Striking a Balance between Data Protection and Lawful Interception in the Provision of Communications Services

No Comments » September 6th, 2010 posted by // Categories: Science & Technology



F. Franklin Akinsuyi (LL.B, BL, MSc, LLM) MBCS[1]


[1] F. Franklin Akinsuyi is Founder and Course Director at DataLaws a UK based Information Technology Law Consultancy. Franklin can be contacted by email at fakinsuyi@datalaws.com visit www.datalaws.com

1. Introduction

Within the last 15 years the manner in which telecommunications systems are used has changed vastly with the introduction of liberalisation and competition measures.

Liberalisation has led to more players in the telecommunications arena in all areas of the sector.

Indeed the mobile phone market is an example of the shift in the major provision of telecommunications services from former state owned institutions to private organisations, while the Internet has spawned new service providers to the communications industry such as Internet Service Providers.

The introduction of these services and enterprises has led to the amendment and introduction of new legislation to regulate the manner by which these communications service providers operate. The objective of a number of these legislations is to protect the privacy and maintain the confidentiality of the subscriber’s communication and information when they use these systems to communicate.

While it is to be noted that privacy of communications legislations are to ensure that privacy and confidentiality of communications is maintained, it is to be observed that telecommunication systems are used by criminals and terrorists to transmit information about their activities. In certain instances these communications may be the only source for proving that individuals are involved in activities that are criminal or which threaten national security.

For instance in an investigation on insider dealing, almost the entire case rested on the date and time of telephone calls made between various defendants. Telephone records were obtained from business and home telephone numbers with the brokerage firm providing details of incoming and outgoing calls to clients[1].

As such it has become necessary for legislation to be introduced to permit law enforcement agencies to access the communications of individuals in the fight against terrorist and serious criminal activities.

This purpose of this essay is to highlight how the conflicting issues of privacy to communications and interception of communications affect communications service providers[2] in their efforts to provide confidential services on the one hand and law enforcement agencies fight against crime and terrorism on the other.

1.1 Methodology

The first phase of the essay will take the shape of analysing the concept of data protection and privacy with a view to analysing how legislation in this area affects communication services providers operations and their handling of personal data.

The next phase of the essay will look at legislation relating to lawful interception and data retention with a view to look at circumstances when the balance of maintaining privacy of communications data on the part of the communications provider interacts with the need for lawful enforcement agencies requirements relating to data retention and lawful interception.

The third phase will look at the issue of information security highlighting the effects data protection and data retention legislations have on how communications service providers implement information security measures when dealing with data retention and lawful interception.

The final phase of the essay will consist of conclusions and recommendations.

From a geographic perspective while telecommunications issues are a global phenomenon, this essay will focus mainly on how these concepts influence communications service providers in Europe and United States.

2. Data Protection and Communications:

2.1 Nature of the problem

The telecommunications industry has seen a large uptake in the manner in which people have been subscribing to the services that are being offered. Indeed this can be seen with the radical changes from the previously limited fixed line services in the earlier years to the introduction of the mobile telephone. The advent of the Internet along with the integration of voice, video, data and communications via a single stream[3] has led to cheaper and faster ways of communicating. New services rendered by mobile phone companies have indeed led to with the introduction of 2.5 and 3rd generation mobile phone networks made it possible for subscribers to send pictures, video and music to each other using these services.

Coupled with this technological development in communications, is the requirement to ensure the privacy of an individual’s data in line with current legislations when these technologies are being utilised.

The problem is that technology makes it much easier to infringe upon the rights of individuals especially with regards to their personal data. Numerous organisations[4] have identified this situation and have for years been championing the call for greater awareness to make sure that the individual’s fundamental human rights are not infringed.

It is a well-known fact that convergence of these technologies makes it easier for marketing companies to process data to profile people. Like wise it can be argued that it is also possible for criminals to easily gather information about others in their quest to forge identities[5] in their quest to commit crimes.

In recognition of the risks that can accrue to an individual, privacy laws have been enacted to define what constitutes legal and illegal activity when it comes to the protection of an individual’s data whilst it is being transmitted over telecommunication streams.

2.1.2 What is Personal Data?

The UK Data Protection Act[6] identifies personal data as follows, “data that relates to a living individual who can be identified from such data or and other information which is in the possession of, or is likely to come into the possession of, the data controller[7] and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual[8].

It must be stated here that personal data does not just relate to text, but can also relate to a CCTV[9] image[10].

2.1.3 What is data protection?

Data protection involves the implementation of administrative, technical or physical measures to guard against unauthorised access to such data.

It stems from legislative requirements such as the European Convention for the Protection of Human Rights and Freedoms[11] and has with the advancement in automated processing of data been influenced by new legislations such as Directive 1995/46/E.C “on the protection of individuals with regard to the processing of personal data and on the free movement of such data” hereinafter referred to as “the Data Protection Directive”[12] to the privacy and electronic commerce directive[13]. It involves the protection of personal data, which covers both facts and opinions about an individual.

An instance of privacy legislation can be illustrated with the European Convention on Human rights, which provides for the right of respect to private and family life[14]. It further provides that there shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and as is necessary in a democratic society in the interests of national security, public safety or the economic well being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others[15].

This has implications regarding information relating to data of individuals in relation to how it is kept processed and transmitted, this is so especially since misuse can lead to a breach of the aforementioned right.

2.1.4 Why do we need data protection?

The development of technology has led to more convenient methods of carrying out daily routines; indeed, many activities which in the past required physical presence before a purchase could be made of a product now only need the supply of personal details. The down side of this is that while it has led to faster means of communicating and development of business, there is especially with the advent of the Internet a rise in “identity theft”[16]. Also, with the proliferation of business activity a number of organisations have sprung up which have identified the fact that information about a person can be of value to other organisations.

This has led to a number of underhanded means of collecting personal information in what appear to be promotional information leaflets only for this information to be collated and then sold to marketing companies. It is this type of activity that has led to the call and development of data protection laws leading to stiff penalties for organisations that breach them. Indeed, under the UK 1998 Data Protection Act it is an offence for a person, knowingly or recklessly, without the consent of the data controller, to obtain personal data[17].

To buttress this point further an individual named Alistair Fraser, trading as Solent Credit Control[18], recently pleaded guilty to offences of unlawfully obtaining and selling personal information in breach of the Data Protection Act 1998. Mr Fraser had obtained the personal information of certain individuals by deception from the Department for Works and Pensions. He then sold the information to third parties. He was found guilty and fined. A feature of this case is the fact that it was brought to court by the Information Commissioner, thus showing that the Commissioner is prepared to use enforcement powers to combat and discover agencies that illegally obtain and sell personal information[19].

In the United States organisations that breach the provisions of data protection legislations relating to privacy of information are severely punished on conviction as can be illustrated where recently in United States of America (for the Federal Trade Commission) v. Hershey Foods Corporation[20]: In this case, Mrs. Fields Cookies and Hershey Foods Corporation each agreed to settle Federal Trade Commission charges that their Web sites violated the Children’s Online Privacy Protection Act (COPPA)[21] Rule by collecting personal information from children without first obtaining the proper parental consent. Mrs. Fields are to pay civil penalties of $100,000 while Hershey will pay civil penalties of $85,000. The separate settlements also bar the companies from violating the Rule in the future and represent the biggest COPPA penalties awarded to date. The COPPA Rule applies to operators of commercial Web sites and online services directed to children under the age of 13 and to general audience Web sites and online services that knowingly collect personal information from children under 13. Amongst other things, the Rule requires that Web site operators obtain verifiable consent from a parent or guardian before they collect personal information from children[22].

2.2 Data Protection Legislation:

In this section I will be analysing the various legislations relating to data protection taking into account data protection in the European Union and the United States with a view to looking at the different ways in which they have been implemented. Following that an analysis of the impact they have on telecommunications will be carried out.

National data protection laws have developed as electronic commerce has boomed. Indeed, with more coverage being given in the media relating to infringement of privacy, it is no wonder that countries have been more active in ensuring people know what their rights are in relation to these issues and also that data controllers[23] ensure data under their custody is processed in line with data protection legislations.

The European Union has developed a Framework for Data protection; this can be seen in the Data Protection Directive and the Privacy and Electronic Communications Directive[24].

In the United States data protection legislations generally target discrete information processing activities with the most important legislative protections for information privacy emphasising restraint on the government and certain commercial industries.[25] The Data Protection Directive embodies human rights principles and it is from here that we see how the fundamental provision on human right provision is incorporated by reference into the Data Protection Directive which in turn has to be implemented by member states. This is how the human right privacy principle is integrated into national law. This is the difference between the origins and objectives of privacy in the Europe and the United States of America.

2.2.1 EU Data Protection Principles

Data protection laws provide protection of the individual with regards to their personal data, however the question is how does one ensure from the onset that personal data is collected processed and transferred legitimately?

Data protection laws have basic principles that need to be adhered to. Indeed if one analyses for example the European Union Data Protection Directive one will notice that there are a number of principles that form parts of the body of data protection legislations worldwide.

These principles can be summarised as follows:

  • Personal data shall be processed fairly and lawfully[26] (see below for more on lawful processing)

Lawful processing is explained in Article 7 of the Directive which stipulates what constitutes legitimate processing of data

  • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes[27].
  • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed[28].
  • Personal data shall be accurate and, where necessary, kept up to date[29].
  • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes[30].
  • Data subjects are afforded rights of access to their data[31].
  • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data[32].

While the above constitute the basic tenets of data protection, it must be mentioned that there are other issues that must be observed in protecting data when it is being processed. Article 7 of the Directive stipulates what constitutes lawful processing of data and it specifies that personal data may be processed only where:

  • the data subject has unambiguously given his consent[33], for sensitive data which includes information relating to race, political opinions, religious or philosophical belief, health or sex life, trade union membership, there must be explicit consent[34]
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract[35]
  • processing is necessary for compliance with a legal obligation to which the controller is subject[36]
  • processing is necessary in order to protect the vital interests of the data subject[37]
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed[38]
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection under Article 1(1).[39] [40]

These principles indicate that the data may only be used in accordance with the purpose for which it has been obtained from the data subject. This would thus mean that the use of the data for example, where it is collected for the opening of an online banking account, the data collected should be used solely for what it was originally intended. The data supplied should not be allowed to be used by the same company to market different products to the data subject or indeed sell the information to a third party organisation without the consent of the data subject. It is only after receiving consent that one can market other products to the person in question

2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC)[41]:

This directive repeals the Telecommunications Data Protection Directive (97/66/EC) and lays certain obligations on telecommunications companies and service providers.

The main aim of this directive is to harmonise the provisions of Member States laws in relation to electronic communications to ensure an equivalent level of protection of fundamental rights and freedoms, particularly the right to privacy, processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the community[42]. One of the new developments of this Directive is that it extends controls on unsolicited direct marketing to all forms of electronic communications including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile telephones.

It is to be noted that the Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services[43] in public communications networks[44] in the Community.

An analysis of the salient points reveals the following in the Directives aims in ensuring fundamental human rights and freedoms particularly the right to privacy for subscribers of electronic communications:

2.2.2.1 Security Measures

The directive provides that communication service providers should adopt adequate security measures both from a technical and organisational point of view that are commensurate with the risks that can accrue. With the spate of recent high profile security breaches that have occurred it is paramount that telecommunications providers implement adequate logical and physical security measures to ensure data under their control is safe from unauthorised access, which may lead to loss of privacy. It goes further to provides that users should be made aware of risks that are beyond the control of the service provider[45].

While the Directive does not detail the technical measures Member States are to adhere to in order to ensure they are complying with the provisions of this Article, it must be pointed out that countries provide legislation on what measures to take in the event that information security is breached or what actions to take on individuals who breach systems. For instance, in the United Kingdom, section 1 of the Computer Misuse Act[46] makes unauthorised access to systems an offence. Also the OECD has provided guidelines to how communication service providers can implement information security on their networks[47]. Other measures that may be used to ensure information security measures are adequate include adopting standards such as ISO 17799 Code of practice for information security management[48] and ISO 15408 common criteria for information technology security.[49] Adopting or following these guides can provide for appropriate security on communication networks.

2.2.2.1.1 Impact on Communications Service Providers

The effect this legislation has on communications service providers is that it makes them obliged to notify subscribers of threats that cannot be prevented by the communications provider. This legislation recognises the fact that organisations have in the past been quiet about potential and actual information security breaches. The wording can thus be interpreted to mean that a positive action must be carried out by the service provider to warn subscribers of the threat that may accrue their personal information.

Note information security, as a whole will be discussed in more detail in a further section of this essay.

2.2.2.2 Confidentiality of Communications

In its attempt to maintain privacy of personal information, the directive requires service providers to ensure confidentiality of communications. This the directive states can be attained by making sure that communication over public telecommunications lines are free from interception and tapping save in the instance of lawful interception[50]. The article also provides that where communication networks are used in the processing of data, the data subject shall be informed why this is being carried out. The data subject has a right to refuse such processing[51].

There has been a great debate relating to the use of cookies[52]and the fact that they can invade the rights of user’s communications. The Directive in recognising this fact and in an attempt to curb their intrusion on subscribers communications provides in article 5 (3) that they can only be used if the subscriber or user is made aware in clear and comprehensive terms about how information gathered will be processed. The problem however with this legislation is the fact that cookies operate in the background without giving off any warnings that they are operating making them hard to detect. This makes it difficult to identify organisations that flaunt this law. Also since there are no sanctions placed on organisations that breach such confidentiality of communications requirements, this aspect of the article cannot be said to be adequate in the fight to keep communications confidential

2.2.2.2.1 Impact on Communications Service Providers

It should be noted here that most browsers have in the properties tab an option to configure cookies. As such I am of the opinion that since all users have the ability to accept or deny cookies at their fingertips; legislation is not the most appropriate means of dealing with this particular issue. Rather, communications service providers need to advertise and educate their subscribers of this functionality. While it may cost them money, it is an easier means of ensuring confidentiality and will be more effective than legislation.

2.2.2.3 Caller and Called Line Identification

It is to be noted that an individual’s telephone number is personal data going by the meaning given to data protection legislation.

In order to protect this, the directive further provides privacy rules in relation to caller and connected line identification. Here the directive states that subscribers must be issued with the possibility of withholding the identification of their telephone numbers when making a call along with being able to reject incoming calls where the incoming caller has refused showing their number[53]. It must be mentioned here however that while the Directive provides that caller and called line identification should adopt some privacy measures, these services are not mandatory. Where the implementation of these services may invoke either an undue cost burden on the service provider or in situations that make the provision of the service technically impossible, that provider must ensure this is made known to relevant parties in the member state.

It should also be mentioned that there are certain instances where it may be justifiable to override the elimination of calling line identification. These situations can arise for example where certain subscribers such as those that provide help lines have an interest in guaranteeing the anonymity of their clients. In these scenarios, it is paramount to protect the rights and interests of the party to withhold the presentation of the identification of the line to which the calling party is connected.

It is to be noted however that the provisions of this article may not be applicable where for instance the calls are made from some international networks that do not provide the same sort of offerings to their subscribers or where they do not have the same levels of data protection laws as The European Economic Area[54].

2.2.2.3.1 Impact on Communications Service Providers

It is to be noted that when there is a failure of the communications network to block caller line identification facilities such that a subscriber’s privacy is breached, the customer is entitled to have their privacy restored, at no extra cost by their telephone company in the form of the allocation of a new phone number[55]. In the UK this provision is implemented by sections 10 and 11 of the Privacy and Electronic Communications (EC Directive) Regulations 2003[56].

2.2.2.4 Location Data Restrictions

Where the repealed telecommunications privacy directive only related to calls in circuit switched connections such as is found in traditional voice telephony, the new directive covers all kinds of traffic data as generated by users of mobile communication devices.
Location data is a valuable tool that can be used in the mobile phone sector to identify the location of an individual[57] its use can be illustrated in the Danielle Jones case in the hunt for a missing child in the UK it was identified that calls purportedly form the girls phone to her uncle (later convicted for her murder) were in fact being made by her uncle from one location[58].

The directive in recognising the importance of location data provides that location data can be processed only if it is made anonymous or with the consent of the subscriber for a value added service but only for the duration that is necessary for the processing[59]. The subscriber must also be given the possibility to temporarily refuse such processing of location data information[60].

It is to be noted however that the directive does not state that technology should be used to enforce the requirement to keep location data private and confidential given the fact that it can be used to track an individuals movements

2.2.2.5 Emergency and Nuisance Calls

An exception to the privacy of caller line and location data is provided for in article 10 where the elimination of calling line identification and location data is sanctioned to trace nuisance calls and in relation to location data for it to be revealed on a temporary basis only to emergency services.

This article basically allows member states to allow for the restriction of a user or subscribers right to privacy in relation to calling line identification where for instance there is a complaint that some one is persistently calling someone else’s number and either keeps silent or hurls profanity at the person whose line is being called. In these situations it may become necessary to trace where these calls are originating from.

2.2.2.5.1 Impact on Communications Service Providers

The process of carrying out the above is that it will entitle providers of electronic communications services to provide access to the calling line identification data and also the location data without the knowledge or consent of the calling party constituting the nuisance.

The advantage of this legislation is that it caters for and takes into account the possibility of abuse of the privilege of calling line privacy.

It also takes into account the fact that there will be situations where being able to locate a person in distress in due time may be the difference between life and death and in such situations the right to privacy will be overlooked.

2.2.2.6 SPAM
Unsolicited mail (also known as Spam) has become a major problem it causes loss of work productivity in wasted time in deleting them and also is an invasion of privacy.

The directive in recognising the harmful effects of Spam provides that there shall be no automated communication using electronic mail or faxes for the purpose of direct marketing without the consent of the data owner[61]. The purpose of the directive in relation to SPAM is to make sure that EU member states strengthen data protection measures in relation to SPAM. The EU legislation supports the opt-in[62] rather than the opt-out[63]approach.

The problem with this piece of legislation however is the fact that due to the nature of the Internet it may be difficult to prosecute those that habitually send such unsolicited mail. Not only because it is possible for those that send such unsolicited mail utilising the Internet to take advantage of the ease with which one can set up an Internet infrastructure for a temporary period of time before shutting it down and setting up a similar site when they have suspicions that they are being investigated or if they are indeed shut down. But also because it is a well known fact that many of the top 50 Spammers originate from America such that while the legislation may direct marketers in Europe, those that send unsolicited mail from America will be out of the jurisdiction of the legislation. Indeed in response to this provision, the Direct Marketing Association[64] has raised concerns that this could penalise small companies that rely heavily on direct marketing but not protect the consumer from spam email that originates outside of the EU.

2.2.2.6.1 Impact on Communications Service Providers

Not only is SPAM a problem for users, it also affects communications service providers. Due to the fact that a single SPAM message can be sent to millions of email addresses at once, not only does it have the capability to take up communications service providers bandwidth[65] it can also have a negative impact on the availability of the service especially when such SPAM is infected with Virus. Another impact it has on communications service providers is that it can tie up staffing resources in the sense that when a new SPAM message is discovered the tools used to detect them may need to be reconfigured by technical staff. Communications service providers now deploy filtering tools which have the ability to block SPAM either by use of Boolean syntax or blocking of the IP address of the sender of the email. They have also need to include in their acceptable use policies statements that SPAM will not be tolerated and that subscribers who send SPAM may have their service terminated. All these measures add to the cost of providing services to subscribers which in turn can eat into profit margins.

2.2.2.7 National Security

There are certain situations that may lead to events that make safeguarding privacy of communications a secondary issue. Such situations are where national security is at risk and where criminal investigations are being carried out. Where these are determined to be taking place, law enforcement agencies may on having obtained permission by appropriate bodies breach the data subjects’ right to privacy of communications in their investigations of such events. It is to be noted that the legislation also allows for data to be retained for limited periods of time during the investigation of such situations[66].

2.2.2.7.1 Impact on Communications Service Providers

The duty to safeguard national security issues affects communications service providers due to the fact that the requirement for the retention and retrieval of data can be costly not only because it may necessitate the deployment of a whole range of new systems but also because it will mean that staff will need to be retrained. This can have an enormous effect on the margins of small communications service providers who may not have the resources to either buy the required systems or employ appropriate staff.

Note national security and cost issues will be looked at in further detail in this essay in discussions relating to data retention and lawful interception of communications.

2.3 United States and privacy of communication

In the United States privacy legislation does not stem from a central law such as the Data Protection Directives in Europe rather one finds sectoral laws, which affect certain sectors and industries. The United States has taken a sectoral approach to privacy regulation so that records held by third parties, such as consumer marketing profiles or telephone calling records, are generally not protected unless a legislature has enacted a specific law[67]. Due to this state of affairs the European Union still regards its data protection regime as one that requires special provisions such as the Safe harbour rule[68] when it comes to the transfer of data from EU member states to the United States.

