Title:
Striking a Balance between Data Protection and Lawful
Interception in the Provision of Communications Services
Franklin F Akinsuyi (LL.B, MSc, LLM)
March 2004
Copyright
Table Of Contents
1. Introduction
1.1 Methodology
2. Data Protection and Communications:
2.1 Nature of the problem
2.1.2 What is Personal Data?
2.1.3 What is data protection?
2.1.4 Why do we need data protection?
2.2 Data Protection Legislation:
2.2.1 EU Data Protection Principles
2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC):
2.2.2.1 Security Measures
2.2.2.2 Confidentiality of Communications
2.2.2.3 Caller and Called Line Identification
2.2.2.5 Emergency and Nuisance Calls
2.3 United States and privacy of communication
2.3.1 Privacy of Communication Laws In The United States
2.3.1.1 The Telecommunications Act 1996
2.3.1.2 The Location of Privacy Protection Act of 2001
2.3.1.3 Spyware Control and Privacy Protection Act 2001
3. Law enforcement and privacy of communications
3.1 Why Lawful Interception?
3.3 What is intercepted under lawful Interception?
3.4.1 Lawful Interception Laws in the United Kingdom
3.4.2 Lawful Interception in the United States
3.4.3 Lawful Interception in Australia
3.5 Lawful Interception requirements of Communications service providers
3.7 Data Retention
3.7.1 Impact of Data Retention Laws on Communications Service Providers
3.8 Conclusion
4 Information security and communications
4.1 What is information security?
4.1.1 Why Information Security?
5 Concluding
Bibliography
1. Introduction
Within the last 10 years the manner in which telecommunications is used has changed
vastly since the introduction of liberalisation and competition measures.
Liberalisation has led to more players in the telecommunications arena in all areas of
the sector.
Indeed the mobile phone market is an example of the shift in the major provision of
telecommunications services from former state owned institutions to private
organisations, while the Internet has spawned new service providers to the
communications industry such as Internet Service Providers.
The introduction of these services and enterprises has led to the amendment and
introduction of new legislation to regulate the manner by which these
communications service providers operate. The objective of a number of these
legislations is to protect the privacy and maintain the confidentiality of the
subscribers' communication and information when they use these systems to
communicate.
While it is to be noted that privacy of communications legislations are to ensure that
privacy and confidentiality of communications is maintained, it is to be observed that
telecommunication systems are used by criminals and terrorists to transmit
information about their activities. In certain instances these communications may be
the only source for proving that individuals are involved in activities that are criminal
or which threaten national security.
For instance in an investigation on insider dealing, almost the entire case rested on the
date and time of telephone calls made between various defendants. Telephone records
were obtained from business and home telephone numbers with the brokerage firm
providing details of incoming and outgoing calls to clients1.
As such it has become necessary for legislation to be introduced to permit law
enforcement agencies to access the communications of individuals in the fight against
terrorist and serious criminal activities.
The purpose of this essay is to highlight how the conflicting issues of privacy of
communications and interception of communications affect communications service
providers2 in their efforts to provide confidential services on the one hand and law
enforcement agencies' fight against crime and terrorism on the other.
1.1 Methodology
The first phase of the essay will take the shape of analysing the concept of data
protection and privacy with a view to analysing how legislation in this area affects
communication services providers' operations and their handling of personal data.
The next phase of the essay will look at legislation relating to lawful interception and
data retention with a view to looking at the circumstances in which the balance of
maintaining privacy of communications data on the part of the communications provider
interacts with law enforcement agencies' requirements relating to data retention
and lawful interception.
The third phase will look at the issue of information security highlighting the effects
data protection and data retention legislations have on how communications service
providers implement information security measures when dealing with data retention
and lawful interception.
1 See Tackling Insider Dealing p13 Home Office Consultation Paper: Access To Communications Data Respecting Privacy and Protecting the Public From Crime March 2003
2 Communications service provider in this essay includes Telecommunications Operators, Telephone Service Providers, Internet service providers, Mobile Phone Operators, Communications Network Operators
The final phase of the essay will consist of conclusions and recommendations.
From a geographic perspective while telecommunications issues are a global
phenomenon, this essay will focus mainly on how these concepts influence
communications service providers in Europe and the United States.
2. Data Protection and Communications:
2.1 Nature of the problem
The telecommunications industry has seen a large uptake in the manner in which
people have been subscribing to the services that are being offered. Indeed this can be
seen with the radical changes from the previously limited fixed line services in the
earlier years to the introduction of the mobile telephone. The advent of the Internet
along with the integration of voice, video, data and communications via a single
stream3 has led to cheaper and faster ways of communicating. New services rendered
by mobile phone companies, with the introduction of 2.5 and 3rd generation mobile
phone networks, have made it possible for subscribers to send pictures to
each other using these services.
Coupled with this technological development in communications is the requirement
to ensure the privacy of an individual's data in line with current legislations when
these technologies are being utilised.
3 Also called convergence
The problem is that technology makes it much easier to infringe upon the rights of
individuals especially with regards to their personal data. Numerous organisations4
have identified this situation and have for years been championing the call for greater
awareness to make sure that the individual's fundamental human rights are not
infringed.
It is a well-known fact that convergence of these technologies makes it easier for
marketing companies to process data to profile people. Likewise it can be argued that
it is also possible for criminals to easily gather information about others in order
to forge identities5 in their quest to commit crimes.
In recognition of the risks that can accrue to an individual, privacy laws have been
enacted to define what constitutes legal and illegal activity when it comes to the
protection of an individual's data whilst it is being transmitted over
telecommunication streams.
2.1.2 What is Personal Data?
The UK Data Protection Act6 identifies personal data as follows: data that relates to a
living individual who can be identified from such data, or from such data and other
information which is in the possession of, or is likely to come into the possession of,
the data controller7 and includes any expression of opinion about the individual and
any indication of the intentions of the data controller or any other person in respect
of the individual8.
4 For example Electronic Privacy Information Centre www.epic.org and Electronic Frontier Foundation www.eff.org
5 See Internet fraud watch www.fraud.org and Internet fraud centre www1.ifccfbi.gov
6 Data Protection Act 1998
7 Person entitled to hold data about individuals
8 Section 1(1) Data Protection Act 1998
It must be stated here that personal data does not just relate to text, but can also relate
to a CCTV9 image10.
2.1.3 What is data protection?
Data protection involves the implementation of administrative, technical or physical
measures to guard against unauthorised access to such data.
It stems from legislative requirements such as the European Convention for the
Protection of Human Rights and Freedoms11 and has, with the advancement in
automated processing of data, been influenced by new legislations ranging from Directive
1995/46/E.C on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (hereinafter referred to as the
Data Protection Directive12) to the privacy and electronic commerce directive13. It
involves the protection of personal data, which covers both facts and opinions about
an individual.
An instance of privacy legislation can be illustrated with the European Convention on
Human Rights, which provides for the right of respect to private and family life14. It
further provides that there shall be no interference by a public authority with the
exercise of this right except such as in accordance with the law and as is necessary in
a democratic society in the interests of national security, public safety or the economic
well being of the country, for the prevention of disorder or crime, for the protection of
health or morals or for the protection of the rights and freedoms of others15.
9 Data Protection Act identifies data as information that is processed by means of equipment operating automatically in response to instructions given for that purpose and is recorded with the intention that it should be processed by means of such equipment.
10 See also CCTV Looking out for you Home Office publication November 1994
11 Article 8 (1) Convention for the Protection of Human Rights and Fundamental Freedoms as Amended by Protocol No 11
12 Directive 1995/46/E.C. [1995] O.J. L281/31
13 Directive 2002/58/E.C OJ L 201/37
14 Article 8 (1) European Convention On Human Rights
This has implications for how information relating to individuals is kept, processed
and transmitted, especially since misuse can lead to a breach of the aforementioned
right.
2.1.4 Why do we need data protection?
The development of technology has led to more convenient methods of carrying out
daily routines; indeed, many activities which in the past required physical presence
before a purchase could be made of a product now only need the supply of personal
details. The downside of this is that while it has led to faster means of
communicating and development of business, there is, especially with the advent of
the Internet, a rise in identity theft16. Also, with the proliferation of business activity,
a number of organisations have sprung up which have identified the fact that
information about a person can be of value to other organisations.
This has led to a number of underhanded means of collecting personal information in
what appear to be promotional information leaflets only for this information to be
collated and then sold to marketing companies. It is this type of activity that has led to
the call for and development of data protection laws leading to stiff penalties for
organisations that breach them. Indeed, under the UK 1998 Data Protection Act it is
an offence for a person, knowingly or recklessly, without the consent of the data
controller, to obtain personal data17.
15 Article 8 (2) European Convention On Human Rights
16 For the purpose of this essay Identity theft occurs when a person or group of people obtain and use someone else's name, credit card number, social security number or other personal information without that person's consent with the intent of using such information to commit fraud or other crime
To buttress this point further an individual named Alistair Fraser, trading as Solent
Credit Control18, recently pleaded guilty to offences of unlawfully obtaining and
selling personal information in breach of the Data Protection Act 1998. Mr Fraser had
obtained the personal information of certain individuals by deception from the
Department for Work and Pensions. He then sold the information to third parties. He
was found guilty and fined. A feature of this case is the fact that it was brought to
court by the Information Commissioner, thus showing that the Commissioner is
prepared to use enforcement powers to combat and discover agencies that illegally
obtain and sell personal information19.
In the United States organisations that breach the provisions of data protection
legislations relating to privacy of information are severely punished on conviction, as
can be illustrated by the recent case of United States of America (for the Federal Trade
Commission) v. Hershey Foods Corporation20. In this case, Mrs. Fields Cookies and
Hershey Foods Corporation each agreed to settle Federal Trade Commission charges
that their Web sites violated the Children's Online Privacy Protection Act (COPPA)21
Rule by collecting personal information from children without first obtaining the
proper parental consent. Mrs. Fields are to pay civil penalties of $100,000 while
Hershey will pay civil penalties of $85,000. The separate settlements also bar the
companies from violating the Rule in the future and represent the biggest COPPA
penalties awarded to date. The COPPA Rule applies to operators of commercial Web
sites and online services directed to children under the age of 13 and to general
audience Web sites and online services that knowingly collect personal information
from children under 13. Amongst other things, the Rule requires that Web site
operators obtain verifiable consent from a parent or guardian before they collect
personal information from children22.
17 Section 55 (1&3) Data Protection Act 1998
18 See www.csa-uk.com/news-facts-press_index/newsletters/autumn202002.pdf page2
19 Section 60 (1) Data Protection Act 1998
20 See www.ftc.gov/opa/2003/02/hersheyfield.htm
21 15 U.S.C 6501-6505
2.2 Data Protection Legislation:
In this section I will be analysing the various legislations relating to data protection
taking into account data protection in the European Union and the United States with
a view to looking at the different ways in which they have been implemented.
Following that an analysis of the impact they have on telecommunications will be
carried out.
National data protection laws have developed as electronic commerce has boomed.
Indeed, with more coverage being given in the media relating to infringement of
privacy, it is no wonder that countries have been more active in ensuring people know
what their rights are in relation to these issues and also that data controllers23 ensure
data under their custody is processed in line with data protection legislations.
The European Union has developed a Framework for Data protection; this can be seen
in the Data Protection Directive and the Privacy and Electronic Communications
Directive24.
In the United States data protection legislations generally target discrete information
processing activities with the most important legislative protections for information
privacy emphasising restraint on the government and certain commercial industries.25
22 U.S.C 6502 b (1) A ii
23 A person who alone or jointly with others determines the purpose for which and manner in which personal data is to be processed Section 1(1) Data Protection Act 1998
24 Directive 2002/58/E.C OJ L 201/37 this Directive replaces Directive 1997/66/E.C [1998] O.J L24/1
The Data Protection Directive embodies human rights principles and it is from here
that we see how the fundamental human rights provision is incorporated
by reference into the Data Protection Directive, which in turn has to be implemented
by member states. This is how the human right privacy principle is integrated into
national law. This is the difference between the origins and objectives of privacy in
Europe and the United States of America.
2.2.1 EU Data Protection Principles
Data protection laws provide protection of the individual with regards to their
personal data; however, the question is how does one ensure from the outset that
personal data is collected, processed and transferred legitimately?
Data protection laws have basic principles that need to be adhered to. Indeed if one
analyses for example the European Union Data Protection Directive one will notice
that there are a number of principles that form parts of the body of data protection
legislations worldwide.
These principles can be summarised as follows:
- Personal data shall be processed fairly and lawfully26 (see below for more on lawful processing). Lawful processing is explained in Article 7 of the Directive which stipulates what constitutes legitimate processing of data.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes27.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed28.
- Personal data shall be accurate and, where necessary, kept up to date29.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes30.
- Data subjects are afforded rights of access to their data31.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data32.
25 See Resolving Conflicting International Data Privacy Rules in Cyberspace, Joel R Reidenberg, 52 Stanford Law Review 1315 (May 2000)
26 Article 6(1a) Data Protection Directive 95/46/EC
27 Article 6(1b)
28 Article 6(1c)
29 Article 6(1d)
30 Article 6(1e)
31 Article 12
32 Article 17
While the above constitute the basic tenets of data protection, it must be mentioned
that there are other issues that must be observed in protecting data when it is being
processed. Article 7 of the Directive stipulates what constitutes lawful processing of
data and it specifies that personal data may be processed only where:
- the data subject has unambiguously given his consent33; for sensitive data, which includes information relating to race, political opinions, religious or philosophical belief, health or sex life, trade union membership, there must be explicit consent34
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract35
- processing is necessary for compliance with a legal obligation to which the controller is subject36
- processing is necessary in order to protect the vital interests of the data subject37
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed38
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1).39 40
33 Article 7 (a) Data Protection Directive 95/46/EC
34 Article 8(1)
35 Article 7 (b)
36 Article 7 (c)
37 Article 7 (d)
38 Article 7 (e)
39 Article 7 (f)
40 Article 1(1) states: "In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data."
These principles indicate that the data may only be used in accordance with the
purpose for which it has been obtained from the data subject. This would thus
mean that where, for example, data is collected for the opening of an online
banking account, it should be used solely for what it was originally intended.
