Is virus scanning interception - The final word??

Peter Fairbrother zenadsl6186 at zen.co.uk
Mon, 05 Aug 2002 17:43:35 +0100


> Roland Perry wrote:

> In message
> <AFB26DF151B3D511BB2B009027C2C7A957EAF0@controller1.ukerna.ac.uk>,
> Andrew Cormack <A.Cormack@ukerna.ac.uk> writes
>> I've just been checking the published draft of the Information
>> Commissioner's Code of Practice on Monitoring at Work (from
>> http://www.dataprotection.gov.uk/dpr/dpdoc.nsf click on Guidance and Other
>> Publications, then Codes of Practice). A side issue in that document, but
>> one that has confused me, is the definition of whether an automated
>> virus-scanning system necessarily performs interceptions.
>> 
>> According to page 29 of the Code: "An interception takes place if the
>> contents of a communication are made available, during the course of its
>> transmission, to someone other than the sender or intended recipient.
>> Examples of interception include a supervisor listening in to calls in a
>> call centre, a business opening e-mails stored on a server before they have
>> been read by the intended recipient, and an automated system that opens
>> e-mails and/or their attachments to check them for viruses."
> 
> I've just had a phone conversation with the relevant bit of the OIC, and
> their main response to my particular concern (on behalf of ISPs
> operating automated virus checkers) is that the CoP only applies to the
> *workplace* and therefore [all of it] is irrelevant as far as anything
> done by network operators providing a service to their customers is
> concerned. Put another way, they are only concerned about *employers*
> snooping on *employees*.
> 
> However, they agreed with all my views on the legislative basis, and
> will reconsider the wording in order to perhaps make it clearer that as
> long as the infected email is deleted, or quarantined for fetching by
> the intended recipient only, there's no Interception.


David Clancy (the chap at the OIC you spoke to) has taken advice, following
which the opinion of the OIC is that automated virus scanning is
interception, and there will not be any changes in relation to this area of
the code.


Don't get your knickers in a twist. The OIC (although by no means a
definitive authority, or even particularly concerned in the matter) also
apparently agrees with, or at least does not reject, my suggestion that
virus scanning by ISPs is made lawful by section 3(3) of RIPA even when
done in order to protect clients' machines.


-- Peter Fairbrother