URLs, IPs and interception
Peter Fairbrother
ukcrypto at chiark.greenend.org.uk
Sat, 01 Mar 2008 04:14:50 +0000
James Cox wrote:
>
> On 1 Mar 2008, at 00:43, Peter Fairbrother wrote:
>
>> James Cox wrote:
>>> On 29 Feb 2008, at 23:02, Peter Fairbrother wrote:
>>>>
>>>> So afaict ISPs giving out or using _any_ traffic data, in any manner
>>>> or form, is interception unless it is "conduct [...] for the
>>>> purposes of any [...] telecommunication system".
>>>>
>>>> And, afaict (see 2(1)), that's only for purposes that facilitate the
>>>> transmission of communications.
>>>>
>>>>
>>>>
>>>> So Phorm is out. And so is giving clickstream or URL data, or
>>>> traffic data, to anyone unless authorised elsewhere.
>>> i wonder how much t&c of your contract with the isp override the
>>> conduct in the act...
>>
>> Not at all.
>>
>> And t&c's can't override RIPA anyway.
>>
>> Consensual interception is only lawful if _both_ parties agree to the
>> interception, which is generally impossible (as, for instance, I don't
>> agree to anyone intercepting my websites, and Phorm don't check
>> whether I have given permission, as they are required to do under RIPA).
>
> 'not at all' wasn't the answer i was thinking on.

but it's still the real answer.

> Yes, RIPA is an act of
> parliament, a statute - law. But a contract is also covered by law too.
> Whilst statute out-ranks tort, there's nothing stopping them from
> interacting. I would therefore have a strong suspicion that the t&cs for
> your connection with your isp will certainly contain clauses which
> discuss handing over logs etc to law enforcement on request,

I hope not - they can do so under a demand under RIPA, but they can't do
so for any other reason (barring a few other laws).

> but i'd
> also suspect that there would be sufficiently vague language which would
> permit the kind of behaviour that has been discussed.

Nope. See RIPA sections 1-3.

> This may be in the
> form of disclaiming who owns the clickstream data (as the creator of the
> system, do you own it? or does the facilitator who records it?) or
> perhaps there may be clauses for aggregate data being used for quality
> testing and user feedback (a great way to say 'advertising' btw).

It isn't about who owns it - it's about intercepting it.

>
> my point is, whilst ripa protects the overt behavior of otherwise covert
> surveillance and interception, i don't believe it necessarily governs
> any or all commercial activities that an isp may partake in which other
> parts of law may provide cover for.

then you are simply wrong, because it does.

> Remember, your first legal point of
> call with your isp are your t&cs, not some pre-agreed statutes - i would
> consider ripa to be somewhat perpendicular to that.

Nope, that's simply just not how the law works. T&C's in a contract
can't ignore statute, and they can't make something which would
otherwise be illegal legal.

Of course I may be wrong, I am not a lawyer - Nicholas, would you care
to comment? Simon, perhaps you could, possibly, in this case?

-- Peter Fairbrother