The data supplied should not be allowed to be used by the same company to market
different products to the data subject or indeed to sell the information to a third
party organisation without the consent of the data subject. It is only after
receiving consent that one can market other products to the person in question.
2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC)41:
This directive repeals the Telecommunications Data Protection Directive (97/66/EC)
and lays certain obligations on telecommunications companies and service providers.
The main aim of this directive is to harmonise the provisions of Member States' laws
in relation to electronic communications to ensure an equivalent level of protection of
fundamental rights and freedoms, particularly the right to privacy, processing of
personal data in the electronic communication sector and to ensure the free movement
of such data and of electronic communication equipment and services in the
community42. One of the new developments of this Directive is that it extends
controls on unsolicited direct marketing to all forms of electronic communications
including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile
telephones.
It is to be noted that the Directive applies to the processing of personal data in
connection with the provision of publicly available electronic communications
services43 in public communications networks44 in the Community.
41 Directive 2002/58/E.C OJ L 201/37
42 Article 1 Directive on Privacy and Electronic Communications
43 According to European law, electronic communications service means a service normally provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks used for broadcasting, but excludes services providing, or exercising editorial control over, content transmitted using electronic communications networks and services. Article 2 (c) Directive 2002/21/EC
44 According to European law, public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. Article 2 (d) Directive 2002/21/EC
An analysis of the salient points reveals the following in the Directive's aims in
ensuring fundamental human rights and freedoms particularly the right to privacy for
subscribers of electronic communications:
2.2.2.1 Security Measures
The directive provides that communication service providers should adopt adequate
security measures both from a technical and organisational point of view that are
commensurate with the risks that can accrue. With the spate of recent high profile
security breaches that have occurred it is paramount that telecommunications
providers implement adequate logical and physical security measures to ensure data
under their control is safe from unauthorised access, which may lead to loss of
privacy. It goes further to provide that users should be made aware of risks that are
beyond the control of the service provider45.
While the Directive does not detail the technical measures Member States are to
adhere to in order to ensure they are complying with the provisions of this Article, it
must be pointed out that countries provide legislation on what measures to take in the
event that information security is breached or what actions to take on individuals who
breach systems. For instance, in the United Kingdom, section 1 of the Computer
Misuse Act46 makes unauthorised access to systems an offence. Also the OECD has
provided guidelines on how communication service providers can implement
information security on their networks47. Other measures that may be used to ensure
information security measures are adequate include adopting standards such as ISO
17799 Code of practice for information security management48 and ISO 15408
common criteria for information technology security.49 Adopting or following these
guides can provide for appropriate security on communication networks.
45 Article 4 (1&2) Directive on Privacy and Electronic Communications
46 Computer Misuse Act 1990
47 OECD Guidelines for the security of information systems and networks see www.oecd.org/dataoecd/59/0/1946946.pdf
2.2.2.1.1 Impact on Communications Service Providers
The effect this legislation has on communications service providers is that it
obliges them to notify subscribers of threats that cannot be prevented by the
communications provider. This legislation recognises the fact that organisations have
in the past been quiet about potential and actual information security breaches. The
wording can thus be interpreted to mean that a positive action must be carried out by
the service provider to warn subscribers of the threat that may accrue to their personal
information.
Note: information security as a whole will be discussed in more detail in a further
section of this essay.
2.2.2.2 Confidentiality of Communications
In its attempt to maintain privacy of personal information, the directive requires
service providers to ensure confidentiality of communications. This, the directive
states, can be attained by making sure that communications over public
telecommunications lines are free from interception and tapping save in the instance
of lawful interception50. The article also provides that where communication networks
are used in the processing of data, the data subject shall be informed why this is being
carried out. The data subject has a right to refuse such processing51.
48 See www.bsi.org.uk
49 http://csrc.nist.gov/cc/ccv20/ccv2list.htm
50 Article 5 (1)
There has been a great debate relating to the use of cookies52 and the fact that they can
invade the rights of users' communications. The Directive, in recognising this fact and
in an attempt to curb their intrusion on subscribers' communications, provides in article
5 (3) that they can only be used if the subscriber or user is made aware in clear and
comprehensive terms about how information gathered will be processed. The problem
however with this legislation is the fact that cookies operate in the background
without giving off any warnings that they are operating, making them hard to detect.
This makes it difficult to identify organisations that flout this law. Also, since there
are no sanctions placed on organisations that breach such confidentiality of
communications requirements, this aspect of the article cannot be said to be adequate
in the fight to keep communications confidential.
2.2.2.2.1 Impact on Communications Service Providers
It should be noted here that most browsers have in the properties tab an option to
configure cookies. As such I am of the opinion that since all users have the ability to
accept or deny cookies at their fingertips, legislation is not the most appropriate
means of dealing with this particular issue. Rather, communications service providers
need to advertise and educate their subscribers about this functionality. While it may cost
them money, it is an easier means of ensuring confidentiality and will be more
effective than legislation.
51 Article 5 (2)
52 Cookies are programs that are used to track users' preferences when they visit a website. They can be stored on one's hard drive without the user's consent or knowledge.
2.2.2.3 Caller and Called Line Identification
It is to be noted that an individual's telephone number is personal data going by the
meaning given to data protection legislation.
In order to protect this, the directive further provides privacy rules in relation to caller
and connected line identification. Here the directive states that subscribers must be
given the possibility of withholding the identification of their telephone
numbers when making a call along with being able to reject incoming calls where the
incoming caller has refused to show their number53. It must be mentioned here
however that while the Directive provides that caller and called line identification
should adopt some privacy measures, these services are not mandatory. Where the
implementation of these services may invoke either an undue cost burden on the
service provider or in situations that make the provision of the service technically
impossible, that provider must ensure this is made known to relevant parties in the
member state.
It should also be mentioned that there are certain instances where it may be justifiable
to override the elimination of calling line identification. These situations can arise for
example where certain subscribers such as those that provide help lines have an
interest in guaranteeing the anonymity of their clients. In these scenarios, it is
paramount to protect the rights and interests of the party to withhold the presentation
of the identification of the line to which the calling party is connected.
It is to be noted however that the provisions of this article may not be applicable
where for instance the calls are made from some international networks that do not
provide the same sort of offerings to their subscribers or where they do not have the
same levels of data protection laws as the European Economic Area54.
53 Article 8
2.2.2.3.1 Impact on Communications Service Providers
It is to be noted that when there is a failure of the communications network to block
caller line identification facilities such that a subscriber's privacy is breached, the
customer is entitled to have their privacy restored, at no extra cost, by their telephone
company in the form of the allocation of a new phone number[55]. In the UK this
provision is implemented by sections 10 and 11 of the Privacy and Electronic
Communications (EC Directive) Regulations 2003[56].
2.2.2.4 Location Data Restrictions
Where the repealed telecommunications privacy directive only related to calls in
circuit switched connections such as is found in traditional voice telephony, the new
directive covers all kinds of traffic data as generated by users of mobile
communication devices.
Location data is a valuable tool that can be used in the mobile phone sector to identify
the location of an individual[57]. Its use can be illustrated by the Danielle Jones case:
in the hunt for a missing child in the UK, it was identified that calls purportedly from the
girl's phone to her uncle (later convicted for her murder) were in fact being made by
her uncle from one location[58].
