Roland Perry - "is an ISP a 'Person'?"

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue, 01 Oct 2002 22:55:45 +0100 

> Dave Howe wrote:

> Peter Fairbrother wrote:
>> The expression in RIPA is "make available", not "see".
> but the distinction is the same yes? if mail passing though the server is=
 to
> be deemed "made available" to the body corporate, then the machine must b=
e
> considered a part of its owner. It is difficult to claim that one act of
> automatic processing (virus scanning say) is interception and another act
> (simple passthough; accepting mail as a closed packet and forwarding to t=
he
> best next hop mailserver) isn't.

It depends on the definitions in s2 of RIPA:

{- 2(2): For the purposes of this Act, but subject to the following
provisions of this section, a person intercepts a communication in the
course of its transmission by means of a telecommunication system if, and
only if, he-=20
=A0
=A0   =20
(a) so modifies or interferes with the system, or its operation,
=A0   =20
(b) so monitors transmissions made by means of the system, or
=A0   =20
(c) so monitors transmissions made by wireless telegraphy to or from
apparatus comprised in the system,

=A0    as to make some or all of the contents of the communication available,
while being transmitted, to a person other than the sender or intended
recipient of the communication. -}


It's these acts that are interception, not reading others' email. Don't
blame me, I didn't write it! However the ability to read others' email
usually implies actions that come under (a) or (b) have occurred.

>=20
>> The "person" who controls the machine is the person making use of
>> content, is the "person" to whom the content is "made available" (for
>> his use, as input to the scanner's decision-making process), and is
>> the RIPA "person" involved.
> I can see how a machine that delivers selected mail to a recipient not
> intended by the mail's author is "making available" that mail to that
> recipient; it is less obvious how one that appends a signature file, viru=
s
> cleans or de-mimes a mail message before passing it to its intended
> recipient is "making available" that mail to the machine's owner.

It makes content available for the person who runs the machine to use, even
if he doesn't read it. The words "see" and "read" do not appear in Ch1 of
RIPA.

>=20
>> Inspecting would be lawful under 5(6) (and probably other clauses
>> too). As you'd only need to inspect traffic data the onus is less -
> That is difficult to determine; it is easy to say "oh, only the routing
> information need be processed" but computers rarely make a clean distinct=
ion
> between content and header info; it would be difficult to determine if a
> given line in the DATA section of a mail message was routing info (server=
s
> passed though for example) or content (a Subject: line) without scanning
> until you encounter content data. and of course some borderline header in=
fo
> (such as the date/time stamp) might come after indisputable content (agai=
n,
> the subject line)

Yes it's difficult, and you may have to scan content without wishing to, bu=
t
that doesn't make much difference to whether the whole process is lawful in
most circumstances.

> Webmail is also problematic - you can't possibly scan webmail accesses fo=
r
> header information; all you can hope to do is intercept POST statements m=
ade
> to the webserver and identify a login (and password!) for a specific user=
 as
> a signal to begin monitoring;

SEP, I think. The easy way would be to "ask" the webmail server to do it fo=
r
you.=20

Tapping the server's connection and filtering it would be harder, but
probably legal under RIPA. It would be interception, but lawful under a
warrant. For DPA reasons it should be done by a machine not a human, if
possible.

>=20
>> I think they both are.  Echo-cancelling is lawful under 3(3), and
>> rejecting mail based on size is probably lawful under 3(3) too, if
>> it's done "for purposes connected with the provision or operation of
>> the service".
> and you can define mail rejection based on size as lawful but based on vi=
ral
> signature as unlawful?

No. Viral scanning is probably lawful in most cases, as is rejection based
on size. Both are lawful interception. The lawfulness is based on the
purpose for which the interception is done. Both are measures to protect th=
e
service.=20

The test is if it's done "for purposes connected with the provision or
operation of the service". If not, it's probably unlawful for ISP's to do i=
t
without a warrant. Remarkably sensible, for RIPA. This is about _Public_
ISP's.

Incidently, on reflection(!), I was wrong about echo-cancelling, it's not
interception - there is no act of modification, interference or monitoring
"as to" (which I take to mean both "with the effect of" and "intended to")
make content available.

>=20
>> Makes a nonsense of the usual meaning of "interception" of course,
>> but RIPA has already mangled the word quite irreparably, under any
>> interpretation.
> What else is new? :)

:)