interception.pdf

1

Title:

Striking a Balance between Data Protection and Lawful

Interception in the Provision of Communications Services

Franklin F Akinsuyi (LL.B, MSc, LLM)

March 2004

Copyright

2

Table Of Contents .......................................................................................................................................... 1. Introduction .............................................................................................................. 4

1.1 Methodology ....................................................................................................... 5 2. Data Protection and Communications: .................................................................. 6

2.1 Nature of the problem ....................................................................................... 6 2.1.2 What is Personal Data? .................................................................................. 7 2.1.3 What is data protection? ................................................................................ 8 2.1.4 Why do we need data protection? ................................................................. 9 2.2 Data Protection Legislation: ........................................................................... 11 2.2.1 EU Data Protection Principles ..................................................................... 12 2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC):.................................................................................................................................. 15

2.2.2.1 Security Measures .................................................................................. 16 2.2.2.2 Confidentiality of Communications ......................................................... 17

2.2.2.3 Caller and Called Line Identification .......................................................... 19 2.2.2.5 Emergency and Nuisance Calls..................................................................... 21

2.3 United States and privacy of communication ................................................ 25 2.3.1 Privacy of Communication Laws In The United States ........................ 26 2.3.1.1 The Telecommunications Act 1996 ....................................................... 26 2.3.1.2 The Location of Privacy Protection Act of 2001 ................................. 27 2.3.1.3 Spyware Control and Privacy Protection Act 2001 ............................ 28

3. Law enforcement and privacy of communications ............................................. 30 3.1 Why Lawful Interception? .............................................................................. 32 3.3 What is intercepted under lawful Interception? ........................................... 38 3.4.1 Lawful Interception Laws in the United Kingdom .................................... 39 3.4.2 Lawful Interception in the United States .................................................... 42 3.4.3 Lawful Interception in Australia ................................................................. 45 3.5 Lawful Interception requirements of Communications service providers . 47

3.7 Data Retention ...................................................................................................... 53 3.7.1 Impact of Data Retention Laws on Communications Service Providers.............................................................................................................................. 57

3.8 Conclusion ........................................................................................................ 59 4 Information security and communications ........................................................... 61

4.1 What is information security? ........................................................................ 61 4.1.1 Why Information Security? ......................................................................... 62

5 Concluding ............................................................................................................... 68 Bibliography ............................................................................................................... 72

4

1. Introduction

Within the last 10 years the manner in which telecommunications is used has changed

vastly since the introduction of liberalisation and competition measures.

Liberalisation has led to more players in the telecommunications arena in all areas of

the sector.

Indeed the mobile phone market is an example of the shift in the major provision of

telecommunications services from former state owned institutions to private

organisations, while the Internet has spawned new service providers to the

communications industry such as Internet Service Providers.

The introduction of these services and enterprises has led to the amendment and

introduction of new legislation to regulate the manner by which these

communications service providers operate. The objective of a number of these

legislations is to protect the privacy and maintain the confidentiality of the

subscribers communication and information when they use these systems to

communicate.

While it is to be noted that privacy of communications legislations are to ensure that

privacy and confidentiality of communications is maintained, it is to be observed that

telecommunication systems are used by criminals and terrorists to transmit

information about their activities. In certain instances these communications may be

the only source for proving that individuals are involved in activities that are criminal

or which threaten national security.

For instance in an investigation on insider dealing, almost the entire case rested on the

date and time of telephone calls made between various defendants. Telephone records

5

were obtained from business and home telephone numbers with the brokerage firm

providing details of incoming and outgoing calls to clients1.

As such it has become necessary for legislation to be introduced to permit law

enforcement agencies to access the communications of individuals in the fight against

terrorist and serious criminal activities.

This purpose of this essay is to highlight how the conflicting issues of privacy to

communications and interception of communications affect communications service

providers2 in their efforts to provide confidential services on the one hand and law

enforcement agencies fight against crime and terrorism on the other.

1.1 Methodology

The first phase of the essay will take the shape of analysing the concept of data

protection and privacy with a view to analysing how legislation in this area affects

communication services providers operations and their handling of personal data.

The next phase of the essay will look at legislation relating to lawful interception and

data retention with a view to look at circumstances when the balance of maintaining

privacy of communications data on the part of the communications provider interacts

with the need for lawful enforcement agencies requirements relating to data retention

and lawful interception.

The third phase will look at the issue of information security highlighting the effects

data protection and data retention legislations have on how communications service

1 See Tackling Insider Dealing p13 Home office Consultation Paper: Access To Communications Data Respecting Privacy and Protecting the Public From Crime March 2003 2 Communications service provider in this essay includes Telecommunications Operators, Telephone Service Providers, Internet service providers, Mobile Phone Operators, Communications Network Operators

6

providers implement information security measures when dealing with data retention

and lawful interception.

The final phase of the essay will consist of conclusions and recommendations.

From a geographic perspective while telecommunications issues are a global

phenomenon, this essay will focus mainly on how these concepts influence

communications service providers in Europe and the United States.

2. Data Protection and Communications:

2.1 Nature of the problem

The telecommunications industry has seen a large uptake in the manner in which

people have been subscribing to the services that are being offered. Indeed this can be

seen with the radical changes from the previously limited fixed line services in the

earlier years to the introduction of the mobile telephone. The advent of the Internet

along with the integration of voice, video, data and communications via a single

stream3 has led to cheaper and faster ways of communicating. New services rendered

by mobile phone companies have indeed led to with the introduction of 2.5 and 3rd

generation mobile phone networks made it possible for subscribers to send pictures to

each other using these services.

Coupled with this technological development in communications, is the requirement

to ensure the privacy of an individuals data in line with current legislations when

these technologies are being utilised.

3 Also called convergence

7

The problem is that technology makes it much easier to infringe upon the rights of

individuals especially with regards to their personal data. Numerous organisations4

have identified this situation and have for years been championing the call for greater

awareness to make sure that the individuals fundamental human rights are not

infringed.

It is a well-known fact that convergence of these technologies makes it easier for

marketing companies to process data to profile people. Like wise it can be argued that

it is also possible for criminals to easily gather information about others in their quest

to forge identities5 in their quest to commit crimes.

In recognition of the risks that can accrue to an individual, privacy laws have been

enacted to define what constitutes legal and illegal activity when it comes to the

protection of an individuals data whilst it is being transmitted over

telecommunication streams.

2.1.2 What is Personal Data?

The UK Data Protection Act6 identifies personal data as follows, data that relates to a

living individual who can be identified from such data or and other information which

is in the possession of, or is likely to come into the possession of, the data controller7

and includes any expression of opinion about the individual and any indication of the

intentions of the data controller or any other person in respect of the individual8.

4 For example electronic privacy information centre www.epic.org and Electronic Frontier Foundation www.eff.org 5 See Internet fraud watch www.fraud.org and Internet fraud centre www1.ifccfbi.gov 6 Data Protection Act 1998 7 Person entitled to hold data about individuals 8 Section 1(1) Data Protection Act 1998

8

It must be stated here that personal data does not just relate to text, but can also relate

to a CCTV9 image10.

2.1.3 What is data protection?

Data protection involves the implementation of administrative, technical or physical

measures to guard against unauthorised access to such data.

