ECC0097
Thank you for providing Microsoft with an opportunity to participate in the Treasury Committee inquiry on online advertising and economic crime. I am providing a response to your correspondence of 5th November 2021 on behalf of Microsoft Ireland Operations Limited, the operator of the Microsoft advertising platform accessible from the United Kingdom which we call “Microsoft Advertising.” We coordinated with other Microsoft affiliates, including Microsoft UK Limited and Microsoft Corporation, to provide a comprehensive response.
We share the concerns raised by the Treasury Committee and agree that online fraud is a serious issue. We recognize the need to minimize the harm caused by online fraud. Microsoft has a long history of working closely with governments, the industry, and other stakeholders to ensure the integrity of our services and, as we outline further below, we are committed to doing the same to tackle the issue of online advertising economic crime.
To the best of our knowledge, we are not aware of public sector bodies, including the FCA, advertising financial fraud alerts with us in the last three years. We remain committed to cooperating with the relevant public bodies on consumer alerts, including via online advertising, as the situation may arise. Microsoft Advertising is supporting the Take 5 campaign by providing access to inventory on Microsoft’s owned and operated properties with an approximate value of £0.5M.
Microsoft Advertising promptly addresses legitimate requests from law enforcement, as well as other escalations, relating to advertisements which may violate our policies or that may otherwise pose a threat to consumer safety.
Microsoft has a dedicated team, LENS (Law Enforcement and National Security) to answer law enforcement requests. Microsoft may provide, in response to a valid domestic legal order, certain types of non-content data (such as registration details declared by the user at the time of account registration, or the services utilized) depending on the Microsoft service involved and the availability of such data.
To request content data (such as email content, technical headers, contact list, stored files, transaction logs), the law enforcement requestor must initiate an international judicial assistance procedure using the applicable Mutual Legal Assistance Treaty. This is because content data is commonly stored in international servers, often located across multiple jurisdictions. Once evidence (including this type of data) is located extraterritorially, the UK is obliged to follow the international system of judicial cooperation in criminal investigations and prosecutions to which it is party.
Microsoft will also comply with any valid legal orders (whether criminal or civil) for the preservation of data.
Microsoft handles such law enforcement requests through the Law Enforcement Portal, available at https://leportal.microsoft.com, for non-emergency law enforcement requests for preservation or disclosure of data. We have provided access to this Portal and related training to all principal UK law enforcement agencies. We have also created a facility for emergency requests (linked to situations like kidnapping, murder threats, terrorism threats, etc.) to be processed on a priority basis. Information is provided on a once off basis per incident where both law enforcement and Microsoft are satisfied that there is an immediate and credible threat of loss of life.1
Microsoft’s Digital Crimes Unit (“DCU”) – an international team of technical, legal, and business experts – has since 2008 been fighting cybercrime, including online fraud.
One of DCU’s main focus areas is to investigate and file civil actions and criminal referrals to law enforcement against technical support scams, a form of financial consumer scam. Through fraudulent tactics, including via misleading online advertising, scammers convince victims to provide access to their devices or pay for fake IT services by impersonating reputable technology companies like Microsoft, and DCU leverages both data analytics and direct customer complaints to investigate criminal networks engaged in this fraud. In the UK, DCU collaborates with the City of London Police and NFIB (National Fraud Intelligence Bureau) to support tech support fraud investigations and drive preventive efforts to protect consumers. In 2019 this collaboration, which also involved Indian law enforcement authorities, led to a series of arrests of fraudsters who had duped thousands of victims of their money in the UK and worldwide.
1 See a list of frequently asked questions on our law enforcement processes in our Law Enforcement Request Report (Microsoft CSR).
In addition, since 2010 the DCU has been focused on identifying, investigating, and ultimately disrupting cybercriminals’ malware distribution and communications infrastructures. To date DCU has led over 23 global botnet disruption operations (example: Trickbot disrupted - Microsoft Security Blog) targeting the criminal infrastructure of different malware families or nation-state actors, and stopping them from distributing additional malware, controlling victims' computers, or targeting new victims. In partnership with governments and Internet Service Providers, DCU has also identified and helped to remediate more than 500 million victim computers through its Cyber Threat Intelligence Program (“CTIP”). This free-of-charge, information-sharing initiative enables Microsoft to provide to select partners (for example, government CERTs) threat intelligence obtained through DCU’s investigations and technical analysis of criminal botnets’ command and control infrastructure. As a CTIP agreement signee, the National Cyber Security Centre receives this information related to UK victims and may use it to notify and help them clean malware out of their computing devices.
