Morning Hearing on 02 February 2012

Hearing Transcript

(10.00 am)
LORD JUSTICE LEVESON Good morning.
MR BARR Good morning, sir. We're going to start today with witnesses from the mobile phone companies, Mr Blendis from Everything Everywhere, Mr Hughes from Vodafone and Mr Gorham from Telefonica.
LORD JUSTICE LEVESON Very good.
MR BARR We're going to listen to them all together, sir. Can I ask that the gentlemen are sworn in, please.
MR JAMES BLENDIS (affirmed)
MR ADRIAN GORHAM (sworn)
MR MARK HUGHES (sworn)
Questions by MR BARR
MR BARR Can I start, please, Mr Hughes, with you. Could you tell us the position that you hold and a little bit about your professional background, please?
MR HUGHES Yes, sure. I'm currently head of fraud risk and security for Vodafone UK. I have been in that position since August 2011 and I've worked in the fraud risk and security department in Vodafone since October 2006.
Q. Mr Gorham, if I could ask you the same question, please. MR GORHAM I'm the head of fraud and security for Telefonica O2, I've been in that role for ten years and have been in the industry for 13.
Q. Mr Blendis? MR BLENDIS Vice-president for legal and regulatory affairs for Orange and T-Mobile. I've been in that position since the merger in 2010. Previously in a similar position for T-Mobile.
Q. Thank you. I'm now going to ask each of you if the witness statement submitted either by yourself or by someone else from your organisation is true and correct to the best of your knowledge and belief. Mr Hughes? MR HUGHES Yes, it is.
Q. Mr Gorham? MR GORHAM Yes, it is.
Q. Mr Blendis? MR BLENDIS Yes.
Q. Your witness statements deal with some matters of disclosure which I need not deal with now, and they also tell us a little bit about the approach that each of your companies has taken to voicemail security. It's that issue that I want to explore first of all. What I'm going to do is take you through a number of the issues and ask you what your company's approach is now and what it's been in the past. So can I start first of all, is the transmission of the actual voicemail encrypted? MR HUGHES Yes, it is. MR GORHAM Yes. MR BLENDIS Yes.
Q. Has that been the position since the introduction of digital transmission or is it more recent than that?
MR HUGHES My understanding is it's been encrypted for the whole period of time from the introduction of digital. It's always been encrypted.
MR BLENDIS I believe that's the case, yes.
LORD JUSTICE LEVESON You're going to have to speak up and make sure that you're heard, because otherwise we won't pick up what you're saying. Thank you.
MR BARR Can I now move to the question of default PIN numbers. It's common ground that all of you have systems in place to guard access to voicemail, which is governed by a PIN number. Is it right, Mr Hughes, that at one point in time Vodafone phones had a default PIN setting, so when the phone arrived, there would be a PIN which anyone would know until it was changed?
MR HUGHES So 2001 and before, there was a default PIN setting on the Vodafone network.
Q. And when was the change made? MR HUGHES In 2001. I'm not sure of the exact month, but it was in 2001.
Q. What brought about that change? MR HUGHES I'm not sure exactly what triggered the change, but with any of our products and services, we're always looking at ways to improve the security, so what the trigger was I can't be sure now, but it was changed in 2001.
Q. What was the position, please, Mr Gorham, at Telefonica O2? MR GORHAM We previously had a default PIN that was sent to customers and it was down to the customer if they wanted to change that default PIN or leave it at default and that was the case until 2005/2006 when we had the voicemail issue and it was at that point that that security was then enhanced.
Q. Are you referring there to the well-publicised convictions of Mr Mulcaire and Mr Goodman? MR GORHAM Yes.
Q. Mr Blendis, can you tell us what the position has been at Orange and T-Mobile? MR BLENDIS Orange has never had a default PIN. T-Mobile had default PIN prior to 2002, and that was taken away late 2002.
Q. And what was the reason for taking it away in 2002?
MR BLENDIS I don't know precisely, but I can only imagine the feeling was that it would add to the security if there was no default PIN.
LORD JUSTICE LEVESON So just to understand this, and I think I've got the way in which it worked, this was a mechanism whereby people would listen to their messages from a remote telephone?
MR BLENDIS Yes.
LORD JUSTICE LEVESON Because they can always get into their voicemail from their own mobile but if you wanted to dial in from a landline, you could pick it up?
MR BLENDIS Correct.
LORD JUSTICE LEVESON And there had to be some distinguishing feature to make sure that you were getting your own messages, but of course if people just had the default number, then it was easy for that to be tried?
MR GORHAM That's correct, yes.
MR HUGHES Yes.
MR BARR Can I ask you, Mr Hughes, while we're on this subject, the Inquiry has heard evidence from Mr Nott, who says that he drew to Vodafone's attention the security vulnerability that existed from having a default PIN in the late 1990s, and indeed the Inquiry has had evidence that the matter was dealt with by Vodafone in a radio interview soon afterwards, at which time the advice was to change PIN number. Why didn't Vodafone do more back in the late 1990s when Mr Nott drew the problem to your company's attention and instead wait until 2001 to introduce a more secure system?
MR HUGHES So the simple answer as to why is I don't know why that wasn't done at that point. The person that represented Vodafone at the time in the Radio 5 interview has sadly passed away some years ago, and in preparation for coming to this Inquiry we've tried to find people that perhaps would be aware of what was happening at that point, but we've been unable to do so. The default PIN setting, as you've heard, was pretty much an industry standard at that time and it was changed in 2001. Whether that was in relation to the claims, the correct claims at the time of Mr Nott, I simply cannot be sure.
Q. Can I ask now about what is sometimes referred to as temporary PINs, but they're PIN numbers which can be set by customer services departments if a customer rings in and asks for that to happen if they, for example, have forgotten their PIN number. Did Vodafone have a temporary PIN system? MR HUGHES At the time of the criminality that was happening in 2006, a customer could call through to a customer service agent, and once they'd authenticated by answering some specific personal credentials about themselves as a customer, which would include items such as the date of birth, the registered address, their postcode, et cetera, they would be able to ask the customer service agent to either (a) set up remote access to their voicemail, should they require it, and that would involve needing a PIN number, and the customer service agent would be able to set the PIN number to either a number of their choosing, which may be easily rememberable, or the customer could ask for the PIN number to be set up to a number that they choose. Conversely, if it was already set up, they could ask for the PIN to be reset and again the same criteria would apply.
Q. Does that system remain in place or not? MR HUGHES It doesn't remain in place. That was changed when the criminality came out and we were aware of what the attack methods were. We made changes to take away from all of our customer service agents either visibility of the PIN or for the ability for them to be able to reset the PIN. We made changes to the system so that the customer would go through some guidance on the handset and the PIN number would be texted to the registered handset and SIM, and it would also reject any weak PINs, any double numbers, sequential numbers, to make sure that it was as secure as possible.
Q. Mr Gorham, can I ask you to deal with the same issue, please, from the Telefonica O2 perspective? MR GORHAM Prior to 2005, if a customer contacted us, we could reset their PIN back to the default and then the customer could choose their new PIN. So at no stage would we know what the PIN actually was. We would purely reset it back to default and the customer could then change it. The same as with Vodafone, they would pass the security questions and validation. Since that date, what we now do is we actually send the new PIN number. So if they've locked their account out, if they can't get in, we will actually send the new PIN number to their mobile phone so they will receive a text with that new PIN number on, so again our staff are not aware of their actual specific PIN.
Q. And Mr Blendis? MR BLENDIS So customers who want to set up their voicemail will call customer services and they can put their own unique PIN on at that point in time, so if they do that, then it will be secure. We also now have a system where if somebody calls in in those circumstances to change the PIN, a text will be sent back to the phone so that the owner of the phone will see that that's been changed, so they'll be notified.
Q. If that's the position now, was the historic position that your customer service people would know a PIN when it was changed or has the system that you've just outlined always been in place? MR BLENDIS The PIN is not visible and never has been visible to the customer service agent in the system, so it's not stored in the system. They would know because of the conversation because they'd set the PIN at that time what that PIN was, but it wouldn't be stored.
Q. When MR BLENDIS That's always been the case.
Q. Is that still the case now? MR BLENDIS Yes.
Q. Does that mean there's still potentially a vulnerability if the member of staff is the subject of a successful, I think the term is, successful social engineering or blagging? MR BLENDIS If somebody socially engineers the account and convinces the customer service agent and changes the PIN for their own purposes, a text will be sent back to the customer phone, so the customer, who obviously isn't the party that's blagging the account, would be notified.
Q. How long has that automatic text notification been in place? MR BLENDIS That's since 2006, that's a change that we've put in place.
Q. Was that again because of the exposure in 2006 of illegal activity?
MR BLENDIS Yes. I think it's fair to say that security has always been important to us. It's a significant issue for us, as it is for our customers, so we're always looking to improve that. That was an initiative we put in place in 2006 and we have a new raft of initiatives coming through that will make further improvements going forward.
LORD JUSTICE LEVESON Is the default, and I don't want to expose your security to scrutiny, but is the default a complex or is the number complex or can it be straightforward? I appreciate you'll reject 1111, but for some security devices it has to be a combination of capitals and lower case and numbers and symbols. I'm sure you understand. Is it a straightforward number or can you make it more complex?
MR GORHAM In our case, it's a four digit number is the default, but until the customer has changed that to their own unique number, they cannot use the voicemail facility.
LORD JUSTICE LEVESON Oh, I see.
MR GORHAM So the customer has to go in and has to actually put a unique number in before they can use the voicemail service.
MR BLENDIS As part of our changes, we would actually restrict what we call easily guessable PINs. So you wouldn't be allowed a PIN that was say 0000 or 1234. So the enhanced security we're putting in place will hopefully close that down as well.
MR HUGHES That's the same for Vodafone.
LORD JUSTICE LEVESON Of course, you could choose your birthday, and your computer won't know the birthday of your customer.
MR BLENDIS Our customer service agents are now being trained specifically on this issue, so there's a heightened awareness with our customer service agents. We also have training specifically for blagging. So they would know not to allow a customer to put their date of birth, and if there was a suspicion of that, if it was 1971, for example, then they would probably say, "Is that your date of birth? Could you select something more secure?"
MR BARR Mr Gorham, could you help us with the position at O2 with easily guessable PINs? We've heard from the other two witnesses that they do now have systems in place to prevent them. Does O2? MR GORHAM Again the same for us. The easily guessable numbers, we don't actually have PINs that you can use that relate to those numbers.
Q. And in terms of educating users, which Mr Blendis touched upon a moment ago, perhaps I could ask Mr Hughes what steps is Vodafone taking at the moment to educate users to change PINs and to look out for signs of unlawful interception? MR HUGHES Anyone in our call centre environment who deals with customer information, we provide them with a level of training and guidance to make sure, as with the other networks that we've heard from, that they're aware of the types of attacks that can happen and the types of, you know, as you've put it blagging that can happen and that they've got an awareness to make sure that they can deal with that. The other thing we try and make our customers aware of is the PINs themselves, because, as you say, if they put a date of birth, the system may not know that and it may not be to the system an easy guessable PIN, it's really important that we keep the messages going to our clients that they should treat any PIN numbers that they set up on the mobile communications network exactly as they would with their banking credentials and they must keep them secure, whether they're default or not. If the pass may have been online, they must keep their PIN numbers secure.
Q. Mr Gorham? MR GORHAM We have comprehensive training for our staff when they join the business. They do computer based training and part of that takes them through social engineering and explains how it can happen, how we can help prevent it. We also do mystery shopping on our staff, so we actually have an organisation that tries to blag information out of our staff, so we can continually learn what new MOs are and how we can better protect our customers. And we do roadshows for our people. So there's continued training. Exactly the same with our customers. We give information, it's on our portal, we have guru sort of video clips to try and explain to customers how they can actually keep their messages secure and what they can do to protect their own information. MR BLENDIS The only thing I'd add to that is we also now have a process where if a customer service agent suspects that they're not talking to the genuine customer, they have a process whereby they will call the customer. So if they can go through a conversation, terminate the call, call the customer back. If it's a blagger, they're usually not calling from the handset, so the customer would get a call back to the handset to warn them or check that it was them. We think that will hopefully close down as far as we can the problem of social engineering.
Q. Can I ask now about what happens when somebody enters the wrong PIN repeatedly, at what point there's an automatic lockdown of the account. Mr Hughes, what's the position at Vodafone now? MR HUGHES As soon as we made the changes in 2006, one of the other features that we brought in was to ensure that if anybody tries to dial the unique voicemail number of the customer remotely, so not from the handset, and they enter even one wrong digit, they make one mistake in entering that PIN, a text message is sent to the registered handset and SIM of that customer account which says something along the lines of, "An unsuccessful attempt has been made to listen to your voicemail remotely. Please contact a member of our customer services team immediately if this was not you."