It stems from legislative requirements such as the European Convention for the

Protection of Human Rights and Freedoms11 and has with the advancement in

automated processing of data been influenced by new legislations such as Directive

1995/46/E.C on the protection of individuals with regard to the processing of

personal data and on the free movement of such data hereinafter referred to as the

Data Protection Directive12 to the privacy and electronic commerce directive13. It

involves the protection of personal data, which covers both facts and opinions about

an individual.

An instance of privacy legislation can be illustrated with the European Convention on

Human rights, which provides for the right of respect to private and family life14. It

further provides that there shall be no interference by a public authority with the

exercise of this right except such as in accordance with the law and as is necessary in

a democratic society in the interests of national security, public safety or the economic

9 Data Protection Act identifies data as information that is processed by means of equipment operating automatically in response to instructions given for that purpose and is recorded with the intention that it should be processed by means of such equipment. 10 See also CCTV Looking out for you Home office publication November 1994 11 Article 8 (1) Convention for the Protection of Human Rights and Fundamental Freedoms as Amended by Protocol No 11 12 Directive 1995/46/E.C.[1995] 0.J. L281/31 13 Directive 2002/58/E.C OJ L 201/37 14 Article 8 (1) European Convention On Human Rights

9

well being of the country, for the prevention of disorder or crime, for the protection of

health or morals or for the protection of the rights and freedoms of others15.

This has implications regarding information relating to data of individuals in relation

to how it is kept processed and transmitted, this is so especially since misuse can lead

to a breach of the aforementioned right.

2.1.4 Why do we need data protection?

The development of technology has led to more convenient methods of carrying out

daily routines; indeed, many activities which in the past required physical presence

before a purchase could be made of a product now only need the supply of personal

details. The down side of this is that while it has led to faster means of

communicating and development of business, there is especially with the advent of

the Internet a rise in identity theft16. Also, with the proliferation of business activity

a number of organisations have sprung up which have identified the fact that

information about a person can be of value to other organisations.

This has led to a number of underhanded means of collecting personal information in

what appear to be promotional information leaflets only for this information to be

collated and then sold to marketing companies. It is this type of activity that has led to

the call and development of data protection laws leading to stiff penalties for

organisations that breach them. Indeed, under the UK 1998 Data Protection Act it is

15 Article 8 (2) European Convention On Human Rights 16 For the purpose of this essay Identity theft occurs when a person or group of people obtain and use someone elses name, credit card number, social security number or other personal information without that persons consent with the intent of using such information to commit fraud or other crime

10

an offence for a person, knowingly or recklessly, without the consent of the data

controller, to obtain personal data17.

To buttress this point further an individual named Alistair Fraser, trading as Solent

Credit Control18, recently pleaded guilty to offences of unlawfully obtaining and

selling personal information in breach of the Data Protection Act 1998. Mr Fraser had

obtained the personal information of certain individuals by deception from the

Department for Works and Pensions. He then sold the information to third parties. He

was found guilty and fined. A feature of this case is the fact that it was brought to

court by the Information Commissioner, thus showing that the Commissioner is

prepared to use enforcement powers to combat and discover agencies that illegally

obtain and sell personal information19.

In the United States organisations that breach the provisions of data protection

legislations relating to privacy of information are severely punished on conviction as

can be illustrated where recently in United States of America (for the Federal Trade

Commission) v. Hershey Foods Corporation20: In this case, Mrs. Fields Cookies and

Hershey Foods Corporation each agreed to settle Federal Trade Commission charges

that their Web sites violated the Children's Online Privacy Protection Act (COPPA)21

Rule by collecting personal information from children without first obtaining the

proper parental consent. Mrs. Fields are to pay civil penalties of $100,000 while

Hershey will pay civil penalties of $85,000. The separate settlements also bar the

companies from violating the Rule in the future and represent the biggest COPPA

penalties awarded to date. The COPPA Rule applies to operators of commercial Web 17Section 55 (1&3) Data Protection Act 1998 18 See www.csa-uk.com/news-facts-press_index/newsletters/autumn202002.pdf page2 19 Section 60 (1) Data Protection Act 1998 20 see www.ftc.gov/opa/2003/02/hersheyfield.htm 21 15 U.S.C 6501-6505

11

sites and online services directed to children under the age of 13 and to general

audience Web sites and online services that knowingly collect personal information

from children under 13. Amongst other things, the Rule requires that Web site

operators obtain verifiable consent from a parent or guardian before they collect

personal information from children22.

2.2 Data Protection Legislation:

In this section I will be analysing the various legislations relating to data protection

taking into account data protection in the European Union and the United States with

a view to looking at the different ways in which they have been implemented.

Following that an analysis of the impact they have on telecommunications will be

carried out.

National data protection laws have developed as electronic commerce has boomed.

Indeed, with more coverage being given in the media relating to infringement of

privacy, it is no wonder that countries have been more active in ensuring people know

what their rights are in relation to these issues and also that data controllers23 ensure

data under their custody is processed in line with data protection legislations.

The European Union has developed a Framework for Data protection; this can be seen

in the Data Protection Directive and the Privacy and Electronic Communications

Directive24.

In the United States data protection legislations generally target discrete information

processing activities with the most important legislative protections for information 22 U.S.C 6502 b (1) A ii 23 A person who alone or jointly with others determines the purpose for which and manner in which personal data is to be processed Section 1(1) Data Protection Act 1998 24 Directive 2002/58/E.C OJ L 201/37 this Directive replaces Directive 1997/66/E.C [1998] O.J L24/1

12

privacy emphasising restraint on the government and certain commercial industries.25

The Data Protection Directive embodies human rights principles and it is from here

that we see how the fundamental provision on human right provision is incorporated

by reference into the Data Protection Directive which in turn has to be implemented

by member states. This is how the human right privacy principle is integrated into

national law. This is the difference between the origins and objectives of privacy in

the Europe and the United States of America.

2.2.1 EU Data Protection Principles

Data protection laws provide protection of the individual with regards to their

personal data, however the question is how does one ensure from the onset that

personal data is collected processed and transferred legitimately?

Data protection laws have basic principles that need to be adhered to. Indeed if one

analyses for example the European Union Data Protection Directive one will notice

that there are a number of principles that form parts of the body of data protection

legislations worldwide.

These principles can be summarised as follows:

Personal data shall be processed fairly and lawfully26 (see below for more on lawful processing)

Lawful processing is explained in Article 7 of the Directive which stipulates what

constitutes legitimate processing of data

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with

that purpose or those purposes27.

25 See Resolving Conflicting International Data Privacy Rules in Cyberspace Joel R Reidenberg May 52 STANFORD Law. Review. 1315 (2000) 26 Article 6(1a) Data Protection Directive 95/46/EC

13

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed28.

Personal data shall be accurate and, where necessary, kept up to date29. Personal data processed for any purpose or purposes shall not be kept for

longer than is necessary for that purpose or those purposes30.

Data subjects are afforded rights of access to their data31. Appropriate technical and organisational measures shall be taken against

unauthorised or unlawful processing of personal data and against accidental

loss or destruction of, or damage to, personal data32.

