Is virus scanning interception?
Richard Clayton
richard at highwayman.com
Mon, 15 Jul 2002 01:20:50 +0100
In article <200207142052.40475.graham.todd@ntlworld.com>, Graham
<graham.todd@ntlworld.com> writes
>Common sense would indicate to me that virus checking by my ISP is
>interception, although it might be lawful interception allowed by the RIP Act
>and (a new piece of information for me) the Lawful Business Regulations.
The LBP don't affect the ISP's actions (except in so far as they have
their own employees). The ISP will be relying on RIP s3(3).
> It
>is interception because my ISP has raised a barrier to passing on the content
>of my emails to their recipient and set up methods to examine those emails
>before they are either quarantined or sent on to their recipient.
As I've already indicated, there are lots of different mechanisms.
>However,
>that interception might be legal if it prevents damage to the system,
That's not a RIP test per se; the test is whether it is part of the system...
> which a
>virus like Code Red could do, or other systems to which the ISP is connected
>such as home users, as a virus like Happy99 could do.
... but those ISPs who are providing the service will be doing it with a
view to reducing damage to either their systems or their customers'
systems (or both).
>What I am not clear about is how the proposed Code of Practice could affect that
>situation, and I am not at all clear on what those "further hoops to jump
>through" might be. Or have I got the fundamentals of this wrong?
By "further hoops" I mean that the CoP reminds employers of, for
example, the way in which data collected by interception should be
handled and how it should be clear that the intrusiveness is justified
by the benefits. However, the bulk of the CoP in this area is driven by
the need to conform to RIP restrictions or to "escape" through the
loopholes made available by the LBP Regulations.
Interestingly, on page 20 it recommends automatic systems:
This can reduce the extent to which extraneous information is made
available to any person other than the parties to a communication.
For example, monitoring to protect the security of a computer system
can generally be automated. Monitoring to detect references to
matters of particular sensitivity, for example the name of a company
involved in a merger negotiation, might also be automated. Automated
monitoring systems are becoming increasingly sophisticated and their
capabilities should be exploited to assist data protection
compliance, for example through the ability to target monitoring at
suspicious patterns of activity.
Finally, it's worth noting that it is a draft and is still being
consulted on. One therefore should not read too much into what it
currently says since any howlers can still be corrected.
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin