RIPA and Surveillance on Social Networking

Sites

Micheál O’ FloinnLecturer in Cyber-Security Law

30th January 2014

2

Consider the suitability of the Regulation of Investigatory Powers Act 2000 for regulating Social Networking Site surveillance.

Purpose of today

3

The range of Social Media Apps and Sites

4

Facebook

•1.19 billion MAUs

•728 million daily users (24 million in UK)

•Average time spent on Facebook per month: 8.3 hours

•Average number of Facebook friends: 130

5

Jose Rodrigo Arechiga-Gamboa: aka El Chino Anthrax

And the temptation is there for all…

6

SNS as an Information Society Service:• Electronic Commerce Directive (2000/31/EC).

Recital 17 :

“this definition covers any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data, and at the individual request of a recipient of a service...”

SNS as an Electronic Communication Service (ECS)?• Framework Directive 2002/21/EC, Article 2(c):

“electronic communications service means a service normally � �provided for remuneration which consists wholly or mainly in the conveyance of signals on electronic communications networks...”

Regulatory Definition of SNS Providers

7

• A ‘telecommunications service’?

s. 2(1): “… means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service)”

• Imposing interception capabilities under s. 12 RIPA?

• Provision of communications data as a telecommunications operator under s. 22(4) RIPA?

• SNSs as a private telecommunications system. • interceptions of communications on SNS platforms could constitute

offences under s. 1(2) RIPA.

Situating SNSs within RIPA

8

Investigations •Police fishing• Likely modus operandi illustrated in Brown [2010] EWCA

Crim 1203

•Surveillance of known suspects

•Levels of engagement

Methods of using SNSs

9

Monitoring Public Profiles.•Can Article 8 ECHR be engaged?Laws LJ: 3 anti-dotes to pervasive application of Art. 8:1.Infringement must attain a certain level of seriousness2.There must be a reasonable expectation of privacy 3.The justifications available to the State in Article 8(2) may curtail the potential breadth of Article 8(1)

•Cumulative breach: “we are to look at all the circumstances of the case in order to see whether article 8(1) is engaged.”

Wood v Commissioner of Police for the Metropolis [2009]

Levels of engagement (1)

10

It’s public information, so it’s fair game?•Kinloch v HM Advocate (2012) •“I think that the answer to it is to be found by considering whether the appellant had a reasonable expectation of privacy while he was in public view … He took the risk of being seen and of his movements being noted down. The criminal nature of what he was doing, if that was what it was found to be, was not an aspect of his private life that he was entitled to keep private.” Lord Hope

•The danger of over-reliance! • Viewing v. repeated viewing, scraping, storage

etc.

Monitoring Public Profiles.

11

Surveillance broadly defined by s.48(2) RIPA• Monitoring/ observing activities or communications…

•Directed surveillance (s. 26(2))

1. covert

2. for the purposes of a specific investigation or a specific operation

3. in such a manner as is likely to result in the obtaining of private information about a person...

4. otherwise than by way of an immediate response to events...

•Private information (s. 26(10))• Café example: “the accumulation of information is likely to

result in the obtaining of private information” (Code of Practice for Covert Surveillance)

Need for authorisation for directed surveillance?

12

“I am encouraged by the increasingly mature debate relating to the use of the Internet for investigative purposes, especially the use of social networking sites. […] There are points of detail to work out, particularly in relation to repeated viewing of a publicly available site…” Chief Surveillance Commissioner, Sir Christopher Rose, OSC Annual Report 2012-3, para. 5.7.

To be continued…

13

Level of engagement 2: Fake Profiles

14

Computer Misuse Act 1990 • s. 1(1) “A person is guilty of an offence if—

(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;

(b)the access he intends to secure, or to enable to be secured, is unauthorised; and

(c)he knows at the time when he causes the computer to perform the function that that is the case.”

• s. 10 “Section 1(1) above has effect without prejudice to the operation—

(a) in England and Wales of any enactment relating to powers of inspection, search or seizure;”

Use of fake profiles : a criminal offence?

15

Data Protection Act 1998

s. 55(1)A person must not knowingly or recklessly, without the consent of the data controller—

(a) obtain or disclose personal data or the information contained in personal data ...

(2)Subsection (1) does not apply to a person who shows—

(a)that the obtaining, disclosing or procuring—(i)was necessary for the purpose of preventing or detecting crime...

Use of fake profiles : a criminal offence?

16

Belgian Investigators

17

“Article 8 protects ... a right to personal development, and the right to establish and develop relationships with other human beings and the outside world” S v UK (2008) 48 EHRR 1169, para. 66

• CHIS or directed surveillance?

Establishing a friendship

18

Monitoring Wall Postings • CHIS cannot engage in interceptions without further

authorisation. • Offence s. 1(2)

• Could the viewing of individuals’ profile-comments constitute the interception of communications?

• Interception if someone “monitors transmissions made by means of the system ... as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication” (s. 2(2)).

CHIS Activity and Interceptions

19

s. 2(7): Time of transmission includes “any time when the system by means of which the communication is being, or has been transmitted, is used for storing it in a manner that enables the intended recipient to collect it or otherwise have access to it.”

R v Coulson and Kuttner [2013] EWCA Crim 1026• Central argument: s. 2(7) does not extend the time of transmission after

first access by intended recipient.

• Rejected the appellants’ arguments:“…the period of storage covered by the section does not come to an end on first access or collection by the intended recipient, but it continues for so long as the system is used to store the communication.”

• S. 3(1)? • SNS as recipient.

CHIS activity and Interceptions

20

“With the increasing use of computers as a means of alternative communications, is he certain not only that the present system will be extended in a way that will maintain the proper procedures, but, equally, that the development of new electronic communications and their use in so many instances will be covered--or will surveillance increasingly be done using completely different methods and so be very difficult to check?”

RIPA Commons Debates 6 Mar 2000, Column 771 Mrs. Gwyneth Dunwoody

Conclusion