While the above constitute the basic tenets of data protection, it must be mentioned

that there are other issues that must be observed in protecting data when it is being

processed. Article 7 of the Directive stipulates what constitutes lawful processing of

data and it specifies that personal data may be processed only where:

the data subject has unambiguously given his consent33, for sensitive data which includes information relating to race, political opinions, religious or

philosophical belief, health or sex life, trade union membership, there must be

explicit consent34

27 Article 6(1b) 28 Article 6(1c) 29 Article 6(1d) 30 Article 6(1e) 31 Article 12 32 Article 17 33 Article 7 (a) Data Protection Directive 95/46/EC 34 Article 8(1)

14

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior

to entering into a contract35

processing is necessary for compliance with a legal obligation to which the controller is subject36

processing is necessary in order to protect the vital interests of the data subject37

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a

third party to whom the data are disclosed38

processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed,

except where such interests are overridden by the interests or fundamental

rights and freedoms of the data subject which require protection under Article

1(1).39 40

These principles indicate that the data may only be used in accordance with the

purpose for which it has been obtained from the data subject. This would thus

mean that the use of the data for example, where it is collected for the opening of

an online banking account, the data collected should be used solely for what it

was originally intended. The data supplied should not be allowed to be used by

the same company to market different products to the data subject or indeed sell

35 Article 7 (b) 36 Article 7 (c) 37 Article 7 (d) 38 Article 7 (e) 39 Article 7 (f) 40 Article 1(1) states In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.

15

the information to a third party organisation without the consent of the data

subject. It is only after receiving consent that one can market other products to the

person in question

2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC)41:

This directive repeals the Telecommunications Data Protection Directive (97/66/EC)

and lays certain obligations on telecommunications companies and service providers.

The main aim of this directive is to harmonise the provisions of Member States laws

in relation to electronic communications to ensure an equivalent level of protection of

fundamental rights and freedoms, particularly the right to privacy, processing of

personal data in the electronic communication sector and to ensure the free movement

of such data and of electronic communication equipment and services in the

community42. One of the new developments of this Directive is that it extends

controls on unsolicited direct marketing to all forms of electronic communications

including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile

telephones.

It is to be noted that the Directive applies to the processing of personal data in

connection with the provision of publicly available electronic communications

services43 in public communications networks44 in the Community.

41 Directive 2002/58/E.C OJ L 201/37 42 Article 1 Directive on Privacy and Electronic Communications 43 According to European law, electronic communications service means a service normally provided for the remuneration which wholly or mainly in the conveyance of signals on electronic communications networks used for broadcasting, but exclude services providing, or exercising editorial control over content transmitted using electronic communications networks and services. Article 2 (c) Directive 2002/21/EC 44 According to European law, public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. Article 2 (d) Directive 2002/21/EC

16

An analysis of the salient points reveals the following in the Directives aims in

ensuring fundamental human rights and freedoms particularly the right to privacy for

subscribers of electronic communications:

2.2.2.1 Security Measures

The directive provides that communication service providers should adopt adequate

security measures both from a technical and organisational point of view that are

commensurate with the risks that can accrue. With the spate of recent high profile

security breaches that have occurred it is paramount that telecommunications

providers implement adequate logical and physical security measures to ensure data

under their control is safe from unauthorised access, which may lead to loss of

privacy. It goes further to provides that users should be made aware of risks that are

beyond the control of the service provider45.

While the Directive does not detail the technical measures Member States are to

adhere to in order to ensure they are complying with the provisions of this Article, it

must be pointed out that countries provide legislation on what measures to take in the

event that information security is breached or what actions to take on individuals who

breach systems. For instance, in the United Kingdom, section 1 of the Computer

Misuse Act46 makes unauthorised access to systems an offence. Also the OECD has

provided guidelines to how communication service providers can implement

information security on their networks47. Other measures that may be used to ensure

45 Article 4 (1&2) Directive on Privacy and Electronic Communications 46 Computer Misuse Act 1990 47OECD Guidelines for the security of information systems and networks see www.oecd.org/dataoecd/59/0/1946946.pdf

17

information security measures are adequate include adopting standards such as ISO

17799 Code of practice for information security management48 and ISO 15408

common criteria for information technology security.49 Adopting or following these

guides can provide for appropriate security on communication networks.

2.2.2.1.1 Impact on Communications Service Providers

The effect this legislation has on communications service providers is that it makes

them obliged to notify subscribers of threats that cannot be prevented by the

communications provider. This legislation recognises the fact that organisations have

in the past been quiet about potential and actual information security breaches. The

wording can thus be interpreted to mean that a positive action must be carried out by

the service provider to warn subscribers of the threat that may accrue their personal

information.

Note information security, as a whole will be discussed in more detail in a further

section of this essay.

2.2.2.2 Confidentiality of Communications

In its attempt to maintain privacy of personal information, the directive requires

service providers to ensure confidentiality of communications. This the directive

states can be attained by making sure that communication over public

telecommunications lines are free from interception and tapping save in the instance

of lawful interception50. The article also provides that where communication networks

48 see www.bsi.org.uk 49 http://csrc.nist.gov/cc/ccv20/ccv2list.htm 50 Article 5 (1)

18

are used in the processing of data, the data subject shall be informed why this is being

carried out. The data subject has a right to refuse such processing51.

There has been a great debate relating to the use of cookies52and the fact that they can

invade the rights of users communications. The Directive in recognising this fact and

in an attempt to curb their intrusion on subscribers communications provides in article

5 (3) that they can only be used if the subscriber or user is made aware in clear and

comprehensive terms about how information gathered will be processed. The problem

however with this legislation is the fact that cookies operate in the background

without giving off any warnings that they are operating making them hard to detect.

This makes it difficult to identify organisations that flaunt this law. Also since there

are no sanctions placed on organisations that breach such confidentiality of

communications requirements, this aspect of the article cannot be said to be adequate

in the fight to keep communications confidential


It should be noted here that most browsers have in the properties tab an option to

configure cookies. As such I am of the opinion that since all users have the ability to

accept or deny cookies at their fingertips; legislation is not the most appropriate

means of dealing with this particular issue. Rather, communications service providers

need to advertise and educate their subscribers of this functionality. While it may cost

them money, it is an easier means of ensuring confidentiality and will be more

effective than legislation.

51 Article 5 (2) 52 Cookies are programs that are used to track users preferences when they visit a website. They can be stored on ones hard drive without the users consent or knowledge.

19

2.2.2.3 Caller and Called Line Identification

It is to be noted that an individuals telephone number is personal data going by the

meaning given to data protection legislation.

In order to protect this, the directive further provides privacy rules in relation to caller

and connected line identification. Here the directive states that subscribers must be

issued with the possibility of withholding the identification of their telephone

numbers when making a call along with being able to reject incoming calls where the

incoming caller has refused showing their number53. It must be mentioned here

however that while the Directive provides that caller and called line identification

should adopt some privacy measures, these services are not mandatory. Where the

implementation of these services may invoke either an undue cost burden on the

service provider or in situations that make the provision of the service technically

impossible, that provider must ensure this is made known to relevant parties in the

member state.

It should also be mentioned that there are certain instances where it may be justifiable

to override the elimination of calling line identification. These situations can arise for

example where certain subscribers such as those that provide help lines have an

interest in guaranteeing the anonymity of their clients. In these scenarios, it is

paramount to protect the rights and interests of the party to withhold the presentation

of the identification of the line to which the calling party is connected.