[54] Guidelines for Customer Line Identification Displays Services and other related Services over Electronic communications networks, available at www.oftel.go.uk/ind_groups/cli_group/docs/guidelines0902.pdf
[55] See European Guidelines for Calling line Identification, available at www.europa.eu.int/ispo/infosec/telcompolicy/en/guidelines.pdf
[56] The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on 11th December 2003.
[57] See Location Data is as sensitive as content data, Alberto Escuardo Pascual, Royal Institute of Technology, 22nd November 2001, available at www.it.kth.se/~aep/publications/EU-forum/20011127/EU-forum-locationdata.pdf
The directive, in recognising the importance of location data, provides that location
data can be processed only if it is made anonymous or with the consent of the
subscriber for a value added service, but only for the duration that is necessary for the
processing[59]. The subscriber must also be given the possibility to temporarily refuse
such processing of location data information[60].
It is to be noted however that the directive does not state that technology should be
used to enforce the requirement to keep location data private and confidential, given
the fact that it can be used to track an individual's movements.
2.2.2.5 Emergency and Nuisance Calls
An exception to the privacy of caller line and location data is provided for in article
10 where the elimination of calling line identification and location data is sanctioned
to trace nuisance calls and in relation to location data for it to be revealed on a
temporary basis only to emergency services.
This article basically allows member states to allow for the restriction of a user's or
subscriber's right to privacy in relation to calling line identification where for instance
there is a complaint that someone is persistently calling someone else's number and
either keeps silent or hurls profanity at the person whose line is being called. In these
situations it may become necessary to trace where these calls are originating from.
[58] See bbc.news.co.uk/2/low/technology/2593653.stm
[59] Article 9 Directive on Privacy and Electronic Communications
[60] Article 9(2)
2.2.2.5.1 Impact on Communications Service Providers
The process of carrying out the above is that it will entitle providers of electronic
communications services to provide access to the calling line identification data and
also the location data without the knowledge or consent of the calling party
constituting the nuisance.
The advantage of this legislation is that it caters for and takes into account the
possibility of abuse of the privilege of calling line privacy.
It also takes into account the fact that there will be situations where being able to
locate a person in distress in due time may be the difference between life and death
and in such situations the right to privacy will be overlooked.
2.2.2.6 SPAM
Unsolicited mail (also known as Spam) has become a major problem: it causes loss of
work productivity through time wasted in deleting it and is also an invasion of privacy.
The directive, in recognising the harmful effects of Spam, provides that there shall be
no automated communication using electronic mail or faxes for the purpose of direct
marketing without the consent of the data owner[61]. The purpose of the directive in
relation to SPAM is to make sure that EU member states strengthen data protection
measures in relation to SPAM. The EU legislation supports the opt-in[62] rather than the
opt-out[63] approach.
The problem with this piece of legislation however is the fact that due to the nature of
the Internet it may be difficult to prosecute those that habitually send such unsolicited
mail. This is not only because those that send such unsolicited mail over
the Internet can take advantage of the ease with which one can set up an Internet
infrastructure for a temporary period of time before shutting it down and setting up a
similar site when they have suspicions that they are being investigated or if they are
indeed shut down, but also because it is a well known fact that many of the top 50
Spammers originate from America, such that while the legislation may direct
marketers in Europe, those that send unsolicited mail from America will be out of the
jurisdiction of the legislation. Indeed in response to this provision, the Direct
Marketing Association[64] has raised concerns that this could penalise small companies
that rely heavily on direct marketing but not protect the consumer from spam email
that originates outside of the EU.
[61] Article 13 Directive on Privacy and Electronic Communications
[62] In an opt-in regime, the consumer must affirmatively give permission to be sent information about new products or sales, or to share the consumer's information with other companies in a business relationship with the company where that consumer has an opt-in agreement. Generally, a consumer must click on web site boxes or send an e-mail request to the company, or its affiliates, in order to authorise consumer e-mail.
[63] In an opt-out regime, the privacy policy will indicate that the consumer is presumed to want information about sales or new products, which will be sent unless the consumer "opts out" of receiving such.
2.2.2.6.1 Impact on Communications Service Providers
Not only is SPAM a problem for users, it also affects communications service
providers. Because a single SPAM message can be sent to millions of
email addresses at once, not only does it have the capability to take up
communications service providers' bandwidth[65], it can also have a negative impact on
the availability of the service, especially when such SPAM is infected with a virus.
Another impact it has on communications service providers is that it can tie up
staffing resources, in the sense that when a new SPAM message is discovered the tools
used to detect them may need to be reconfigured by technical staff. Communications
service providers now deploy filtering tools which have the ability to block SPAM
either by use of Boolean syntax or blocking of the IP address of the sender of the
email. They also need to include in their acceptable use policies statements that
SPAM will not be tolerated and that subscribers who send SPAM may have their
service terminated. All these measures add to the cost of providing services to
subscribers, which in turn can eat into profit margins.
[64] /www.the-dma.org/
[65] The amount of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits per second (bps) or bytes per second. For analog devices, the bandwidth is expressed in cycles per second, or Hertz (Hz).
2.2.2.7 National Security
There are certain situations that may lead to events that make safeguarding privacy of
communications a secondary issue. Such situations are where national security is at
risk and where criminal investigations are being carried out. Where these are
determined to be taking place, law enforcement agencies may, having obtained
permission from the appropriate bodies, breach the data subject's right to privacy of
communications in their investigations of such events. It is to be noted that the
legislation also allows for data to be retained for limited periods of time during the
investigation of such situations[66].
2.2.2.7.1 Impact on Communications Service Providers
The duty to safeguard national security issues affects communications service
providers due to the fact that the requirement for the retention and retrieval of data
can be costly not only because it may necessitate the deployment of a whole range of
new systems but also because it will mean that staff will need to be retrained. This can
have an enormous effect on the margins of small communications service providers
who may not have the resources to either buy the required systems or employ
appropriate staff.
Note: national security and cost issues will be looked at in further detail in this essay in
discussions relating to data retention and lawful interception of communications.
[66] Article 15 (2) Directive on Privacy and Electronic Communications
2.3 United States and privacy of communication
In the United States privacy legislation does not stem from a central law such as the
Data Protection Directives in Europe; rather one finds sectoral laws, which affect
certain sectors and industries. The United States has taken a sectoral approach to
privacy regulation so that records held by third parties, such as consumer marketing
profiles or telephone calling records, are generally not protected unless a legislature
has enacted a specific law[67]. Due to this state of affairs the European Union still
regards its data protection regime as one that requires special provisions such as the
Safe harbour rule[68] when it comes to the transfer of data from EU member states to
the United States.
