Consultation on change to RIP interception definition ("unintentional interception")

Andrew Cormack Andrew.Cormack at ja.net
Wed Nov 17 15:38:11 GMT 2010


Hi Matthew

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Matthew Pemble
> Sent: 17 November 2010 15:10
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Consultation on change to RIP interception definition
> ("unintentional interception")
> 
> On 17 November 2010 14:50, Andrew Cormack <Andrew.Cormack at ja.net>
> wrote:
> > Sorry to come back to this, but I've been trying to make sense
> > (again, lacking any draft amended text) of what might constitute an
> > "unintentional unlawful interception". And failing, so I hope someone
> > here can help.
> 
> Does the current wording of the Act make it a strict liability
> offence? If not, then there must be mens rea. So, logically, you must
> have intended to implement the interception (or be negligent as to
> whether your act implemented an interception.)

The mens rea for the current offence seems to be in s1(1) "It shall be an offence for a person INTENTIONALLY and without lawful authority to intercept,.."

I presume that means both intention to do the action, and intention as to its outcome. So I was interpreting the new "unintentional interception" idea as deleting or modifying at least one of those "intentions"? If it removes both then it does start to look like a strict liability offence, which is scary given the breadth of the definition of "make available" that this list have come up with in the past :(

> Therefore, for it to have been "unintentionally unlawful", what could
> apply?
> 
> * A sincere but incorrect belief that the intention was lawful
> (including presentation to a techie of an apparently legal warrant
> that had been incorrectly processed)?

Seems even harsher on the techie than my examples below :( 

> * An attempt to implement a lawful interception (either through
> warrant or LBPR) which was incorrectly but not negligently applied and
> resulting in a too-wide or otherwise non-approved interception?

The consultation paper specifically addresses the question of a mistake in implementing a warrant, and says that's ok. I very much hope that also applies to LBPR and "provision of service" (s3(3)) lawful interception, but the consultation paper is silent on those.

And if so, it really doesn't seem to leave much, hence my puzzlement.

> Something else?
> 
> > 1) postmaster attempts to re-direct a mis-addressed e-mail and puts a
> > typo in the To: address?
> > 2) postmaster does nothing, but a system fault results in all mails
> > coming to him (yes, I've been there)
> > 3) network manager runs a wireless sniffer to check a problem with
> > his own network and picks up a packet from next door?
> > 4) user turns on wifi card and receives packets from lots of wifi
> > networks in addition to his own?
> > 5) network manager uploads latest firmware to a network switch,
> > thereby clearing its memory and turning it (for a while) into a
> > broadcast hub?
> 
> I think all these, but particularly 2 and 5, lack any mens rea.

They all fail the *current* mens rea, but all but 2 are intentional acts with unintended consequences. So there is some mens rea.

> > All seem to satisfy most of the requirements of the definition, but
> > even a civil penalty seems a bit harsh for most of them...
> 
> I would think that 5, depending on the organisation's change
> management procedures, might be worth a strong word from their
> manager. Otherwise it all (unless the email in 1 was especially
> sensitive) falls into the "shit happens" category of IT issues.

I very much agree (though I've come across switches where a short period of hubbishness is the only option). I'm just worried that this is being presented as a quick fix and I can see an awful lot of ways it might have unintended consequences.

Andrew

> M.
> 
> --
> Matthew Pemble