In relation to privacy of communications, issues relating to Internet privacy have become prominent. A number of organisations such as eBay.com, Amazon.com and Yahoo.com have either changed user’s privacy settings or have changed privacy policies to the detriment of users.[69] Other organisations such as Microsoft and Intel were discovered to have released products that covertly track the activities of Internet users.[70]Significant controversy has arisen over online profiling, the practice of advertising companies to track Internet users and compile profiles on them in order to target banner advertisements. The largest of these advertisers, DoubleClick, ignited widespread public outrage when it began attaching personal information from a marketing firm it purchased to the estimated 100 million previously anonymous profiles it had collected.[71] The company backed down due to public opposition, a dramatic fall in its stock price and investigations from the FTC and several state attorneys general. In July 2000 the Federal Trade Commission reached an agreement with the Network Advertisers Initiative, a group consisting of the largest online advertisers including DoubleClick, which will allow for online profiling and any future merger of such databases to occur with only the opt-out consent.[72]

2.3.1 Privacy of Communication Laws In The United States

As has been mentioned Privacy laws in the United States are sectoral.

Communications privacy in the United States can be seen in the following legislations[73]:

2.3.1.1 The Telecommunications Act 1996[74]

This provides for the restriction to and use of customer information by telecommunications companies. It governs the disclosure of customer proprietary network information[75] and subscriber list information. Its primary aim is to protect the customer from having their information misused by the telecommunications provider.

It consists of a number of provisions that are similar to the European Directive on the processing of personal data and protection of privacy.

Among such provisions is the requirement for telecommunications companies to ensure the confidentiality of customer proprietary network information. In ensuring that this is carried out, the Act prohibits the carrier using subscriber information that has been provided by another carrier for its own marketing purposes[76].

The Act also provides that telecommunications carriers that receive customer information can only use, disclose or permit access to that information in the provision of the telecommunications service from which the information was obtained.

2.3.1.2 The Location of Privacy Protection Act of 2001[77]

This contains specific provisions in relation to keeping the privacy of location data of customers. It requires wireless technology providers to notify customers regarding the provider’s collection of information policies in relation to collecting call location data. It also requires the providers to obtain the customers prior consent before either selling or disclosing such information[78].

The provisions of this act portray an understanding by those responsible for enacting this legislation of the abuse and detriment to the customer in the event that location data is used for purposes other than those for which the customer provided the data.

This is illustrated where the Act prohibits providers of location-based services or applications from releasing customer’s location information for purposes beyond those for which the customer provides express authorisation[79]and ensure the integrity and security of location data.

2.3.1.3 Spyware Control and Privacy Protection Act 2001[80]

This Act can be likened to article 5 (3) of the Directive on Privacy and Electronic communications. It provides that users of any computer software that has the capability to collect information about the user’s use of the software, or computer to which that software connects, must obtain prior consent of the user by way of providing on the first electronic page of the instructions a warning that the software has the capability to obtain such information. It must also provide the persons names and address to which such information will be sent.

Information that has been collected should be kept confidential except where

disclosure is required by law enforcement agencies granted permission under a court order to view it.

Violations of this will be treated as a deceptive practice as proscribed by section 18 (a) (1)(B) of the FTC Act 15 U.S.C 57a (a) (1) (B).

An analysis of the European and U.S jurisdictions shows a similar thought process behind the implementation of laws relating to communications. There is a general understanding that privacy of the consumer is required.

It can be seen that data protection legislation provides a backdrop to which individuals can seek redress in the event that their rights are infringed and it also allows business to understand the limits to which they can go in their processing and use of personal data.

Law enforcement agencies are also restrained from encroaching on individual’s privacy, before they can view personal data they need to follow procedures such as obtaining a warrant and also proving reasons why national security is at stake or that a serious crime needs to be investigated prior to carrying out surveillance activities.

The question that needs to be answered is whether these laws are effective? Even

though the provisions of privacy laws provide sections in relation to how communications companies are to devise means by which personal data is processed, it is difficult to actually determine whether there is full compliance on the part of these organisations in relation to how they carry this out.

The United Kingdom Information Commissioner has expressed concerns relating to the enforcement of data protection legislation. He was of the opinion that the enforcement procedures are not well suited to the electronic commerce environment. For instance, where a website or service is being provided, that is not compliant with the laws and they are investigated, nothing stops them from relaunching under a new name and carrying on the same scam.

It must be mentioned here that even though these legislations have been enacted, there is still ignorance among data users in relation to what their rights are and when these have been infringed, according to a UK report only 42% of the public are aware of their rights under data protection laws[81]

A way to ensure people are aware of the provisions of data protection legislations would be the development and dissemination of awareness campaigns that highlight the importance and effects of these laws.

3. Law enforcement and privacy of communications

While it has been stated that there is a requirement that privacy must be guaranteed during communications, there are certain instances where law enforcement agencies are allowed to gain access to communications data without the consent of the data subject.

These instances occur when law enforcement agencies are investigating serious criminal activities or activities that may constitute a risk to national security. In the process of undertaking these investigations, communication service providers will invariably be asked to allow these law enforcement agencies to either intercept the data or gather information about the individual’s activity from data that has been retained by their systems in relation to the individual’s communication.

Laws such as The RIP (Maintenance of Interception Capability) Order 2002 in the UK and The Communications Assistance for Law Enforcement Agencies Act[82] hereinafter referred to as CALEA in the United States are examples of legislations that force communications service providers to assist law enforcement agencies in their endeavours to combat such activity.

This aspect of the essay will look at how these laws interact with privacy legislation showing how they act as a counterbalance to ensure that people do not misuse their rights to privacy by conducting criminal activity.

Mention has been made in this essay of instances where circumstances such as the need to combat criminal activity and safeguard national security may lead to data subject’s rights to privacy of communications being overridden. Actions that make up the activities in combating crime or detecting activities that may be a threat to national security include law enforcement agencies intercepting communications as well as sifting through communications data that may have been retained by communications service providers.

This section looks at the issue of lawful interception and data retention with a view to dispel concerns that they are an infringement on privacy rights and to show that the concepts go hand in hand with data privacy in the provision of electronic communication services it will also look at the impact these concepts have on communications service providers.

3.1 Why Lawful Interception?

Interception of a communication in the course of its transmission involves the modification, interference or the monitoring of the system while the communication is actually being transmitted[83]

Lawful interception is the terminology used to describe the means by which law enforcement agencies are authorised to intercept telecommunication sessions as prescribed by law.

The advancement of technology has led to the need for law enforcement agencies to curb criminal and terrorist activities. The problem has always been the fact that criminals have always been able keep a step ahead of the law in their clandestine activities. The convergence of communications systems has led to easier, faster and cheaper means of communicating, this in turn has allowed criminals and terrorists to be able to take advantage of these systems to communicate with each other or to use the systems to carry out illegal activities.

The convergence of voice, data and Internet technologies has led to a new type of communications network. Prior to convergence one mainly dealt with the circuit switched[84] fixed line telephone networks in relation to lawful interception. However with the explosion of the Internet has come the packet switched network[85]which is being touted as the replacement of the circuit switched network now that convergence has occurred.

Recent legislations have been enacted in order for lawful interceptions to be carried out on systems utilising these new communications technologies. In the UK, The Regulation of Investigatory Powers Act 2000 replaced the Interception of Communications Act 1985 to take account of technological advances in communications and to cater for the growing use of the Internet and electronic mail.

Interception of communications can take place in a number of ways:

  • Wire Tap: this involves the installation of a transmitting device on a telephone line, for the purpose of intercepting, and usually recording, telephone conversation and telephonic communications.
  • Location Tracker: This involves using devices to identify through the telecommunication system the location of an individual
  • Pen registers and trap and trace devices: A pen register records only the numbers of outgoing telephone calls. While a trap and trace device is used to capture the numbers of incoming telephone calls[86].

Below are examples of how communication systems can be intercepted;

  • Standard Telephones:

Standard telephone systems are susceptible to wiretaps. There are many locations where a wiretap can be placed. For example, microphones in many older telephones handsets can be replaced with one that can also transmit to a remote receiver. Taps can also be placed at the telephone boxes in the basements of buildings, on the lines outside the house, or on the telephone pole junction boxes near the target of the surveillance. A once common technique used by police forces was to remotely monitor calls by having lines run from a telephone company central office where the local switching equipment is located to a monitoring station in a government office.

  • Wireless Communications

The use of wireless telephones has become extremely common. There are also millions of cellular telephones in use. In developing countries, wireless communications such as cellular and satellite-based telephones are also popular as a means to avoid laying new telephone lines in areas that were previously undeveloped. However, they are easily intercepted and should not be thought of as giving greater protection from eaves dropping than fixed line phones.
Cordless telephone communications are especially easy to intercept. Many of the older models broadcast just above the top range of the AM radio band and conversations can be easily overheard with any AM radio and can be intercepted with an inexpensive radio scanner purchased at most electronics stores for under $100.00 in the United States. The range of interception can extend to nearly one mile.
Cellular phones have the same problems as cordless. They also broadcast over airwaves like a radio. Inexpensive scanners are available on the market that can intercept conversations. In addition, some cellular phones can be programmed to act as scanners to intercept other calls. There is also equipment available to law enforcement, which can track and monitor cellular conversations as they move around a city.

Unencrypted Wireless networks are also prone to scanning and intercept vulnerabilities and can actually be scanned using a Pringles tin[87] as an aerial with a laptop. If an attacker can sniff[88] the wireless traffic, it is possible to inject false traffic into a connection they may then be able to issue commands on behalf of a legitimate user by injecting traffic and hijacking their victim’s session.

  • Facsimile (fax) Machines:

It is also possible to intercept facsimile transmissions. A fax machine is essentially an inexpensive computer system that uses a well known standard for sending and receiving files. Commercial devices are widely available that automatically intercept faxes. In New York City, fax intercept machines were used as far back as 1990 by local police[89]. It is also possible to intercept faxes using a computer with specialised software and a fax modem[90].

The intentional interception of communications on public[91] and private[92] telecommunication systems without lawful authority is an offence[93].

It is to be noted that the offence of interception of private networks was not covered by the repealed Interception of Communication Act of 1985 as illustrated by

R V Effick[94] where the courts held that the interception of telephone communications via cordless telephones by the police was not covered by the Interception Act.

Indeed cases such as Halford v United Kingdom[95] provide typical examples of what can constitute unlawful interception of communications.

In this case the European Court of Appeal ruled that interception of telephone calls made on an internal system operated by the police was an infringement of Article 8 of the European Convention on Human Rights which provides amongst other rights the right of respect to ones privacy of correspondence. The only way this right may be interfered with is when it is performed by public authorities is in accordance with the law[96].

In the United Kingdom, the Regulation of Investigatory powers Act 2000 also covers interception of private telecommunication systems[97].

The 2003 Telecommunications Act also makes it an offence for one to disclose the content of messages or information concerning the use made of services provided[98]

However it is to be noted that there are certain circumstances where interception of communications will not be illegal, such situations are typically when law enforcement agencies are given the permission by a higher authority to intercept certain data communications.

Lawful interception plays a crucial role in helping law enforcement agencies to combat criminal activity. Indeed, this can be illustrated with the linking of information about subscriber[99] and billing data in criminal and terrorist activities. To buttress this point further in the United States the use of lawful interception led to the successful conviction of sixty- five people involved in a fraud by defence contractors. The investigation of this case relied heavily on the interception of telephone calls[100].

Lawful interception involves the collaboration between law enforcement agencies and communication service providers. As such while there are laws dealing with the procedural and authorisation activities required for law enforcement agencies, so too are there laws relating to the obligations of telecommunications operators and service providers.

Lawful Interception typically involves three parties beginning with the law enforcement agency requesting permission in the form of a warrant or subpoena[101] from a higher authority in order to prove to the communications service provider that it has permission to intercept data it controls.

3.2 The Lawful Interception Process

In the United Kingdom the process of lawful interception typically commences with a warrant for such interception. This then proceeds with the collection of various forms of communications, the analysis of the intercepted data, and the preparation where sufficient evidence is gathered for the prosecution of persons whose data have been intercepted. Warrants in the UK are issued by the Secretary of State where he believes the issue of such warrant it is in the interest of national security, or it is to be used to prevent or detect crime or it is for the safeguarding of the economic well being of the country.[102]

The duration of warrants issued in relation to interception are valid for three months initially but on renewal are valid in the instance of national security for six months while those for serious crime are valid for a further three months following each subsequent renewal[103].

In the United States, The Federal electronic surveillance statutes[104] provide that a high-level Department of Justice official specifically approve the use of any of these types of electronic surveillance prior to an Assistant United States Attorney obtaining a court order authorising interception.

In Australia, warrants for lawful interception are granted by judges or nominated members of the Administrative Appeals Tribunal[105]

While it is important to maintain the principles and powers of lawful interception, the challenge of doing so correctly is tempered by the need to ensure that in carrying it out human rights and data protection legislations are not infringed.

While the main issue for lawful Interception of communications on public telephone systems is to identify criminal and terrorist activity, one needs to know exactly what data can be lawfully intercepted.

3.3 What is intercepted under lawful Interception?

Generally speaking when the right is granted to intercept a communication it will involve the intercepting of communications data, which embraces the “who”, “when” and “where” in relation to a communications transmission[106].

Communications data in turn can be broken down into the following categories:

  • Traffic data: This contains information that identifies who the subscriber contacted, their location as well as that of the person they have contacted and what time the contact was made.
  • Service data: This identifies services used by the subscriber and how long they were used.
  • Subscriber data: This identifies the user of the service their name address and telephone number[107]

3.4.1 Lawful Interception Laws in the United Kingdom

Lawful interception in the UK is primarily governed by the Regulation of Investigatory Powers Act 2000 (RIPA), and the Telecommunications Lawful business Practice Interception of Communications Regulations 2000[108].

RIPA provides for, and regulates the use of investigative powers, by public authorities[109]. It updates the law on the interception of communications previously provided by The Interception of Communications Act 1985 and the Police Act 1997. It now enables state authorities to intercept communications in line with technological changes such as the growth of the Internet.

Under the RIPA, the Police, Inland Revenue Customs and Excise and the security services may acquire access to communications data via the warrant; however this may be extended to other local authorities by order of the secretary of state thus allowing such authorities to lawfully intercept communications data.[110]

It is to be noted however that even though the Act allows for authorities to intercept data, this does not mean that they can share any information i.e. information derived from a lawful intercept warrant used by the police cannot then be shared with the Inland Revenue.

The Lawful Business Practices Regulations allow for the lawful interception of communications in the course of its transmission by means of a telecommunications system with or by consent of the system controller under the following conditions.

  • Monitoring the system to establish the existence of facts or ascertain compliance with regulatory or self regulatory practices or procedures relevant to the business (this could include but not be limited to ascertaining whether the business is abiding by its own policies)[111]
  • Monitoring quality control and staff training (but not for marketing or market research)[112]
  • Prevent or detect crime (including crimes such as fraud as well as infringement of IT related legislation such as the Computer Misuse Act 1990 or the Data Protection Act 1998)[113]
  • Investigate or detect unauthorised use of own communications systems (relevant to potential disciplinary action)[114]

It is to be noted that such interceptions are authorised only if the controller of the telecommunications system has made all reasonable efforts to inform potential users that such interceptions may be made.

The importance of this legislation is that it reduces the privacy rights of those that use private telecommunication systems

The police are empowered to obtain evidence in criminal investigations once they have obtained an order through the consent of a circuit judge. This is illustrated with the NTL[115] case where the high court confirmed the rights of the police to require a telecommunications provider (NTL) to take steps to intercept e-mails addressed to its customers. It is to be noted that this right was not exercised by powers under RIPA, rather they were as defined by the Police and Criminal Evidence Act 1984 (PACE) which allows a police constable to obtain access to excluded material or special procedure material for the purposes of a criminal investigation.[116]

Many are concerned that authorities enabled to access communications data under RIPA might abuse such powers. In an attempt to reduce authorities abusing such powers, safeguards have been introduced

These include:

  • Specifying clearly the persons designated to seek access to communications data
  • An accreditation scheme for certain individuals with access to communications data
  • Compliance with RIPA statutory code of practice
  • Oversight by the Interception of communications commissioner
  • Sanctions for the abuse of powers granted under RIPA[117]

3.4.2 Lawful Interception in the United States

In the United States interception of communications is illegal unless authorised by stringent rules that have been designed to protect privacy and allow the investigation of crime.

There are two basic pieces of Federal legislation: Electronic Communications Privacy Act (ECPA)[118], which concerns criminal investigations, and the Foreign Intelligence Surveillance Act (FISA), which concerns intelligence and counter intelligence operations. (For this part of the essay I will be dealing with ECPA)

In the United States, wiretap laws, and procedures used by state courts and law enforcement agencies to implement those laws, are subject to two important constraints: first, the Fourth Amendment to the United States Constitution, as incorporated in and made applicable to the states by the Fourteenth Amendment; and second, the restrictions of the ECPA.

These constraints were codified and made more specific in Title III of the Omnibus Crime Control and Safe Streets Act of 1969. This Act establishes the substantive and procedural requirements for federal interception orders and pre-empted less restrictive state requirements.[119] In 1986, Congress updated those requirements by means of the ECPA, which addressed newer communications technologies such as mobile telephones and electronic mail. This law provides the statutory framework that governs the real-time electronic surveillance of the contents of communications.

The ECPA broadly prohibits the interceptions of wire, oral and electronic communications, except where those interceptions comply with the ECPA requirements.[120]

These requirements are to ensure that law enforcement officers in their attempts to gather evidence of crimes through communications systems comply with statutes that protect individual privacy. Where interceptions will are made by law enforcement agencies, the ECPA specifies the authorisation levels of officials who may apply for an order, the crimes or categories of crimes in connection with which an order may be sought, the probable cause showing that the applicant must make, and the findings and minimisation requirements that the order must contain.[121] These are stringent procedures violations of which may result in the imposition of civil liability actions on lawful enforcement officials.

Authorisation of interception of oral or wire communications under the ECPA comes from the highest judicial officers namely the Attorney General, Deputy Attorney General, Associate Attorney General, or any Assistant Attorney General

For accountability purposes, the ECPA also requires state and federal courts issuing interception orders to make detailed reports concerning those orders to the Administrative Office of the United States Courts.[122]These reports are a means of ensuring that there is an audit trail of orders that have been granted.

In order to ensure privacy is not infringed, state authorised interceptions may only be carried out by the investigative or law enforcement officers having responsibility for the investigation of the offence to which the application is made. An exception to this rule is that private contractors may be permitted to conduct interceptions, so long as the contractor’s personnel are under the supervision of an investigative or law enforcement officer authorised to conduct the interception.[123]

It has to be mentioned however that while there is an argument that the statutory authority to hire contractors for surveillance duty frees professional law enforcement personnel from the drudgery of staffing monitoring stations, it complicates the task of ensuring that persons who conduct surveillance are experienced and properly trained in the intricacies of executing an electronic surveillance order[124]. It also creates opportunity for the infringement of privacy in the sense that contractors may not have the same duty of care that law enforcement officers have when dealing with intercepted data. Also it creates an opportunity to dismiss the accuracy and integrity of the analysis of the data.

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (hereinafter referred to as the PATRIOT Act) was enacted in 2001[125]. This Act increases the government’s ability to monitor communications, including e-mail and mobile phone conversations, and provides agencies to share such information. Its aim is to provide law enforcement agencies with the appropriate tools to prevent terrorism.

The Patriot Act however goes a step further than the ECPA in relation to Interception in that grants law enforcement agencies the power to access ISP networks without a warrant to track activities.

Section 216 of the Act significantly increases law enforcement authority to use trap and trace and pen register devices.

There is no doubt that national security interests must be safe guarded, however this Act does go beyond the scope of previous legislations that safeguard personal information from government intrusion. Indeed the fact that it allows law enforcement agencies to access communications data without a warrant raises an eyebrow as to whether we have seen the right to privacy of communications being revoked in the United States. Under ECPA certain procedures needed to be followed under the PATRIOT Act, a warrant is not required to track activities and government departments can share data. This is state of affairs is defiantly an encroachment on rights to privacy of communications.

3.4.3 Lawful Interception in Australia

In Australia, Lawful interception of communications is governed by the

Telecommunications Interception Act 1979 which has been amended recently by the Telecommunications Interception Legislation Amendment Act 2002

this amends the Telecommunications (Interception) Act 1979 to include child pornography, serious arson offences and offences involving acts of terrorism (newly created offences under the Commonwealth Criminal Code introduced by the Security Legislation Amendment (Terrorism) Act 2002) to the list of offences where a telecommunications intercept warrant may be sought.

The Act has two main objectives, first of which is to provide users of the Australian telecommunications services with privacy and the other contrasting albeit legal aspect of allowing for certain lawful interception under the auspices of a warrant where certain listed offences are deemed necessary to investigate,

Section seven of the Telecommunications Interception Act prohibits interception of a communication passing over a telecommunications system with certain exceptions one of which is that a warrant has been issued to allow for such interception. It is to be noted that such warrants are usually only provided to allow certain state law enforcement agencies the right to intercept. It is also to be noted under this regime that Law enforcement agencies are not permitted to access the content of messages (such as email, voice mail, SMS, etc) that are temporarily stored on a telecommunications service provider’s equipment during transit, unless they have obtained an interception warrant.

After a message has been delivered to the intended recipient (i.e. has completed its passage over the telecommunications system) law enforcement agencies can lawfully access the content of the message with a search or seizure warrant. Such a warrant may cover the recipient’s equipment (e.g. computer containing downloaded email) or the service provider’s equipment when a copy of the message remains on their equipment.

Certain safegauards to ensure interception is not abused have been placed into the Act this can be illustrated where the Australian police and National crime authority are to mainatain a record of intercepted messages

3.5 Lawful Interception requirements of Communications service providers

Co-operation is required between law enforcement agencies and communication providers. The dilemma for the communications service providers however is the balance between customer confidentiality and the assistance in the curbing and detection of criminal activity.

Lawful Intercept places a number of duties on communications service providers, indeed a number of articles have been published relating to objection by such communications service providers of added cost and system usage which may hamper an already decreasing client base due to over saturated markets.

In providing this assistance to agencies that have been granted the right to intercept communications, the communications service providers role begins with its obligation to maintain an intercept capability as may be required by the Secretary of State[126]this is further backed up by the RIP (Maintenance of Interception Capability) Order 2002 which lays interception obligations upon communications service providers who provide a public telecommunications service to more than 10,000 persons in any one or more parts of the United Kingdom[127].

An explanation of these obligations can be seen in the following:

  • The provision of a mechanism for implementing interceptions within one working day of their being informed that the interception has been appropriately authorised[128].This obligation can be deemed a “time is of the essence” provision. There is no doubt that in being able to nip crime in the bud or determine that criminal activity has taken place the sooner an investigation is able to be carried out the better will be that chances that this can be proved. In fulfilling this obligation Communications service providers undertake the first step in collaboration to combat crime and terrorist activity.
  • Ensure the interception, in its entirety, of all communications and related communications data authorised by the interception warrant and to ensure their almost real time transmission to a hand-over point within their network[129]. This provision ensures that there is nothing left out in relation to the data that has been intercepted meaning that the integrity of the data must be maintained between the systems on which the data is transmitted and that is used to intercept the communications. This will ensure that all necessary aspects of the communication are included in the investigations.
  • Ensure the intercepted communication and the related communications data will be transmitted so that they can be unambiguously correlated.[130] This provision is a follow through of the previous section in that it provides for the entire interception and the communications relating to it to be linked to each other such that there can be no disputes in relation to the intercepted data. This would for instance mean that where permission is granted to intercept communications of intercepted data carried out on the first of September 2003 between 12:45pm and 1:15pm should not be mistaken and distinguished from unrelated data intercepted on September between 1:16pm and 1:55pm. In other words the data that has been intercepted and the communications transmitted with it should be unmistakably linked.
  • Ensure that the hand-over interface[131] complies with any requirements communicated by the Secretary of State to the ISP or Telecommunications service provider, which, where practicable and appropriate, will be in line with agreed industry standards (such as those of the European Telecommunications Standards Institute)[132].This obviously relates to minimum technological requirements as to the adequacy of the point of interchange between the ISP/Telecommunications system and the law enforcements interception systems[133].
  • Ensure filtering to provide only the traffic data associated with the warranted telecommunications identifier where reasonable[134]There is no doubt that this provision recognises the fact that there must be accuracy and integrity of the communications that are to undergo surveillance as such in attempting to minimise errors it provides for the requirement that the data to be intercepted should be separated from any other data not associated with the communication under surveillance.
  • Ensure that the person on whose application the interception warrant was issued is able to remove any electronic protection applied by the ISP to the intercepted communication and the related communications data[135]; In recognising the fact that data can be eavesdropped on while it is being transmitted, it is not unusual in order to ensure the confidentiality of the data while it is being transmitted to secure it with encryption. Where the decryption key is available to the CSP this provision obliges it to use the key to decrypt the communications into legible form for the law enforcement agency to decipher the communications.
  • Ensure that the reliability of the interception capability is at least equal to the reliability of the public telecommunications service carrying the communication, which is being intercepted[136]. This provision recognises the fact that complications may arise where one system is not functioning as well as the other. Such a scenario may lead to a situation where data is corrupted by the less reliable system which has the potential of making the data’s integrity being disputed as such the provision requires both the system used for intercepting the communications and that which transmitted the communications to be working to the same efficiency levels.

In the United States obligations to provide interception capabilites on Telcos/ISPs is governed by the Communications Assistance for Law Enforcement Act (CALEA) 1994[137]. To ensure that law enforcement agencies can continue to conduct court authorised surveillance of wire or electronic communications, CALEA states that telecommunications carriers must meet the assistance capability requirements set forth in Section 103 of the Act namely:

  • Interception of Communications Content
    This constitutes the first subsection of section 103 and it provides that telecommunications carriers must ensure that they are capable of expeditiously isolating, and enabling the government to intercept, pursuant to appropriate legal authorisation, all wire and electronic communications to or from a particular subscriber within that carrier’s network[138]. This subsection mirrors the requirement laid down by the RIP maintenance of interception order 2002 for Communications service providers to assist law enforcement agencies granted permission to lawfully intercept data.
  • Access to Call Identifying Information
    This second subsection provides that carriers must ensure that they are capable of expeditiously isolating, and enabling the government to access, pursuant to appropriate legal authorisation, all call identifying information reasonably available to the carrier. Such information, however, if acquired solely through pen registers or trap and trace devices, does not include information that may disclose the physical location of the subscriber, except to the extent that the telephone number can determine location[139].
  • Delivery of Communications Content and Call-Identifying Information
    Making up the third subsection of section 103 this provides that carriers must be able to deliver intercepted communications and call identifying information to a location specified by the government, other than the carrier’s premises. The information must be made available to the government in a format that can be transmitted over communications channels and either translated or converted into useable form[140]. This provides a host of obligations on carriers one of which can be illustrated in the last requirement. It is to be noted that data is transmitted via packets in bits and bytes that cannot in their raw format be understood by humans. This aspect of the subsection in recognising this fact puts the burden on carriers to ensure that law enforcement agencies receive the data in intelligible form.
  • Protection of Privacy and Security of Communications
    The fourth subsection provides that carriers must be capable of conducting interceptions and providing access to call identifying information unobtrusively. Carriers must also protect the privacy and security of communications and call-identifying information not authorised to be intercepted, as well as information about the government’s interception of call content and access to call-identifying information. The requirement that interceptions be conducted in a manner that will minimise the interception of unauthorised communications was intended to avoid improper intrusion on rights of privacy[141].

3.7 Data Retention

When one analyses current legislations, one can definitely see the conflicts at work between carrying out the provision of services to subscribers, maintaining their confidentialities and privacy on the one hand and protecting citizens from criminal and terrorist activities on the other hand.

The result of these legislations is the placement of a number of obligations laid in the path of communications service providers when it comes to maintaining the privacy of subscribers and assisting law enforcement agencies in their battle against crime and terrorism. One of these obligations can be seen when it comes to the retention of data.

Current legislations oblige communications service providers to assist law enforcement agencies in their bids to prevent and detect criminal and terrorist activities. Laws such as the RIP (Maintenance of Interception Capability) Order 2002 in the UK and CALEA in the United States provide for Communication companies to maintain an interception function.

Section 103 of CALEA requires carriers to ensure their equipment and services are capable of isolating and allowing the government to intercept communications as well as call-identifying information.

The Directive on Privacy and Electronic Communications also provides in article 15 that member states provide legislations for the retention of data.

Legislations have with the advent of the September 11 attacks also been enacted as a recognition of the importance in retaining communications data for analysis in identifying suspicious traits. This has spurned the issue of data retention, which involves the storing of communications data such that it can be retrieved at a later date by law enforcement, intelligence and security agencies. Data retention differs from lawful interception, which involves the capture in real time of communications content.

Indeed in the UK the Anti-terrorism, Crime and Security Act 2001 (ATCS) was passed almost immediately after the September attacks in the United States. Part 11 of the Act sets out requirements for retention of communications data.

Section 103 of the Act allows the secretary of state to issue a code of practice to communications providers on the retention of communications data they have obtained or which is in their possession[142]. It is to be noted however that there is no provision given relating to the maximum period of time within which data must be retained. However in response to a EU questionnaire on data retention[143], the UK stated that currently the time periods under consideration vary according to the data type. Usually the period ranges from a minimum 6 months to a maximum of twelve for retained data.

It must be stated that one of the conflicts relating to retention of data is the issue of its legality especially where human rights are concerned. The retention of data by communications service providers for periods longer than is required for business may contravene issues in respect of privacy as provided for by Article 8 of the European Convention on Human Rights. Also to be noted is the fact that one of the data protection principles provides that data that has been processed should not be retained longer than is necessary for the reason that it has been processed.[144]

Indeed some communications service providers fearful that a data regime is adopted would make the courts treat them as public authorities and so they as well as any requesting authority would be open to action under the Human Rights Act. However in his evidence Dr Walden stated that this was a small risk, going on to say that if the ATCS Act was not human rights compliant then it would not be unlawful for the Communication Service provider to comply with it[145].

The All Party Internet Group in its critical report called for the code of practice to be made mandatory so that ISPs would be protected from legal action under the Human Rights Act and the Data Protection Act when complying with measures in the code of practice[146].

Appendix A of the Consultation Paper on a Code of Practice for Voluntary Retention of Communications Data provides the time periods deemed necessary by the Secretary of State for communications service providers to retain communications data for national security purposes[147]. The retention of such data in the normal course of business by communications data may be retained for either longer or shorter time frames. This obviously leads to a scenario of dual data retention regimes. Where these data retention regimes are used in conjunction of each other, then in order for them not to be in contravention of the data retention principle of the Data Protection Act, then when the shorter of the two time frames expires data may only be retained for the purpose of the longer period. For example if the first period to expire relates to national security then after its expiry the remaining period of retention can only be for business purposes and on expiry of that period the data must be made anonymous or be deleted.

The question then is what sort of data is to be retained? A good staring point for this is the ATCS which provides that the secretary of state issues a code of practice relating to data held or obtained by communications providers[148]. This would suggest that it is data that is obtained during the normal course of business operations, which is communications data. RIPA’s definition breaks communications data into three different categories mainly traffic data, use made of service and other information relating to the subscriber.[149] An analysis of this definition shows that the following types of data will need to be retained:

  • Subscriber information

Consisting amongst other things of the subscribers’ name, date of birth, billing address, telephone number and email address, IP address at registration

  • Telephony data

Including amongst other data all numbers associated with the call, date, time start duration and end of the call, for GPRS[150] and 3G date and time of connection of the call

This includes calling and called number IMEI[154], date and time of sending

  • Email Data

This consists amongst other data of the logon user name date and time of logon/logoff , information relating to email sent such as the authentication name date and time sent

  • ISP Data

This will include user login name and the IP address assigned CLI[155] and number dialled

  • Web Activity Logs

To include proxy server logs IP Address used and URL’s that have been visited note this will not include the content of the communication

  • Other Services

This will if available consist of the logon and log off times of Instant message type services

  • Collateral Data

This will normally involve data required to interpret other communications data[156]

Data Retention United States

It is to be noted at this point that while data retention laws are prominent in Europe, the same cannot be said for the United States which does not currently have specific data retention legislation.