It is to be noted however that the provisions of this article may not be applicable

where for instance the calls are made from some international networks that do not

53 Article 8

20

provide the same sort of offerings to their subscribers or where they do not have the

same levels of data protection laws as The European Economic Area54.


It is to be noted that when there is a failure of the communications network to block

caller line identification facilities such that a subscribers privacy is breached, the

customer is entitled to have their privacy restored, at no extra cost by their telephone

company in the form of the allocation of a new phone number55. In the UK this

provision is implemented by sections 10 and 11 of the Privacy and Electronic

Communications (EC Directive) Regulations 200356.

2.2.2.4 Location Data Restrictions

Where the repealed telecommunications privacy directive only related to calls in

circuit switched connections such as is found in traditional voice telephony, the new

directive covers all kinds of traffic data as generated by users of mobile

communication devices.

Location data is a valuable tool that can be used in the mobile phone sector to identify

the location of an individual57 its use can be illustrated in the Danielle Jones case in

the hunt for a missing child in the UK it was identified that calls purportedly form the

54 Guidelines for Customer Line Identification Displays Services and other related Services over Electronic communications networks available at www.oftel.go.uk/ind_groups/cli_group/docs/guidelines0902.pdf 55 See European Guidelines for Calling line Identification available at www.europa.eu.int/ispo/infosec/telcompolicy/en/guidelines.pdf 56 The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on 11th December 2003. 57 See Location Data is as sensitive as content data Alberto Escuardo Pascual Royal Insitute of Technology 22nd November 2001 available at www.it.kth.se/~aep/publications/EU-forum/20011127/EU-forum-locationdata.pdf

21

girls phone to her uncle (later convicted for her murder) were in fact being made by

her uncle from one location58.

The directive in recognising the importance of location data provides that location

data can be processed only if it is made anonymous or with the consent of the

subscriber for a value added service but only for the duration that is necessary for the

processing59. The subscriber must also be given the possibility to temporarily refuse

such processing of location data information60.

It is to be noted however that the directive does not state that technology should be

used to enforce the requirement to keep location data private and confidential given

the fact that it can be used to track an individuals movements

2.2.2.5 Emergency and Nuisance Calls

An exception to the privacy of caller line and location data is provided for in article

10 where the elimination of calling line identification and location data is sanctioned

to trace nuisance calls and in relation to location data for it to be revealed on a

temporary basis only to emergency services.

This article basically allows member states to allow for the restriction of a user or

subscribers right to privacy in relation to calling line identification where for instance

there is a complaint that some one is persistently calling someone elses number and

either keeps silent or hurls profanity at the person whose line is being called. In these

situations it may become necessary to trace where these calls are originating from.


58 See bbc.news.co.uk/2/low/technology/2593653.stm 59 Article 9 Directive on Privacy and Electronic Communications 60 Article 9(2)

22

The process of carrying out the above is that it will entitle providers of electronic

communications services to provide access to the calling line identification data and

also the location data without the knowledge or consent of the calling party

constituting the nuisance.

The advantage of this legislation is that it caters for and takes into account the

possibility of abuse of the privilege of calling line privacy.

It also takes into account the fact that there will be situations where being able to

locate a person in distress in due time may be the difference between life and death

and in such situations the right to privacy will be overlooked.

2.2.2.6 SPAM

Unsolicited mail (also known as Spam) has become a major problem it causes loss of

work productivity in wasted time in deleting them and also is an invasion of privacy.

The directive in recognising the harmful effects of Spam provides that there shall be

no automated communication using electronic mail or faxes for the purpose of direct

marketing without the consent of the data owner61. The purpose of the directive in

relation to SPAM is to make sure that EU member states strengthen data protection

measures in relation to SPAM. The EU legislation supports the opt-in62 rather than the

opt-out63approach.

The problem with this piece of legislation however is the fact that due to the nature of

the Internet it may be difficult to prosecute those that habitually send such unsolicited

61 Article 13 Directive on Privacy and Electronic Communications 62 In an opt-in regime, the consumer must affirmatively give permission to be sent information about new products or sales, or to share the consumer's information with other companies in a business relationship with the company where that consumer has an opt-in agreement. Generally, a consumer must click on web site boxes or send an e- mail request to the company, or its affiliates in order to authorise consumer e-mail. 63 In an opt-out regime, the privacy policy will indicate that the consumer is presumed to want information about sales or new products which will be sent unless the consumer "opts out" of receiving such.

23

mail. Not only because it is possible for those that send such unsolicited mail utilising

the Internet to take advantage of the ease with which one can set up an Internet

infrastructure for a temporary period of time before shutting it down and setting up a

similar site when they have suspicions that they are being investigated or if they are

indeed shut down. But also because it is a well known fact that many of the top 50

Spammers originate from America such that while the legislation may direct

marketers in Europe, those that send unsolicited mail from America will be out of the

jurisdiction of the legislation. Indeed in response to this provision, the Direct

Marketing Association64 has raised concerns that this could penalise small companies

that rely heavily on direct marketing but not protect the consumer from spam email

that originates outside of the EU.


Not only is SPAM a problem for users, it also affects communications service

providers. Due to the fact that a single SPAM message can be sent to millions of

email addresses at once, not only does it have the capability to take up

communications service providers bandwidth65 it can also have a negative impact on

the availability of the service especially when such SPAM is infected with Virus.

Another impact it has on communications service providers is that it can tie up

staffing resources in the sense that when a new SPAM message is discovered the tools

used to detect them may need to be reconfigured by technical staff. Communications

service providers now deploy filtering tools which have the ability to block SPAM

either by use of Boolean syntax or blocking of the IP address of the sender of the

64 /www.the-dma.org/ 65 The amount of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits per second(bps) or bytes per second. For analog devices, the bandwidth is expressed in cycles per second, or Hertz (Hz).

24

email. They have also need to include in their acceptable use policies statements that

SPAM will not be tolerated and that subscribers who send SPAM may have their

service terminated. All these measures add to the cost of providing services to

subscribers which in turn can eat into profit margins.

2.2.2.7 National Security

There are certain situations that may lead to events that make safeguarding privacy of

communications a secondary issue. Such situations are where national security is at

risk and where criminal investigations are being carried out. Where these are

determined to be taking place, law enforcement agencies may on having obtained

permission by appropriate bodies breach the data subjects right to privacy of

communications in their investigations of such events. It is to be noted that the

legislation also allows for data to be retained for limited periods of time during the

investigation of such situations66.


The duty to safeguard national security issues affects communications service

providers due to the fact that the requirement for the retention and retrieval of data

can be costly not only because it may necessitate the deployment of a whole range of

new systems but also because it will mean that staff will need to be retrained. This can

have an enormous effect on the margins of small communications service providers

who may not have the resources to either buy the required systems or employ

appropriate staff.

66 Article 15 (2) Directive on Privacy and Electronic Communications

25

Note national security and cost issues will be looked at in further detail in this essay in

discussions relating to data retention and lawful interception of communications.

2.3 United States and privacy of communication

In the United States privacy legislation does not stem from a central law such as the

Data Protection Directives in Europe rather one finds sectoral laws, which affect

certain sectors and industries. The United States has taken a sectoral approach to

privacy regulation so that records held by third parties, such as consumer marketing

profiles or telephone calling records, are generally not protected unless a legislature

has enacted a specific law67. Due to this state of affairs the European Union still

regards its data protection regime as one that requires special provisions such as the

Safe harbour rule68 when it comes to the transfer of data from EU member states to

the United States.

