URLs, IPs and interception

[James Cox]

>>>>>
>>>>> So Phorm is out. And so is giving clickstream or URL data, or  
>>>>> traffic data, to anyone unless authorised elsewhere.
>>>> i wonder how much t&c of your contract with the isp override the  
>>>> conduct in the act...
>>>
>>> Not at all.
>>>
>>> And t&c's can't override RIPA anyway.
>>>
>>> Consensual interception is only lawful if _both_ parties agree to  
>>> the interception, which is generally impossible (as, for instance,  
>>> I don't agree to anyone intercepting my websites, and Phorm don't  
>>> check whether I have given permission, as they are required to do  
>>> under RIPA).
>> 'not at all' wasn't the answer i was thinking on.
>
> but it's still the real answer.

see my other email; it's all about interpretation.

>> Yes, RIPA is an act of parliament, a statute - law. But a contract  
>> is also covered by law too. Whilst statute out-ranks tort, there's  
>> nothing stopping them from interacting. I would therefore have a  
>> strong suspicion that the t&cs for your connection with your isp  
>> will certainly contain clauses which discuss handing over logs etc  
>> to law enforcement on request,
>>
> I hope not - they can do so under a demand under RIPA, but they  
> can't do so for any other reason (barring a few other laws).

RIPA handles intercepts, primarily. I see no reason If the logs exist  
then asking the court to subpoena them would be an issue.

> but i'd
>> also suspect that there would be sufficiently vague language which  
>> would permit the kind of behaviour that has been discussed.
>
> Nope. See RIPA sections 1-3.

I'll refer you to your t&cs with the ISP from sections 1 till the end  
it will cover all-eventualities-waffle designed to indemnify.

>
> This may be in the
>> form of disclaiming who owns the clickstream data (as the creator  
>> of the system, do you own it? or does the facilitator who records  
>> it?) or perhaps there may be clauses for aggregate data being used  
>> for quality testing and user feedback (a great way to say  
>> 'advertising' btw).
>
> It isn't about who owns it - it's about intercepting it.
>> my point is, whilst ripa protects the overt behavior of otherwise  
>> covert surveillance and interception, i don't believe it  
>> necessarily governs any or all commercial activities that an isp  
>> may partake in which other parts of law may provide cover for.
>
> then you are simply wrong, because it does.

RIPA stands for Regulation of Investigatory Powers, not Regulation of  
Internet Service Providers.

>> Remember, your first legal point of call with your isp are your  
>> t&cs, not some pre-agreed statutes - i would consider ripa to be  
>> somewhat perpendicular to that.
>>
>
> Nope, that's simply just not how the law works. T&C's in a contract  
> can't ignore statute, and they can't make something which would  
> otherwise be illegal legal.

I'm not saying they would, i'm saying that you signed a contract.  
Whilst criminal law always supercedes civil law, you'd be surprised  
how much of this purposefully lives in civil law. ergo, i don't  
believe you can reference one clause in one document and think you  
have declared a winner. please see my other email on what i mean by  
this.

>
>
> Of course I may be wrong, I am not a lawyer - Nicholas, would you  
> care to comment? Simon, perhaps you could, possibly, in this case?

as may i; i'd very much like to here from actual lawyers - though i  
stick to my guns: outside of strictly criminal, law is mostly about  
how you go about interpreting it. I suspect RIPA's function is about  
enabling surveillance, not about prohibiting commercial activities  
concerning click stream data. Therein lies my argument - as soon as  
you find an edge case, you don't necessarily have a clear answer.