3.7.1 Impact of Data Retention Laws on Communications Service Providers

Communications service providers need to study the code of practice for data retention in order to identify how their compliance with these regulations will impact how they operate. This will require them to assess amongst other things the detailed requirements of the code of practice, the manner in which policies such as data protection, collection, archiving and security are to be implemented and also the manner in which processes for handling requests for the disclosure of data subject information are to be handled[157]. After this analysis is performed, technical measures in relation to their operations will need to be adapted to ensure that the retention of such data can in fact be carried out.

The communications service provider’s technical solutions to cater for data retention will invariably consist of ensuring their systems are capable of archiving such data this will involve ensuring systems have the capacity to store such data for the stipulated time periods as warranted by the code of practice. They will also need to ensure that they have appropriate systems tools to assist in the retrieval of data when a request comes in. This also involves the formatting of data to ensure it can be interpreted by the requesting agency. Coupled with this will be the need to ensure that data cannot be compromised, this will encapsulate implementing information security and quality assurance measures.

As has previously been mentioned, the cost to the communication service provider in retaining data can be extremely huge. It has been identified that the high cost of the requirement by communications service providers to retain data may lead to a barrier of entry to would be participants to the market, which may in turn harm competition along with making the subscriber being made to offset the costs by being asked to pay higher service charges[158]. It has thus been suggested that governments should assist in covering the costs of mandatory data retention infrastructures and also bear some costs where requests are made for access to retained data[159].

3.8 Conclusion

In summarising this section of the essay, it can be seen that lawful interception does not go against the principles of data protection legislations. Rather it can be said that it provides the check that is needed to fight criminals who abuse the privileges granted by communications privacy rights in their attempts to use it as a clock to carry out serious criminal or terrorist activity.

In order to ensure that privacy of communications is not infringed by the provisions of the laws relating to legal interception, the provisions of the legislations places obligations on law enforcement agencies and the communications service providers as can be illustrated for instance by the requirement to filter only the communications required by law enforcement agencies as provided by Part 2 section 9 of The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002[160]. This illustrates that the legislation recognises that data being intercepted must only relate to that which is identified by the warrant issued such that only persons or people who are suspected of committing serious offences or participating in activities against national security interests lose their right to privacy of their data communications. In these circumstances such infringement is acceptable as is illustrated by the European Convention on Human Rights, which provides for such interference in Article 8(2).

There is no doubt that the rise in criminal activity has led to amendments in legislation to cater for new methods of communicating. The legislations are attempts to close the gap between the sophistication of criminal activity using communication systems and the law in being able to provide legislation to close any loopholes due to a lack of appropriate legislation in these areas.

While these laws are aimed at ensuring law enforcement, agencies must operate within the perimeters of the law when they intercept communications, indeed in the United states sanctions in the form of civil liabilities can accrue to those that do not adhere to procedures.

It can thus be said that there are certain instances when the privacy of an individual whose actions go against national security laws or who has committed or is in the process of committing a serious crime may have their data accessed without the communications service provider being made liable for not keeping such data confidential. It should by now be realised by all individuals that with the manner in which computers are used to either commit crime or used to transmit messages that provide information on how or when a crime is to take place time, that law enforcement agencies will at some point have to gain access to such data so that they can either prevent the crime from taking place or use the data to prove that certain individuals are responsible for criminal activity. This cannot be said to be a contravention or infringement on the data subject’s privacy rights. Rather it can be seen as a collaboration between law enforcement agencies and communications service providers to thwart the success of criminal and terrorist activity.

However legislation such as the PATRIOT Act does send a warning that the right to privacy of communications as we know it may be over. Also such legislation can indeed be a catalyst for other legislations being enacted which place the right to privacy of the individual on a lower level than the right of the state to monitor communications for signs of criminal or terrorist activity.

4 Information security and communications

4.1 What is information security?

Information security relates to the protection of data to ensure its confidentiality, integrity and availability and can be likened to an asset that adds value to an organisation and consequently needs to be implemented across the entire organisational environment[161].

One of the basic misconceptions about information security is that it is all about technology. This conception can be no further from the truth. Indeed while technology enhances security it only forms part of a wider process. Other factors such as appropriately skilled resources; policies and procedures, assessments, training and educational awareness along with management and legal requirements form the full process of deploying appropriate security measures[162].

It can be seen from the previous sections of this essay that implementation of information security measures are a critical factor in reducing the risks of personal data being compromised. Information security assists in ensuring the integrity of exchange of communications data between systems of the CSP and those of agencies granted permission to intercept the communications. Both the Data Protection and the Privacy and Electronic Communications Directives contain articles that provide that adequate security measures should be implemented.

4.1.1 Why Information Security?

The rapid development of telecommunication networks has led to greater opportunities for criminals to use communications systems to commit crimes.

Their ability to successfully commit these crimes without detection may be attributed in part to inadequate security legislation, inadequate implementation of security technology, or lack of user awareness in relation to the risks. Typical crimes committed against communication systems that may breach confidentiality include but are not limited to the following:

  • Hacking or Cracking[163] communications networks with the objective of gaining access to personal information, which has the potential of breaching the confidentiality and privacy of personal information.
  • Unlawful interception of communications data which has the potential of breaching the confidentiality of information
  • Unauthorised modification of information which has the potential of breaching the confidentiality, integrity and availability of information

With the rise in the spate of attacks on communications networks, a number of issues came to light. The first was that many of these attacks were targeted at commercial enterprises that were rich in customer information, and secondly that many of these attacks were successful because corporations did not have effective security measures to either alert when these attacks were occurring and also because they had not implemented appropriate security measures to stop these attacks from being successful.

As a result of the realisation that customer information could be compromised, and also the potential for such information being used to create false identities and be used in the perpetration of other criminal activity, legislations were either amended or enacted to make corporate entities implement information security measures that are appropriate to the risks that they faced from both internal and external information security breaches.

The effects of information security on communications service providers is two pronged. These can be looked at from a data protection stand point i.e. duties the communications service provider owes to its subscribers in protecting their data and secondly the duties it owes to law enforcement agencies in their quest to tackle crime.

I shall look at the laws relating to information security in relation to subscribers personal data before approaching the obligations relating to when it applies to lawful interception and retention of data.

Laws relating to communications security can be found in legislations such as the EU Privacy and Communications Directive. Article 4 (1) stipulates that adequate security measures must be implemented by organisations that process personal information. This law is transposed into national legislations of Member States. In the UK this can be illustrated by section 5 of the 2003 Privacy and Electronic Communications (EC Directive) Regulations which states that providers of public electronic communications service should take appropriate technical and organisational measures to safeguard the security of that service.[164] The Regulations define appropriate measures as being those that are taken in relation to technological developments and the cost of implementing it in proportion to the risks of safeguards[165].
The seventh principle of the UK Data Protection Act also provides that appropriate levels of security must be implemented in proportion to any harm that may arise due to unlawful processing or unauthorised access and also the nature of data to be protected.[166]

It is to be noted that while these legislations provide communications service providers with the responsibility of deploying information security measures, there is recognition of the fact that information security is a moving target and as such there may be situations where the measures adopted by the communications service provider may not be adequate thereby allowing for the possibility of subscribers being left vulnerable. In recognising this, the laws allow the communication service providers to advise subscribers on measures they may take to in minimise the risk of breach[167]. With the recent spate of Virus[168] attacks such as Nimda and Mydoom along with the sophistication of hackers to modify and insert software code which can be used to gather personal and confidential information, it has become necessary for communications service providers to notify subscribers that they may need to utilise up-to-date antivirus software and other measures such as encryption when transmitting personal and sensitive data over the Internet to minimise their exposure to successful security breaches.

In the United States, legislation has been passed in California to the effect that businesses are now obliged to disclose any breach of the security of their systems to any California resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorised person[169].

While these obligations point to what a communications provider must do to ensure customer information is protected, the question arises as to what remedies accrue to users whose data have been compromised due to service providers not implementing security measures?

In the United Kingdom, data protection offences are dealt with by the Information Commissioner[170] whose powers enable him to prosecute those that breach principles of the Data Protection Act[171]. It is to be noted however that while there is no specific offence in relation to not implementing adequate security measures, the Information Commissioner may where he is satisfied that data protection principles have been contravened serve an enforcement notice requiring compliance[172]. A subscriber whose information has been breached due to lack of adequate security measures, may lay an official complaint to the information commissioner who will look at each event be on the merits. Punishments for contravention tend to vary from the serving of the above mentioned enforcement notices, a £5000 fine or an unlimited fine[173].

The second aspect of security communications service providers have to cater for relates to retention of data. As has been mentioned in earlier sections of this essay, communications service providers have an obligation to maintain data retention capabilities[174] thus mandating the retention of the traffic and location data of all communications taking place over mobile phones, SMS, landline telephones, faxes, e-mails, chat rooms, the Internet, or any other electronic communication device.

Communications service providers will need to ensure that systems on which retained data is held also have adequate security measures placed on them. Measures taken will need to ensure that the data maintains its confidentiality, integrity and availability. Adequate measures in technical terms will need to include ensuring the data is stored on systems that have restricted access along with logging[175] facilities which identify who accessed data, what times they accessed such data and whether any modifications were made to the data during the time the user of the system logged on. This is obviously a paramount requirement due to the fact that the evidence that may be given in relation to the data may lead to the aversion of a criminal or terrorist activity or indeed the acquittal or conviction for an alleged offence.

For successful implementation of lawful intercept systems, appropriate security measures need to be implemented to ensure access control and authentication at the hand-over interface. The methods for achieving this can be seen in standards such as the ETSI standard for lawful interception[176]. The access control and authentication issues are extremely important as it has been identified by the 2003 FBI computer crime survey[177]of 488 respondents, 77% stated that the likely source of attack on proprietary information was disgruntled employees.

It can thus be seen that communications service providers are being influenced on how they adopt information security measures by legislation not only for the protection of subscriber personal data but also in the maintaining if systems that may provide information to law enforcement agencies in the fight against crime and terrorist activities.

5 Concluding

As is evident in the body of this essay, the issue of privacy is a fundamental social principle. Ensuring that there is an appropriate legal framework to ensure privacy is not infringed upon and when it is that the legislation is able to provide the vehicle for appropriate sanctions is paramount.

The enactment of legislation has had an impact on communication service providers in that they now have to cater for the demands of two groups each with varying requirements for the services the communications service provider offers.

The first is the privacy of subscriber/client information and the second being the provision of assistance to law enforcement agencies in their fight against crime.

This is where the balance between privacy of the individual and the combat of criminal activity are linked.