Q. What's the position at O2 please? MR GORHAM After three unsuccessful attempts to get into the voicemail box, your voicemail box is locked, which means it can't be accessed for a period of 30 minutes. At the same time, a new PIN is sent to the actual registered handset, so the customer then will receive a new PIN number that they must use to access their voicemail, then they have to reset their own PIN again.
Q. How long has that system been in place? MR GORHAM That's been in place since 2006, following the inquiry.
Q. Mr Blendis? MR BLENDIS Yes, similar system. If there are three unsuccessful attempts, then the voicemail will block and they would have to call into customer services to reset it and go through security checks.
Q. How long has that been the case? MR BLENDIS That's always been the case on Orange.
Q. And on T-Mobile? MR BLENDIS On T-Mobile it will drop, so after three unsuccessful attempts it will disconnect and there will then be a 30 minute gap and they will be able to retry after that. We are trying to align the systems, so we have a complete new voicemail platform that's intended to deal with a lot of these issues and align the systems.
Q. Is the owner of the account notified of unsuccessful attempts on the T-Mobile accounts or is that a matter which needs tightening up? MR BLENDIS I think that's something that's in the process to align the two brands. I don't think that's the case currently.
Q. Can I ask now about when there are multiple simultaneous attempts to access a voicemail? Is there any automatic lock-out procedure in that event on Vodafone accounts? MR HUGHES I'm not sure, I'd have to check that and write to you separately. MR GORHAM It would be the same as my previous answer. Once there's been three attempts, the account would lock.
Q. So it doesn't matter MR GORHAM It doesn't matter where they come from.
Q. I'm asking now about two simultaneous attempts. MR GORHAM It would count those as two, I believe. I'd have to check and come back. MR BLENDIS I know that's part of the new platform, so that will prevent that from happening going forward. You won't be able to have dual access to the same box.
Q. Now a question which your evidence may already have answered. I was going to explore whether the number of digits in the PIN is important, because presumably the smaller the number of digits, if you keep trying, you'll eventually get there. Does it mean because of your automated lockout procedures that you don't regard a large number of digits in the PIN as really necessary?
MR HUGHES I think if you compare it to perhaps the financial industry and people's cash cards are four-digit PINs, I don't know exactly how many thousands of combinations there are, but I think from all of our perspectives, certainly from Vodafone, one wrong key press of that PIN is going to send an alert to the customer.
LORD JUSTICE LEVESON Aren't there 9,999?
MR HUGHES Is that how many there are?
LORD JUSTICE LEVESON I would have thought so, but rather fewer than that if you exclude 111 and 0000.
Q. Does anybody see an issue with the number of digits?
MR GORHAM No, I think the number of digits, four, is the same as you would have with a banking card and everything. I think the challenge is getting customers to use those numbers and pick PINs that are not easily guessable.
MR BLENDIS I think also to be fair customers want a balance between usability and security, so if you tell them they have to have a ten digit PIN number to get into their voicemail, they'll find it quite difficult.
LORD JUSTICE LEVESON Yes, I have a system that I have to change the number every three months and the problem of course then is remembering what it is at the relevant time. So I see the problem.
MR BARR Mr Blendis, you've already touched on future developments at Orange and T-Mobile. Can I ask each of you more generally about whether you think, accepting what you've already said, there is anything further that can be done and in particular whether there is anything actually in the pipeline. Mr Hughes?
MR HUGHES Yes, so we're always looking at ways that we can improve our security. It's very much my job to do that. From a customer authentication perspective, we're looking at some future technical enhancements, what you could do, probably in the areas of things like voice biometrics, which would be the digital reading of the actual customer as they call in, which is something we're looking into for sort of future deployments on the Vodafone network.
MR GORHAM Similar to ourselves, there's lots of things in the future that may come along and be technology solutions. What we just have to be careful of is they still give customers the usability, that they actually want to use our products and services. Also at international level with the GSM Association, I believe next Monday, Tuesday, they're issuing a new standard on voicemail security, put together by all the operators, so that will try and get more of a basis for security across the industry.
MR BLENDIS As I said, we have a new voicemail platform that we're putting in place which should actually be complete in the next few months and that will have a number of enhanced features. The real problem is the unauthorised access, so every time the voicemail box is accessed remotely, a text will be sent back to the customer, so if that is somebody that's trying to hack, the customer will be alerted. We'll actually also give customers the option to switch off remote access. If they don't use it and don't want it, we'll enable them to switch that off so they can't be hacked, essentially.
LORD JUSTICE LEVESON Of course that works also if you have the PIN number before you access the box. Because I think one of your companies says until you've actually put in your own unique number, you can't access the voicemail. So if you never do put in a number, you simply will never have access to a voicemail.
MR BLENDIS That's true, but somebody can still guess the number. So yes, you're right, unless you set it up. But it's the people that set it up and then want to disconnect it, they'll be able to do that.
MR BARR Mr Hughes, can I ask you about the letter that Vodafone sent to the Inquiry on 26 January. In that letter, Vodafone very properly drew the Inquiry's attention to an exception to the general changes which you've been telling us took place around 2006. I understand from that letter that there was a specific system, which at its peak had 300,000 users, called Vodafone Mail, which was not subject to the tightenings of security which you have outlined to us and that was overlooked and was only relatively recently discovered and put right. You tell us things were put right in June 2010; is that right?
MR HUGHES That's correct.
Q. On the Vodafone Mail system, a user could dial 242 from their mobile handset to collect messages. Could they dial 242 to collect messages remotely? MR HUGHES I'd have to check that. I'm not entirely sure.
Q. But they could certainly check remotely simply by using a PIN number and using a default PIN number? MR HUGHES Yes. So the system itself accounted for about 1 per cent of our customer base. The platform was due to be decommissioned actually around the time of the activity coming to light. However, you could have with the changes I outlined on the main platform, you could still in theory have phoned through to a customer service agent, you still have to authenticate, but then you would be able to ask the customer service agent to reset the PIN on that specific service. The action we did take at the time was that we took away the ability for the vast majority of our customer service agents to be able to reset the PIN and we limited that to a very small number of customer service managers that we had in our call centre environment to try and address that specific issue, but as you rightly said, it wasn't decommissioned fully until around about 2010, that's correct.
Q. Does Vodafone know whether or not there were any losses of confidential data from Vodafone Mail? MR HUGHES What we have done in all of our contacts with the Operation Weeting team at the Metropolitan Police is check that any of what we now know to be the confirmed victims were ever a member of the Vodafone Mail service, and I'm happy to say that they weren't.
Q. It's plain, if I may say so, gentlemen, that your respective companies have taken significant action from about the middle of the last decade, when this issue received a lot of prominence and was the subject of high profile criminal proceedings. But it's the position that the Inquiry has heard evidence that these security vulnerabilities were known about in general terms and publicised long before that, not least through the publicity generated in the media by Mr Nott, and his story was picked up in a number of places. So I'd like to ask each of you in turn, and I'll start with Mr Blendis, why the industry didn't react more quickly than it has. MR BLENDIS I have to be honest, I don't know what our knowledge was of Mr Nott at that time. That was a long time before the scandal erupted around the Mulcaire hacking. I think we have reacted quickly, and I think we always have a continuous programme of improvement. Security has always been a priority for us. It's important for our customers so it's important for us, not just in relation to voicemail hacking but across the whole spectrum of services. We have a programme of enhancements on security generally to make sure that information is contained, that it's only kept with people that need to hold that information and the access is limited, and also that if there are suspicions that people within our business can disclose data, that that is restricted as far as we can. So people within our business now can't download information onto data sticks, they can't send large files by email. These are very restrictive operations within the business, but we have reacted and we have done our best to enhance that because it's important for our customers.
Q. Mr Gorham, why wasn't more done earlier? MR GORHAM I wasn't aware of the Mr Nott case prior to 2005/2006. We certainly were not aware of the weakness that was being exploited within the voicemail platforms prior to the investigation. That was completely news to us and I believe to the industry, and it was at that point that we then went up to the next level of security by taking away some of the features that customers had, so we took that decision away from customers when we found out it was being abused. But prior to that, I had no evidence that voicemail was being abused in any way.
Q. I think I've already asked you about Mr Nott, so I won't repeat that question. Can you help me more generally with why Vodafone didn't act before it did?
MR HUGHES I think when you look back through the time line now of the issues that were changed in 2001 around default PIN settings across all the network providers, when this other issue of blagging or social engineering came to light, the networks, the industry made changes again to increase security, and I think building on what O2 have said, I think generally when you look at criminality right the way across the communications sector, whatever way it's happening, whether it be the issue of blagging, whether it be the theft of mobile phones, whether it be the theft of metals, we actually, you may be surprised to learn, collaborate quite a lot in the security arena. It's not necessarily a competitive area for us, so we'll meet regularly to make sure that all of us have the best security that we can and we share ideas to protect our customers right the way across the industry.
LORD JUSTICE LEVESON I'm delighted to hear that.
MR BARR I'm going to move now and deal more shortly with the interception of conversations. It's well-known that a long time ago an analogue conversation was intercepted and hit the headlines in the newspapers. Is it right as a general proposition that intercepting mobile phone conversations is now a lot more difficult than it used to be?
MR HUGHES I think it's very difficult. The encryption that we all replace from the point at which the customer makes a call from their handset and where it transmits through the air to the technology infrastructure that it needs to, it's all encrypted to a very specific standard with all sorts of difficult algorithms applied to it. I think it's certainly reasonable to say it is possible to do that. Doing it live, which is I think what you're alluding to, is incredibly difficult technically. You would have to have a lot of technical skill to do it, and you'd have to have significant financial resources behind you to buy the equipment in order to do it. Of course, it's illegal and I think carries a custodial sentence under RIPA.
Q. Does anyone disagree with that answer? (Witnesses shook their heads) As far as you're aware, is the interception of conversations, whether live or ex post facto, a significant issue? MR BLENDIS No. MR HUGHES No. MR GORHAM No.
Q. Can we move to blagging and we've touched on this to some extent in your answers already about what staff have access to, particularly you've told us about PINs. Can staff have access to location data, where calls are made from? Mr Hughes, I'll start with you. MR HUGHES No, not readily. We give our customer service agents the details they would need to help with any type of customer query. I suppose this will be specifically around, usually around, billing queries. We'd make that sort of information available. Location information is incredibly sensitive, so we make sure there are only a very few specific areas that have the need to have access to location details and the sorts of areas I'm thinking about in my organisation would be the areas in which we're obligated to share communications data with the police and the authorities to help with their investigations. It's very much ring-fenced to make sure that that information is kept as absolutely secure as possible.
Q. Has that always been the case or is that as a result of a tightening up of security? MR HUGHES It's always been the case to the best of my knowledge.
Q. Can you give us some idea about the number of employees which Vodafone has who would have access to location data, in rough terms? MR HUGHES The wider organisation I have to check. I'm thinking about my own remit and responsibilities in the area that I've outlined and that would include around about 15 people.
Q. Mr Gorham, what's the position with O2 so far as location data is concerned? MR GORHAM Our customer service staff have access to your billing information, the calls that you've made, but they certainly wouldn't have access to the location of your phone, that's an access they don't have and never would have had. There are people in the organisation, the same as Vodafone, we have had the police disclosure team and they need to have access for requests we get from the police for location, life at risk cases. There's also some of our engineering staff that have access to that data if a customer is having problems on the network making calls, they may want to identify what cell site they're on, so those kinds of people. I'd have to write to the committee to give you an idea of the numbers of staff that would probably have access. I suspect it would be about 50 but I don't have first-hand knowledge of that.
Q. Mr Blendis? MR BLENDIS Again, customer service agents wouldn't have access to specific location information, for example PIN type information. That's very restricted. It's within a specific police liaison team within our organisation that sits in my team. There's about 20 people in each of the Orange and T-Mobile organisations.
Q. How long has that restrictive approach to showing location data been in place? MR BLENDIS That's always been the case.
Q. I'm getting the sense though that call data generally, who a person has been calling, is available to your customer services operators of necessity, so that they can deal with legitimate enquiries. Is there anything that can be done to prevent a blagger trying to obtain data about who a person has been calling, for example a blagger who wants to know if X has been calling a suspected lover or something like that?
