I write further to your letter dated 26 April 2007, requesting clarification of points made in your letter dated 1 March 2007 and seeking answers to a number of specific questions.

OPERATION ORE

  In September 1999, the US Postal Inspection Service searched the premises of an American based online trading company known as Landslide Inc. this company was providing access for payment to adult pornography and child abuse images. Material was seized which included a database containing the list of subscribers. In September 2001, following the conviction of Thomas and Janice Reedy, owners of the company, Landslide Inc transaction information was received by the National Criminal Intelligence Service.

  Prior to any public statement alerting suspects to the investigation, 50 cases across 31 different police force areas were actioned. The overwhelming majority of these cases led to child abuse images being found on computers.

  In September 2002, the National Crime Squad took the responsibility for national co-ordination dealing with the dissemination of the subscriber data. This included a co-ordinated approach to the categorisation and prioritisation of individual suspects based on their potential access to children.

  This transaction data consisted of information submitted by a customer in purchasing access to the websites, which included their name, address, credit card number, email address and a customer selected password. In April 2004, following the first incitement case, further forensic work revealed the capture of the subscriber IP address and the credit card verification logs.

  In the majority of Operation Ore cases, police forces have used the data from Landslide Inc to commence investigations into the suspected possession of indecent images of a child. Once the individual packages were released to the forces, it was the responsibility of individual Chief Constables to decide whether to undertake investigations. Following investigation, forces considered whether offences had been committed and warranted judicial proceedings; each case was independently scrutinised by the local Crown Prosecution Service (CPS).

  To the best of my knowledge more than 2,450[1] individuals have been successfully held to account. This figure presently shows a 93 per cent rate of guilty pleas and includes more than 700 admitting their guilt in receiving a formal caution. In almost 2,300 cases, child abuse images were discovered. In 21 per cent of all dissemination cases, following an investigation, the Police Service took no further action.

  Following the publicity generated by some high profile cases and greater levels of awareness that an investigation was ongoing, the CPS developed a response for the occasions where no images were found. A CPS prosecution strategy emerged, focusing on the subscriber incitement of the Reedys to distribute child abuse material. The CPS additionally drew up and issued best practice guidelines.

  These incitement cases number only 161. This figure represents 1.8 per cent of the total dissemination of transaction data. In the majority of these cases (68 per cent), the individual admitted their guilt and received an adult caution with placement on the sex offenders register. The remaining cases were subject to court proceedings resulting in 24 convictions and two acquittals. The CPS chose not to proceed in 13 cases. Only 10 contested incitement cases presently remain outstanding.

  In these incitement cases, the evidential connection between the personal details provided, the identity of the user and a direct link to a site offering child abuse images is clearly key. This is a matter dealt with on a case by case basis, subject to the particular circumstances.

  I will now deal with the questions you have posed in your letter dated 26 April 2007.

Whether CEOP (or the police prior to the establishment of CEOP) have launched investigations into suspected online child abuse on the basis solely of the use of credit cards online

  CEOP has not launched investigations into suspected online child abuse cases in the context of Operation Ore. This is the responsibility for local police forces.

  In my experience when an Internet user subscribes to a website offering child abuse images, they provide personal data to a registration page. Similarly to the explanation above, this data may include:

—  Name.

—  Postal address.

—  Email address.

—  A personal password.

—  Their credit card details.

  In addition, the IP address of the subscriber may be captured by the system (the IP address can provide information indicating the address or location of the subscriber).

  This information is analysed by the local police who then attempt to identify the particular individual who accessed the site by providing that information. Their enquiries may include: postal address; any previous offending history; existing intelligence or other relevant information; and, whether the credit card was reported lost or stolen.

Whether CEOP (or the police) have sought and been granted search warrants to enter premises and seize materials on the basis solely of the use of credit cards online

  CEOP have not sought or been granted search warrants on the credit card information. However, CEOP cannot comment on what other police agencies may or may not have done.

Whether any prosecutions, in particular for incitement, have been brought, in particular under Operation Ore, on the basis solely of credit card information

  To the best of my knowledge, in all incitement cases, additional evidence beyond simple single credit card details have supported the prosecution. I understand that where there is doubt, suspects have been given the benefit of the doubt.

  In my view, where there is an allegation relating to child abuse (directly or indirectly) it is for the police to establish whether and by whom an offence has been committed, plus to ensure no children are at risk. If sufficient evidence exists and it is in the public interest, a file is submitted to the CPS for their consideration as to a prosecution or otherwise. The evidence is considered by the defence teams and their consultants. The veracity of that evidence is then further tested by the Courts to a standard that is beyond reasonable doubt.

  The police are under a duty to disclose material to the defence that either undermines the case for the prosecution or assists that of the defence. This obligation requires the police to pursue all reasonable lines of enquiry including those that point away from the suspect. Failure to comply with these obligations may result in the court refusing to allow the prosecution to continue and staying the case as an abuse of process. Whilst I am unable to comment on the disclosure decisions in individual cases I would expect that once a defendant has raised the possibility of his being the victim of credit card fraud, enquiries would be undertaken in order to ascertain if that was correct.

Whether any investigations or prosecutions are pending and if so, how many under Operation Ore in which the only evidence available is credit card evidence

  A number of investigations and prosecutions are pending. No prosecutions, to my knowledge, are pending where the only evidence available is a simple single credit card transaction. As already stated individual police forces are responsible for the investigation of individual cases.

What impact the prevalance of online credit fraud and identity theft (most recently the hacking of TK Maxx) has had in your view of the reliability of unsupported credit card evidence as a basis for launching investigations and prosecutions for online child abuse

  This question has been previously addressed. However, I want to reiterate the point, that members of the Committee must be clear on the distinction between an investigation and prosecution. In my view, where such an allegation exists that relates to child sexual abuse, the police are duty bound to establish whether and by whom an offence may have been committed. That investigation in my view would never lead to a prosecution solely on the basis of simple credit card evidence.

  I note from your letter, that the Committee mentions a case. This inquiry, to my knowledge, was not proceeded with on the basis of unsupported credit card use, and a number of facts were taken into account by the relevant police service and thereafter the CPS before a decision to prosecute occurred. This matter can be further clarified in writing by the police service concerned if the Committee so wishes.

  I note you have chosen to accept Mr Campbell's magazine articles as evidence. I therefore think it appropriate that I respond to some specific issues raised.

Fraud

  Although I do not ignore the possibility of fraud, reading the PC Pro article, from the information available to me, I can not recognise the article's analysis or outcomes.

  Inevitably there will be some element of fraudulent activity on the Landslide Inc. system. I am, and remain, unaware of the "endemic" or "widespread" nature of fraud as suggested in Mr Campbell's article. I believe the proper place to debate the issue whilst cases are outstanding is in a court of law.

Fraud tested in the Courts

  In the incitement case of R v O'Shea, O'Shea took Coventry Magistrates Court to judicial review, challenging the sufficiency of evidence to justify his committal to to Crown Court. The High Court sitting in the Royal Courts of Justice dismissed the application, stating that details of email, postal address and credit card were sufficient for a jury to draw the conclusion, if so minded, that the person with that identity was the person who had keyed the information into the computer.

  In "C" v Chief Constable of "A" Police and "A" magistrates court, "C" sought that the police should formally acknowledge that there was no case against him and stop their Operation Ore instigated investigation. Albeit the local police did receive some criticism, rather than an apology, the High Court determined it had been reasonable for the police on the basis of the information disseminated and developed by them, to commence and continue an investigation. More specifically, the High Court found that the claimant's case fell far short of establishing that the police were bound to conclude that the claimant was a victim of identity theft. The lead Judge emphasised that what is perhaps a possibility should not be presented as a probability.

Kean Songy's post mortem report

  In relation to Mr Campbell's account of a post mortem study of Landslide, CEOP have obtained a statement from Mr Kean Songy. Songy states he had a limited conversation with Mr Campbell. He denies the assertions attributed to him, stating a review of credit card activity prior to the police search of Landslide Inc. does not translate into a post mortem study. Mr Songy cannot understand how Campbell has reached his conclusions. We note that Kean Songy suggests one of the possible options is that there was no fraud.

Defence access to the hard drives

  Following the copying of the Landslide Inc hard drives in October 2002, responding to CPS advice in meeting disclosure guidelines, arrangements were made for their examination by defence representatives. In providing the appropriate environment and facilities, two independent defence examiners were consulted. For the purpose of contested cases, defence representatives, including Duncan Campbell, have visited the examination facilities on numerous occasions.

  As the original material includes the abusive images of children, evidence of linked prosecutions, details of persons suspected of offences not yet dealt with and potentially information identifying innocent people, defence representatives were asked to sign a confidentiality agreement. Again, Duncan Campbell has signed such a document.

  In the case of R v Bird, the defence counsel using Mr Bates' services requested a copy of the entire database. Judge Baker agreed the defence team were permitted to inspect the Landslide Inc. system. However he was not persuaded that Mr Bates' lack of familiarity with Linux justified a full copy of the system nor that he was unable to conduct the work required save only at his own home.

Belfast Crown Court

  The defence produced a hand written note, requesting that parties exchange details of approximately 250,000 files on Landslide Inc. computers. This exchange was to include hash values of the hard drives, but not the content. This indicated to the prosecution team that the author of this document has access to the hard drives from Landslide Inc., potentially including indecent images of children.

  This note therefore may be evidence of an offence. As such, the PSNI on behalf of the prosecution declined to return it to the defence team. As soon as the Judge offered to retain the note, the PSNI officer co-operated with the court, exhibiting it as evidence of an offence and leaving it in possession of the court.

  Consideration was given as to whether Mr Campbell should be cautioned. A caution is not a threat. A caution is designed to protect an individual of whom there are grounds to suspect an offence may have been committed.

  If an individual claims to have copies of the Landslide Inc. hard drives, clarification is required to determine what they have and whether it has been obtained in accordance with the law. If their material includes abusive images such individuals may well be committing a criminal offence.

  CEOP are aware that Landslide Inc. transaction data has been released and distributed. This distribution is unauthorised. This information includes details of persons eliminated from enquiries and suspects who have yet to be dealt with. In my opinion, any unauthorised public release of this data is irresponsible, risking public identification of such individuals and potentially obstructing policing activity.

Co-operation

  I am aware the CPS in relation to Operation Ore disclosure obligations has written to both Mr Campbell and Mr Bates seeking information that would undermine the Ore generic evidence. I am advised to date Mr Campbell has provided no credible information. Mr Bates has not replied to their requests.

IN CONCLUSION

  In preparing this letter, I have tried to balance the public nature of the Committee's work with the sub judice of outstanding prosecutions. It is also difficult challenging points made without abusing the parliamentary privilege.

  I hope this letter whilst answering your questions, provides further clarity on Operation Ore. Should you wish further evidence, I am willing to attend your convenience in person.

1 June 2007