In order to ensure that law enforcement agencies do not abuse their power when they are granted access to communications data, there is no doubt that safeguards need to be implemented in the form of procedures that are duly followed to the letter along with a monitoring and audit of the usage of such privileges granted to law enforcement agencies.

While it can be stated that data retention legislation is a reaction to events that occurred on Sept 11th 2001, legislation relating to the processing of personal data and lawful interception have been enacted or amended recently as a reaction to changes in technology. For instance the new privacy and electronic communications directive now includes provisions relating to location data.

In order for the above mentioned legislations to have bite, they need to ensure communications service providers adopt a more rigorous approach to maintaining privacy of communications and personal data. One of such ways would in my view be to ensure that technologies that can be used to enforce these laws are adopted immediately by communications service providers. This can be effected by regulatory bodies making it mandatory for them to provide certificates of compliance on an annual basis stating that they (CSP’s) have adopted latest technologies as specified by these bodies. Where organisations do not provide certificates on due dates, sanctions must be imposed for non compliance which should include both a monetary fine along with publication on the regulators site of the names of providers that are in breach.

In order to ensure that the certificates are genuine regulatory bodies must have the power to randomly select certified communications service providers to ensure that information provided is accurate.

While on the one hand the effect of such measures on communication service providers would be that they purchase, maintain and update these technologies, it will provide a means of showing that are capable of meeting the requirements of their clients in relation to maintaining privacy of communications. Such a measure will also provide easier means of detecting when a service provider is not meeting its obligations.

It must be mentioned that as electronic commerce grows, technologies that will enable criminals to subvert communications networks either in the form of gaining unauthorised access to networks, using false or stolen identities to pay for goods and or services and also to commit terrorist activities will become more widespread . With this in mind it is apparent that more robust authentication and screening technologies which are able to filter communications using artificial intelligence screening capabilities will be required to be developed and utilised by communications providers. With this state of activity it can be seen that there is the possibility that the role of the communication service provider over the next decade will shift from that of providing a communications services to one where it is being used as the first point of contact to thwart criminal and terrorist activities conducted via communications networks.

Also to ensure healthy competition in the communications service provider environment, governments need to subsidise the costs of retaining data.

As a last thought I believe that a harmonised legal framework on minimum information security must be adopted and be legally binding on communications service providers. While the Data Protection Directive and the Privacy of Communications Directive have made mention of the fact that information security measures must be implemented, there needs to be a separate information security legislation which specifically outlines the minimum requirements that should be put into practice by organisations that handle personal data. This framework will undoubtedly need to be of global dimension and universally accepted by all countries otherwise criminals and hackers will look to attack systems belonging to those with the least effective measures which in turn may impact other environments worldwide. The adopted information security legislation should have wordings similar to the Gramm-Leach-Bliley Act in the United States along with implementation of technical measures as identified by both ISO 15408 and ISO 17799. The effect of this on communication service providers is that it will also mean that they deploy more resources in the way of staffing, training and technology to ensure information security meets these minimum requirements.

These recommendations along with better awareness campaigns will allow the general public understand fully the issues surrounding the need for lawful interception and retention of private information especially when there is a need to thwart criminal activity and remove threats to national security. It will also help to dispel the fear that there is an erosion of rights to privacy.

Bibliography:

Access to Communications Data: Respecting privacy and protecting the public from crime, Consultation Paper March 2003

Akdeniz Y 2001, The Case against RIP at www.sourceuk.net/indexf.html?01546

Bro & Hengesbaugh 2001, Implementing the U.S.-EU Data Privacy ‘Safe Harbor’

Bygrave L 2002, Data Protection Law: Approaching its rationale, logic and limits

Carter D L & Katz A J 1997, Computer Crime: An Emerging Challenge for Law Enforcement.

Cartesian Group 2002, Data Retention for regulatory Compliance

CCTV Looking out for you Home office publication November 1994

CSI/FBI Computer crime and security survey 2003

Cyber-Rights & Cyber-Liberties (UK), “Who Watches the Watchmen: Part III – ISP Capabilities for the Provision of Personal Information to the Police,” February 1999, at http://www.cyber-rights.org/privacy/watchmen-iii.htm

Eisner R S 2002, Ignorance Isn’t Bliss: What you need to know about EU data privacy law, Legal Research Centre

Elliot C 1999, The legality of the interception of electronic communications: a concise survey of the principal legal issues and instruments under international, European and national law

Goemans C 2002, Law enforcement and data privacy: difficulties to accommodate

Hoofnagle C J 2002, Consumer Privacy In the E-Commerce Marketplace, Third Annual Institute on Privacy Law 1339, Practicing Law Institute G0-00W2

Policy leadership on cyber security questioned: Cyber crime Law Report Vol 3 No 8 2003

Electronic Privacy Information Centre and Privacy International 2002, Privacy and Human Rights, An international survey of privacy laws and developments

Rathmell A 2002, Regulating Security: Telecoms Regulation and Information Security

Joint Economic Committee United States Congress 2002 Security in the information age: New Challenges, New Strategies

Pascual A E 2001, Location data is as sensitive as content data

OFTEL 2002, Guidelines on the essential requirements for network security and integrity and criteria for restriction of access to the network

Reidenberg J R, Resolving Conflicting International Data Privacy Rules in Cyberspace 52 STANFORD Law. Review 1315 (2000)

Smedinghoff T J 2003, Defining Corporate Cybersecurity Obligations: Impact of the Final U.S. National Strategy to Secure Cyberspace

Smedinghoff T J 2002, Developing a U.S Legal Standard for Cybersecurity

Smith, R G 2001, “Cross-border economic crime: the agenda for reform”, Trends & Issues in Crime and Criminal Justice, no. 202, Australian Institute of Criminology, Canberra.

Stratford J S & Stratford J 1998, Data Protection and privacy in the United States and Europe

Sutter G 2001, A Tale of Two Interception Regimes: RIP v CALEA, a comparison.

Tedeschi B, Patriot Act Curbing Data Retention New York Times October 13, 2003


[1] See Tackling Insider Dealing p13 Home office Consultation Paper: Access To Communications Data Respecting Privacy and Protecting the Public From Crime March 2003

[2] Communications service provider in this essay includes Telecommunications Operators, Telephone Service Providers, Internet service providers, Mobile Phone Operators, Communications Network Operators

[3] Also called convergence

[4] For example electronic privacy information centre www.epic.org and Electronic Frontier Foundation www.eff.org

[5] See Internet fraud watch www.fraud.org and Internet fraud centre www1.ifccfbi.gov

[6] Data Protection Act 1998

[7] Person entitled to hold data about individuals

[8] Section 1(1) Data Protection Act 1998

[9] Data Protection Act identifies data as information that is processed by means of equipment operating automatically in response to instructions given for that purpose and is recorded with the intention that it should be processed by means of such equipment.

[10] See also CCTV Looking out for you Home office publication November 1994

[11] Article 8 (1) Convention for the Protection of Human Rights and Fundamental Freedoms as Amended by Protocol No 11

[12] Directive 1995/46/E.C.[1995] 0.J. L281/31

[13] Directive 2002/58/E.C OJ L 201/37

[14] Article 8 (1) European Convention On Human Rights

[15] Article 8 (2) European Convention On Human Rights

[16] For the purpose of this essay “Identity theft” occurs when a person or group of people obtain and use someone else’s name, credit card number, social security number or other personal information without that persons consent with the intent of using such information to commit fraud or other crime

[17]Section 55 (1&3) Data Protection Act 1998

[18] See www.csa-uk.com/news-facts-press_index/newsletters/autumn202002.pdf page2

[19] Section 60 (1) Data Protection Act 1998

[20] see www.ftc.gov/opa/2003/02/hersheyfield.htm

[21] 15 U.S.C 6501-6505

[22] U.S.C 6502 b (1) A ii

[23] A person who alone or jointly with others determines the purpose for which and manner in which personal data is to be processed Section 1(1) Data Protection Act 1998

[24] Directive 2002/58/E.C OJ L 201/37 this Directive replaces Directive 1997/66/E.C [1998] O.J L24/1

[25] See Resolving Conflicting International Data Privacy Rules in Cyberspace Joel R Reidenberg May 52 STANFORD Law. Review. 1315 (2000)

[26] Article 6(1a) Data Protection Directive 95/46/EC

[27] Article 6(1b)

[28] Article 6(1c)

[29] Article 6(1d)

[30] Article 6(1e)

[31] Article 12

[32] Article 17

[33] Article 7 (a) Data Protection Directive 95/46/EC

[34] Article 8(1)

[35] Article 7 (b)

[36] Article 7 (c)

[37] Article 7 (d)

[38] Article 7 (e)

[39] Article 7 (f)

[40] Article 1(1) states “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy, with respect to the processing of personal data.”

[41] Directive 2002/58/E.C OJ L 201/37

[42] Article 1 Directive on Privacy and Electronic Communications

[43] According to European law, electronic communications service means a service normally provided for the remuneration which wholly or mainly in the conveyance of signals on electronic communications networks used for broadcasting, but exclude services providing, or exercising editorial control over content transmitted using electronic communications networks and services. Article 2 (c) Directive 2002/21/EC

[44] According to European law, public communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services. Article 2 (d) Directive 2002/21/EC

[45] Article 4 (1&2) Directive on Privacy and Electronic Communications

[46] Computer Misuse Act 1990

[47]OECD Guidelines for the security of information systems and networks see www.oecd.org/dataoecd/59/0/1946946.pdf

[48] see www.bsi.org.uk

[49] http://csrc.nist.gov/cc/ccv20/ccv2list.htm

[50] Article 5 (1)

[51] Article 5 (2)

[52] Cookies are programs that are used to track user’s preferences when they visit a website. They can be stored on ones hard drive without the users consent or knowledge.

[53] Article 8

[54] Guidelines for Customer Line Identification Displays Services and other related Services over Electronic communications networks available at www.oftel.go.uk/ind_groups/cli_group/docs/guidelines0902.pdf

[55] See European Guidelines for Calling line Identification available at www.europa.eu.int/ispo/infosec/telcompolicy/en/guidelines.pdf

[56] The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on 11th December 2003.

[57] See Location Data is as sensitive as content data Alberto Escuardo Pascual Royal Insitute of Technology 22nd November 2001 available at www.it.kth.se/~aep/publications/EU-forum/20011127/EU-forum-locationdata.pdf

[58] See bbc.news.co.uk/2/low/technology/2593653.stm

[59] Article 9 Directive on Privacy and Electronic Communications

[60] Article 9(2)

[61] Article 13 Directive on Privacy and Electronic Communications

[62] In an opt-in regime, the consumer must affirmatively give permission to be sent information about new products or sales, or to share the consumer’s information with other companies in a business relationship with the company where that consumer has an opt-in agreement. Generally, a consumer must click on web site boxes or send an e- mail request to the company, or its affiliates in order to authorise consumer e-mail.