In relation to privacy of communications, issues relating to Internet privacy have
become prominent. A number of organisations such as eBay.com, Amazon.com and
Yahoo.com have either changed users' privacy settings or have changed privacy
policies to the detriment of users[69]. Other organisations such as Microsoft and Intel
were discovered to have released products that covertly track the activities of Internet
users[70]. Significant controversy has arisen over online profiling, the practice of
advertising companies to track Internet users and compile profiles on them in order to
target banner advertisements. The largest of these advertisers, DoubleClick, ignited
widespread public outrage when it began attaching personal information from a
marketing firm it purchased to the estimated 100 million previously anonymous
profiles it had collected[71]. The company backed down due to public opposition, a
dramatic fall in its stock price and investigations from the FTC and several state
attorneys general. In July 2000 the Federal Trade Commission reached an agreement
with the Network Advertisers Initiative, a group consisting of the largest online
advertisers including DoubleClick, which will allow for online profiling and any
future merger of such databases to occur with only the opt-out consent[72].
[67] United States v. Miller, 425 US 435 (1976)
[68] Explained further in this section
[69] Chris J. Hoofnagle, Consumer Privacy In the E-Commerce Marketplace 2002, Third Annual Institute on Privacy Law 1339, Practicing Law Institute G0-00W2 (June 2002), available at http://www.epic.org/epic/staff/hoofnagle/plidraft2002.pdf
[70] See Big Brother Inside Campaign http://www.bigbrotherinside.org
2.3.1 Privacy of Communication Laws In The United States
As has been mentioned, privacy laws in the United States are sectoral.
Communications privacy in the United States can be seen in the following
legislations[73]:
2.3.1.1 The Telecommunications Act 1996[74]
This provides for the restriction of access to, and use of, customer information by
telecommunications companies. It governs the disclosure of customer proprietary
network information[75] and subscriber list information. Its primary aim is to protect the
customer from having their information misused by the telecommunications provider.
[71] See EPIC DoubleClick Pages http://www.epic.org/privacy/doubletrouble/.
[72] For a detailed history and critical analysis of this agreement, see Electronic Privacy Information Center (EPIC) and Junkbusters, "Network Advertising Initiative: Principles not Privacy," July 2000 http://www.epic.org/privacy/internet/NAI_analysis.html.
[73] Note: some of the legislations below are proposed legislations (Bills) and will be indicated as such in the footnotes.
[74] 47 U.S.C 222
[75] Defined as constituting the quantity, technical configuration, type, destination, location and amount of use of telecommunications service subscribed to by any customer of a telecommunications carrier and that is made available to the carrier by the customer, solely by virtue of the customer-carrier relationship. It also includes information contained in bills relating to telephone exchange service or telephone toll service received by a customer of a carrier.
It consists of a number of provisions that are similar to the European Directive on the
processing of personal data and protection of privacy.
Among such provisions is the requirement for telecommunications companies to
ensure the confidentiality of customer proprietary network information. In ensuring
that this is carried out, the Act prohibits the carrier using subscriber information that
has been provided by another carrier for its own marketing purposes[76].
The Act also provides that telecommunications carriers that receive customer
information can only use, disclose or permit access to that information in the
provision of the telecommunications service from which the information was
obtained.
2.3.1.2 The Location of Privacy Protection Act of 2001[77]
This contains specific provisions in relation to keeping the privacy of location data of
customers. It requires wireless technology providers to notify customers regarding the
providers' policies in relation to collecting call location data.
It also requires the providers to obtain the customer's prior consent before either
selling or disclosing such information[78].
[76] 47 U.S.C 222 (b)
[77] Proposed Legislation: S.1164 Location Privacy Protection Act of 2001, A bill to provide for the enhanced protection of the privacy of location information of users of location-based services and applications, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 7/11/2001 Referred to U.S Senate committee: Senate Commerce, Science, and Transportation.
[78] See section 3 a & b Location Privacy Protection Act 2001
The provisions of this act portray an understanding by those responsible for enacting
this legislation of the abuse and detriment to the customer in the event that location
data is used for purposes other than those for which the customer provided the data.
This is illustrated where the Act prohibits providers of location-based services or
applications from releasing customers' location information for purposes beyond
those for which the customer provides express authorisation[79], and requires them to
ensure the integrity and security of location data.
2.3.1.3 Spyware Control and Privacy Protection Act 2001[80]
This Act can be likened to article 5 (3) of the Directive on Privacy and Electronic
communications. It provides that users of any computer software that has the
capability to collect information about the user's use of the software, or computer to
which that software connects, must obtain prior consent of the user by way of
providing on the first electronic page of the instructions a warning that the software
has the capability to obtain such information. It must also provide the name
and address of the person to whom such information will be sent.
Information that has been collected should be kept confidential except where
disclosure is required by law enforcement agencies granted permission under a court
order to view it.
[79] Section 3 (c) (ii) Location Privacy Protection Act 2001
[80] Proposed Legislation: S197 Spyware Control and Privacy Protection Act of 2001, A bill to provide for the disclosure of the collection of information through computer software, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 1/29/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation.
Violations of this will be treated as a deceptive practice as proscribed by section 18
(a) (1)(B) of the FTC Act 15 U.S.C 57a (a) (1) (B).
An analysis of the European and U.S jurisdictions shows a similar thought process
behind the implementation of laws relating to communications. There is a general
understanding that privacy of the consumer is required.
It can be seen that data protection legislation provides a backdrop against which
individuals can seek redress in the event that their rights are infringed, and it also
allows businesses to understand the limits to which they can go in their processing and
use of personal data.
Law enforcement agencies are also restrained from encroaching on individuals'
privacy; before they can view personal data they need to follow procedures such as
obtaining a warrant and also proving reasons why national security is at stake or that a
serious crime needs to be investigated prior to carrying out surveillance activities.
The question that needs to be answered is whether these laws are effective. Even
though the provisions of privacy laws provide sections in relation to how
communications companies are to devise means by which personal data is processed,
it is difficult to actually determine whether there is full compliance on the part of
these organisations in relation to how they carry this out.
The United Kingdom Information Commissioner has expressed concerns relating to
the enforcement of data protection legislation. He was of the opinion that the
enforcement procedures are not well suited to the electronic commerce environment.
For instance, where a website or service is being provided, that is not compliant with
the laws and they are investigated, nothing stops them from relaunching under a new
name and carrying on the same scam.
It must be mentioned here that even though these legislations have been enacted, there
is still ignorance among data users in relation to what their rights are and when these
have been infringed. According to a UK report, only 42% of the public are aware of
their rights under data protection laws[81].
A way to ensure people are aware of the provisions of data protection legislations
would be the development and dissemination of awareness campaigns that highlight
the importance and effects of these laws.
3. Law enforcement and privacy of communications
While it has been stated that there is a requirement that privacy must be guaranteed
during communications, there are certain instances where law enforcement agencies
are allowed to gain access to communications data without the consent of the data
subject.
These instances occur when law enforcement agencies are investigating serious
criminal activities or activities that may constitute a risk to national security. In the
process of undertaking these investigations, communication service providers will
invariably be asked to allow these law enforcement agencies to either intercept the
data or gather information about the individual's activity from data that has been
retained by their systems in relation to the individual's communication.
[81] See Information Commissioner Annual Report and accounts for the year ending 31 March 2002, HC913
Laws such as The RIP (Maintenance of Interception Capability) Order 2002 in the
UK and The Communications Assistance for Law Enforcement Agencies Act[82]
(hereinafter referred to as CALEA) in the United States are examples of legislations
that force communications service providers to assist law enforcement agencies in
their endeavours to combat such activity.
