some form of liability for the content which makes life
almost impossible for the average ISP because they are obviously
transmitting vast amounts of information for all sorts of customers
and they cannot possibly take responsibility for the content of
that information. So there is quite an issue there.
(Mr Bruce) Just one small point on the regulation
of all of this. Your Lordships will know that there is a Utilities
Bill going through the House at the moment which reforms OFTEL,
but the Government has also announced it will bring out a White
Paper in the Autumn which will reform both OFTEL and all the regulation
of broadcasting and Internet content and all of those sorts of
things could come within that remit. There are rumours that the
Government might actually pull telecommunications regulation out
of the Utilities Bill because it is effectively going off half
cocked in trying to regulate only one part, i.e. the technical
side of telecommunications as opposed to everything that needs
to be included and I am sure the Government will be interested
in the report that is coming forward from your Committee as to
how you see these things, but it is currently a matter of some
difficulty to the Government to decide how it deals with this.
Lord Cavendish of Furness
289. It seems to me the Internet is just a new
twist in the globalisation which is affecting powers of nation
states and Parliaments and one thing and another. There is nothing
new in that except that it is quite a big new twist. There seems
to be some consensus over what should and can be done in the fields
of privacy, intellectual property and one thing and another, but
generally speaking this powerlessness which does seem to have
come across from witnesses has got to be coped with by the institutions
in the political class particularly in an area where pressure
groups are so predominantly forming opinion and they can be internal,
they can be police forces and Treasury people. I would like to
have a flavour of what colleagues in the other place are feeling
about these really rather conflicting views that it is going to
affect the business of government, it is going to affect their
(Mr Bruce) I think the feeling is very clear amongst
colleagues, particularly those who just have a passing interest
in this, which is that they do not want to have pornography delivered
into the home, they do not want to see children being exploited
in other countries or women being exploited in other countries
and for this information to come into the United Kingdom. It is
a very difficult one on jurisdiction but it is not impossible.
One has to remind people that Gary Glitter ended up in prison
because he had used a computer to look at pornography. I suspect
that if he had had it through the post or gone and bought it and
brought it in in a suitcase he would not have been caught, so
one has to have a bit of a balance on this. It is something that
my colleagues in the other place certainly do exercise their minds
on. I had a researcher who came over for three months from the
States look at this for me and an interesting fact that she came
up with was that there is one piece of legislation that everybody
(other than America, unfortunately) is signed up to and that is
the UN rights of the child and under the UN rights of the child
every country is there to protect children from being exploited
sexually but also being exploited by seeing adults having pornography.
One could actually say to any government in terms of material
coming from that particular country that they are actually breaking
the conventions of the rights of the child and they should take
action against the people who are providing the material. I think
this is an international issue, but not one that is insurmountable
in terms of being able to take action. I think the Utilities Bill
needs to look very carefully at the situation where very often
a telecoms provider who is providing a line in and knows material
is coming through is prevented from licensing conditions of cutting
off the customer and even sometimes in international treaties
for cutting off the customer and I think the European Commission
and all the international bodies must look at having a clause
which says where something is not in the public good in terms
of information coming through in that way it can be cut off, but
it does get even more complicated. I think the issue of freedom
of speech and the fact that in America you can say virtually anything
about any group of people yet in Germany, for instance, you cannot
have Holocaust denial, that is a criminal offence, you cannot
try to pretend that the Jews were never gassed in gas chambers,
that is a criminal offence, but that information could come from
America straight down to a computer, but once it is on that person's
computer then they have effectively broken the law of that country
and the jurisdictions there.
290. Is there a danger, feeling what you feel,
that the pressure will come in to strengthen it and do damage?
(Mr Bruce) Knee-jerk reactions can have that effect.
We are looking at the Regulation of Investigatory Powers Bill
where my colleagues are worried about pornography coming through
and that is the 1, 2, 3 per cent of the traffic that might come
through and business is then concerned that the regulations that
are brought in kills the other 97 per cent of traffic coming through
and, indeed, it does not stop the pornography coming through,
it simply moves to a step outside of the jurisdiction within the
United Kingdom and one has to be very careful in this international
environment not to kill the golden goose simply by thinking that
one can go in and try to regulate heavy handedly.