[63] In an opt-out regime, the privacy policy will indicate that the consumer is presumed to want information about sales or new products which will be sent unless the consumer “opts out” of receiving such.

[64] /www.the-dma.org/

[65] The amount of data that can be transmitted in a fixed amount of time. For digital devices, the bandwidth is usually expressed in bits per second(bps) or bytes per second. For analog devices, the bandwidth is expressed in cycles per second, or Hertz (Hz).

[66] Article 15 (2) Directive on Privacy and Electronic Communications

[67] United States v. Miller, 425 US 435 (1976)

[68] Explained further in this section

[69] Chris J. Hoofnagle, Consumer Privacy In the E-Commerce Marketplace 2002, Third Annual Institute on Privacy Law 1339, Practicing Law Institute G0-00W2 (June 2002), available at http://www.epic.org/epic/staff/hoofnagle/plidraft2002.pdf

[70] See Big Brother Inside Campaign http://www.bigbrotherinside.org

[71] See EPIC DoubleClick Pages http://www.epic.org/privacy/doubletrouble/.

[72] For a detailed history and critical analysis of this agreement, see Electronic Privacy Information Center (EPIC) and Junkbusters, “Network Advertising Initiative: Principles not Privacy,” July 2000 http://www.epic.org/privacy/internet/NAI_analysis.html.

[73] Note some of the legislations below are proposed legislations (Bills) and will be indicated as such in the footnotes

[74] 47 U.S.C 222

[75] Defined as constituting the quantity, technical configuration, type, destination, location and amount of use of telecommunications service subscribed to by any customer of a telecommunications carrier and that is made available to the carrier by the customer, solely by virtue of the customer carrier relationship. It also includes information contained in bills relating to telephone exchange service or telephone toll service received by a customer of a carrier.

[76] 47 U.S.C 222 (b)

[77] Proposed Legislation: S.1164 Location Privacy Protection Act of 2001, A bill to provide for the enhanced protection of the privacy of location information of users of location-based services and applications, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 7/11/2001 Referred to U.S Senate committee: Senate Commerce, Science, and Transportation.

[78] See section 3 a & b Location Privacy Protection Act 2001

[79] section 3 (c) ( ii) Location Privacy Protection Act 2001

[80] Proposed Legislation: S197 Spyware Control and Privacy Protection Act of 2001 A bill to provide for the disclosure of the collection of information through computer software, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 1/29/2001 Referred to Senate committee: Senate Commerce, Science, and Transportation

[81] See Information Commissioner Annual Report and accounts for the year ending 31 March 2002, HC913

[82] 47 U.S.C 1001-1010

[83] Section 2 Regulation of Investigatory Powers Act 2000

[84] Circuit switched networks are used for phone calls

[85] Packet switched networks handle data which could include voice calls

[86] Trap and trace devices are one of the methods used by authorities in the United States to intercept communications

[87] Round aluminium type snack container

[88] Sniffing is the act of using a device to analyse network traffic relating to communication and computer systems

[89] Joseph Fried, Police Filch Faxes to Snare a Gambling Ring, NYT , June 3, 1990 at 33.

[90] Eaves Dropping detecting David Bansar 1995

[91] Section 9(1) Telecommunications Act 1984 defines public communication system as that so defined by the Secretary of State as that authorised by licence via Section 8 of that Act

[92] Any telecommunications system which not being a public telecommunication system is a system to which is attached directly or indirectly to a public telecommunications system and there is apparatus comprised of the system located in the United Kingdom for making the attachment to the public communication system Section 2 (1b) RIPA 2000

[93]Section 1 (1) Regulation of Investigatory Powers Act 2000

[94] R V Effick 1984 Crim LR832, 99

[95] 1997 IRLR 471

[96] See Articles 8 (1) and 8(2) European Convention on Human Rights

[97] Section 1(2) RIPA

[98] Section 127 Communications Act 2003

[99] Defined under Article 18 (3) of the Convention on Cyber Crime as any information, contained in the form of computer data or any other form, that is held by a service provider, relating to subscribers of its services….

[100] Ill Wind investigation see /www.eff.org/Privacy/Surveillance/CALEA/kallstrom_fbi_clip-dt.testimony

[101] Under the title III authorisations

[102] Sections 5(3) and 7(1) RIPA 2000

[103] Report of the Interception of communications commissioner 2001

[104] Referred to collectively as Title III and codified at 18 U.S.C. § 2510,

[105] Telecommunications (Interception) and Listening Device Amendment Act 1997

[106] See Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003

[107] Section 21(4) RIPA 2000

[108] SI 2000/2699

[109] They are the police as defined in section 81(1) National Criminal Investigations Service, National Crime squad, HMSO Customs and excise, The Inland Revenue, The security service, The Secret Intelligence Service Government Communications Headquarters

[110] Section 25(1g) RIPA 2000

[111] Section 3(1) (a) i(aa) Lawful business practices regulation

[112] Section 3(1) (a) i(cc)

[113] Section 3(1) (a) iii

[114] Section 3(1) (a) iv

[115] Neutral Citation number: 2002 EWCH 1585

[116] Section 9 Schedule1 Police and Criminal Evidence Act 1984

[117] See Safeguards p23 Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003

[118] Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986).

[119] Omnibus Crime Control and Safe Streets Act of 1969, Pub. L. No. 90-351, 82 Stat. 197 (1968)(codified at 18 U.S.C. § § 2510-2521 (2000)), reprinted in USCCAN 1968 237.

[120] 18 U.S.C. § 2511.

[121] Id. § 2516-2518.

[122] Id. § 2519. Pen registers and trap-and-trade devices also are subject to federal statutory constraint. Id. § § 3121-27.

[123] Id. § 2518(5).

[124] Focus Paper of Charles H. Kennedy Presented at 2002 Enforcing Privacy Rights symposium

[125] The USA PATRIOT Act is not a stand-alone Act. It amends over 15 Federal Statutes visit: www.llrx.com/features/libraryrecords.htm

[126] Section 12 Regulation of Investigatory Powers Act 2000

[127] See Citation 2 (3a) RIP Maintenance of Interception Capability Order 2002

[128] Article 2(5) RIP Maintenance of Interception Capability Order 2002

[129] Article 2(6)

[130] Article 2(7)

[131] The handover interface is the physical and logical interface across which the interception measures are requested from network operator/access provider/service provider, and the results of the interception is delivered from the network operator/access provider/service provider to a law enforcement monitoring facility

[132] Article 2(8)

[133] For more information on standards relating to interception see www.opemtap.org.documents/es201-671.pdf

[134] Article 2(9)

[135] Article2 (10)

[136] Article 2(12)

[137] (Public Law 103414; 47 U.S.C. 1001-1010)

[138] Section 103 (1) CALEA

[139] Section 103 (2)

[140] Section 103 (3)

[141] Section 103 (4)

[142] Section 102 Antiterrorism Crime and Security Act 2001

[143] Room Document No 7 (EU member states answers to questionnaire on traffic data retention 16 September 2002 by European Council Multidisciplinary Group on Organised Crime

[144] Fifth principle Data Protection Act 1998

[145] See Communications Data: Report of an inquiry by the All Party Internet Group January 2003 paragraph 136

[146] See recommendation 178 page 33 Communications Data: Report of an inquiry by the All Party Internet Group January 2003

[147] See Appendix A pages 26 –27 Consultation Paper on a Code of Practice for Voluntary Retention of Communications Data March 2003

[148] Section 102 (1) Antiterrorism Crime and Security Act 2001

[149] Section 21(4) Regulation Of Investigatory Powers Act 2000

[150] General Packet Radio Service

[151] Short Messaging Service

[152] Enhanced Messaging Service

[153] Multimedia Messaging Service

[154] International mobile equipment identifier

[155] Calling Line Identifier

[156] See Appendix A Consultation Paper on a Code of Practice for Voluntary Retention of Communications Data March 2003

[157] See page 11 White Paper on Data Retention for Regulatory Compliance 2002 Cartesian Group

[158] See Common Industry Statement on Storage of Traffic Data for Law Enforcement Purposes page 8 4th June 2003. Available at www.statewatch.org/news/2003/jun/CommonIndustryPositionondataretention.pdf

[159] see reference at page 9

[160] Statutory Instrument 2002 No. 1931 The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002

[161] See ISO 17799 first edition 2000-12-01

[162] See Thomas J.Smedinghoff: Developing U.S Legal Standard for Cybersecurity pages 4-11 may 2003 available at www.bmck.com/ecommerce/articles-s.htm

[163] In the truest sense of the word, “hacking” involves actions taken by a dedicated programming expert who believes in sharing his expertise and experiences with other hackers. A hacker does not believe in vandalising or maliciously destroying data, or in stealing data of any kind. On the other hand “cracking” involves actions carried out by an individual or group intent on causing malicious harm to a network or computer, or to steal information beneficial to themselves like passwords, credit card numbers and the like. For ease of use, the term “hacking” will be used here to refer to either a hacker or cracker, and is used to describe the act of an individual or individuals who enter or tries to enter a computer or network without authorisation.

[164] Section 5 (1) Privacy and Electronic Communications (EC Directive) Regulations 2003

[165] Section 5 (4) Privacy and Electronic Communications (EC Directive) Regulations 2003

[166] Part 2 section 9 (a & b) Data Protection Act 1998 Sch 1

[167] Article 4 (2) Directive 2002/58/EC

[168] A computer virus is a program designed to spread itself by first infecting executable files or the system areas of hard and floppy disks and then making copies of itself. They usually operate without the knowledge or authorisation of the computer user.

[169] California Civil Code Sections 1798.29 and 1798.82 – 1798.84

[170] The information commissioner is an independent officer who is appointed directly by Her Majesty the Queen and reports directly to parliament

[171] Powers and duties of the commissioner, Chapter 7 Data Protection Act 1998 Legal Guidance. see: www.informationcommissioner.gov.uk/cms/DocumentUploads/Data%20Protection%20Act%201998%20Legal%20Guidance.pdf

[172] Section 40 (1) Data Protection Act 1998

[173] Enquires made to the information commissioners office in relation to sanctions imposed for breach of security measures call +44 1625 545 700

[174] Article 15(1) Directive 2002/58/EC

[175] See also Part 2 section 13 of The Regulation of Investigatory Powers (Maintenance of Interception Capability) Order 2002

[176] See Telecommunications Security Lawful interception available at www.etsi.org

[177] See page 8 CSI/FBI Computer Crime and Security Survey available upon request from Computer Security Institute www.gocsi.com/press/200020407.html

Opt In Image
Send Me Free Email Updates

(enter your email address below)

Tags: , , , , , , , , , , , , , , , , , , , , , , ,

Leave a Reply

*

Home | About | Contact | Login