In relation to privacy of communications, issues relating to Internet privacy have

become prominent. A number of organisations such as eBay.com, Amazon.com and

Yahoo.com have either changed users privacy settings or have changed privacy

policies to the detriment of users.69 Other organisations such as Microsoft and Intel

were discovered to have released products that covertly track the activities of Internet

users.70Significant controversy has arisen over online profiling, the practice of

advertising companies to track Internet users and compile profiles on them in order to

target banner advertisements. The largest of these advertisers, DoubleClick, ignited

67 United States v. Miller, 425 US 435 (1976) 68 Explained further in this section 69 Chris J. Hoofnagle, Consumer Privacy In the E-Commerce Marketplace 2002, Third Annual Institute on Privacy Law 1339, Practicing Law Institute G0-00W2 (June 2002), available at http://www.epic.org/epic/staff/hoofnagle/plidraft2002.pdf 70 See Big Brother Inside Campaign http://www.bigbrotherinside.org

26

widespread public outrage when it began attaching personal information from a

marketing firm it purchased to the estimated 100 million previously anonymous

profiles it had collected.71 The company backed down due to public opposition, a

dramatic fall in its stock price and investigations from the FTC and several state

attorneys general. In July 2000 the Federal Trade Commission reached an agreement

with the Network Advertisers Initiative, a group consisting of the largest online

advertisers including DoubleClick, which will allow for online profiling and any

future merger of such databases to occur with only the opt-out consent.72

2.3.1 Privacy of Communication Laws In The United States

As has been mentioned Privacy laws in the United States are sectoral.

Communications privacy in the United States can be seen in the following

legislations73:

2.3.1.1 The Telecommunications Act 199674

This provides for the restriction to and use of customer information by

telecommunications companies. It governs the disclosure of customer proprietary

network information75 and subscriber list information. Its primary aim is to protect the

customer from having their information misused by the telecommunications provider.

71 See EPIC DoubleClick Pages http://www.epic.org/privacy/doubletrouble/. 72 For a detailed history and critical analysis of this agreement, see Electronic Privacy Information Center (EPIC) and Junkbusters, "Network Advertising Initiative: Principles not Privacy," July 2000 http://www.epic.org/privacy/internet/NAI_analysis.html. 73 Note some of the legislations below are proposed legislations (Bills) and will be indicated as such in the footnotes 74 47 U.S.C 222 75 Defined as constituting the quantity, technical configuration, type, destination, location and amount of use of telecommunications service subscribed to by any customer of a telecommunications carrier and that is made available to the carrier by the customer, solely by virtue of the customer carrier relationship. It also includes information contained in bills relating to telephone exchange service or telephone toll service received by a customer of a carrier.

27

It consists of a number of provisions that are similar to the European Directive on the

processing of personal data and protection of privacy.

Among such provisions is the requirement for telecommunications companies to

ensure the confidentiality of customer proprietary network information. In ensuring

that this is carried out, the Act prohibits the carrier using subscriber information that

has been provided by another carrier for its own marketing purposes76.

The Act also provides that telecommunications carriers that receive customer

information can only use, disclose or permit access to that information in the

provision of the telecommunications service from which the information was

obtained.

2.3.1.2 The Location of Privacy Protection Act of 200177

This contains specific provisions in relation to keeping the privacy of location data of

customers. It requires wireless technology providers to notify customers regarding the

providers collection of information policies in relation to collecting call location data.

It also requires the providers to obtain the customers prior consent before either

selling or disclosing such information78.

76 47 U.S.C 222 (b) 77 Proposed Legislation: S.1164 Location Privacy Protection Act of 2001, A bill to provide for the enhanced protection of the privacy of location information of users of location-based services and applications, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 7/11/2001 Referred to U.S Senate committee: Senate Commerce, Science, and Transportation. 78 See section 3 a & b Location Privacy Protection Act 2001

28

The provisions of this act portray an understanding by those responsible for enacting

this legislation of the abuse and detriment to the customer in the event that location

data is used for purposes other than those for which the customer provided the data.

This is illustrated where the Act prohibits providers of location-based services or

applications from releasing customers location information for purposes beyond

those for which the customer provides express authorisation79and ensure the integrity

and security of location data.

2.3.1.3 Spyware Control and Privacy Protection Act 200180

This Act can be likened to article 5 (3) of the Directive on Privacy and Electronic

communications. It provides that users of any computer software that has the

capability to collect information about the users use of the software, or computer to

which that software connects, must obtain prior consent of the user by way of

providing on the first electronic page of the instructions a warning that the software

has the capability to obtain such information. It must also provide the persons names

and address to which such information will be sent.

Information that has been collected should be kept confidential except where

disclosure is required by law enforcement agencies granted permission under a court

order to view it.

79 section 3 (c) ( ii) Location Privacy Protection Act 2001

80 Proposed Legislation: S197 Spyware Control and Privacy Protection Act of 2001 A bill to provide for the disclosure of the collection of information through computer software, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 1/29/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation

29

Violations of this will be treated as a deceptive practice as proscribed by section 18

(a) (1)(B) of the FTC Act 15 U.S.C 57a (a) (1) (B).

An analysis of the European and U.S jurisdictions shows a similar thought process

behind the implementation of laws relating to communications. There is a general

understanding that privacy of the consumer is required.

It can be seen that data protection legislation provides a backdrop to which

individuals can seek redress in the event that their rights are infringed and it also

allows business to understand the limits to which they can go in their processing and

use of personal data.

Law enforcement agencies are also restrained from encroaching on individuals

privacy, before they can view personal data they need to follow procedures such as

obtaining a warrant and also proving reasons why national security is at stake or that a

serious crime needs to be investigated prior to carrying out surveillance activities.

The question that needs to be answered is whether these laws are effective? Even

though the provisions of privacy laws provide sections in relation to how

communications companies are to devise means by which personal data is processed,

it is difficult to actually determine whether there is full compliance on the part of

these organisations in relation to how they carry this out.

The United Kingdom Information Commissioner has expressed concerns relating to

the enforcement of data protection legislation. He was of the opinion that the

enforcement procedures are not well suited to the electronic commerce environment.

For instance, where a website or service is being provided, that is not compliant with

30

the laws and they are investigated, nothing stops them from relaunching under a new

name and carrying on the same scam.

It must be mentioned here that even though these legislations have been enacted, there

is still ignorance among data users in relation to what their rights are and when these

have been infringed, according to a UK report only 42% of the public are aware of

their rights under data protection laws81

A way to ensure people are aware of the provisions of data protection legislations

would be the development and dissemination of awareness campaigns that highlight

the importance and effects of these laws.

3. Law enforcement and privacy of communications

While it has been stated that there is a requirement that privacy must be guaranteed

during communications, there are certain instances where law enforcement agencies

are allowed to gain access to communications data without the consent of the data

subject.

These instances occur when law enforcement agencies are investigating serious

criminal activities or activities that may constitute a risk to national security. In the

process of undertaking these investigations, communication service providers will

invariably be asked to allow these law enforcement agencies to either intercept the

data or gather information about the individuals activity from data that has been

retained by their systems in relation to the individuals communication.

