URLs, IPs and interception
James Cox
ukcrypto at chiark.greenend.org.uk
Sat, 1 Mar 2008 03:43:22 +0000
On 1 Mar 2008, at 00:43, Peter Fairbrother wrote:
> James Cox wrote:
>> On 29 Feb 2008, at 23:02, Peter Fairbrother wrote:
>>>
>>> So afaict ISPs giving out or using _any_ traffic data, in any
>>> manner or form, is interception unless it is "conduct [...] for
>>> the purposes of any [...] telecommunication system".
>>>
>>> And, afaict (see 2(1)), that's only for purposes that facilitate
>>> the transmission of communications.
>>>
>>> So Phorm is out. And so is giving clickstream or URL data, or
>>> traffic data, to anyone unless authorised elsewhere.
>> I wonder how much t&c of your contract with the ISP override the
>> conduct in the act...
>
> Not at all.
>
> And t&c's can't override RIPA anyway.
>
> Consensual interception is only lawful if _both_ parties agree to
> the interception, which is generally impossible (as, for instance, I
> don't agree to anyone intercepting my websites, and Phorm don't
> check whether I have given permission, as they are required to do
> under RIPA).

'Not at all' wasn't the answer I was thinking on. Yes, RIPA is an act
of parliament, a statute - law. But a contract is also covered by law
too. Whilst statute out-ranks tort, there's nothing stopping them from
interacting. I would therefore have a strong suspicion that the t&cs
for your connection with your ISP will certainly contain clauses which
discuss handing over logs etc to law enforcement on request, but I'd
also suspect that there would be sufficiently vague language which
would permit the kind of behaviour that has been discussed. This may
be in the form of disclaiming who owns the clickstream data (as the
creator of the system, do you own it? or does the facilitator who
records it?) or perhaps there may be clauses for aggregate data being
used for quality testing and user feedback (a great way to say
'advertising' btw).

My point is, whilst RIPA protects the overt behaviour of otherwise
covert surveillance and interception, I don't believe it necessarily
governs any or all commercial activities that an ISP may partake in
which other parts of law may provide cover for. Remember, your first
legal point of call with your ISP are your t&cs, not some pre-agreed
statutes - I would consider RIPA to be somewhat perpendicular to that.

-james