Feeds

Police may have had a duty to notify phone-hacking victims

Make sure no-one's listening in when you do, though

  • alert
  • submit to reddit

High performance access to file storage

The Metropolitan Police knew that numerous mobile phones had been illegally hacked by private investigators but failed to alert the phones' owners, according to The Guardian newspaper. If so, the victims should have been told, a privacy expert has said.

The Guardian alleged this week that Rupert Murdoch's News Group newspapers paid out more than £1 million to settle legal cases that threatened to expose evidence of journalists using private investigators to hack into the private mobile phone messages of numerous public figures.

"The suppressed legal cases are linked to the jailing in January 2007 of News of the World reporter Clive Goodman for hacking into the mobile phones of three royal staff," it reports. It also adds that at that time, News Group newspapers' parent, News International, claimed that it knew of no other journalist involved in hacking phones.

It cites two unnamed sources in the Met, one of whom claims that officers found evidence of "two or three thousand" mobile phones having been hacked. The Guardian says that the Met failed to notify the owners of those phones and says that the evidence calls that failure into question.

Rosemary Jay, a data protection expert at Pinsent Masons, the law firm behind OUT-LAW.COM, said that if police knew the details of numerous hacked phones, they would have had a duty to notify the phones' owners.

The hacking of phones is a crime under the Regulation of Investigatory Powers Act 2000. According to Jay, police would have a duty under the Data Protection Act to notify the victims.

"If a crime has been committed in the way that is suggested and police knew the people affected, I think police would have a duty themselves under the Data Protection Act to notify the victims," she said. "That would have given them an opportunity at least to change their mobile phone numbers."

The Data Protection Act says that personal data must be processed fairly and lawfully. It also says that when personal data is obtained from someone other than the subject, the controller of that data must ensure that the subject is given some basic information about the circumstances of the data being obtained.

"This would not apply if telling individuals would entail a disproportionate effort, or in cases where the disclosure would prejudice the prevention or detection of crime," said Jay. "But I struggle to see how the police could rely on either of these justifications. Calling these people is neither laborious nor likely to hamper any investigation."

The Guardian also alleges unauthorised access to confidential databases, such as telephone accounts, bank records and the DVLA's vehicle database. That is an offence under section 55 of the Data Protection Act, but not one that can be punished by a custodial sentence.

In 2006, Information Commissioner Richard Thomas called for that to change, arguing that the 'blagging' of personal data had to be deterred. He said that the illegal buying and selling of personal information should carry a maximum penalty of two years' imprisonment.

The Criminal Justice and Immigration Act of 2008 provides for that custodial sentence, but the provision has never been brought into force.

"I expect that the new Commissioner, Christopher Graham, will call for that change on the back of today's allegations," said Jay.

"There is a defence to section 55 and the new amendment where the circumstances of the blagging can be justified as being in the public interest – but that will not justify fishing expeditions," she said. "Amid today's allegations that blagging was systematic, affecting thousands of individuals, there are unlikely to be more than a handful of cases that can be justified as being in the public interest."

A spokesman for the Information Commissioner's Office told OUT-LAW today: "Any changes to the law are of course a matter for the Ministry of Justice but the ICO continues to believe that custodial sentences are needed as an effective deterrent to those who might be tempted to take part in the unlawful trade in personal information."

"We will be watching the blagging market closely, will prosecute any case supported by evidence and will highlight future breaches of section 55 of the Data Protection Act to Ministers and to Parliament," the spokesman said.

Under RIPA, both the hacker of a mobile phone and those who commissioned the hacking would face the risk of prosecution. There is no public interest defence in that law.

The Met police declined to comment on the accuracy of the Guardian's allegations.

Copyright © 2009, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

High performance access to file storage

More from The Register

next story
Android engineer: We DIDN'T copy Apple OR follow Samsung's orders
Veep testifies for Samsung during Apple patent trial
MtGox chief Karpelès refuses to come to US for g-men's grilling
Bitcoin baron says he needs another lawyer for FinCEN chat
Did a date calculation bug just cost hard-up Co-op Bank £110m?
And just when Brit banking org needs £400m to stay afloat
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
EFF: Feds plan to put 52 MILLION FACES into recognition database
System would identify faces as part of biometrics collection
Big Content goes after Kim Dotcom
Six studios sling sueballs at dead download destination
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
Alphadex fires back at British Gas with overcharging allegation
Brit colo outfit says it paid for 347KVA, has been charged for 1940KVA
Jack the RIPA: Blighty cops ignore law, retain innocents' comms data
Prime minister: Nothing to see here, go about your business
Singapore decides 'three strikes' laws are too intrusive
When even a prurient island nation thinks an idea is dodgy it has problems
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.