81 See Information Commissioner Annual Report and accounts for the year ending 31 March 2002, HC913

31

Laws such as The RIP (Maintenance of Interception Capability) Order 2002 in the

UK and The Communications Assistance for Law Enforcement Agencies Act82

hereinafter referred to as CALEA in the United States are examples of legislations

that force communications service providers to assist law enforcement agencies in

their endeavours to combat such activity.

This aspect of the essay will look at how these laws interact with privacy legislation

showing how they act as a counterbalance to ensure that people do not misuse their

rights to privacy by conducting criminal activity.

Mention has been made in this essay of instances where circumstances such as the

need to combat criminal activity and safeguard national security may lead to data

subjects rights to privacy of communications being overridden. Actions that make up

the activities in combating crime or detecting activities that may be a threat to national

security include law enforcement agencies intercepting communications as well as

sifting through communications data that may have been retained by communications

service providers.

This section looks at the issue of lawful interception and data retention with a view to

dispel concerns that they are an infringement on privacy rights and to show that the

concepts go hand in hand with data privacy in the provision of electronic

communication services it will also look at the impact these concepts have on

communications service providers.

82 47 U.S.C 1001-1010

32

3.1 Why Lawful Interception?

Interception of a communication in the course of its transmission involves the

modification, interference or the monitoring of the system while the communication is

actually being transmitted83

Lawful interception is the terminology used to describe the means by which law

enforcement agencies are authorised to intercept telecommunication sessions as

prescribed by law.

The advancement of technology has led to the need for law enforcement agencies to

curb criminal and terrorist activities. The problem has always been the fact that

criminals have always been able keep a step ahead of the law in their clandestine

activities. The convergence of communications systems has led to easier, faster and

cheaper means of communicating, this in turn has allowed criminals and terrorists to

be able to take advantage of these systems to communicate with each other or to use

the systems to carry out illegal activities.

The convergence of voice, data and Internet technologies has led to a new type of

communications network. Prior to convergence one mainly dealt with the circuit

switched84 fixed line telephone networks in relation to lawful interception. However

with the explosion of the Internet has come the packet switched network85which is

being touted as the replacement of the circuit switched network now that convergence

has occurred.

83 Section 2 Regulation of Investigatory Powers Act 2000 84 Circuit switched networks are used for phone calls 85 Packet switched networks handle data which could include voice calls

33

Recent legislations have been enacted in order for lawful interceptions to be carried

out on systems utilising these new communications technologies. In the UK, The

Regulation of Investigatory Powers Act 2000 replaced the Interception of

Communications Act 1985 to take account of technological advances in

communications and to cater for the growing use of the Internet and electronic mail.

Interception of communications can take place in a number of ways:

Wire Tap: this involves the installation of a transmitting device on a telephone line, for the purpose of intercepting, and usually recording, telephone

conversation and telephonic communications.

Location Tracker: This involves using devices to identify through the telecommunication system the location of an individual

Pen registers and trap and trace devices: A pen register records only the numbers of outgoing telephone calls. While a trap and trace device is used to

capture the numbers of incoming telephone calls86.

Below are examples of how communication systems can be intercepted;

Standard Telephones: Standard telephone systems are susceptible to wiretaps. There are many

locations where a wiretap can be placed. For example, microphones in many

older telephones handsets can be replaced with one that can also transmit to a

remote receiver. Taps can also be placed at the telephone boxes in the

basements of buildings, on the lines outside the house, or on the telephone

pole junction boxes near the target of the surveillance. A once common

technique used by police forces was to remotely monitor calls by having lines

86 Trap and trace devices are one of the methods used by authorities in the United States to intercept communications

34

run from a telephone company central office where the local switching

equipment is located to a monitoring station in a government office.

Wireless Communications The use of wireless telephones has become extremely common. There are also

millions of cellular telephones in use. In developing countries, wireless

communications such as cellular and satellite-based telephones are also

popular as a means to avoid laying new telephone lines in areas that were

previously undeveloped. However, they are easily intercepted and should not

be thought of as giving greater protection from eaves dropping than fixed line

phones.

Cordless telephone communications are especially easy to intercept. Many of

the older models broadcast just above the top range of the AM radio band and

conversations can be easily overheard with any AM radio and can be

intercepted with an inexpensive radio scanner purchased at most electronics

stores for under $100.00 in the United States. The range of interception can

extend to nearly one mile.

Cellular phones have the same problems as cordless. They also broadcast over

airwaves like a radio. Inexpensive scanners are available on the market that

can intercept conversations. In addition, some cellular phones can be

programmed to act as scanners to intercept other calls. There is also equipment

available to law enforcement, which can track and monitor cellular

conversations as they move around a city.

Unencrypted Wireless networks are also prone to scanning and intercept

vulnerabilities and can actually be scanned using a Pringles tin87 as an aerial

87 Round aluminium type snack container

35

with a laptop. If an attacker can sniff88 the wireless traffic, it is possible to

inject false traffic into a connection they may then be able to issue commands

on behalf of a legitimate user by injecting traffic and hijacking their victims

session.

Facsimile (fax) Machines: It is also possible to intercept facsimile transmissions. A fax machine is

essentially an inexpensive computer system that uses a well known standard

for sending and receiving files. Commercial devices are widely available that

automatically intercept faxes. In New York City, fax intercept machines were

used as far back as 1990 by local police89. It is also possible to intercept faxes

using a computer with specialised software and a fax modem90.

The intentional interception of communications on public91 and private92

telecommunication systems without lawful authority is an offence93.

It is to be noted that the offence of interception of private networks was not covered

by the repealed Interception of Communication Act of 1985 as illustrated by

R V Effick94 where the courts held that the interception of telephone communications

via cordless telephones by the police was not covered by the Interception Act.

Indeed cases such as Halford v United Kingdom95 provide typical examples of what

can constitute unlawful interception of communications.

88 Sniffing is the act of using a device to analyse network traffic relating to communication and computer systems 89 Joseph Fried, Police Filch Faxes to Snare a Gambling Ring, NYT , June 3, 1990 at 33. 90 Eaves Dropping detecting David Bansar 1995 91 Section 9(1) Telecommunications Act 1984 defines public communication system as that so defined by the Secretary of State as that authorised by licence via Section 8 of that Act 92 Any telecommunications system which not being a public telecommunication system is a system to which is attached directly or indirectly to a public telecommunications system and there is apparatus comprised of the system located in the United Kingdom for making the attachment to the public communication system Section 2 (1b) RIPA 2000 93Section 1 (1) Regulation of Investigatory Powers Act 2000 94 R V Effick 1984 Crim LR832, 99

36

In this case the European Court of Appeal ruled that interception of telephone calls

made on an internal system operated by the police was an infringement of Article 8 of

the European Convention on Human Rights which provides amongst other rights the

right of respect to ones privacy of correspondence. The only way this right may be

interfered with is when it is performed by public authorities is in accordance with the

law96.

In the United Kingdom, the Regulation of Investigatory powers Act 2000 also covers

interception of private telecommunication systems97.

The 2003 Telecommunications Act also makes it an offence for one to disclose the

content of messages or information concerning the use made of services provided98

However it is to be noted that there are certain circumstances where interception of

communications will not be illegal, such situations are typically when law

enforcement agencies are given the permission by a higher authority to intercept

certain data communications.