MR HUGHES From the Vodafone perspective, we'd only ever assist a customer with details about their own mobile phone activity in the numbers that belong to them and that's their outgoing calls. So we would never consider answering any question for anyone other than themselves. I think in general terms around authentication of the customer, the important thing is that when the customer service agent has the call put through, that we've done enough to make sure that we've beyond reasonable doubt, if you like, we can be sure we're talking to the right person, either the customer or someone who is registered to the account, and that's what we need to make sure is the case for our customer service agents, who are there in place to help our customers.
MR GORHAM Same for us. When a customer contacts us, we ask customers to have a password on their account which they need to get correct before we have a discussion with them. If they don't have the password or have forgotten it, we will go through a number of security questions to try and validate who they are, and we will vary those questions. So they will change to try and give us that confidence. The challenge, as I'm sure you appreciate, is we have about 35 million calls every year into customer services, 23 million customers. The opportunities that social engineering occurs is very, very rarely and it's very difficult to defend somebody who may have already stolen an individual's personal identity and is using that to trick that confidence at that stage.
MR BLENDIS It's a similar position, customer services agents would only supply billing data to the genuine customer. We recognise that we need to do more to make customer service agents aware of blagging, so we have a training programme running out, we have videos that they watch that shows examples of how it's done. We're encouraging customer services to move away from the traditional what are probably easier questions so that they will ask more rigorous questions that they know only the customer would have access to that information.
Q. I picked up from the Vodafone information that there's now a duty to report suspected data breaches at Vodafone. Is that the same in O2? MR GORHAM Absolutely, yes.
Q. I see you nodding, is that the same MR BLENDIS (Nods head).
Q. for Everything Everywhere? Do you all have whistle-blowing policies to protect whistle-blowers who come forward? MR BLENDIS Yes. MR HUGHES Yes. MR GORHAM Yes.
Q. Can I ask you what your experience has been in terms of attempts to socially engineer information from your organisations? Mr Hughes, can you give us an idea of how many of your staff have had to be the subject of disciplinary proceedings for that sort of issue? MR HUGHES Certainly. From the records that I've looked at in preparation for helping the Inquiry today, we go back to 2009, which is as far back as I can see from an investigations perspective. Whether it be the accidental disclosure of personal data and I'd like to add none of this information is in relation to voicemail hacking but the wider issue of customer personal data so whether it be the accidental leakage of customer personal data or whether it be a malicious attempt to remove personal data from the company, I believe we've had 13 investigations which have resulted in either some kind of disciplinary warning or a dismissal from the organisation.
Q. Mr Gorham, can you MR GORHAM My evidence is the same as we supplied back to the committee. So since 2003 we've had 54 staff who have either been disciplined, prosecuted or dismissed for cases relating to breaches of data security. That is not purely voicemail. That could be disclosing some billing information, looking at somebody's account that they weren't supposed to look at, but that's the total scale would be 54, and a number of those were investigated by our own investigators and are taken through to the criminal courts if it's believed to be appropriate and the evidence is there to substantiate.
Q. Mr Blendis? MR BLENDIS So the number of people that have been dismissed and prosecuted across both brands is four people in the last I think it is five years. We don't have records of other disciplinaries. We only know about those ones where we have initiated an investigation, contacted the police and those have actually led to the prosecution of those individuals.
Q. Only the most serious of cases? MR BLENDIS There will be other cases and those will be dealt with through our disciplinary procedures, but we don't have records of exactly how many cases.
Q. We have in the bundle at tab 11 the response to a request for information from the Information Commissioner's office about data protection breaches by telecommunications companies. There is on the third page of that document a list of companies and the number of data protection breaches. All of your companies feature on that list. At the top is BT with 42, then Talk Talk with 12, Virgin Media with 20, O2 with 10, Orange with one, Three with two, Vodafone with 18, T-Mobile with six and Sky with 10, and that's for the period between 1 April 2008 and 31 July 2011. On the face of it, those are concerning statistics. I'd like to ask you whether more can be done to protect personal data by your companies. Mr Hughes, I'll start with you, please. MR HUGHES Of course. Both privacy and security are put into everything that we do. In every product and service we bring to market, it's designed in from scratch. It's incredibly important. We recognise how important it is to our customers and our employees and that's why it's important to us. Yes, we have an obligation to supply details of the breaches to the Information Commissioner's office and the legislation may lay out certain penalties on all of our organisations in relation to data breaches, but certainly in terms of Vodafone, my security department is responsible for making sure that this doesn't happen and, when it does happen, any employee in the organisation, whether it be accidentally or done as a result of an inaction on that employee's behalf which has led to that breach or whether it be malicious, any of our employees should expect a very robust approach to that.
Q. Mr Gorham? MR GORHAM The ten cases here that refer to our organisation, they are investigated by our regulatory team and they are farmed out to my investigators if appropriate, or customer services if it involves them. We send reports back to the ICO and make recommendations on what we're going to do for improvement and we've had no further action taken against us on those cases. We strive continually to continue to protect our customers' data at that highest level, but a lot of these do tend to be fairly minor cases in the effect that they could be domestic situations, so you can get examples of where it's an employee and it's a relative, and it's very difficult to guard sometimes against those domestic situations that drive some of them, rather than these being major data breaches of large amounts of customer data.
Q. Mr Blendis? MR BLENDIS For security, data security is a top priority for our business. It's a priority for the board, it's a priority for everyone who's working for products and services. We have a kind of three-point approach to data security. The first thing is just to cleanse information in business as far as we can to make sure we only hold data that's relevant and key to our services, so we narrow down the amount of information that we hold. The second thing is to make sure that access is only restricted to those that really need to see it, so we don't have large swathes of data sitting across the business for general access. The third thing is to ensure that that access can only be attained in limited circumstances, so it can't be sent by email, can't be downloaded onto data sticks, and that we hope will really narrow down the opportunity for people to breach those data security procedures. But as we've heard from the others, low level breaches will occur, and I think some of these notifications are partly, for example, where we've had a request for information from a customer, we have an obligation to provide that information, but we have failed to do so within the timeline. So we take it very seriously, but the volume of these is fairly low. They're not all major security breaches.
Q. Can I move now to the cases of hacking which have emerged and which are being investigated by the police. In answering my next questions, please don't give any names, but what I would like to know is first of all whether you know how many or whether you have a current figure for how many of your customers have been the victims of voicemail interception. Mr Hughes? MR HUGHES Yes, so from the point at which we helped the police with their inquiry, we ran some checks. Would you like me to tell you the checks that we ran?
Q. Very briefly. MR HUGHES We were provided with two suspect landline numbers, which we now understand belong to News International, and we checked to see which unique voicemail numbers of our entire customer base had been contacted by these landline numbers. That produced us a report to say that there were 177 unique voicemail numbers that had been dialled. However, that doesn't suggest that there's 177 victims. What we needed the police to do was put their evidence and their pieces of the jigsaw together to come back with and confirm exactly who the victims were on the Vodafone network, and we understand that that investigation has now taken place and from our liaison with the police, we understand on the Vodafone network there are 40 victims.
Q. What's the position at O2? MR GORHAM Back when the police investigation kicked off, yes, they came to us with a specific phone number where calls had been made into voicemail retrieval numbers. We did our own identification, we identified in the region of 40 customers that we believed may have had their accounts compromised. We passed that information back to the police and took the step of contacting those customers. So we contacted all our customers, informed them of what we could see on our network and we advised them at that stage about how they could enhance their voicemail security to stop any further attempts to listen to their messages.
Q. Do you have a number? MR GORHAM Ours was 40, slightly under. MR BLENDIS We had 45 customers that we identified on the Orange network. That's where the call-in number had accessed those 45 numbers and accessed the voicemail box, that was 45 on Orange, and on T-Mobile it was 71.
Q. Can I move on to the question of communicating the facts of a breach of data security to the customer. Can we start with what the position is now. Has Vodafone informed any of its customers that their voicemails have been hacked? MR HUGHES Yes. In January 2012 we worked with the police and they told us that they were in a position to contact the customers on the Vodafone network and they wished to do so, so my understanding is that the police contacted the customers in January 2012 and we also did exactly the same thing.
Q. All of them? MR HUGHES All of them. MR GORHAM We contacted all of our customers back at the time of the original Inquiry, so that was five years earlier when the original police investigation took place.
Q. Mr Blendis? MR BLENDIS We contacted all of those customers in July 2011, so that was after we had received the information from the police that verified which were the victims of phone hacking. Up to that point, we didn't have that verification from the police.
Q. Why wasn't it done earlier by Vodafone? MR HUGHES We were expressly told at the time of the investigation not to contact our customers as we may prejudice the police investigation. We're very experienced in working with the police, we help them make thousands of investigations a year, so the last thing we would want to do would be to trample on an investigation that the police were running. So that's why it wasn't done.
Q. Was there any correspondence between your company and the police expressly dealing with this issue? MR HUGHES Yes. The correspondence that I have is that we received quite confusingly a letter in the October of 2010 from the Metropolitan Police requesting that we contact the Vodafone customers that were victims, and we had to point out we wrote back to them and pointed out that although we'd supplied the 177 unique voicemail numbers, we still had no clarity at all about who the actual victims were on the Vodafone network until the police put their pieces of the jigsaw together and told us that, so we never received a response to that communication, and the next communication that we had was when in late 2011 the police told us they were now in a position to be able to identify the victims on the Vodafone network, and as soon as they did that, we followed suit with contacting our customers immediately.
Q. Was the lack of a response from the police back in 2010, October 2010, was that chased in the interim between October 2010 and the answer later in 2011? MR HUGHES I have no specific records I can draw upon to say that it was chased or how frequently it was. I know that throughout the whole period of the investigation when we were helping from 2006 to date, we fully co-operated with anything that we were asked to do in relation to the investigation, but whether it was specifically chased, I have nothing I can draw upon to be able to look at the
Q. I don't wish to suggest that in any way you haven't co-operated with the police, but can I ask you this. From your customers' point of view, would you accept that perhaps Vodafone should have been more proactive about liaising with the police to ensure that your customers could have been told at the earliest sensible opportunity? MR HUGHES What we did manage to agree with the police around the time the investigation was, they accepted that we could send out some generic voicemail security advice to customers within our organisation which would be perhaps more at risk, so people in the media, members of government, et cetera, so we were able to push out some communications, some general awareness communication to them at the time. Also, throughout the whole of the period of the investigation from 2006 right the way through until now, clearly it started to get into the media, so we did field a lot of calls from really concerned customers saying, "I'm worried about what's happened, have I been a victim?" As I've said previously, we would never be able to, with any level of clarity, without seeing that police evidence, confirm that they were a victim, but what we were able to do was see whether their information had been supplied to the police as part of the evidence bundle, and if it had, we informed them of that and asked them to then contact the police for more details. To answer your question sort of directly, I think with the benefit of hindsight it would have been much better to have a level of clarity with the police much earlier so that we could tell our customers what the issue was.
Q. Mr Blendis, we've heard that O2 notified their customers at an earlier stage than your companies. MR BLENDIS Yes.
Q. Why didn't your companies do the same? MR BLENDIS We were in a similar position, where we did not know that those customers were the victims of phone hacking, so we have a large number of callers that the hacker potentially called, and actually all we knew was that the call diverted to voicemail, so we don't even know at that stage whether they have then accessed the voicemail box, which would lead to potentially a presumption of hacking. So we did actually write to the police in November 2010 and we said, "We've given you all of the information that we have. If you can identify those customers that you believe were the victims of hacking, please tell us and we will contact those customers." We did that in November 2010.
Q. And what response did you get? MR BLENDIS We've had no response to that.
Q. Did you chase? MR BLENDIS We didn't chase. I think in hindsight and I think now we would probably be much more proactive because I think we recognise and sympathise with customers that were hacked and we would really want them to know about that. So what we need to get to is circumstances where we have clarity where we're not prejudicing the investigation, where we're not, for example, tipping off the hackers themselves. So some of the numbers actually are the journalists at the News of the World, so what's likely is that there was some trial and error of the process, and I think it's highly likely that if we had simply contacted everyone that we had as a potential victim, we may well have tipped off those people.
MR BARR Thank you. Those were all my questions.
LORD JUSTICE LEVESON I have no questions. Obviously you've been following the events as they've unfolded, and I have no doubt that each of your companies will do all that it can to minimise the risk of data loss and the consequent damage to the security of your customers. I have no doubt that you will. Thank you all very much for coming and for the response that you've given to my requests. Thank you.
MR BARR Sir, the next witness is going to be Mr Imossi.
