URLs, IPs and interception

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Sat, 01 Mar 2008 00:43:27 +0000


James Cox wrote:
> 
> On 29 Feb 2008, at 23:02, Peter Fairbrother wrote:
>>
>>
>> Part II doesn't make it an offence to give out traffic data, and it 
>> has been assumed that giving out traffic data is not interception, but 
>> I've just had a look at the relevant part of Part I again.
>>
>> S.2(5) says:
>> " (5) References in this Act to the interception of a communication in 
>> the course of its transmission by means of a postal service or 
>> telecommunication system do not include references to—
>>
>> (a) any conduct that takes place in relation only to so much of the 
>> communication as consists in any traffic data comprised in or attached 
>> to a communication (whether by the sender or otherwise) for the 
>> purposes of any postal service or telecommunication system by means of 
>> which it is being or may be transmitted; or
>>
>> (b) any such conduct, in connection with conduct falling within 
>> paragraph (a), as gives a person who is neither the sender nor the 
>> intended recipient only so much access to a communication as is 
>> necessary for the purpose of identifying traffic data so comprised or 
>> attached. "
>>
>>
>>
>> So afaict ISPs giving out or using _any_ traffic data, in any manner 
>> or form, is interception unless it is "conduct [...] for the purposes 
>> of any [...] telecommunication system".
>>
>> And, afaict (see 2(1)), that's only for purposes that facilitate the 
>> transmission of communications.
>>
>>
>>
>> So Phorm is out. And so is giving clickstream or URL data, or traffic 
>> data, to anyone unless authorised elsewhere.
> 
> I wonder how much t&c of your contract with the ISP override the conduct 
> in the act... 

Not at all.

And t&c's can't override RIPA anyway.

Consensual interception is only lawful if _both_ parties agree to the 
interception, which is generally impossible (as, for instance, I don't 
agree to anyone intercepting my websites, and Phorm don't check whether 
I have given permission, as they are required to do under RIPA).


-- Peter Fairbrother