Lawful interception plays a crucial role in helping law enforcement agencies to

combat criminal activity. Indeed, this can be illustrated with the linking of

information about subscriber99 and billing data in criminal and terrorist activities. To

buttress this point further in the United States the use of lawful interception led to the

95 1997 IRLR 471 96 See Articles 8 (1) and 8(2) European Convention on Human Rights 97 Section 1(2) RIPA 98 Section 127 Communications Act 2003 99 Defined under Article 18 (3) of the Convention on Cyber Crime as any information, contained in the form of computer data or any other form, that is held by a service provider, relating to subscribers of its services.

37

successful conviction of sixty- five people involved in a fraud by defence contractors.

The investigation of this case relied heavily on the interception of telephone calls100.

Lawful interception involves the collaboration between law enforcement agencies and

communication service providers. As such while there are laws dealing with the

procedural and authorisation activities required for law enforcement agencies, so too

are there laws relating to the obligations of telecommunications operators and service

providers.

Lawful Interception typically involves three parties beginning with the law

enforcement agency requesting permission in the form of a warrant or subpoena101

from a higher authority in order to prove to the communications service provider that

it has permission to intercept data it controls.

3.2 The Lawful Interception Process

In the United Kingdom the process of lawful interception typically commences with a

warrant for such interception. This then proceeds with the collection of various forms

of communications, the analysis of the intercepted data, and the preparation where

sufficient evidence is gathered for the prosecution of persons whose data have been

intercepted. Warrants in the UK are issued by the Secretary of State where he believes

the issue of such warrant it is in the interest of national security, or it is to be used to

prevent or detect crime or it is for the safeguarding of the economic well being of the

country.102

The duration of warrants issued in relation to interception are valid for three months

initially but on renewal are valid in the instance of national security for six months

100 Ill Wind investigation see /www.eff.org/Privacy/Surveillance/CALEA/kallstrom_fbi_clip-dt.testimony 101 Under the title III authorisations 102 Sections 5(3) and 7(1) RIPA 2000

38

while those for serious crime are valid for a further three months following each

subsequent renewal103.

In the United States, The Federal electronic surveillance statutes104 provide that a

high-level Department of Justice official specifically approve the use of any of these

types of electronic surveillance prior to an Assistant United States Attorney obtaining

a court order authorising interception.

In Australia, warrants for lawful interception are granted by judges or nominated

members of the Administrative Appeals Tribunal105

While it is important to maintain the principles and powers of lawful interception, the

challenge of doing so correctly is tempered by the need to ensure that in carrying it

out human rights and data protection legislations are not infringed.

While the main issue for lawful Interception of communications on public telephone

systems is to identify criminal and terrorist activity, one needs to know exactly what

data can be lawfully intercepted.

3.3 What is intercepted under lawful Interception?

Generally speaking when the right is granted to intercept a communication it will

involve the intercepting of communications data, which embraces the who, when

and where in relation to a communications transmission106.

Communications data in turn can be broken down into the following categories:

Traffic data: This contains information that identifies who the subscriber contacted, their location as well as that of the person they have contacted and

what time the contact was made.

103 Report of the Interception of communications commissioner 2001 104 Referred to collectively as Title III and codified at 18 U.S.C. 2510, 105 Telecommunications (Interception) and Listening Device Amendment Act 1997 106 See Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003

39

Service data: This identifies services used by the subscriber and how long they were used.

Subscriber data: This identifies the user of the service their name address and telephone number107

3.4.1 Lawful Interception Laws in the United Kingdom

Lawful interception in the UK is primarily governed by the Regulation of

Investigatory Powers Act 2000 (RIPA), and the Telecommunications Lawful business

Practice Interception of Communications Regulations 2000108.

RIPA provides for, and regulates the use of investigative powers, by public

authorities109. It updates the law on the interception of communications previously

provided by The Interception of Communications Act 1985 and the Police Act 1997.

It now enables state authorities to intercept communications in line with technological

changes such as the growth of the Internet.

Under the RIPA, the Police, Inland Revenue Customs and Excise and the security

services may acquire access to communications data via the warrant; however this

may be extended to other local authorities by order of the secretary of state thus

allowing such authorities to lawfully intercept communications data.110

It is to be noted however that even though the Act allows for authorities to intercept

data, this does not mean that they can share any information i.e. information derived

107 Section 21(4) RIPA 2000 108 SI 2000/2699 109 They are the police as defined in section 81(1) National Criminal Investigations Service, National Crime squad, HMSO Customs and excise, The Inland Revenue, The security service, The Secret Intelligence Service Government Communications Headquarters 110 Section 25(1g) RIPA 2000

40

from a lawful intercept warrant used by the police cannot then be shared with the

Inland Revenue.

The Lawful Business Practices Regulations allow for the lawful interception of

communications in the course of its transmission by means of a telecommunications

system with or by consent of the system controller under the following conditions.

Monitoring the system to establish the existence of facts or ascertain compliance with regulatory or self regulatory practices or procedures relevant

to the business (this could include but not be limited to ascertaining whether

the business is abiding by its own policies)111

Monitoring quality control and staff training (but not for marketing or market research)112

Prevent or detect crime (including crimes such as fraud as well as infringement of IT related legislation such as the Computer Misuse Act 1990

or the Data Protection Act 1998)113

Investigate or detect unauthorised use of own communications systems (relevant to potential disciplinary action)114

It is to be noted that such interceptions are authorised only if the controller of the

telecommunications system has made all reasonable efforts to inform potential users

that such interceptions may be made.

The importance of this legislation is that it reduces the privacy rights of those that use

private telecommunication systems

111 Section 3(1) (a) i(aa) Lawful business practices regulation 112 Section 3(1) (a) i(cc) 113 Section 3(1) (a) iii 114 Section 3(1) (a) iv

41

The police are empowered to obtain evidence in criminal investigations once they

have obtained an order through the consent of a circuit judge. This is illustrated with

the NTL115 case where the high court confirmed the rights of the police to require a

telecommunications provider (NTL) to take steps to intercept e-mails addressed to its

customers. It is to be noted that this right was not exercised by powers under RIPA,

rather they were as defined by the Police and Criminal Evidence Act 1984 (PACE)

which allows a police constable to obtain access to excluded material or special

procedure material for the purposes of a criminal investigation.116

Many are concerned that authorities enabled to access communications data under

RIPA might abuse such powers. In an attempt to reduce authorities abusing such

powers, safeguards have been introduced

These include:

Specifying clearly the persons designated to seek access to communications data

An accreditation scheme for certain individuals with access to communications data

Compliance with RIPA statutory code of practice Oversight by the Interception of communications commissioner Sanctions for the abuse of powers granted under RIPA117

115 Neutral Citation number: 2002 EWCH 1585 116 Section 9 Schedule1 Police and Criminal Evidence Act 1984 117 See Safeguards p23 Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003

42

3.4.2 Lawful Interception in the United States

In the United States interception of communications is illegal unless authorised by

stringent rules that have been designed to protect privacy and allow the investigation

of crime.