MR ANTHONY IMOSSI (affirmed)
Questions by MR BARR
MR BARR Mr Imossi, good morning.
A. Good morning.
Q. Could you give the Inquiry your full name, please?
A. Anthony Imossi.
Q. Are the contents of your witness statements true and correct to the best of your knowledge and belief?
A. They are indeed.
Q. You tell us that you are the President of the Association of British Investigators Limited.
A. Yes, I am.
Q. And that your primary occupation is as a professional investigator in the private sector trading as solicitors law services?
A. Yes.
Q. And you've been doing that since 1981.
A. Yes.
Q. Your personal specialism is corporate and Internet fraud, theft, due diligence and litigation support?
A. Yes.
Q. And before becoming a private investigator, you worked for 15 years in the legal profession as a litigation managing clerk?
A. Yes.
Q. Prior to your involvement in the Association of British Investigators, you were the founder and former chairman of the UK industry-wide Investigator Sector Group; is that right?
A. No, I was the president first, I became president in the year 2000, and in the eve of the passing of the Private Security Industry Act, myself and the then principal of the IPI got together and formed the Investigator Sector Group so that we could form a united front and speak with one voice on the question of licensing.
Q. In 2004, you were appointed secretary general to the European-based umbrella body Internationale Kommission der Detektivverbande, which is currently working on EU common minimum standards on good practice recommendations for investigations?
A. Yes.
Q. And you have been the president of the ABI twice, the first time between 2000 and 2004, and currently since April 2008?
A. Correct.
Q. You go on to tell us something about the ABI. You tell us it was incorporated on 31 December 1970 and that its antecedents are that it began life as long ago as 1913 under the title British Detectives Association, and that there was another association, the Association of British Detectives, with which it merged and became the Association of British Detectives before its transformation into the ABI in 1970?
A. Correct.
Q. You tell us that despite the efforts of the ABI and its predecessor organisations over the years to improve professionalism and self-regulation in the industry, you think that there still remains more to be done?
A. Very much so.
Q. Perhaps we can pause there to just ask you what the membership of the ABI is at the moment?
A. It's circa 500. We sort of hover below and above that number, depending on which time of the year. Out of 500, some 450 are UK-based and we have some overseas members.
Q. I understand it's not possible to find a definitive statistic for the number of people working in the private investigation industry in this country, but what are the reliable estimates believed to be?
A. Well, when the Home Office first started working on the project to regulate the industry around about the time the act was passed and before the SIA was formed, a figure was plucked out of thin air at 10,000, simply so it could work out its plan, its financial planning. Now I became aware in 2008 that the Home Office had substantially reduced that estimate to 5,000 and they were trying to put some meat on the bone with identifying who that could be and they were struggling to do so. I was aware of that because I was drawn into the research by the government department that had been commissioned by the Home Office. It's about that time that it became apparent to me that there was a higher risk that licensing, which had been dangled in front of us for the previous eight, nine years
Q. If I could stop you there, because I'm going to come back to licensing. I'm just interested in numbers. The government estimates were around the 5,000 mark. Do you know how many private investigators are registered as data controllers?
A. Yes. After the presentation that you had here in September, I was present and I listened to the Assistant Information Commissioner and I was particularly drawn to his evidence that there were 350,000 in total data controllers on the ICO's register. It then occurred to me that perhaps this could be the nearest or the most reliable source for us to try and estimate how many private investigators, or at least responsible private investigators that there are, because one of the purposes that features on the register is actually called private investigation and after that presentation I put the question formally to the Information Commissioner's office and I got the answer back the figure was just a handful below 2,000.
Q. So on any view, the number of private investigators who are members of the ABI, expressed as a percentage of the overall total of the industry, is really quite small?
A. Well, in round figures if the total data controllers with that purpose is 2,000, then the 500 or 450 membership is a sizeable proportion, I would submit.
Q. But on any view a minority?
A. Certainly.
Q. You tell us in your witness statement about the structure of the organisation. It has a governing council with president, vice president and treasurer. Functions including discipline, marketing, compliance, enforcement and membership selection, to which we'll come in a moment, and you have a full-time salaried general secretary.
A. Indeed.
Q. There are five regional branches. You're a non-profit organisation and funded essentially by annual subscription from members.
A. Yes.
Q. Your strategic objective, you say, is to work towards a Royal Charter in order to become the Chartered Institute of Investigators?
A. Yes, that's not entirely clear there. That would be a collective ambition. I would hope to pull together support from other professional organisations within the industry. We have already approached the IPI, the ex-police officers in commerce, the Association of Certified Fraud Examiners, to name but three organisations that we've asked to meet with us to discuss our proposals to make a move towards petitioning for the
LORD JUSTICE LEVESON How many associations are there?
A. Essentially there are three that are predominantly dedicated towards professional investigation. There are several other specialised organisations. I can't remember off the top of my head exactly how many there are, but, for example, I recently met with the insurance fraud investigation group, another group, but they predominantly represent in-house investigators in the insurance market. But it very much depends on how, or if and when regulation is implemented, how it is viewed, and what parts of the sector are to be drawn in. For example, in-house
MR BARR If I just stop you there on the question of the number of organisations, you mentioned three at the start of your answer. Are those the IPI, the ABI and WAPI?
A. There's three predominantly that specialise on the investigations side, yes.
Q. At paragraph 12 of your witness statement, you tell us that there has never been a requirement in the British Isles for the registration or licensing of investigators in the private sector. And the guesses as to the numbers of people practising in the private sector are 3,000 to 20,000, and you told us a little bit more about that a moment ago. The immediate thought that springs to mind from that evidence, Mr Imossi, is that this Inquiry has heard from a private investigator, Mr Derek Webb, who told the Inquiry that he was licensed. Can you help us?
A. I can indeed.
Q. Can that be right?
A. No, it's not. And I took it upon myself to track him down and speak with him and I did quite recently. It turns out that what he actually meant that he had membership of the IPI. It wasn't a licence at all.
Q. I think we can take it from your witness statement that you are a strong supporter of licensing?
A. Yes. Or, well, regulation.
Q. In the absence of formal regulation of the industry, can I ask you a little bit more about what your Association does by way of self-regulation of its members? You tell us that there is a Code of Ethics and Professional Standards, it's exhibited to your witness statement. It's right, isn't it, that at the heart of that document, amongst other things, is a requirement always to act with honesty?
A. Yes.
Q. And also always to act within the law?
A. Yes.
Q. Is there any specific guidance provided by the ABI about phone hacking, including voicemail interception?
A. Well, we haven't identified those particular problems per se, but they would be incorporated in the legislation and laws that exist that would affect the activities of investigations. If I could just sort of build up to the publication I'm going to refer to in a moment and how it came about, the turning point for the industry, really step number one to our ambitions to become a profession, was on 1 March 2000 when the Data Protection Act 1998 came into force, and that very month I had organised and chaired a conference, a seminar, for any investigators dedicated to data protections and how things had to change, and in fact how the law had changed. One of the speakers at that seminar was one of the deputy commissioners, Philip Jones, who suggested something during the question and answer session which buried very deeply in the back of my mind, and he said really that we needed to put together a best practice guide to give some sort of guidance to those practising investigations as to what they could and could not do. It wasn't until two years later that I actually found the right person who could put such a guide together, and indeed that was Richard Newman, who has some legal qualification, and who later became my successor in 2000 as President, and he did put together a best practice guide which predominantly is all about the Data Protection Act but also other statutes and case precedents that affect our activities. This is the only publication that exists in our sector, and we subsequently made it the basis of an entry exam for people to become members of our Association. The idea being that at the very least to a reasonable competent level the applicant will be familiar with the general contents of that guide. 
And that was an idea that came and we had it checked and read over by Rosemary Jay, who was the former solicitor of the office of the Information Commissioner, so we were absolutely certain that what we were talking about here was correct and the correct practice.
Q. So short answer: Data protection, yes; specific guidance on phone hacking, no?
A. No, we haven't addressed those particular points, but I'm sure they will be matters that we will bring into the next edition.
Q. Thank you. Can I now move to paragraph 15 of your witness statement, where you set out the checks which the ABI performs before it admits a member, and you tell us first of all that there is a credit check. Why do you think it's so important to have a credit check?
A. Well, being a professional investigator, it is our view that we hold not just a position of trust and confidentiality handling clients' sensitivity, but we also hold a position of responsibility to the inside knowledge that we gain through our activities to various systems, particularly in the credit industry, and I would suggest that an investigator would probably have learnt how he could escape his responsibilities on debt matters. Therefore, it was has always to my knowledge been a term, a condition of membership that the members are clean of any monetary judgments.
Q. Might it also be that a person who was under financial duress might be tempted to do things which he or she
A. That would follow.
Q. might not otherwise do?
A. That would certainly be the case.
Q. You then tell us that there is a criminal conviction certificate (basic disclosure) requirement. Can you just help us, explain what the basic disclosure level requires?
A. Yes. We've always had a self-declaration requirement that a member is clear of any criminal convictions, subject to the Rehabilitation of Offenders Act provisions. In 2009 we had a very unfortunate experience where someone who had been granted provisional membership was brought to our attention by the police that he was actually a convicted sex offender, and his activities as an investigator were really inconsistent with the job that they were trying to do in keeping an eye on him, from the Sexual Offenders Register. Of course we immediately looked into this and he had lied on his application form, he hadn't declared his conviction, and of course we immediately expelled him, and it then became apparent that the self-certification system was insufficient. However, having said that, we are not until we become regulated, we are not an exempt occupation, so we are not entitled to obtain a disclosure certificate from the Criminal Records Bureau in England and Wales, because they only provide standard and enhanced disclosures which are for exempt occupations or people working with children or vulnerable adults. But there is, and I hadn't previously appreciated this, a third type of disclosure, which is called basic disclosure, which will only show unspent convictions, and that is available to anybody through Disclosure Scotland, and I undertook some research and learnt that in fact this, although the Disclosure Scotland was primarily for Scotland, it actually covered police national computer information for the whole of the United Kingdom, so we then decided that we would implement that as a compulsory requirement for all our members.
LORD JUSTICE LEVESON Just pause a moment, please. (Pause).
A. My previous efforts to succumb the problem of not being an exempt occupation hadn't succeeded particularly well. That was when the CRB was first formed, the Association successfully applied to become an umbrella body of the CRB and my idea was I would encourage the members to become countersignatories as part of the process and the procedure to become a countersignatory required the CRB to carry out a full check on the individual, and of course if the CRB granted them that countersignatory category, that gave us the green light that there was genuinely a clear criminality history. However, we could only do it on a volunteer basis, and whilst we raised 50-odd members, persuaded them to go through that process, it wasn't sufficient, and in the event we weren't actually producing sufficient searches, searches for CRB fee-generating work, and the CRB required us and many other umbrella bodies to cease that status.
MR BARR Does it come to this, that you do what you can to find out about an applicant's criminal history, but that you would, if the law allowed it, dearly like to do more and have a full enhanced check?
A. Well, at least a standard CRB check, yes. Enhanced might be going a little bit too far, but certainly a standard check, which is what in fact would happen if we became regulated by statute. The industry would become an exempt occupation.
Q. The next check that you mention in your witness statement is to ensure that the applicant or the applicant's business is notified as a data controller.
A. Yes.
Q. You take two professional referees, which you pursue, and you say that there is an interview.
A. Yes.
Q. Proof of identity is required and there is an examination which is based on the best practice guide?
A. Yes.
Q. Which you've mentioned a moment ago. In addition to that, you have a mandatory insurance requirement, with a limit of at least £250,000.
A. Yes.
Q. Can I just explore that issue very briefly, by observing that there is a private investigator going through legal proceedings at the moment with payments of damages which, when taken together, will far exceed £250,000, not a member of your organisation, I should hasten to add. But is it enough?
A. Probably not, but it's a minimum requirement. We had to set a minimum requirement. Now, I know you mentioned that there's an ongoing case, but our actual track record is quite good, and we have been able to manage to bring premiums substantially down. Certainly by making it a compulsory requirement to have the cover, we were able again to negotiate quite well with the underwriters. Now, the norm level of cover in my experience is about £1 million. Many agencies take 2 or above, in millions of pounds. But we had to set a bare minimum. Bearing in mind that some of our members' activities are quite minimal and they don't have a huge exposure to large or potential large claims.
Q. I think you tell us later in your statement that when this requirement was introduced, that there was a drop in the number of people who renewed their membership; is that right?