291. Do you want to add to this?
(Mr Virgo) You have industry saying leave it to us,
self-regulation, but unless that self-regulation is seen to be
effective and credible then you will have statutory regulation
and there is this tension that self-regulation has to be seen
to be effective in time to head off inevitable pressures that
will lead to statutory interference as scandals and so on emerge.
One of the big debates is about how far industry really can deliver
self-regulation in time and in areas where there is not a consensus
between the players. The debates in this area are clearly changing
with a number of the large players becoming quite draconian in
the conditions that they want to impose on those whose traffic
they carry while other players are wanting to be very liberal
and libertarian because their cost models are different and there
is a confused debate going on in the industry.
(Mr Wales) I agree with you entirely. This is a terrific
problem with the Internet and electronic commerce. There are no
boundaries and it makes the creation of laws and their enforcement
extremely difficult. If you try and control at the point of origin,
the provider simply changes the place he is operating from. It
has to be controlled from the point of consumer access. Therefore,
if you are trying to produce some sort of international coordination,
the easiest way to do it is through self-regulation. The industry
has to do it itself.
Lord Faulkner of Worcester
292. Forgive me if my approach is a little simplistic.
I am concerned about consumer confidentiality. I have been reflecting
on some of the evidence we have been hearing in previous weeks
about the way in which cookies work. As I understand it - and
I would like you to comment and correct me if I am wrong - it
is possible for the provider of information, when an individual
accesses their site, to be aware who that individual is through
the installation of a cookie inside that customer's machine and
then for them unwittingly to go on a database and to be targeted
for the promotion of products and services and junk mail. First
of all, am I correct in saying that that is possible with the
way things stand at the moment? Secondly, if it is so, do you
have any thoughts on how what I would regard as an abuse can be
(Mr Virgo) I think that is quite a reasonably accurate
summary of what those who plant the cookies there would like to
achieve. How reliable their technology is and how effectively
these things work I am less certain, but that is what they are
wanting to achieve. There is a range of reactions. There are some
technology enthusiasts who are quite happy for this to be done
to them because they think it will help target services; they
will get all sorts of benefits and so on. There are others - and
certainly I am one of them - who regard this as a gross intrusion
and I would like to be in control of what information those seeking
to sell to me have. This is one of those areas where there was
a period when the whole of the industry seemed to be going down
the route of "these cookies are a marvellous thing to help
us target our products and services", and then suddenly realising
that they are turning off key audiences. In Al Gore's first report
on the Internet he quoted American market research which showed
that about 70 per cent of Americans were less likely or unlikely
to use the Internet for e-commerce because of fear of such intrusions.
In other words, the American population had by and large similar
attitudes to those which I think most of the European population
have. It is a very real issue. It would appear to be a gross breach
of data protection legislation. Then we run into the issue that
there is a great deal of data protection legislation within the
United States. It is however at state level, not federal level.
The issue is not that they are not concerned about privacy but
that it is remit outside of the federal government. Once again,
the resolution is going to come largely as a mix of the legislative
positions in Europe and within the States of America, causing
the Internet service providers and the businesses to change their
business models. There have been a number of cases in America
where banks and ISPs have already been fined several million dollars
a time for selling and providing financial information in breach
of state banking regulations. I think there are a number of cases
pending regarding medical information in America. There are also
some civil cases pending regarding breach of the common law right
to privacy. I do not profess to understand how that is interpreted
293. What kind of timescale do you perceive
for this change? We were with some Americans last week and they
were reflecting the view which you have just expressed, that there
is a growing concern about cookies and something needs to be done.
(Mr Virgo) I confess I was talking with one of the
staffers when the Americans had dinner in this place and all we
got to at that point was agreeing that we need to exchange notes
on the situation.
(Mr Bruce) Elizabeth France was here at a colloquium
in this or another room a week or so ago and she indicated that
she is currently considering some cases against people who are
using cookies. If information is collected without people's knowledge
and is used for purposes that the individual has not given permission
for, they are undoubtedly breaking the Data Protection Acts. I
think today the new Act came into being in totality and that gives
the data protection registrar additional ways of dealing with
Lord Faulkner of Worcester
294. It is the "without people's knowledge"
point. Is there any way in which I, as a user and frequenter of
the Internet, can know whether or not I am having unwelcome cookies
implanted in me?
