Is virus scanning interception?

Nicholas Bohm nbohm at ernest.net
Fri, 12 Jul 2002 17:47:53 +0100


At 16:34 12/07/2002 +0100, James Hammerton wrote:
> >
> > I've just been checking the published draft of the Information
> > Commissioner's Code of Practice on Monitoring at Work (from
> > http://www.dataprotection.gov.uk/dpr/dpdoc.nsf click on Guidance and Other
> > Publications, then Codes of Practice). A side issue in that document, but
> > one that has confused me, is the definition of whether an automated
> > virus-scanning system necessarily performs interceptions.
> >
> > According to page 29 of the Code: "An interception takes place if the
> > contents of a communication are made available, during the course of its
> > transmission, to someone other than the sender or intended recipient.
> > Examples of interception include a supervisor listening in to calls in a
> > call centre, a business opening e-mails stored on a server before they have
> > been read by the intended recipient, and an automated system that opens
> > e-mails and/or their attachments to check them for viruses."
>
>I am not a lawyer.
>
>This appears to be different from RIPA. RIPA, section 2(2) states:
>
>"For the purposes of this Act, but subject to the following
>provisions of this section, a person intercepts a communication in the
>course of its transmission by means of a telecommunication system if,
>and only if, he-
>
>     (a) so modifies or interferes with the system, or its operation,
>
>     (b) so monitors transmissions made by means of the system, or
>
>     (c) so monitors transmissions made by wireless telegraphy to or
>     from apparatus comprised in the system,
>
>as to make some or all of the contents of the communication available,
>while being transmitted, to a person other than the sender or intended
>recipient of the communication."
>
>This explicitly refers to making the contents of the communication
>available to another person (and the conditions that follow do not
>alter this as far as I can tell). So unless RIPA defines a person so
>as to include an automated virus checker, the ICO appears to be at odds
>with RIPA.

I am a lawyer, and this seems to me exactly right.

"Person" includes a company or other body corporate, but not a machine.  No 
doubt automated virus checking could be set up in such a way as to make the 
communication available to an unintended recipient, but there seems no 
reason why it has to be set up that way; and if it isn't then it isn't 
statutory interception.

>Regards

Nicholas

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone   01279 871272    (+44 1279 871272)
Fax     01279 870215    (+44 1279 870215)
Mobile  07715 419728 (+44 7715 419728)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF