Roland Perry - "is an ISP a 'Person'?"
Dave Howe
DaveHowe at gmx.co.uk
Tue, 1 Oct 2002 21:29:02 +0100
Peter Fairbrother wrote:
> The expression in RIPA is "make available", not "see".
But the distinction is the same, yes? If mail passing through the server is to
be deemed "made available" to the body corporate, then the machine must be
considered a part of its owner. It is difficult to claim that one act of
automatic processing (virus scanning say) is interception and another act
(simple passthrough; accepting mail as a closed packet and forwarding to the
best next hop mailserver) isn't.
> The "person" who controls the machine is the person making use of
> content, is the "person" to whom the content is "made available" (for
> his use, as input to the scanner's decision-making process), and is
> the RIPA "person" involved.
I can see how a machine that delivers selected mail to a recipient not
intended by the mail's author is "making available" that mail to that
recipient; it is less obvious how one that appends a signature file, virus
cleans or de-mimes a mail message before passing it to its intended
recipient is "making available" that mail to the machine's owner.
> Inspecting would be lawful under 5(6) (and probably other clauses
> too). As you'd only need to inspect traffic data the onus is less -
That is difficult to determine; it is easy to say "oh, only the routing
information need be processed" but computers rarely make a clean distinction
between content and header info; it would be difficult to determine if a
given line in the DATA section of a mail message was routing info (servers
passed through for example) or content (a Subject: line) without scanning
until you encounter content data. And of course some borderline header info
(such as the date/time stamp) might come after indisputable content (again,
the subject line).
Webmail is also problematic - you can't possibly scan webmail accesses for
header information; all you can hope to do is intercept POST statements made
to the webserver and identify a login (and password!) for a specific user as
a signal to begin monitoring.
> I think they both are. Echo-cancelling is lawful under 3(3), and
> rejecting mail based on size is probably lawful under 3(3) too, if
> it's done "for purposes connected with the provision or operation of
> the service".
And you can define mail rejection based on size as lawful but based on viral
signature as unlawful?
> Makes a nonsense of the usual meaning of "interception" of course,
> but RIPA has already mangled the word quite irreparably, under any
> interpretation.
What else is new? :)
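
Added example (not part of the original message or the list archive): a short Python walk over a constructed SMTP DATA section, illustrating the point made above that routing lines and content lines are interleaved and that the header block only ends at the blank line. The sample message and the routing/content/borderline labels are assumptions made for illustration.

```python
# Constructed sample: the DATA section of one SMTP transaction (not real mail).
SAMPLE_DATA = (
    b"Received: from mx1.example.net by mx2.example.org; Tue, 1 Oct 2002 21:29:05 +0100\r\n"
    b"Subject: quarterly figures\r\n"
    b"Received: from client.example.com by mx1.example.net;\r\n"
    b"\tTue, 1 Oct 2002 21:29:03 +0100\r\n"
    b"Date: Tue, 1 Oct 2002 21:29:02 +0100\r\n"
    b"\r\n"
    b"Received: this line is body text, not a header\r\n"
)

# Assumed labels, for illustration only: which fields count as traffic data
# and which as content is exactly the question the thread is arguing about.
LABELS = {"received": "routing", "return-path": "routing",
          "subject": "content", "date": "borderline"}

def walk_data(data):
    """Return ([(field, label)], bytes_read) for the header block of a DATA section."""
    fields, offset = [], 0
    for raw in data.splitlines(keepends=True):
        offset += len(raw)                 # every byte up to here had to be read
        line = raw.rstrip(b"\r\n")
        if not line:                       # blank line: headers end, body begins
            break
        if line[:1] in b" \t":             # folded continuation of the previous field
            continue
        name, sep, _ = line.partition(b":")
        if sep:
            field = name.decode("ascii", "replace").strip()
            fields.append((field, LABELS.get(field.lower(), "other")))
    return fields, offset

def late_fields(fields):
    """Routing or borderline fields that appear after the first content field."""
    labels = [label for _, label in fields]
    if "content" not in labels:
        return []
    first = labels.index("content")
    return [n for n, l in fields[first + 1:] if l in ("routing", "borderline")]

if __name__ == "__main__":
    fields, read = walk_data(SAMPLE_DATA)
    for name, label in fields:
        print(f"{label:10} {name}")
    print("bytes read before the body boundary was known:", read)
    print("routing/borderline fields seen after content:", late_fields(fields))
```
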