A. Yes. We did, but we've found that we've very quickly made it up. The simple truth was that even taking into account the level of membership fee, the amount of premium that had dropped because of our negotiations added together equated to less than what someone who was not a member would be able to get that cover. But it was a tough change of culture, because the norm is for investigators not to have professional indemnity, and it was the Association's view that as part of our cultural move to professionalise the industry and really make them more responsible and accountable, that this requirement would give confidence to the outside world that we were the good guys.
Q. Your final check is that the applicant's details are circulated amongst the membership so that if anyone knows any reason why the person should be considered unsuitable, he or she can come forward and say so?
A. Yes, it's a belt and braces system.
Q. You then go on to describe enforcement, compliance and disciplinary procedures. You tell us that there's a rolling audit, random checks, disciplinary process, which is backed by investigation of complaints. You mentioned one case a moment ago where there was a disciplinary issue leading to the expulsion of the member. Can you help us with what sort of level of disciplinary offences you have to deal with?
A. Well, we don't have that many, I hasten to add, but they do vary. The most common is complaints from members of the public, which we take very, very seriously indeed, and we do investigate to the hilt, and we will apply such penalties that we're able to within our by-laws from expulsion down to perhaps just a reprimand. But we're very, very sensitive to how members of the public, the consumers of investigators, how they're treated and how they perceive members of the Association.
Q. Look at tab 5 of the bundle and the document that you've exhibited to your witness statement which is entitled "The Association of British Investigators. Self-regulation of investigators in the private sector, a discussion document." This document sets out, doesn't it, the ABI's position on the state of the industry vis-a-vis regulation and the future?
A. Yes. It's a work in progress. It isn't the ideal finished product, but in the time that we had, we felt it important to put something across to this Inquiry so you can see where we were coming from and what our views are about the industry and what we would like to see done about it.
Q. Working from the executive summary, one of the points you raise is that some investigators have questionable antecedents because it's possible for anyone to hold themselves out as a private investigator in this country. To your knowledge, is this a really sizeable problem or not?
A. Well, it is. The "What price privacy now?" publication from the Information Commissioner certainly was a shock and awe document to expose the extent of the problem, but it's much deeper than that. We have examples where two people, brothers, who have a very long history of antecedents that cut to the very core reason why this Inquiry is --
Q. I certainly don't want you to name anybody, please.
A. No. And they made enquiry as to the possibility of joining the Association of British Investigators. They were sent away with a flea in their ear and very promptly formed their own organisation.
Q. I don't want to go into that particular example any further, thank you. I'm asking generally, is it a problem that you think is widespread in the industry?
A. Well, yes, it is.
Q. And then you go on to describe how changes in information communication technology, which have happened very rapidly in recent years, have generated very significant privacy issues, and are these the very issues that this Inquiry has been constituted to look into?
A. Yes.
Q. Hacking, blagging?
A. Yes.
Q. And so on and so forth?
A. Yes.
Q. Can I ask you again, perhaps anecdotally from what you pick up from your members and from the wider investigations community, is this a problem which you think has happened in the past and has now been put to bed or is it an ongoing issue?
A. I think it's an ongoing issue. The mere fact that we get asked to organise counter measures for suspected bugging problems would indicate that certainly something is going on. The phone hacking situation, I certainly wasn't aware that that was being used by anybody. I can't for the life of me even today think why an investigator undertaking investigative activities would take such a risk, or what benefit he would gain to his investigation by intercepting a voicemail. I can understand the value of it to the media, because of course they are looking at innocent people who will innocently leave messages, perhaps even of a sensitive nature, on a voicemail, but the sort of people that I investigate are not likely to leave anything that would be of remote interest to my investigation on a voicemail. LORD JUSTICE LEVESON That may be because you're investigating people who may or may not be doing things which they will want to keep covered up. The sort of investigations that I've been looking at are of people who are simply living their lives.
A. Correct. Correct, sir. I would go on to say, you know, we're very sensitive to teach our members about the methodologies that they adopt and we're sensitive to not encouraging intrusive methods. We played a significant role in the preparation of a document, for example, that was published by the Association of British Insurers in 2007 which was a guide on the engagement of investigators, and one of the things that come out there is that really -- and that dealt with really surveillance, which is a method to use as a last resort, not to use as the norm, and my understanding of what happened with the mobile telephones interception was that it was being used by -- obviously illegally, but it was being used as a norm, as a norm tool of first resort. LORD JUSTICE LEVESON All right. Shall we take a short break? We'll just have seven minutes. Thank you. (11.30 am) (A short break) (11.37 am) MR BARR Mr Imossi, can I take you to paragraph 5 of your discussion paper on page 4. You say there that the UK is one of the remaining countries in what you describe as the free world where there is no current system for the vetting, registration or licensing of investigators in the private sector. Do you know of any country which might be described as part of the Western world which does not have at least registration for private investigators?
A. Germany, Norway. That's two I can think of off the top of my head.
Q. But the majority have, do they?
A. Yes.
Q. You go on then in your discussion page to touch upon the problem of hacking, blagging and bribery at paragraph 13 on page 6. Can I ask, do you have any personal knowledge which will assist the Inquiry to establish how extensive those practices have been?
A. The only information I could point towards is that which is contained in the "What price privacy?" and the follow-up report. We hear, obviously rubbing shoulders with other investigators you hear of stories of things going on, but I have to say that when I saw "What price privacy?", it was a shock to see how extensive the practices was. LORD JUSTICE LEVESON That's, of course, only one person.
A. Yes, but it did exhibit a list of prosecutions -- LORD JUSTICE LEVESON Yes.
A. -- as one of the exhibits. MR BARR One person at the centre of the web, but various associates that he was working with.
A. Yes.
Q. What I would like to ask you about in this section is what you mentioned in your second witness statement, that you think there are illegal services on offer being advertised on the Internet by unregulated private investigators. Is that right?
A. Yes, it is.
Q. Would you be able to provide the Inquiry with some examples?
A. It's not a -- it's an opinion, it's not something that I could point my finger at and say it's been tested in a court of law, but --
Q. Things that you would regard as unethical?
A. Yes, indeed. The one that is very typical is the interception of emails, the unlawful interrogation of computers that belong to a third party. LORD JUSTICE LEVESON That's being advertised on the Internet?
A. It is, sir. I'm a little bit surprised, sir, that it hasn't really hit the media as it should have done, because -- LORD JUSTICE LEVESON Don't identify them now, but if you could send the Inquiry some URLs, I would be grateful.
A. Indeed, sir, I will. MR BARR You go on to make the point that the use of illegal methods or unethical methods by unregulated private investigators can put more scrupulous investigators out of business.
A. Yes, indeed.
Q. Is that a real problem in the industry at the moment?
A. Well, it is when you bear in mind that some clients -- and it happens to me on occasion, a client will come to me with a specific problem and ask me to prepare a proposal, and then they're quite often a little bit surprised that I haven't suggested providing some of these illegal services like hacking into someone's bank account or some of the other things that have been identified. The consumer thinks it's the norm.
Q. I appreciate that you don't work yourself with the media, but from your knowledge of your industry and your accounts within the industry, are the media a big client of the private investigation industry or not?
A. My answer would be very, very speculative.
Q. Don't speculate if you don't know.
A. I can't --
Q. You go on then to develop the argument in your discussion paper, explaining the efforts the IBA has been making over the years. You explain at paragraph 20 that there's an agreement between the ABI and the DVLA for the release of certain information under their accredited trade association scheme, page 8, if you want to turn it up. Has this scheme in your experience allowed for a controlled and properly regulated flow of information from the DVLA to investigators in lawful circumstances?
A. Yes, very much so, and it was a prime example of the way the Association would like to move things, because we do hear quite often coming from within the sector people saying that we really ought to be given access to data if we're going to be regulated. My personal attitude is no, the access to data already exists by the permissive exemptions within the Data Protection Act. What we have to do is educate the data controllers and win their confidence that we will treat the data responsibly and within the restraints of law, and the success we've had with our DVLA facility is one prime example. I would hasten to add I'm moving towards another one, but I've had to launch last week an application to the High Court asking for permission for judicial review against one particular body that's dug its heels in and will simply not talk to us about accessing a certain database.
Q. You then tell us about plans to launch an ABI academy.
A. Yes.
Q. To provide accredited training for private investigators. Is that a proposal that's going to go forwards?
A. Oh, very much. So we've been working on this since a strategic decision was made in 2008 that we would make every effort to try and move towards a chartered institute or apply for chartered institute status. One of the things that have held us up is getting the ABI academy knocked into shape. We've now got that in shape, it's got all the right accreditation, right approval, it has the SIA nod of approval that it would be one of the qualifications it would look for in the event of statutory regulation, and I have to say that very much part of the examination questions that would form part of that qualification would be based around the Section 55 and other aspects of the Data Protection Act.
Q. Since you touched upon it, I was going to come to it later, what is the ABI's position as to whether or not a breach of Section 55 of the Data Protection Act ought to carry a custodial sentence?
A. When it was first announced or launched by the Information Commissioner in his "What price privacy?" document, we made a policy decision not to support it at that stage for two reasons. Primarily we saw it as a threat to the progress or the move towards regulating the industry as a whole, that if a prison sentence was available to the courts, that maybe the government would be less encouraged to go towards the regulation side of it. The second problem that we saw was one where in the shock and awe effect of "What price privacy?", at the same time the Information Commissioner exhibited the manual on how one could go around breaking the law and it was felt that really that was the wrong thing to do, and it was counter-productive to the very aims of the document. And we felt it perhaps a little bit unfair to then start putting a prison sentence when the Information Commissioner himself had put temptation in the path of those who might be minded to pursue that path rather than the righteous one.
Q. Is that really a good reason for opposing a custodial sentence --
A. No. The main reason was we saw it as a possible threat to the move towards regulation. We have, as a matter of policy, since changed that and I have written to the -- I wrote to the Information Commissioner on behalf of the Association only last year saying that the Association is now fully in support of his campaign to bring about the custodial sentence. LORD JUSTICE LEVESON I don't understand the problem, because of course no judge would send somebody to prison for an accidental breach of the law, even though it's an absolute offence, but might very well for industrial, wholesale conduct of business on the basis of unlawful access to data.
A. I agree entirely, sir. But one has to bear in mind on the other side of the coin the Data Protection Act is not the simplest of statutes for anybody to follow, and there are mixed messages that come out from the Information Commissioner's office. For example, in the closing evidence of the Information Commissioner himself when he sat on this platform, he made a statement which at the time when I watched it took my breath away, and I held back thinking: did he really mean that? I thought I'll wait, I'll rewatch it online, re-read the transcripts, and indeed I came away thinking this may send the wrong signals. And indeed, it did, because it was brought to my attention that on two forums, discussion forums, Internet discussion forums for investigators -- not, I hasten to add, the ABI's one -- a slant had been put on his words, almost hinting that the Information Commissioner's tolerance of or acceptance of the public interest defence could be extended to beyond the media. As a consequence of that grey area, I sent a fax to the Information Commissioner on Tuesday morning inviting him to set the matter straight so that I could and I would publish his response in our journal and send it to the other forums, just so there is no misunderstanding as to what investigators can or can't do. LORD JUSTICE LEVESON The law is comparatively clear. The section --
A. It is, sir, but what is not clear, and he used the term, rather unfortunately in my estimation, he referred to "the dark arts". I'm a little bit confused as to what the dark arts are. LORD JUSTICE LEVESON Well, if you'd sat here for the last three months, I think you'd have understood the expression.
A. Well, okay, but perhaps it's not as a severe methodology as I'd understood. LORD JUSTICE LEVESON It's not. It is undeniably loose language, but it's really been used as shorthand for some of the conduct of the press about which complaint is made. MR BARR You tell us at page 10, following the internal pagination of your discussion document, a little bit more about CRB checks. You've explained the position, but here on page 10 you tell us when the CRB check was introduced, 5 per cent of your members failed to renew. Of course there can be any number of reasons why a member fails to renew, but was that an abnormally high number of non-renewals for a particular year?
A. Yes, it was. We had a problem, it was a new requirement, not seen before by the Association or indeed anywhere within the industry, and I suspect that it wasn't just failure to renew, we actually expelled en masse 18 who had failed to produce their first criminal conviction certificate. I don't think for one moment that it's because they had something to hide or something they didn't want us to see, because many of those eventually came back with their tail between their legs. They simply had not paid attention to the requirement. But it was disconcerting that for the renewal numbers that we actually saw this drop, and that did leave it open to the suspicion that perhaps there was an underlying problem that we simply did not have visibility to.