This aspect of the essay will look at how these laws interact with privacy legislation
showing how they act as a counterbalance to ensure that people do not misuse their
rights to privacy by conducting criminal activity.
Mention has been made in this essay of instances where circumstances such as the
need to combat criminal activity and safeguard national security may lead to data
subjects' rights to privacy of communications being overridden. Actions that make up
the activities in combating crime or detecting activities that may be a threat to national
security include law enforcement agencies intercepting communications as well as
sifting through communications data that may have been retained by communications
service providers.
This section looks at the issue of lawful interception and data retention with a view to
dispelling concerns that they are an infringement on privacy rights and to showing that the
concepts go hand in hand with data privacy in the provision of electronic
communication services. It will also look at the impact these concepts have on
communications service providers.
[82] 47 U.S.C 1001-1010
3.1 Why Lawful Interception?
Interception of a communication in the course of its transmission involves the
modification, interference or the monitoring of the system while the communication is
actually being transmitted[83].
Lawful interception is the terminology used to describe the means by which law
enforcement agencies are authorised to intercept telecommunication sessions as
prescribed by law.
The advancement of technology has led to the need for law enforcement agencies to
curb criminal and terrorist activities. The problem has always been the fact that
criminals have always been able to keep a step ahead of the law in their clandestine
activities. The convergence of communications systems has led to easier, faster and
cheaper means of communicating; this in turn has allowed criminals and terrorists to
take advantage of these systems to communicate with each other or to use
the systems to carry out illegal activities.
The convergence of voice, data and Internet technologies has led to a new type of
communications network. Prior to convergence one mainly dealt with the circuit
switched[84] fixed line telephone networks in relation to lawful interception. However,
with the explosion of the Internet has come the packet switched network[85], which is
being touted as the replacement of the circuit switched network now that convergence
has occurred.
[83] Section 2 Regulation of Investigatory Powers Act 2000
[84] Circuit switched networks are used for phone calls
[85] Packet switched networks handle data which could include voice calls
Recent legislations have been enacted in order for lawful interceptions to be carried
out on systems utilising these new communications technologies. In the UK, The
Regulation of Investigatory Powers Act 2000 replaced the Interception of
Communications Act 1985 to take account of technological advances in
communications and to cater for the growing use of the Internet and electronic mail.
Interception of communications can take place in a number of ways:
Wire Tap: This involves the installation of a transmitting device on a telephone line, for the purpose of intercepting, and usually recording, telephone conversation and telephonic communications.
Location Tracker: This involves using devices to identify, through the telecommunication system, the location of an individual.
Pen registers and trap and trace devices: A pen register records only the numbers of outgoing telephone calls, while a trap and trace device is used to capture the numbers of incoming telephone calls[86].
Below are examples of how communication systems can be intercepted:
Standard Telephones: Standard telephone systems are susceptible to wiretaps. There are many
locations where a wiretap can be placed. For example, microphones in many
older telephone handsets can be replaced with ones that can also transmit to a
remote receiver. Taps can also be placed at the telephone boxes in the
basements of buildings, on the lines outside the house, or on the telephone
pole junction boxes near the target of the surveillance. A once common
technique used by police forces was to remotely monitor calls by having lines
run from a telephone company central office where the local switching
equipment is located to a monitoring station in a government office.
[86] Trap and trace devices are one of the methods used by authorities in the United States to intercept communications
Wireless Communications: The use of wireless telephones has become extremely common. There are also
millions of cellular telephones in use. In developing countries, wireless
communications such as cellular and satellite-based telephones are also
popular as a means to avoid laying new telephone lines in areas that were
previously undeveloped. However, they are easily intercepted and should not
be thought of as giving greater protection from eavesdropping than fixed line
phones.
Cordless telephone communications are especially easy to intercept. Many of
the older models broadcast just above the top range of the AM radio band and
conversations can be easily overheard with any AM radio and can be
intercepted with an inexpensive radio scanner purchased at most electronics
stores for under $100.00 in the United States. The range of interception can
extend to nearly one mile.
Cellular phones have the same problems as cordless. They also broadcast over
airwaves like a radio. Inexpensive scanners are available on the market that
can intercept conversations. In addition, some cellular phones can be
programmed to act as scanners to intercept other calls. There is also equipment
available to law enforcement, which can track and monitor cellular
conversations as they move around a city.
Unencrypted wireless networks are also prone to scanning and intercept
vulnerabilities and can actually be scanned using a Pringles tin[87] as an aerial
with a laptop. If an attacker can sniff[88] the wireless traffic, it is possible to
inject false traffic into a connection; they may then be able to issue commands
on behalf of a legitimate user by injecting traffic and hijacking their victim's
session.
[87] Round aluminium type snack container
Facsimile (fax) Machines: It is also possible to intercept facsimile transmissions. A fax machine is
essentially an inexpensive computer system that uses a well known standard
for sending and receiving files. Commercial devices are widely available that
automatically intercept faxes. In New York City, fax intercept machines were
used as far back as 1990 by local police[89]. It is also possible to intercept faxes
using a computer with specialised software and a fax modem[90].
The intentional interception of communications on public[91] and private[92]
telecommunication systems without lawful authority is an offence[93].
It is to be noted that the offence of interception of private networks was not covered
by the repealed Interception of Communication Act of 1985, as illustrated by
R v Effick[94], where the courts held that the interception of telephone communications
via cordless telephones by the police was not covered by the Interception Act.
Indeed cases such as Halford v United Kingdom[95] provide typical examples of what
can constitute unlawful interception of communications.
[88] Sniffing is the act of using a device to analyse network traffic relating to communication and computer systems
[89] Joseph Fried, Police Filch Faxes to Snare a Gambling Ring, NYT, June 3, 1990 at 33.
[90] Eaves Dropping detecting David Bansar 1995
[91] Section 9(1) Telecommunications Act 1984 defines public communication system as that so defined by the Secretary of State as that authorised by licence via Section 8 of that Act
[92] Any telecommunications system which, not being a public telecommunication system, is attached directly or indirectly to a public telecommunications system and has apparatus comprised in the system located in the United Kingdom for making the attachment to the public communication system: Section 2 (1b) RIPA 2000
[93] Section 1 (1) Regulation of Investigatory Powers Act 2000
[94] R V Effick 1984 Crim LR832, 99
In this case the European Court of Appeal ruled that interception of telephone calls
made on an internal system operated by the police was an infringement of Article 8 of
the European Convention on Human Rights, which provides amongst other rights the
right of respect to one's privacy of correspondence. This right may only be
interfered with by public authorities where the interference is in accordance with the
law[96].
In the United Kingdom, the Regulation of Investigatory Powers Act 2000 also covers
interception of private telecommunication systems[97].
The 2003 Telecommunications Act also makes it an offence for one to disclose the
content of messages or information concerning the use made of services provided[98].
However it is to be noted that there are certain circumstances where interception of
communications will not be illegal; such situations are typically when law
enforcement agencies are given the permission by a higher authority to intercept
certain data communications.
Lawful interception plays a crucial role in helping law enforcement agencies to
combat criminal activity. Indeed, this can be illustrated with the linking of
information about subscriber[99] and billing data in criminal and terrorist activities. To
buttress this point further, in the United States the use of lawful interception led to the
successful conviction of sixty-five people involved in a fraud by defence contractors.
The investigation of this case relied heavily on the interception of telephone calls[100].
[95] 1997 IRLR 471
[96] See Articles 8 (1) and 8(2) European Convention on Human Rights
[97] Section 1(2) RIPA
[98] Section 127 Communications Act 2003
[99] Defined under Article 18 (3) of the Convention on Cyber Crime as any information, contained in the form of computer data or any other form, that is held by a service provider, relating to subscribers of its services.
Lawful interception involves the collaboration between law enforcement agencies and
communication service providers. As such while there are laws dealing with the
procedural and authorisation activities required for law enforcement agencies, so too
are there laws relating to the obligations of telecommunications operators and service
providers.
Lawful interception typically involves three parties, beginning with the law
enforcement agency requesting permission, in the form of a warrant or subpoena[101],
from a higher authority in order to prove to the communications service provider that
it has permission to intercept data that the provider controls.
3.2 The Lawful Interception Process
In the United Kingdom the process of lawful interception typically commences with a
warrant for such interception. This then proceeds with the collection of various forms
of communications, the analysis of the intercepted data, and the preparation, where
sufficient evidence is gathered, for the prosecution of persons whose data have been
intercepted. Warrants in the UK are issued by the Secretary of State where he believes
the issue of such a warrant is in the interest of national security, or is to be used to
prevent or detect crime, or is for the safeguarding of the economic well being of the
country[102].
Warrants issued in relation to interception are valid for three months
initially, but on renewal are valid in the instance of national security for six months,
while those for serious crime are valid for a further three months following each
subsequent renewal[103].
[100] Ill Wind investigation see /www.eff.org/Privacy/Surveillance/CALEA/kallstrom_fbi_clip-dt.testimony
[101] Under the title III authorisations
[102] Sections 5(3) and 7(1) RIPA 2000
In the United States, the Federal electronic surveillance statutes104 provide that a
high-level Department of Justice official must specifically approve the use of any of
these types of electronic surveillance prior to an Assistant United States Attorney
obtaining a court order authorising interception.
In Australia, warrants for lawful interception are granted by judges or nominated
members of the Administrative Appeals Tribunal105.
While it is important to maintain the principles and powers of lawful interception, the
challenge of doing so correctly is tempered by the need to ensure that in carrying it
out human rights and data protection legislation is not infringed.
While the main issue for lawful Interception of communications on public telephone
systems is to identify criminal and terrorist activity, one needs to know exactly what
data can be lawfully intercepted.
3.3 What is intercepted under lawful Interception?
Generally speaking when the right is granted to intercept a communication it will
involve the intercepting of communications data, which embraces the who, when
and where in relation to a communications transmission106.
Communications data in turn can be broken down into the following categories:
Traffic data: This contains information that identifies who the subscriber contacted, their location as well as that of the person they have contacted and what time the contact was made.
Service data: This identifies services used by the subscriber and how long they were used.
Subscriber data: This identifies the user of the service: their name, address and telephone number107.
103 Report of the Interception of communications commissioner 2001
104 Referred to collectively as Title III and codified at 18 U.S.C. 2510,
105 Telecommunications (Interception) and Listening Device Amendment Act 1997
106 See Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003
3.4.1 Lawful Interception Laws in the United Kingdom
Lawful interception in the UK is primarily governed by the Regulation of
Investigatory Powers Act 2000 (RIPA), and the Telecommunications Lawful business
Practice Interception of Communications Regulations 2000108.
RIPA provides for, and regulates, the use of investigative powers by public
authorities109. It updates the law on the interception of communications previously
provided by The Interception of Communications Act 1985 and the Police Act 1997.
It now enables state authorities to intercept communications in line with technological
changes such as the growth of the Internet.
Under the RIPA, the Police, Inland Revenue, Customs and Excise and the security
services may acquire access to communications data via the warrant; however, this
may be extended to other local authorities by order of the Secretary of State, thus
allowing such authorities to lawfully intercept communications data.110
It is to be noted, however, that even though the Act allows for authorities to intercept
data, this does not mean that they can share any information; i.e. information derived
from a lawful intercept warrant used by the police cannot then be shared with the
Inland Revenue.
107 Section 21(4) RIPA 2000
108 SI 2000/2699
109 They are the police as defined in section 81(1) National Criminal Investigations Service, National Crime squad, HMSO Customs and excise, The Inland Revenue, The security service, The Secret Intelligence Service, Government Communications Headquarters
110 Section 25(1g) RIPA 2000
The Lawful Business Practices Regulations allow for the lawful interception of
communications in the course of their transmission by means of a telecommunications
system with or by consent of the system controller under the following conditions:
Monitoring the system to establish the existence of facts or ascertain compliance with regulatory or self regulatory practices or procedures relevant
to the business (this could include but not be limited to ascertaining whether
the business is abiding by its own policies)111
Monitoring quality control and staff training (but not for marketing or market research)112
Prevent or detect crime (including crimes such as fraud as well as infringement of IT related legislation such as the Computer Misuse Act 1990
or the Data Protection Act 1998)113
Investigate or detect unauthorised use of own communications systems (relevant to potential disciplinary action)114
It is to be noted that such interceptions are authorised only if the controller of the
telecommunications system has made all reasonable efforts to inform potential users
that such interceptions may be made.
The importance of this legislation is that it reduces the privacy rights of those who use
private telecommunication systems.
111 Section 3(1) (a) i(aa) Lawful business practices regulation
112 Section 3(1) (a) i(cc)
113 Section 3(1) (a) iii
114 Section 3(1) (a) iv
The police are empowered to obtain evidence in criminal investigations once they
have obtained an order through the consent of a circuit judge. This is illustrated by
the NTL115 case, where the High Court confirmed the rights of the police to require a
telecommunications provider (NTL) to take steps to intercept e-mails addressed to its
customers. It is to be noted that this right was not exercised by powers under RIPA;
rather, the powers were as defined by the Police and Criminal Evidence Act 1984 (PACE),
which allows a police constable to obtain access to excluded material or special
procedure material for the purposes of a criminal investigation.116
Many are concerned that authorities enabled to access communications data under
RIPA might abuse such powers. In an attempt to reduce the abuse of such powers by
authorities, safeguards have been introduced.
These include:
Specifying clearly the persons designated to seek access to communications data
An accreditation scheme for certain individuals with access to communications data
Compliance with RIPA statutory code of practice
Oversight by the Interception of communications commissioner
Sanctions for the abuse of powers granted under RIPA117
115 Neutral Citation number: 2002 EWCH 1585
116 Section 9 Schedule1 Police and Criminal Evidence Act 1984
117 See Safeguards p23 Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003
3.4.2 Lawful Interception in the United States
In the United States interception of communications is illegal unless authorised by
stringent rules that have been designed to protect privacy and allow the investigation
of crime.
There are two basic pieces of Federal legislation: the Electronic Communications Privacy
Act (ECPA)118, which concerns criminal investigations, and the Foreign Intelligence
Surveillance Act (FISA), which concerns intelligence and counter intelligence
operations. (For this part of the essay I will be dealing with ECPA.)
