Is virus scanning interception?

[Andrew Cormack]

I've just been checking the published draft of the Information
Commissioner's Code of Practice on Monitoring at Work (from
http://www.dataprotection.gov.uk/dpr/dpdoc.nsf click on Guidance and Other
Publications, then Codes of Practice). A side issue in that document, but
one that has confused me, is the definition of whether an automated
virus-scanning system necessarily performs interceptions.

According to page 29 of the Code: "An interception takes place if the
contents of a communication are made available, during the course of its
transmission, to someone other than the sender or intended recipient.
Examples of interception include a supervisor listening in to calls in a
call centre, a business opening e-mails stored on a server before they have
been read by the intended recipient, and an automated system that opens
e-mails and/or their attachments to check them for viruses."

Now I had interpreted tentatively the "person" of RIPA and definitely the
"someone" of this Code as being a flesh and blood person, so I've no problem
agreeing that the first two examples above being classed as interception.
But I have problems with the idea that a computer checking an e-mail against
a pattern book, and either forwarding or rejecting the mail based on the
match, is either a "person" or a "someone". Certainly if the system passes
infected mails to an operator, then it's interception, but if the mail is
simply forwarded or rejected, surely not????

As it is I have two issues with this interpretation, one human and one
technical. As a human I would actually like there to be a legal distinction
between a software virus checker and a human operator sitting there reading
every message, but this Code denies that the two situations are any
different under RIPA. As a technical person I have a real problem with the
idea that a piece of code transferring bytes between memory locations and
making a go/nogo decision is interception, because that's precisely what
every e-mail system on the Internet does to get messages from one place to
another. So is chiark doing an interception by distributing my mail?

I've actually been putting this point of view to the ICO for a while, and
I'd like to think that is what has caused the appearance in the list of
authorised business purposes on page 40 of the following, which I don't
recall seeing in previous drafts: "to ensure the security of the system and
its effective operation (e.g. to check for viruses or other threats to the
system, or to enable automated processes such as caching or load
distribution)."

So the net result of the current draft Code is that you are allowed to virus
check e-mail (under LBP) provided you've informed local users. That's fine
in practice, but I'm worried by the other nasties that might flow from the
precedent. For example, where does it leave thrid-party virus scanning
services? Before I have another bash at the ICO on this, I'd welcome
comments from other list members: is my interpretation wrong, and does it
matter anyway? And if anyone else thinks it matters and would like to point
it out to the commissioner's office I'd be very grateful so I don't appear
any more of a lonely obsessive than I really am ;-)

Cheers,
Andrew