Q. And a related fact, paragraph 28, you tell us is that since compulsory CRB checks were introduced by the ABI, not a single one of your members has been arrested, summoned or convicted of any criminal offence. Are you there trying to explain that the CRB check has had a very positive influence on behaviour?
A. Yes, it has.
Q. Finally, in the industry I'd like to ask you about clients. Is there a certain type of client in the industry who seeks out the more unscrupulous of investigators rather than the kite marked member of a reputable association?
A. Yes, in my experience there will be those that will be price-driven, predominantly from the credit industry, and from what I understand, from what I've picked up through this Inquiry and the "What price privacy?" document, the media too, but I should imagine it's very much price-driven and the sheer gall of doing those activities. MR BARR Thank you. Those are all my questions. LORD JUSTICE LEVESON I have one question. Why is it, do you know, and if you don't know I may address the question to somebody else, why the Home Office moved away from implementing the statutory regulatory model that they were contemplating after the legislation?
A. I don't know, sir. LORD JUSTICE LEVESON Because it seems that in a business that is as fragmented as yours, without one predominant trade association, there's you and then there are others, as you've identified, it's difficult to see how a cohesive self-regulatory model can be established.
A. The self-regulation works for us, for my Association. LORD JUSTICE LEVESON Yes, but that's for 500 people. If you wanted to engage everybody, then are we going to have six different self-regulatory models?
A. What our discussion paper suggests is that it doesn't necessarily have to be the Association of British Investigators that regulates. It's whatever body or bodies are set up, so long as, as we suggest, they follow the ABI model. LORD JUSTICE LEVESON Or they have their own model, but there has to be a model which is consistent, hasn't there?
A. Exactly, sir. That's what I'm saying. Consistent with what the model the criteria that the ABI sets, ie that list of requirements to become a member and our policing of it. But if I could just go back to the Home Office factor, it may well have been one of cost or the sheer uncertainty of what they were getting involved in. When the impact assessment, the regulatory impact assessment document was put out in 2007, there were four options which appear in the Mr Butler's evidence. Option number three was to implement licensing, but only implement the test on criminality and identity, and to leave the issue of competency perhaps at a later date. It was my feeling and our Association's policy that our response be one to suggest that although option four is the ideal, by bringing competency, that really they ought to bring in option three to start off with, simply so that they could then identify the size of the industry, who they were, what they're doing and where they are. Then they could actually get their head around how to regulate them more fully by bringing in competency, but I think they bit more than they could chew by going for the full monty, option four, and I think it was only a small minority of the stakeholders who responded to that consultation document that went in favour of option four. I can't remember the numbers. But it certainly would have been a very different situation now had they gone for that option three. It would have been very simple to have brought in, the infrastructure was already in place, they could now be working not on regulating but how to improve the standards and check the competency. LORD JUSTICE LEVESON Thank you. Thank you very much. MR BARR Sir, the next witness is Mr Palmer. MR DAVID PALMER (sworn) Questions by MR BARR MR BARR Mr Palmer, make yourself comfortable, please, and then can you tell us your full name.
A. My full name is David Charles Palmer.
Q. Are the contents of your witness statement true and correct to the best of your knowledge and belief?
A. Yes, they are. MR BARR It's tab 40. LORD JUSTICE LEVESON Yes, I have it. MR BARR You tell us that you are the Principal of the Institute of Professional Investigators, which I shall refer to as the IPI from now on. You are also a serving police officer, currently based at the financial crime unit, Fraud Squad, of the Heddlu Gwent Police, if I haven't done violence to the pronunciation. You've previously had six years in the Royal Air Force police and 26 years in the Gwent police in various roles, including being in the criminal investigation department in 2002 and the Fraud Squad in 2006. You joined the Institute in 1990 and you've been a fellow since 1995, and on the board since 1996. Principal, 2001 to 2003 and then again from 2010 to the present. It's important, you remind us, to recognise that you are submitting this statement and your evidence is given in your capacity as principal of the IPI and not in any way as a police officer.
A. (Nods head).
Q. You tell us then a little bit more about the IPI. It was formed in 1976, when it broke away from the ABI because of the wish to create an academic arm to the trade association. Can I be clear, please, is it right that you can be a member of both the ABI and the IPI?
A. You can be, yes.
Q. And you are a more academic organisation than the ABI?
A. That would be accurate, yes.
Q. Do you have any idea what the sort of membership overlap is?
A. We've recently sought to find that out and found that it was quite difficult to do quickly, but I think it was in the region of 50, but that would be a semi blind guess.
Q. What is your current membership, please?
A. 353.
Q. It's right, isn't it, although we needn't go into the details at all, that there is perhaps a possibility of a merger between the ABI --
A. It is under discussion, yes.
Q. -- and the IPI? You then set out the objects of the Institute, which I won't read out, they will be available to the website, and then the Code of Ethics. The Code of Ethics requires a promise from a member: "To conduct myself with honesty, integrity and to uphold the highest moral principles and avoid conduct detrimental to my profession; to conduct all investigations within the bounds of legality, morality and professional ethics; to guard my own professional reputation and that of my professional associates; and to uphold the objects of the Institute and abide by the Memorandum and Articles of Association of the Institute of Professional Investigators." Can I ask you now, how many instances have you had of members being disciplined for failing to live up to those ethical standards?
A. My own experience was we conducted one, shall we say, appeal against a finding of culpability in respect of one member who had allegedly breached client confidentiality in that he'd used a film of a surveillance on the television, I think it was local television, and the client involved disputed the investigator's claim that the investigator had permission to use that film. That's the only occasion I know of where we've had a hearing, as such. Other complaints have been made, but they're usually about the size of an investigator's bill, which is purely a contractual matter between the client and the investigator, unsubstantiated, unclear allegations of an investigator's behaviour where a solicitor's made a representation on behalf of a client but refused to identify who the client was, so we applied the principles of fairness and said, "Without evidence, we can't really conduct an investigation", and that's pretty much the extent, my recollection, of any disciplinary issues with the Institute.
Q. We've heard from the last witness that Mr Derek Webb, he understands, was a member of the IPI. That's obviously a fact which has recently been asserted. Would you be able to check the membership records and inform the Inquiry as to whether or not that is correct?
A. I have conducted a check today, having been made aware of it, and I conducted a check a while back when the name first came up. All I can tell you from our records, checks today, that he has not been a member for the last three to four years, possibly five. Mr Imossi showed me the certificate, which was dated 2005, and it may well be he joined and then resigned or just failed to renew his subscriptions, but he's not currently a member. LORD JUSTICE LEVESON I think he was encouraged to become a journalist. I think that was his evidence, wasn't it? MR BARR Yes, it was, and so his membership must have been historic on any view. Do your records extend far enough back for you to verify it or are you accepting from what you've seen this morning that he was at some stage a member of the IPI?
A. We are seeking to verify the extent of his membership.
Q. Thank you. If you could let us know in due course what the outcome of your research is, we would be grateful. You tell us a little bit about the organisation. It has articles of association and by-laws, a board of governors supported by a secretariat, disciplinary procedures, which might, at the top of the scale, culminate in dismissal. And you tell us then that the membership requirements are to have NVQ level 4 in investigations or something equivalent. Does that set quite a high threshold for membership of the IPI?
A. Only on -- it was established that level 4 NVQs required a level of management qualification or experience and that was a decision made early on by the then board. Subsequently, NVQs fell into disuse. There were a few people that went through it, but it fell into disuse, so we couldn't really use it as our benchmark. What we have now is an assessment admissions committee, who look at the qualifications submitted by an applicant and decide on a level of participation based on those qualifications. What we try to do is keep them as high as possible, but we're also cogent of the fact that in the IPI, and this is where the term "private investigators" becomes a confusion, because a lot of our members aren't -- they are investigators and they work in the private sector, but they're not what a member of the public would understand a private investigator to be. For example, we have one forensic tax accountant, and we've had forensic accountants in the past. So identifying a qualification that fits a generic membership level is difficult. We have to look at individual qualifications and decide if that fits our bill, as it were.
Q. You explain that the high level of membership at fellowship level requires either a higher qualification, recognition of an acceptable 8,000 word thesis on an investigatory subject, and you can also have honorary fellowships. You go on to tell us that the IPI is highly vociferous in support of licensing for investigators and would have preferred that high competency levels and qualifications had been sought by the SIA in its deliberations. In fact, the position is that there isn't any statutory regulation of private investigators at all --
A. None at all.
Q. -- at the moment, is there, so your preference for a high level of regulation has to be contrasted with the grand truth, which is that there is none at all.
A. My statement was making reference, if you like, to what the SIA in one of their later consultation documents suggested would be the level of qualification, where somebody would be expected to have competencies in five areas that would require them to undergo 60 hours' training. That would be an exceptionally basic level of training if somebody could learn their trade in 60 hours. At the high end, you can imagine we could have taken -- I believe it's Spain's template, where you have to have a degree before you can become a private investigator. That in itself would have been unworkable in the UK, I suspect. So what we would like is something that equates to perhaps -- and we explored this some years ago -- a legal executive. Somebody who is not expected to have the entire legal knowledge expected to run a law practice, but have sufficient to be able to assist a law practice. An investigator should in our mind have something at that level of knowledge, experience, competency, as it were. But as things stood with the SIA and for reasons which we fully understand, they had to go to a basic level because, again because of the breadth of nature of investigative work, trying to get a one size fits all competency was exceptionally difficult.
Q. You tell us that the industry provides a distance learning course for investigators and the very first module deals with ethics and standards. Is that because ethics and standards are regarded as so fundamental to the work of your members?
A. Yes.
Q. Is the distance learning available outside non-members?
A. It's Internet-based, so you pay your fee and you can take as long as you want to undertake it, and there is the logistically influenced possibility of an examination at the end, which if passed and subject to any other criteria set by the admissions committee, could result in an award of associate membership with the Institute, but not full membership.
Q. Do you think that there is a general lack of training in the industry? Is that your impression?
A. The impression I've got over the years is that the majority of trained investigators have come from an investigative background where they've received training either could be through the forces, through the police, customs, HMRC, that way. The training for a private investigator outside those routes has tended to be, for example, provided by a distance learning course, from the Academy of Private Investigation, a BTech level 3. Those have come about pretty much since the suggestion that licensing will come into being. Prior to that, there was pretty much nothing except a couple of distance learning packages provided by -- I think there was one company called Meridian and another one called Streetwise. We looked at them and while we can't comment on the quality of the training packages, what we were conscious of was that they were put together by accountants and businessmen, not investigators.
Q. I think your answer, informative as it is, is really talking as to what training is available. I think my question was more directed as to do you think there are significant numbers of people holding themselves out as private investigators who are untrained and subject to no requirement to be trained?
A. Oh yes. Yes.
Q. Can I explore what anecdotal evidence you might have come across in your position of Principal of the IPI about first of all phone hacking. Was the hacking scandal when it emerged a surprise to you or not?
A. Um -- difficult question. Because my role isn't private investigation, as such, I suppose I was fairly neutral as an individual. In terms of looking at it having become aware of the event, it's not altogether surprising that that sort of thing happened. My own experience in my other role regarded a local self-appointed private investigator who was even being investigated by the local news and they did one of those not fly on the wall, exposés, documentaries on him and he was offering to bug people's houses. So the fact that people are out there conducting unlawful activities in the name of private investigation isn't a surprise to me, no.
Q. What about blagging? When the Information Commissioner published "What price privacy?", was that a shock to you or not?
A. No, I'm not surprised in the least. I've been aware that in the United States it's been considered a normal practice amongst investigators. Maybe not so much now, because the Americans are becoming more data protection conscious as time goes by, but years ago, phoning someone up and blagging information from them was considered arguably a legitimate investigative technique.
Q. You seem to be describing a cultural problem so far as blagging is concerned. Do you think that the I think it was described as "shock and awe" by the last witness of the ICO's report, has that had an impact?
A. I've not had any conversation with IPI participants about this specific matter. It's not come up as a matter of conversation, so I am not really in a position to answer that question with any authority.
Q. Does the IPI educate its members about the unlawfulness of blagging and intercepting communications?
A. As circumstances arise and events pass in time, we tend to address those problems with articles through our journal The Professional Investigator which is sent by email to all the members who are on email and posted to those who request it. If an issue arises, then we tend to put something in writing and circulate it. If it's more urgent than that, we'll circulate it directly by email, and when the opportunity arises, we'll have a seminar. For example, relevant to this particular Inquiry, I think it would have been 2008 or 2009 we had two investigators from the ICO come to our annual general meeting and give a three quarter of an hour presentation on data protection legislation and what was Operation Motorman, the results and their findings and their opinions as to the way forward and what was going on in the private investigation information brokers' industry, shall we call it, because we as a sector, private investigators like to distance themselves, understandably, from those people who call themselves private investigators. Basically they're information brokers. They go out blagging, obtaining information unethically, shall we say, and passing it on to whoever's willing to pay for that information.
