Is virus scanning interception - The final word??

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Fri, 26 Jul 2002 16:15:20 +0100 

> -----Original Message-----
> From: Roland Perry [mailto:roland@linx.net]
> Sent: 26 July 2002 15:49
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Is virus scanning interception - The final word??
>=20
>=20
> In message
> <AFB26DF151B3D511BB2B009027C2C7A957EAF0@controller1.ukerna.ac.uk>,
> Andrew Cormack <A.Cormack@ukerna.ac.uk> writes
> >I've just been checking the published draft of the Information
> >Commissioner's Code of Practice on Monitoring at Work (from=20
> >http://www.dataprotection.gov.uk/dpr/dpdoc.nsf click on Guidance and=20
> >Other Publications, then Codes of Practice). A side issue in that=20
> >document, but one that has confused me, is the definition of=20
> whether an
> >automated virus-scanning system necessarily performs interceptions.
> >
> >According to page 29 of the Code: "An interception takes
> place if the
> >contents of a communication are made available, during the course of
> >its transmission, to someone other than the sender or intended=20
> >recipient. Examples of interception include a supervisor=20
> listening in
> >to calls in a call centre, a business opening e-mails stored on a
> >server before they have been read by the intended recipient, and an=20
> >automated system that opens e-mails and/or their attachments=20
> to check
> >them for viruses."
>=20
> I've just had a phone conversation the relevant bit of the
> OIC, and their main response to my particular concern (on=20
> behalf of ISPs operating automated virus checkers) is that=20
> the CoP only applies to the
> *workplace* and therefore [all of it] is irrelevant as far as=20
> anything done by network operators providing a service to=20
> their customers is concerned. Put another way, they are only=20
> concerned about *employers* snooping on *employees*.
>=20
> However, they agreed with all my views on the legislative
> basis, and will reconsider the wording in order to perhaps=20
> make it clearer that as long as the infected email is=20
> deleted, or quarantined for fetching by the intended=20
> recipient only, there's no Interception.

Hold on a minute and run the last two lines past me again - if you copy
to quarantine the infected attachment but still deliver the rest of the
message to the recipient then you do not consider that "interception" as
defined by RIPA?

A second problem I have with the OIC guidance is that I operate a mail
service within the "workplace" (a university), at least as far as staff
e-mail is concerned, so this guidance muddies the waters even further.

We explicitly do not quarantine any infected attachment(s) we find. We
just disinfect or delete them and deliver what we can of the rest of the
message. Quarantining usually requires a third party to make the
quarantined part available to the intended recipient which is why we
have avoided even considering it.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own." =20