Microsoft Advertising contributes to the Microsoft Security Response Center (“MSRC”)’s Microsoft Interflow,2 a security and threat information exchange platform for cybersecurity analysts and researchers. Through the exchange of information, the MSRC aims to protect customers from current and emerging threats related to security and privacy including risks of fraud or identity theft.
Finally, as of July this year, Microsoft is also a member of the Stop Scams UK organization, a collaboration bringing together banks, telecommunications firms, and the technology sector, to fight online fraud in the UK.
Data privacy regulations restrict when and how we are able to share personal user data. We are committed to working with the rest of the industry and law enforcement, including through our participation in the Online Fraud Steering Group (“OFSG”), to create measures to reduce the threat of fraud online within the realm of applicable regulations, including data privacy regulations.
Microsoft Advertising financial products and services advertising policy3 (“the Policy”) requires advertisers based in the United Kingdom to comply with the Financial Services and Markets Act 2000 (“FSMA”) and the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 and specifies that:
(a) any advertiser carrying out a regulated activity under FSMA must be authorized by the FCA; and
(b) advertisements must adhere to regulatory requirements.
2 See MSRC - Microsoft Security Response Center
3 See https://about.ads.microsoft.com/en-gb/resources/policies/financial-products-and-services-policies.
Furthermore, the Policy acknowledges online fraud as a serious issue and does not permit advertisements for, among other things, non-regulated binary options, Ponzi schemes, pyramid schemes, solicitation of money from search users, and offerings that imply that non-participation might result in loss or bad fortune.
While an advertiser retains ownership of and responsibility for their ad content, the advertiser must agree to our terms when signing up for a Microsoft Advertising account and must comply with all applicable laws. Microsoft Advertising monitors the platform and removes ads and advertisers that violate our agreement and policies.
Furthermore, Microsoft Advertising has a formal engagement with the ASA. Microsoft Advertising responds to ASA enquiries and assists the ASA on an ad hoc basis with specific requests which may include requests to take down ads that contravene the ASA Code of Non-broadcast Advertising and Direct & Promotional Marketing (“ASA CAP Code”). Whilst advertisers are responsible for their compliance with the ASA CAP Code, Microsoft’s Advertising Policies on restricted and disallowed advertising content reflect and, in some cases, go further than the ASA CAP Code.4
We constantly review and update our policies and processes to ensure a safe online experience for our users and keep up with the ongoing challenges presented by “bad actors.” Microsoft ingests the FCA’s warning list for content takedown purposes. Additionally, we are actively exploring further pre-vetting mechanisms for advertisers engaged in financial promotions to UK consumers. We are actively engaged with the FCA, as well as industry trade groups, to assess the technical and operational feasibility of such options to tackle economic crimes issues holistically, while still providing legitimate financial firms with the best online advertising services at their disposal.
Microsoft Advertising’s commitment to consumer safety is reflected in the actions we have taken to remove advertisements and advertiser accounts that violated our policies. As reported in our Ad Quality blog,5 in 2020 we suspended nearly 300,000 accounts from the Microsoft Advertising platform, up 30% from 2019. We also removed 1.6 billion bad ads while 270,000 sites were also removed from our system.
4 Following consultation and a request from the ASA working with the Internet Advertising Bureau (“IAB”) in the UK in 2018, Microsoft agreed to add a link to the ASA CAP Code which can be found on ASA’s UK Advertising Policy homepage. The Microsoft Advertising Policies and Guidelines page now includes the following statement: “For additional marketing regulations in the United Kingdom, please see the CAP Code, which is administered by the Advertising Standards Authority.”
5 See https://about.ads.microsoft.com/en-us/blog/post/march-2021/ad-quality-year-in-review-2020.
As mentioned, Microsoft Advertising takes an active role in scrutinising advertisements it carries through its advertising policies which include specific rules on advertising financial products and services. Our Policy prohibits advertisement for products or services designed to facilitate illegal purposes, including tax avoidance and evasion schemes. More generally, our Misleading Content Policy6 prohibits advertising content that is misleading, deceptive, fraudulent, or that can be harmful to its users, including advertisements that contain unsubstantiated claims, or that falsely claim or imply endorsements or affiliations with third party products.
We employ dedicated operational support and engineering resources to enforce these policies, combining automated and manual enforcement methods to prevent or take down advertisements that violate our policies. Every advertisement loaded into the Microsoft Advertising system is subject to these enforcement methods, which leverage off machine-learning techniques, automated screening, the expertise of its operations team, and dedicated user safety experts. In addition, Microsoft Advertising conducts a manual review of all advertisements flagged to its customer support team and removes advertisements that violate its policies.
