one-to-many messaging
Peter Fairbrother
ukcrypto at chiark.greenend.org.uk
Thu, 03 Apr 2008 20:50:45 +0100
Peter Fairbrother wrote:
> Chris Edwards wrote:
>> On Thu, 3 Apr 2008, Peter Fairbrother wrote:
>>
>> | port numbers are not covered by 2(5) as they are not there for the
>> | purposes of the packet-passing service, so looking at port numbers is
>> | always interception.
>>
>> One might argue that where "port 25 blocked" is a part of the service,
>> then the ISP *does* need to look at port numbers for the purpose of
>> passing on (or not) the packets. Thus the port is traffic data.
>
> For the purposes of RIPA section 2 it isn't traffic data, see 2(9).
>
> Besides which, the 2(5) test is not just whether it is traffic data, it
> is whether it is put there for the purpose of facilitating the
> transmission of communications over the ISP's network - which port
> numbers clearly aren't, they are put there for the purposes of the
> endpoints, not the network.
>
> You might argue that if port 25 traffic blocking is part of the contract
> then the port 25 numbers are there for the purpose of facilitating the
> transmission of communications - though to put it mildly I don't think
> that would go very far (!) - but it's irrelevant anyway, looking at the
> port numbers of the other traffic would still be interception.
>
>> At work, our firewall looks at IP addresses and ports to decide
>> whether or not to forward a packet. In this case it seems quite easy
>> to argue the port is traffic data.
>
> Again, not according to RIPA 2(9).
>
> And besides which your firewall is on your side of Lord Bassam's
> doormat, so it doesn't matter anyway. Also, you are not a public comms
> service provider. Also, even if they do intercept (unlikely) firewalls
> would be lawful under 3(3).. and so on .. and on
>
> -- Peter Fairbrother
One difference between 2(5) and 3(3) is that 2(5) is about the purposes
of the system, and 3(3) is about the provision or operation of the service.
The purposes of the system are defined to be the transmission of
communications. Port numbers are not needed to transmit communications,
so looking at them is not excluded from being interception under 2(5).
The provision or operation of the service (note the service is not the
same as the system) might require looking at port numbers, and that
might be lawful under 3(3) - but it would still be interception.
-- Peter Fairbrother