Q. Can you help us now with your impression of the size of the market for unlawfully obtained data? To what extent are you able to help us as to the number of people who are out there trying to buy these services?
A. I really can't help on that.
Q. Can you help at all with either the importance of the media sector to the industry as a client in general or as to the sorts of services that they're seeking?
A. I'm afraid I can't. I've had no conversation with members where they've discussed the extent of their contact with the media, if any.
Q. The ABI have explained in their evidence really quite a detailed screening process for membership. The process you've described is rather different. It's based on an academic threshold. What character checks does the IPI make?
A. We ask for two referees, which are then who are contacted and the bona fides of the references checked. We've recently introduced CRB requirements. Obviously that wasn't available to us some years ago, but we've been a bit slower than the ABI in that regard, but it is now a requirement. Bankruptcy checks, CCJ checks and years ago there was very much an everybody knew everybody element to the industry. So our then secretary general was a practising private investigator and he knew someone who'd know somebody who'd know somebody, so there was an undercurrent of "I know that what I'm being told is true because I've investigated it". Our secretariat now is not from the industry, so we rely more on documentary evidence provided by applicants.
Q. Proof of identity?
A. Proof of identity and we've also introduced an interview, where appropriate, where a local member would be asked to go and interview the applicant to see whether, for example, you know, if they say they're a professional investigator, are they in fact working from a bedsit or do they have a proper office premises. We suddenly became aware that without these checks we could be letting in the traditional wannabe, somebody who just wants the title of private investigator. LORD JUSTICE LEVESON Mr Palmer, the real problem is not those who want to get involved in a professional operation; it's the people who don't want to be involved in a professional operation, who are perfectly content to misuse ways of collecting information for their own purposes. Isn't it?
A. Yes, but we would be concerned that they want to use our the membership of our Institute LORD JUSTICE LEVESON Of course.
A. as a way of enhancing their ability to do just that. MR BARR Can I take it that what you would like to see is formal regulation, which means that those who are licensed are thoroughly checked out before they are licensed?
A. Yes. Our preference at the moment would be for licensing by a regulatory authority like the SIA. Alternatively, I was at a conference yesterday where the SIA briefed that another alternative might be self-regulation but with a statutory backing similar to that of the GMC. That too would be acceptable to the IPI. Self-regulation without any statutory backing, I think, would be ineffective.
Q. Thank you. Finally can I ask you about your views on a custodial penalty for breach of Section 55 of the Data Protection Act? Where does IPI stand on that issue?
A. We're not averse to the concept of there being a suitably robust punishment for these offences, but at the same time as we're letting rapists and robbers off with relatively light sentences, whether the practicality of a custodial sentence or the threat of a custodial sentence would justify its imposition LORD JUSTICE LEVESON Yes, you make it all clear on your website, which is our page 2734, that the comparison of issuing cautions for
A. Burglaries. LORD JUSTICE LEVESON burglaries or car thefts as opposed to those who sell data, but just to put the thing into context, Mr Graham explained that if the penalty is limited to a financial one, and as you know, courts are always required to have regard to means to pay, those who commit possibly quite serious breaches of the data protection legislation may end up with penalties that are little more than fixed penalties that one might get for extremely trivial regulatory offending, whereas those who are in the business of industrial misuse of data for gain would not be capable of pursuit or sentence at an appropriate level.
A. Yes, I'm reminded of what you said earlier, my Lord, and I thought at the time I attended the WAPI conference a while back and a solicitor made the observation and I looked into it and it might be worth considering, if this information is being obtained by fraud, whether the sections 1 and 2 of the Fraud Act 2006 would apply which has a ten-year sentence away. LORD JUSTICE LEVESON Yes. The interesting problem is the ability to steal information, and if you're working in this area, you will know the problems of that area of the criminal law.
A. I want to stress I'm not averse to the concept of there being a strict punishment. I was only questioning the practicality.
LORD JUSTICE LEVESON Well, I understand that. Nobody is suggesting that loss of liberty would be anything other than for the most egregious, repetitive and deliberately exploitative behaviour.
MR BARR Sir, thank you, that was all that I had for this witness.
LORD JUSTICE LEVESON Thank you very much indeed. Thank you, Mr Palmer.
MR BARR Sir, the next witness is Mr Smith, but before he's called, I've not yet had an opportunity to introduce myself to him. Might I ask for five minutes to do so?
LORD JUSTICE LEVESON Yes. Let me rise for just a few minutes.
(12.21 pm) (A short break) (12.25 pm)
MR BARR Thank you, sir. Mr Smith is the next witness.
LORD JUSTICE LEVESON Thank you.
MR ANTHONY SMITH (sworn)
Questions by MR BARR
MR BARR Mr Smith, if you'd like to sit down and make yourself comfortable. I should explain at the start that you're standing in at short notice for Mr Withers who is unable to be with us today.
LORD JUSTICE LEVESON Thank you very much. That explains why I can't find his statement. Right.
MR BARR Could you give the Inquiry your full name, please?
A. Yes, my name is Anthony Smith.
Q. Could you confirm that you are the Vice-Chairman of the eGroup Moderator, Complaints and Discipline section of the World Association of Professional Investigators?
A. Yes, I am.
Q. And are the contents of the witness statement provided to the Inquiry by Mr Withers from WAPI, as I will call it, true and correct to the best of your knowledge?
A. Yes, it is.
Q. We are told in the statement that you have been a full-time investigator since 1977, working with Ferguson Investigations of Liverpool until the business was sold, and that you opened your own business in 1981 in Liverpool. You are a founder member of the Merseyside Association of Investigators and Process Servers, and remained the secretary and treasurer of that association until 2000, becoming a life member in 2007. You joined WAPI in 2002, and have been on the governing council since 2004. WAPI itself was formed in 2000, wasn't it?
A. Yes, it was.
Q. And it's a not for profit company set up as a private investigators' trade association and representative body formed by professionals for professionals, being your slogan?
A. Yes.
Q. Could you tell us about what it was which caused the formation of WAPI?
A. Although it was slightly before my time, it was as an alternative to the other associations. It has been mentioned here today that there are three associations; there are many more smaller ones, regional ones, local ones. The idea of WAPI was to try to encompass all investigators because the figures that have also been quoted today have been up to 10,000, and I believe it's nearer 10,000 than 5,000 investigators in this country was to bring everybody, or as many as we could, under an umbrella. That's the reason why it was formed.
Q. And you have 420 members at present, according to the statement. Are you able to help us with how many of those members are United Kingdom members?
A. Yes. To my knowledge, we have just under 300 United Kingdom members. Sorry, just under 200 United Kingdom members. Approximately 127 overseas, of which possibly 40 are European. They're approximate figures, I've not got the exact figures here.
Q. Can you help us with the entry criteria for joining WAPI? What does one have to establish to get in?
A. It's a member application with references. We have to take two references. We will check the references up. We need proof of identity, proof that they've been in business for a period of time, at least a year. There are various categories. If they haven't been in business for a year, they can come in as a probationary member, trainee, et cetera, but it is very loose. It's very, very loose.
Q. So when you say "very loose", what's the requirement, if any, to provide evidence of criminal convictions?
A. No, we do not have that yet.
Q. So it follows that a member somebody can join WAPI even though they have a criminal conviction?
A. Well, we ask them, obviously, we do ask. They can lie, but we do not take up any CRBs.
Q. You don't check?
A. No.
Q. Why is that?
A. By the very reason being that as I say, because there are so many investigators who are unaligned to any association, it's a case of bring them in, then we'll look at it. You know, like the way that there's no legislation. Any legislation will do us at the moment, because we have none. The case of let's get the investigators in, and then we can examine how many we have and what we're dealing with. We don't know what we're dealing with.
Q. I understand from the witness statement that the policy of WAPI is that if somebody is convicted whilst a member
A. They will be ejected, yes.
Q. that would normally result in expulsion. What's the position on a caution?
A. It would depend. That would possibly go to the GC level where the GC would question the individual concerned, depending on what it was.
Q. Do you know if there have been any examples? Don't name anybody.
A. No, we've not had any examples.
Q. Can I take it therefore that there are no credit checks either?
A. No, there are no credit checks.
Q. No interview?
A. If any points are raised to any member of the GC where there may be a query, similar really to the IPI, as the last witness said, they would put out in their journal. If one of our members raises a question we will ask that prospective member in for interview to explain themselves.
Q. What is the organisation's position on the future regulation of private investigators?
A. We'd like to see it happen. Certainly in my opinion, and I can only speak from my opinion here, this profession is in disarray, this profession is so fragmented, there are so many associations, all with a self-interest, and there are people who will not join those associations because they feel that if they come into the associations they will be tied by one person's idea, another person's idea. It needs regulation. Via the SIA would be ideal, but it needs firm regulation.
Q. You said that was a personal view, so we'll continue in that vein. What level of regulation do you think is realistic and appropriate going forward? Are we talking just registration or about competency requirements?
A. I think it would have to be competency, but once again, to just ask for registration to get people to come forward who would not normally come forward. There are investigators out there, as I say, who are completely unaligned, members of no association, but they would like something. By issuing a licence, a provisional licence, for a first 12 months or whatever, I don't know how it would work, I have no idea, but we need to do something.
Q. You've given a personal view. Is there a house line? Does WAPI as an association have a position on the future regulation of the industry?
A. We'd all like to be involved, yes, we would. Every association would like to be involved. I don't think it's a job for any association.
Q. So you're against self-regulation and in favour of state regulation?
A. Yes.
Q. You, like the other organisations, have an ethical code. You deal with that at page 5 of your witness statement. I'm not going to go through all the details. But the salient point for our purposes is perhaps the first one, which says: "Conduct all investigations and allied matters with integrity and within acceptable legal, professional and moral guidelines." I'm going to ask you in a moment what you mean by "acceptable", but before we do that, I think it's only fair that I read the penultimate bullet point which also says: "Comply with the regulatory and legal requirements within their operational jurisdiction." Against that background, what's an acceptable legal, professional and moral guideline?
A. As long as it was legal. That would be the underline.
Q. The other bullet point which I'll draw attention to is that there's a requirement at all times to protect the good reputation of members, clients, the association and the profession in general. You then tell us about training, and you tell us that certainly at the time this statement was drafted there was due to be a convention in Greenwich in November of last year entitled "Hacking, blagging, bugging and tracking the law".
A. Yes.
Q. Did that go ahead?
A. Yes, it did.
Q. What is WAPI's position so far as hacking is concerned?
A. Once again, if it's illegal, it's illegal.
Q. Blagging?
A. Illegal.
Q. Can I ask you a little bit now about your experience of the industry in general? To what extent is it your sense that there are illegal data gathering practices going on at the moment?
A. I think it's always gone on. I think it always has.
Q. Do you think there has been any improvement in the position since, first of all, the publication of the Information Commissioner's report "What price privacy?"?
A. Yes, I think so. I think maybe prior to that there was a degree of there were a lot of as people call grey areas, I'm not too sure about that, but there were grey areas that people were making use of.
Q. But still going on nevertheless?
A. Yes.
Q. And what about the impact of the phone hacking scandal, which received so much publicity last year? Do you think
A. I was amazed at the extent of it. We all knew it was going on, but I was amazed at the extent and the unnecessity sorry, the unnecessariness of some of it. It just seemed to be the first point of action for some people.
Q. Is it still going on?
A. I have no personal knowledge of it, but I presume it would be. LORD JUSTICE LEVESON Well, I think we can all speculate about that. One way or the other. MR BARR But you can't help us
A. No, not with any fact.
Q. with any firm information. Can you help us with recent disciplinary activity by WAPI? Has WAPI had to take disciplinary action against any members recently?
A. Our last one was just over a year ago, we had to evict somebody from the Association. It was nothing to do with hacking or blagging, it was an argument between a client the member did not (a) respond to me or (b) respond to the client initially respond to the client or (b) respond to me. It was considered that the only way to go was to evict him from the Association. That company still trades. Where's my teeth? Ain't got it.
Q. The section of the witness statement which starts at the bottom of page 6 is entitled "The media and private investigators." It says that the media have been a relatively common work source for a number of agencies throughout the UK; is that your understanding?