We are unable to provide an exact figure of revenue generated from paid-for advertising for financial services offered by firms which are not authorized by the FCA as we do not track and categorise advertising revenue in this way.
As previously mentioned, we are actively exploring further pre-vetting mechanisms for advertisers engaged in financial promotions to UK consumers. Recognizing the complexities and challenges in this area, we are assessing the viability of such mechanisms based upon both technical and operational feasibility. We consider associated costs as an investment in further enhancing the quality and safety of our advertising network. As we are considering various options and mechanisms which will require different financial investments, including investments that may be only partially attributable to the issue at hand, we cannot accurately estimate the associated costs.
6 See https://about.ads.microsoft.com/en-gb/resources/policies/misleading-content-policies.
Consistent with our commitment to reducing online fraud, we welcome further constructive discussions to address online economic crimes across the entire online advertising industry. We participated in the Government’s Tackling Online Fraud roundtable meeting on 29 April 2021, chaired by the Ministers of State for Countering Extremism and for Digital and Culture, together with other industry participants on this very topic. We are now participating in the follow-up to that meeting – the OFSG and its sub-group, the Online Fraud Delivery Group (“OFDG”) – where we are working with law enforcement, the financial services sector and other tech companies on a series of voluntary measures to reduce the threat of fraud online. The OFSG will report into the Home Office’s Joint Fraud Taskforce. Our view is that it is important for action against online fraud to be on a coordinated and industrywide basis, both to ensure a consistent approach and to avoid the risk of opening loopholes and consequent arbitrage opportunities to scammers. On this basis Microsoft Advertising welcomes the OFSG’s discussions on the creation of a set of principles in the form of a Digital Charter.
In addition to the OFSG meeting on 29 April, Microsoft representatives have attended the following meetings with Government departments and agencies:
19 November 2019 – Meeting with the FCA to discuss Stop the Scams programme
21 April 2021 – Pre roundtable meeting with Home Office and DCMS
17 May 2021 – OFSG - Home Office/DCMS/FCA/NCA all invited/attended
16 June 2021 – Meeting with the FCA
22 June 2021 – OFSG - Home Office/DCMS/FCA/NCA all invited
6 July 2021 – Meeting with the FCA
15 July 2021 – OFDG - Home Office/DCMS/FCA/NCA all invited
15 July 2021 – OFDG Education and awareness sub-group - NCA invited
28 July 2021 – OFDG Online Advertising sub-group
18 Aug 2021 – OFDG Education and awareness sub-group – NCA invited
18 Aug 2021 – Internet Advertising Bureau and the FCA?
3 Sept 2021 – OFSG - Home Office/DCMS/FCA/NCA all invited
6 Sept 2021 – OFDG Innovation and prevention sub-group
29 Sept 2021 – OFDG – Home Office/DCMS/FCA/NCA all invited
4 Nov 2021 – OFDG - Home Office/DCMS/FCA/NCA all invited
17 Nov 2021 – Meeting with the FCA
The above list is accurate to the best of our knowledge, but we do not keep a comprehensive central register of all our meetings with the Government so online fraud and financial crime may have been discussed at other meetings. Some of the meetings above have many attendees so although representatives of government departments were invited, we cannot confirm in every case whether they attended.
As previously mentioned, we constantly review and update our policies and processes to ensure a safe online experience for our users and keep up with the ongoing challenges presented by bad actors. We are confident that the investments we are making in removing and preventing fraudulent or misleading advertisements will decrease the risk of customer fraud or other financial loss on our platform.
We are also aware of the ongoing challenges presented by bad actors who employ sophisticated techniques to elude our detection mechanisms and endanger consumers and our legitimate customers alike. Our legitimate advertisers may fall victim to account compromise or payment instrument fraud issues. We developed processes to mitigate the likelihood and negative repercussions of such occurrences, including by issuing refunds to our advertisers whose payment method was used without authorization to fund advertising on our platform.
Acknowledging our strong commitment to consumer safety and the complexity of the matter at hand, we believe that online economic crimes need to be addressed holistically across the entire online advertising industry, in close collaboration with the subject-matter experts in this area, such as the FCA.
Thank you for giving us an opportunity to share our views and the activities that we currently undertake to tackle online fraud with the Treasury Committee. Please do not hesitate to contact us should you have any further questions regarding the matters detailed in this letter.
Yours sincerely,
December 2021