There are two basic pieces of Federal legislation: Electronic Communications Privacy

Act (ECPA)118, which concerns criminal investigations, and the Foreign Intelligence

Surveillance Act (FISA), which concerns intelligence and counter intelligence

operations. (For this part of the essay I will be dealing with ECPA)

In the United States, wiretap laws, and procedures used by state courts and law

enforcement agencies to implement those laws, are subject to two important

constraints: first, the Fourth Amendment to the United States Constitution, as

incorporated in and made applicable to the states by the Fourteenth Amendment; and

second, the restrictions of the ECPA.

These constraints were codified and made more specific in Title III of the Omnibus

Crime Control and Safe Streets Act of 1969. This Act establishes the substantive and

procedural requirements for federal interception orders and pre-empted less restrictive

state requirements.119 In 1986, Congress updated those requirements by means of the

ECPA, which addressed newer communications technologies such as mobile

telephones and electronic mail. This law provides the statutory framework that

governs the real-time electronic surveillance of the contents of communications.

118 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986). 119 Omnibus Crime Control and Safe Streets Act of 1969, Pub. L. No. 90-351, 82 Stat. 197 (1968)(codified at 18 U.S.C. 2510-2521 (2000)), reprinted in USCCAN 1968 237.

43

The ECPA broadly prohibits the interceptions of wire, oral and electronic

communications, except where those interceptions comply with the ECPA

requirements.120

These requirements are to ensure that law enforcement officers in their attempts to

gather evidence of crimes through communications systems comply with statutes that

protect individual privacy. Where interceptions will are made by law enforcement

agencies, the ECPA specifies the authorisation levels of officials who may apply for

an order, the crimes or categories of crimes in connection with which an order may be

sought, the probable cause showing that the applicant must make, and the findings

and minimisation requirements that the order must contain.121 These are stringent

procedures violations of which may result in the imposition of civil liability actions

on lawful enforcement officials.

Authorisation of interception of oral or wire communications under the ECPA comes

from the highest judicial officers namely the Attorney General, Deputy Attorney

General, Associate Attorney General, or any Assistant Attorney General

For accountability purposes, the ECPA also requires state and federal courts issuing

interception orders to make detailed reports concerning those orders to the

Administrative Office of the United States Courts.122These reports are a means of

ensuring that there is an audit trail of orders that have been granted.

120 18 U.S.C. 2511. 121 Id. 2516-2518. 122 Id. 2519. Pen registers and trap-and-trade devices also are subject to federal statutory constraint. Id. 3121-27.

44

In order to ensure privacy is not infringed, state authorised interceptions may only be

carried out by the investigative or law enforcement officers having responsibility for

the investigation of the offence to which the application is made. An exception to this

rule is that private contractors may be permitted to conduct interceptions, so long as

the contractors personnel are under the supervision of an investigative or law

enforcement officer authorised to conduct the interception.123

It has to be mentioned however that while there is an argument that the statutory

authority to hire contractors for surveillance duty frees professional law enforcement

personnel from the drudgery of staffing monitoring stations, it complicates the task of

ensuring that persons who conduct surveillance are experienced and properly trained

in the intricacies of executing an electronic surveillance order124. It also creates

opportunity for the infringement of privacy in the sense that contractors may not have

the same duty of care that law enforcement officers have when dealing with

intercepted data. Also it creates an opportunity to dismiss the accuracy and integrity

of the analysis of the data.

The Uniting and Strengthening America by Providing Appropriate Tools Required to

Intercept and Obstruct Terrorism Act (hereinafter referred to as the PATRIOT Act)

was enacted in 2001125. This Act increases the government's ability to monitor

communications, including e-mail and mobile phone conversations, and provides

agencies to share such information. Its aim is to provide law enforcement agencies

with the appropriate tools to prevent terrorism.

123 Id. 2518(5). 124 Focus Paper of Charles H. Kennedy Presented at 2002 Enforcing Privacy Rights symposium 125 The USA PATRIOT Act is not a stand-alone Act. It amends over 15 Federal Statutes visit: www.llrx.com/features/libraryrecords.htm

45

The Patriot Act however goes a step further than the ECPA in relation to Interception

in that grants law enforcement agencies the power to access ISP networks without a

warrant to track activities.

Section 216 of the Act significantly increases law enforcement authority to use trap

and trace and pen register devices.

There is no doubt that national security interests must be safe guarded, however this

Act does go beyond the scope of previous legislations that safeguard personal

information from government intrusion. Indeed the fact that it allows law enforcement

agencies to access communications data without a warrant raises an eyebrow as to

whether we have seen the right to privacy of communications being revoked in the

United States. Under ECPA certain procedures needed to be followed under the

PATRIOT Act, a warrant is not required to track activities and government

departments can share data. This is state of affairs is defiantly an encroachment on

rights to privacy of communications.

3.4.3 Lawful Interception in Australia

In Australia, Lawful interception of communications is governed by the

Telecommunications Interception Act 1979 which has been amended recently by the

Telecommunications Interception Legislation Amendment Act 2002

this amends the Telecommunications (Interception) Act 1979 to include child

pornography, serious arson offences and offences involving acts of terrorism (newly

created offences under the Commonwealth Criminal Code introduced by the Security

46

Legislation Amendment (Terrorism) Act 2002) to the list of offences where a

telecommunications intercept warrant may be sought.

The Act has two main objectives, first of which is to provide users of the Australian

telecommunications services with privacy and the other contrasting albeit legal aspect

of allowing for certain lawful interception under the auspices of a warrant where

certain listed offences are deemed necessary to investigate,

Section seven of the Telecommunications Interception Act prohibits interception of a

communication passing over a telecommunications system with certain exceptions

one of which is that a warrant has been issued to allow for such interception. It is to

be noted that such warrants are usually only provided to allow certain state law

enforcement agencies the right to intercept. It is also to be noted under this regime

that Law enforcement agencies are not permitted to access the content of messages

(such as email, voice mail, SMS, etc) that are temporarily stored on a

telecommunications service provider's equipment during transit, unless they have

obtained an interception warrant.

After a message has been delivered to the intended recipient (i.e. has completed its

passage over the telecommunications system) law enforcement agencies can lawfully

access the content of the message with a search or seizure warrant. Such a warrant

may cover the recipient's equipment (e.g. computer containing downloaded email) or

the service provider's equipment when a copy of the message remains on their

equipment.

47

Certain safegauards to ensure interception is not abused have been placed into the Act

this can be illustrated where the Australian police and National crime authority are to

mainatain a record of intercepted messages

3.5 Lawful Interception requirements of Communications service providers

Co-operation is required between law enforcement agencies and communication

providers. The dilemma for the communications service providers however is the

balance between customer confidentiality and the assistance in the curbing and

detection of criminal activity.

Lawful Intercept places a number of duties on communications service providers,

indeed a number of articles have been published relating to objection by such

communications service providers of added cost and system usage which may hamper

an already decreasing client base due to over saturated markets.

In providing this assistance to agencies that have been granted the right to intercept

communications, the communications service providers role begins with its obligation

to maintain an intercept capability as may be required by the Secretary of State126this

is further backed up by the RIP (Maintenance of Interception Capability) Order 2002

which lays interception obligations upon communications service providers who

provide a public telecommunications service to more than 10,000 persons in any one

or more parts of the United Kingdom127.

An explanation of these obligations can be seen in the following:

126 Secti

interception.pdf

Documents

Transcript of interception.pdf