Feeds

Police legal advice gives spam RIPA protection

None for your read messages though

Combat fraud and increase customer satisfaction

The voicemail hacking incident is still exercising MPs – especially the Labour ones who did little to protect individual privacy during the party's decade in power (see last week’s blog).

So when Assistant Commissioner John Yates of the Metropolitan Police Service (MPS) gave evidence on “Specialist Operations” to the Home Affairs Select Committee (last week), MPs on the Committee took the opportunity to ask a range of questions about the lack of prosecutions re such hacking.

Yates’ answers reveal that the MPS has obtained legal advice from a leading QC which, if applied in practice, means that unread spam messages receive a high level of privacy protection under the Regulation of Investigatory Powers Act (RIPA) whereas read private email messages of immense confidentiality do not receive any privacy protection from RIPA. Don’t believe me? Then read on.

In relation to the incidence of “voice mail hacking”, Yates said the following (at Q5):

Hacking is defined in a very prescriptive way by the Regulation of Investigatory Powers Act and it’s very, very prescriptive and it’s very difficult to prove.... There are very few offences that we are able to actually prove that have been hacked. That is, intercepting the voicemail prior to the owner of that voicemail intercepting it him or herself.

Note my emphasis on “prior to the owner of that voicemail intercepting it him or herself”? What does that imply?

Consider the relevant provisions of RIPA and its definition of interception. Section 2(2) of RIPA states that “a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if [he makes] some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication”. Section 2(4) states that an “interception of a communication” has also to be “in the course of its transmission” by any public or private telecommunications system.

I had not appreciated the significance of “in the course of its transmission” or “while being transmitted” until now – but John Yates’ testimony has put an end to that. What Yates appears to be telling the Home Affairs Committee is that the MPS legal advice states that once the lawful recipients have read or listened to their Inbox messages, there can be no interception in connection with those messages. The RIPA offence falls away because each read message “has been transmitted” rather than “is being transmitted”.

So consider your email (or telephone) inbox. According to the MPS legal advice, if someone gains unauthorised access your unaccessed voicemail or inbox messages, there is an interception of communications under RIPA, and the risk of a custodial sentence. If you have read your messages, there is unlikely to be an interception and no RIPA offence. Of course Section 55 offence under the Data Protection Act could be engaged, but that is not going to frighten anyone (see last week’s blog).

Now consider what you did today. In your email inbox will be all sorts of messages, some of which you will no doubt leave unread (eg spam in your deleted items folder), and some of which you will undoubtedly read and subsequently cherish (eg mailings from me or Amberhawk). The unread deleted messages gain the full protection of RIPA, whereas those messages that you have read do not. In other words, the MPS legal advice appears to imply that RIPA provides a very a topsy-turvy world of privacy protection.

However, there is a more serious side to the MPS legal advice. If it is correct, then any claim that RIPA provides a high level of protection against the misuse of RIPA powers by law enforcement agencies could easily be misplaced. For instance, suppose the law enforcement agencies wanted to gain access to the content of your email inbox: in relation to the content of your read messages, there would be no interference, and there would be no need to obtain a warrant, because RIPA is not even engaged. RIPA’s warrant provisions only cover unread messages.

However, access to the content of your read inbox items would be protected by the Data Protection Act. As this legislation provides for very minor offences and a weak, underfunded, regulatory regime, that is why the MPS legal advice has far more worrying consequences.

It is for this reason that the arguments underpinning the MPS legal advice have to be published in full - Mr Yates' comments on RIPA cannot be left to gather dust. If they are seen to be correct, then Parliament needs to call for a complete review of all RIPA powers, as when it provided public authorities with intercepting powers in 1999, Parliament had in mind the content of all messages – not just the unread ones.

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

SANS - Survey on application security programs

More from The Register

next story
EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?
Wait 'til this one hits your pension fund where it hurts
Systems meltdown plunges US immigration courts into pen-and-paper stone age
Massive outage could last four weeks, sources claim
RIP net neutrality? FCC boss mulls 'two-speed internet'
Financial fast track to replace level competitive playing field, report claims
Lavabit loses contempt of court appeal over protecting Snowden, customers
Judges rule complaints about government power are too little, too late
UK.gov chucks £28m at F1 tech for buses and diggers plan
Well, not really F1 but who's heard of LMP and VLN*?
Don't let no-hire pact suit witnesses call Steve Jobs a bullyboy, plead Apple and Google
'Irrelevant' character evidence should be excluded – lawyers
Record labels sue Pandora over vintage song royalties
Companies want payout on recordings made before 1972
Edward Snowden on his Putin TV appearance: 'Why all the criticism?'
Denies Q&A cameo was meant to slam US, big-up Russia
Ex-Tony Blair adviser is new top boss at UK spy-hive GCHQ
Robert Hannigan to replace Sir Iain Lobban in the autumn
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.