In the United States, wiretap laws, and procedures used by state courts and law
enforcement agencies to implement those laws, are subject to two important
constraints: first, the Fourth Amendment to the United States Constitution, as
incorporated in and made applicable to the states by the Fourteenth Amendment; and
second, the restrictions of the ECPA.
These constraints were codified and made more specific in Title III of the Omnibus
Crime Control and Safe Streets Act of 1969. This Act establishes the substantive and
procedural requirements for federal interception orders and pre-empts less restrictive
state requirements.119 In 1986, Congress updated those requirements by means of the
ECPA, which addressed newer communications technologies such as mobile
telephones and electronic mail. This law provides the statutory framework that
governs the real-time electronic surveillance of the contents of communications.
118 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986).
119 Omnibus Crime Control and Safe Streets Act of 1969, Pub. L. No. 90-351, 82 Stat. 197 (1968)(codified at 18 U.S.C. 2510-2521 (2000)), reprinted in USCCAN 1968 237.
The ECPA broadly prohibits the interceptions of wire, oral and electronic
communications, except where those interceptions comply with the ECPA
requirements.120
These requirements are to ensure that law enforcement officers, in their attempts to
gather evidence of crimes through communications systems, comply with statutes that
protect individual privacy. Where interceptions are made by law enforcement
agencies, the ECPA specifies the authorisation levels of officials who may apply for
an order, the crimes or categories of crimes in connection with which an order may be
sought, the probable cause showing that the applicant must make, and the findings
and minimisation requirements that the order must contain.121 These are stringent
procedures, violations of which may result in the imposition of civil liability actions
on law enforcement officials.
Authorisation of interception of oral or wire communications under the ECPA comes
from the highest judicial officers, namely the Attorney General, Deputy Attorney
General, Associate Attorney General, or any Assistant Attorney General.
For accountability purposes, the ECPA also requires state and federal courts issuing
interception orders to make detailed reports concerning those orders to the
Administrative Office of the United States Courts.122 These reports are a means of
ensuring that there is an audit trail of orders that have been granted.
120 18 U.S.C. 2511.
121 Id. 2516-2518.
122 Id. 2519. Pen registers and trap-and-trace devices also are subject to federal statutory constraint. Id. 3121-27.
In order to ensure privacy is not infringed, state-authorised interceptions may only be
carried out by the investigative or law enforcement officers having responsibility for
the investigation of the offence to which the application is made. An exception to this
rule is that private contractors may be permitted to conduct interceptions, so long as
the contractors' personnel are under the supervision of an investigative or law
enforcement officer authorised to conduct the interception.123
It has to be mentioned however that while there is an argument that the statutory
authority to hire contractors for surveillance duty frees professional law enforcement
personnel from the drudgery of staffing monitoring stations, it complicates the task of
ensuring that persons who conduct surveillance are experienced and properly trained
in the intricacies of executing an electronic surveillance order124. It also creates
opportunity for the infringement of privacy in the sense that contractors may not have
the same duty of care that law enforcement officers have when dealing with
intercepted data. Also it creates an opportunity to dismiss the accuracy and integrity
of the analysis of the data.
The Uniting and Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act (hereinafter referred to as the PATRIOT Act)
was enacted in 2001125. This Act increases the government's ability to monitor
communications, including e-mail and mobile phone conversations, and provides for
agencies to share such information. Its aim is to provide law enforcement agencies
with the appropriate tools to prevent terrorism.
123 Id. 2518(5).
124 Focus Paper of Charles H. Kennedy Presented at 2002 Enforcing Privacy Rights symposium
125 The USA PATRIOT Act is not a stand-alone Act. It amends over 15 Federal Statutes visit: www.llrx.com/features/libraryrecords.htm
The PATRIOT Act, however, goes a step further than the ECPA in relation to interception
in that it grants law enforcement agencies the power to access ISP networks without a
warrant to track activities.
Section 216 of the Act significantly increases law enforcement authority to use trap
and trace and pen register devices.
There is no doubt that national security interests must be safeguarded; however, this
Act does go beyond the scope of previous legislation that safeguards personal
information from government intrusion. Indeed, the fact that it allows law enforcement
agencies to access communications data without a warrant raises an eyebrow as to
whether we have seen the right to privacy of communications being revoked in the
United States. Under ECPA certain procedures needed to be followed; under the
PATRIOT Act, a warrant is not required to track activities and government
departments can share data. This state of affairs is definitely an encroachment on
rights to privacy of communications.
3.4.3 Lawful Interception in Australia
In Australia, lawful interception of communications is governed by the
Telecommunications Interception Act 1979, which has been amended recently by the
Telecommunications Interception Legislation Amendment Act 2002.
This amends the Telecommunications (Interception) Act 1979 to add child
pornography, serious arson offences and offences involving acts of terrorism (newly
created offences under the Commonwealth Criminal Code introduced by the Security
Legislation Amendment (Terrorism) Act 2002) to the list of offences where a
telecommunications intercept warrant may be sought.
The Act has two main objectives: the first is to provide users of the Australian
telecommunications services with privacy; the other, contrasting albeit legal, objective
is to allow for certain lawful interception under the auspices of a warrant where
the investigation of certain listed offences is deemed necessary.
Section seven of the Telecommunications Interception Act prohibits interception of a
communication passing over a telecommunications system, with certain exceptions,
one of which is that a warrant has been issued to allow for such interception. It is to
be noted that such warrants are usually only provided to allow certain state law
enforcement agencies the right to intercept. It is also to be noted under this regime
that law enforcement agencies are not permitted to access the content of messages
(such as email, voice mail, SMS, etc.) that are temporarily stored on a
telecommunications service provider's equipment during transit, unless they have
obtained an interception warrant.
After a message has been delivered to the intended recipient (i.e. has completed its
passage over the telecommunications system) law enforcement agencies can lawfully
access the content of the message with a search or seizure warrant. Such a warrant
may cover the recipient's equipment (e.g. computer containing downloaded email) or
the service provider's equipment when a copy of the message remains on their
equipment.
Certain safeguards to ensure interception is not abused have been placed into the Act;
this can be illustrated by the requirement that the Australian police and National
Crime Authority are to maintain a record of intercepted messages.
3.5 Lawful Interception requirements of Communications service providers
Co-operation is required between law enforcement agencies and communication
providers. The dilemma for the communications service providers however is the
balance between customer confidentiality and the assistance in the curbing and
detection of criminal activity.
Lawful Intercept places a number of duties on communications service providers;
indeed, a number of articles have been published relating to objections by such
communications service providers to added cost and system usage, which may hamper
an already decreasing client base due to over-saturated markets.
In providing this assistance to agencies that have been granted the right to intercept
communications, the communications service provider's role begins with its obligation
to maintain an intercept capability as may be required by the Secretary of State126; this
is further backed up by the RIP (Maintenance of Interception Capability) Order 2002,
which lays interception obligations upon communications service providers who
provide a public telecommunications service to more than 10,000 persons in any one
or more parts of the United Kingdom127.
An explanation of these obligations can be seen in the following:
126 Secti