A. Yes. I would say so, yes.
Q. And you say: "The instructions are generally for the locating of individuals, untangling company groups and obtaining information in respect of persons who are or may be the subject of a newspaper story. The general consensus is that in accepting such instructions, the specified requirements are in the public interest." What's your understanding of the public interest test in these circumstances?
A. That it is a difficult one. I could only say that I would have to judge at the time. If it is a politician who may be taking bribes or may be having an affair with a he can be pressurised in some way, that again is a grey area. Public interest.
Q. What sort of methods are we talking about here? Are we talking about investigators thinking that it's all right to follow somebody or are we talking about the use of even more intrusive methods such as intercepting communications or blagging?
A. No, I would only say surveillance. It would come from surveillance. If sufficient time was put in, it will come from surveillance.
Q. You say in the statement you found no member who indicated that they'd been requested to perform illegal acts such as phone hacking, bugging or similar.
A. No.
Q. Can I ask you next what your view is as to whether or not there should be a custodial penalty for a breach of Section 55 of the Data Protection Act?
A. I think yes, for the ultimate breach. Obviously there would be mitigation in there, but yes. MR BARR Thank you. Those were all the questions that I have for you. LORD JUSTICE LEVESON Thank you very much indeed. Thank you for coming and standing in for Mr Withers.
A. Thank you.
MR BARR Sir, the next witness is Mr Butler, who has arrived, I think, since we resumed with the last witness, so again, might I ask you for five minutes to introduce myself to him, please?
LORD JUSTICE LEVESON Yes.
(12.41 pm) (A short break) (12.44 pm)
MR BARR Sir, thank you for the short adjournment. It transpires Mr Butler has been sitting listening to the evidence all morning. Perhaps he could be sworn in, please.
MR WILLIAM ANDREW BUTLER (sworn)
Questions by MR BARR
MR BARR Mr Butler, make yourself comfortable, please. Could you give us your full name.
A. William Andrew Butler.
Q. Are the contents of your witness statement true and correct to the best of your knowledge and belief?
A. They are.
Q. You tell us that you are the Chief Executive of the Security Industry Authority and have been so since July of 2009. You previously held the post of Director of Corporate Services at the Gambling Commission, and you've also worked previously with the Audit Commission and the Healthcare Commission. You have a degree in law and you are a member of the Chartered Institute of Public Finance and Accountancy?
A. That's true.
Q. The SIA is a statutory body, established by the Private Security Industry Act 2001, as amended, and it's the organisation responsible for regulating the private security industry?
A. That's correct.
Q. Its mission is to regulate the private security industry effectively, and you have two main duties. The first is compulsory licensing of individuals undertaking designated activities within the private security industry, and the other is managing voluntary approved creditor schemes.
A. That's correct.
Q. Perhaps I could pause at that juncture for you to explain to us what you're meaning by the "private security industry", because it's plainly very much wider than private investigators?
A. It is indeed, and arguably wider than the scope of what we regulate. What we regulate at the moment are those activities which have been designated under the Private Security Industry Act. They include man guarding, that's security guarding, door supervisors, close protection operatives, people who handle cash and valuables in transit and those who do public surveillance using CCTV. We also currently licence vehicle immobilisers commonly known as wheel clampers, that's expected to become unlawful at some point in the future and we'll stop licensing then, and people who hold keys as secure holders. As well as private investigators, there are other sectors which could be designated, for example security consultants, which have never been, and arguably there are other elements of the private security industry, for example those who install alarms or provide security software, who aren't currently contemplated in the Act, although the Act does allow the Secretary of State and the Home Office to introduce new sectors by order, so it's capable of extending. But man guarding, vehicle immobilisers and key holders are those currently covered.
Q. You tell us that licensing ensures that private security operatives are fit and proper persons, properly trained and qualified to do their job. Perhaps it's at this stage I can ask you about the position with private investigators. The position is, isn't it, that they're not yet designated activities and therefore they are not yet regulated by you?
A. That's correct.
Q. Your statement then sets out at some length the activity that there has been in trying to devise a way forward for the regulation of private investigators, and it's right, isn't it, that there has been an intention to regulate private investigators effectively throughout the entire existence of the SIA?
A. They weren't included in the original tranche of designated activity, but from the very outset, first of all informally and then more formally, consultation has taken place with a view, and I think you're absolutely right, the intent has always been there, the willingness has always been there, and the desire, certainly on our part, to bring private investigations. It's quite an important distinction. What the Act contemplates is the licensing of those involved in private investigations, not of private investigators. It's quite an important distinction in terms of the breadth of what is covered. We have failed singularly to achieve that so far. If I summarise, and I'm happy to elaborate otherwise, there are a number of issues which have prevented us as it were at a micro level on private investigations which range from issues around the availability of training, issues around the availability of parliamentary time to get the order through, and then there are more macro issues at an organisational level. This is one of the things that we have been doing. We have rolled out more broadly regulation across the whole of the UK, we've had problems internally on occasions in the past, and in the latest incidents we were ready to go but the questions as to the future of regulation more broadly have kind of put a hold on that and I think it's also fair to say that neither I and I can't speak for the Home Secretary, but I would assume in this case the Home Secretary would want to move forward now without the benefits of the recommendations of this Inquiry.
Q. There are a number of exhibits to your witness statement which take us through the history in detail. I'm not proposing to go to them in any detail at all, but it is right, isn't it, that there have been quite extensive consultation exercises to see what the industry wants?
A. There has, and I think it's not just those who provide private investigation. I mean, we've talked to police, serious organised crime, people to other agencies.
Q. I think the term is stakeholders.
A. Stakeholders is a term. LORD JUSTICE LEVESON No, I prefer you not using that word.
A. Yes, I'm with you on that, sir. We've spoken to lots of people. I think it's difficult to find anybody who doesn't think this is a good thing and something which should happen. MR BARR So the bottom line is everybody thinks it's a good thing, but for various unfortunate reasons, nothing has yet happened?
A. That would be a fair summary.
Q. Can I ask you then to tell us what is the position at the moment, so far as future intentions are concerned?
A. You'll forgive me if I talk a bit about how regulation might happen in the future, first, because I think that is the context in which we would be moving. Following the arm's length bodies review, which the government conducted following the election in 2010, it was announced that regulation of the private security industry would no longer be carried out by a non-departmental public body and there will be a phased transition to a new regulatory regime. We've been working with the Home Office and with the industry on what that might look like in future, and in the spring of last year, the government announced that there would be a new regime, there will continue to be robust statutory regulation of the private security industry, but the SIA at some point will be abolished in its current form and replaced with a regulator outside the government sector. I think somebody's already referred to something along the GMC model. I wouldn't use the word "self-regulation" in that phrase, because it will still be statutory and independent, largely, with greater industry involvement. In that context, that's where most effort on policy has been aimed over the last 12 months, as I'm sure you'll appreciate. However, the other commitment within that is at no point would the regime be weakened or narrowed. So the intention is still that the possibility of picking up private investigations would exist, and I think it's fair to say that that could be done either in anticipation of the new regime and accommodated within the new regime, or as part of the creation of the new regime.
LORD JUSTICE LEVESON Tell me how.
A. It requires the Home Secretary to take forward an order designating the private security designating private investigations. That's subject, I believe, to the negative resolution process, although I would have to check that. It's likely that before that happened, the definition that currently sits in the Private Security Industry Act, which I think is in schedule 2, may need to be reviewed in the light of current developments. For example, there are a number of areas which are excluded in private investigations within schedule 2, one of which is where the collection of information or the investigation is exclusively for journalistic purposes. LORD JUSTICE LEVESON That's excluding?
A. The schedule excludes the collection of information. The nature of the exclusion, I understand MR BARR We'll be coming back to the exclusion in a little more detail, if that's convenient. LORD JUSTICE LEVESON Certainly. MR BARR If that's the position at the moment, can I get a feel, and I understand it's not entirely your gift by any means, as to what sort of level of certainty we might have that something is going to happen in the short term?
A. Subject to the fact that I can't bind the Home Secretary
Q. What's your finger on the pulse
A. my personal view is there is a willingness to move forward, and to actually get private investigations into regulation. I have to say that with the best will in the world, that's not something that can happen quickly. Part of our problem has been that you have to have the capacity to test competence, the creation of a training formula, and you've heard already today that there have been consultations on that, but there's not entire agreement on those competencies, then the creation of accredited courses, then the training of trainers and the establishment of sufficient training to train, and our working assumption is around 5,000 people, in order to allow them to be licensed under the regime, is not something that would happen overnight. It would require a period of time. Given that failure to have a licence and operating would then constitute a criminal conviction, you have to give people the time to do the training and to register appropriately. So a period of at least 12 months, possibly 15, is going to elapse between the point at which there is confirmation and there is an enforcement date, I suspect.
Q. And so the model that's being put forward at the moment is very much more than simply registration; it is full competency testing?
A. Our model sits on two fundamental pillars. We also check identity and right to work in the UK, but the two fundamental pillars are the fit and proper, which involves an assessment of criminality, and competence, which involves the individual being able to demonstrate that they've met a nationally prescribed and described qualification. I think I should point out that that's to allow you to work in the industry. I think earlier today there may have been some confusion in language. It's not that you're fit to have a particular job; it's that you are licensed to work in the industry. The decision as to whether you get a particular job is a decision that rests with the employer and not the licensing, but you can't apply for that job without being licensed.
Q. And in terms of the level of checking of criminal records history, is it, as we heard from Mr Imossi, envisaged that that will involve a full CRB check?
A. It won't involve the enhanced CRB check. We've done research as to the benefits of enhanced checks. In the past across the entire population of the people we licence in total we're currently running at 371,000, so it's up on the figures that we gave in my statement in October the number where enhanced checks would make a difference are small, the cost would be significant, so it's a standard check that we use. The existence of criminality does not preclude licensing. Our "get licenced" standards really assess the severity of the criminality and how recent and how established it is and that criminality includes everything from a caution through to time in prison or otherwise.
Q. Can I just explore next about where this regulation is going to be focused? You talked about the individual having to be licensed, but is it right there's going to be more of an emphasis on regulating the businesses than the individual?
A. Yes. The prime focus of the new regime would be on licensing businesses. We have no doubt, and the feedback from the industry supports this, that fundamentally in the private security industry you need to get a grip on businesses if you're going to get a grip on unfortunately this is not the only area where there are concerns about the practices. Having said that, the new regime will continue to require that individuals are registered with the regulator LORD JUSTICE LEVESON So it will be a regulatory offence to employ somebody who is not authorised?
A. Either a company which is not licensed or an individual who is not registered. LORD JUSTICE LEVESON Save, except, for secretaries or that type of --
A. Yes, they would have to be people who were engaged specifically in the activities which are designated. LORD JUSTICE LEVESON All right. Let's pause there until 2 o'clock. Mr Butler, I won't require you to do this today, but you could think about it over lunch: I would like to know from you precisely what assistance I can give you and/or the Secretary of State to provide weight to the view that the regulation of this industry should happen sooner rather than later.
A. I'm happy to think about that and I think it's probably something that I would want to come back to you on, but probably jointly with officials and I think that may be possible. Perhaps, if we came back to it after lunch, I could speak to my colleagues. LORD JUSTICE LEVESON Yes. I don't insist that it's today. I'm going to be here for some time yet. But nothing that I have heard in the last three months persuades me other than the view that this is an industry that does require regulation, and I don't believe, simply on the basis of what I've heard today, that it could be a self-regulatory model, given the fractured nature of the associations that are involved in it. I don't anticipate you disagree with that?
A. I agree entirely with that. LORD JUSTICE LEVESON Right. Thank you. We'll pause there, but there's one thing I want to say. Ms Boase, this is going to involve you and, indeed, other core participants. In the light of the submissions that have been made in relation to the question of anonymous evidence, at my request Ms Stanistreet has provided a further statement that deals with what I might call the technical rather than substantive concerns about the evidence that she previously provided. For my purposes, I would be happy for short further submissions. I think News International will have received it, and similarly Associated Newspapers will have received it, and if the Guardian haven't, doubtless they will. I'm very content to receive short written additional submissions. If it's easier for us all to come tomorrow, we can do that, but I would have thought that something in writing, if anybody wants to add anything, by lunchtime tomorrow would be sufficient. But if you'd just think about that or ask Mr White, and Mr Caplan did make an appearance but didn't stay long enough to hear this, so if he could be asked that question, and similarly I don't think it is likely to impact on the Metropolitan Police, whose submissions I've seen. All right, 2 o'clock. Thank you. (1.05 pm)