(Mr Virgo) "Yes", I think, is the technical
answer but, as a non-technician I do not know whether I have them
in my machines.
(Mr Bruce) You should be informed but I strongly suspect
that, unless you know sufficient to check your machine for them
and delete them, it could well happen to you without your knowing.
(Mr Wales) They will often show up on the Explorer
programme on your PC.
(Mr Virgo) They will show up on Explorer but do they
necessarily show up on all browsers?
(Mr Wales) No.
295. In your appendix C on page three where
you talk about trade bodies and regulatory bodies and the ISP
Association, could you tell us how many associations such as that
there are? Presumably, you include in that the Internet Watch
Foundation. Secondly, you state there that not all the ISPs are
actually members, even the major ones, of such an organisation.
What proportion of Internet providers are members of those types
of organisations, or not?
(Mr Virgo) I do not think there are many other bodies
representing ISPs, other than ISPA and its equivalents in the
other European Member States, but a large number of the nominal
ISPs that you see take a high street name and add "net"
on the end. The odds are that that ISP is run under contract by
IBM, EDS, ICL or AOL. Many of those are not represented directly
or indirectly via ISPA.
296. Surely if we go down the self-regulation
route, it has to be agreed between the government and a body or
a small group. Is it therefore not possible to legislate rather
than in detail to say that any provider must be a member of a
recognised body and allow the regulation to be formed through
the body by agreement? I cannot see how one is going to deal with
the myriad of providers.
(Mr Virgo) One of the consultations that is out at
the moment is the implementation of the Injunctions Directive.
This is the Directive that basically gives powers to take injunctions
for consumer protection purposes. In there, the proposal from
DTI is that the umbrella body within the United Kingdom is the
Office of Fair Trade but there are nominated bodies which can
issue injunctions in that hierarchy. Those are essentially going
to emerge as the bodies which are the United Kingdom end of international
disputes resolution processes. Whoever ends up nominated in that
area are effectively going to be the only bodies that can take
action through the courts for injunctions stating what it is you
may or may not do. I think it is going to happen anyway without
legislation but there is a period until 2 May for consultation
on that. One of the things I am trying to get our members in the
journalistic world to do is to publicise that because it is very
important as to who those nominated bodies are and that they have
the confidence of the consumers and of the suppliers. Your point
is absolutely right.
297. It is much more practice for the consumer
to know that if an Internet provider is on the net at all he is
regulated or he should not be there, rather than having to close
the stable door after the horse has bolted and take action.
(Mr Virgo) I do not know the full details as to why
many of the largest ISPs are not members of ISPA. It has been
said that it is because they take a far more draconian view of
their responsibilities and the enforcement that they should be
doing than the smaller ones and that they are far more hawkish
with regard to consumer protection and that there are quite fundamental
differences of policy within the different groups in that industry.
There may be other situations elsewhere but this is what has been
alleged to me when I ask, "Why are you not a member?"
and then I hear all these allegations.
298. What is your own personal view? Do you
think there should be a regulatory association for these like
this body? Do you think the big boys have right on their side
in that statement and that the grouping is the lowest common denominator?
(Mr Virgo) I have to say I do not know. What I would
most like to see is these issues debated out in the open rather
than behind closed doors.
299. This is an issue for us to turn our attention
(Mr Virgo) I think it is indeed.
(Mr Bruce) It is possible that in one of the regulatory
Bills, including the Utilities Bill - I am not plugging this
because I am not sure it is the right amendment anyway, but I
have an amendment in the Utilities Bill saying that the authority
that collects money from telecoms companies should put in things
like ICSTIS and the Internet Watch Foundation. It could well be
that there should be a power of a regulator to insist that people
who are running services over telecoms lines should be a member
of one of the groupings and that there is a power there at some
point, if they are not behaving themselves, and for the authority
to insist that happens. It is quite strange that the government
has come forward, saying it needs more regulation, has provided
the Utilities Bill with more regulation and has not actually addressed
this particular issue.