
Title:

Striking a Balance between Data Protection and Lawful Interception in the Provision of Communications Services

Franklin F Akinsuyi (LL.B, MSc, LLM)


March 2004

Copyright

Table Of Contents
1. Introduction
1.1 Methodology
2. Data Protection and Communications:
2.1 Nature of the problem
2.1.2 What is Personal Data?
2.1.3 What is data protection?
2.1.4 Why do we need data protection?
2.2 Data Protection Legislation:
2.2.1 EU Data Protection Principles
2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC):
2.2.2.1 Security Measures
2.2.2.2 Confidentiality of Communications
2.2.2.3 Caller and Called Line Identification
2.2.2.5 Emergency and Nuisance Calls
2.3 United States and privacy of communication
2.3.1 Privacy of Communication Laws In The United States
2.3.1.1 The Telecommunications Act 1996
2.3.1.2 The Location of Privacy Protection Act of 2001
2.3.1.3 Spyware Control and Privacy Protection Act 2001
3. Law enforcement and privacy of communications
3.1 Why Lawful Interception?
3.3 What is intercepted under lawful Interception?
3.4.1 Lawful Interception Laws in the United Kingdom
3.4.2 Lawful Interception in the United States
3.4.3 Lawful Interception in Australia
3.5 Lawful Interception requirements of Communications service providers
3.7 Data Retention
3.7.1 Impact of Data Retention Laws on Communications Service Providers
3.8 Conclusion
4 Information security and communications
4.1 What is information security?
4.1.1 Why Information Security?
5 Concluding
Bibliography

1. Introduction
Within the last 10 years the manner in which telecommunications is used has changed
vastly since the introduction of liberalisation and competition measures.
Liberalisation has led to more players in the telecommunications arena in all areas of
the sector.
Indeed the mobile phone market is an example of the shift in the major provision of
telecommunications services from former state owned institutions to private
organisations, while the Internet has spawned new service providers to the
communications industry such as Internet Service Providers.
The introduction of these services and enterprises has led to the amendment of existing
legislation and the introduction of new legislation to regulate the manner in which these
communications service providers operate. The objective of a number of these
laws is to protect the privacy and maintain the confidentiality of
subscribers' communications and information when they use these systems to
communicate.
While privacy of communications legislation exists to ensure that
privacy and confidentiality of communications is maintained, it is to be observed that
telecommunication systems are used by criminals and terrorists to transmit
information about their activities. In certain instances these communications may be
the only source for proving that individuals are involved in activities that are criminal
or which threaten national security.
For instance in an investigation on insider dealing, almost the entire case rested on the
date and time of telephone calls made between various defendants. Telephone records
were obtained from business and home telephone numbers with the brokerage firm
providing details of incoming and outgoing calls to clients[1].

As such it has become necessary for legislation to be introduced to permit law
enforcement agencies to access the communications of individuals in the fight against
terrorist and serious criminal activities.
The purpose of this essay is to highlight how the conflicting issues of privacy of
communications and interception of communications affect communications service
providers[2] in their efforts to provide confidential services on the one hand and law
enforcement agencies' fight against crime and terrorism on the other.
1.1 Methodology
The first phase of the essay will take the shape of analysing the concept of data
protection and privacy with a view to analysing how legislation in this area affects
communications service providers' operations and their handling of personal data.

The next phase of the essay will look at legislation relating to lawful interception and
data retention, with a view to looking at circumstances in which the need to maintain
privacy of communications data on the part of the communications provider has to be
balanced against law enforcement agencies' requirements relating to data retention
and lawful interception.
The third phase will look at the issue of information security, highlighting the effects
data protection and data retention legislation have on how communications service
providers implement information security measures when dealing with data retention
and lawful interception.
The final phase of the essay will consist of conclusions and recommendations.
From a geographic perspective, while telecommunications issues are a global
phenomenon, this essay will focus mainly on how these concepts influence
communications service providers in Europe and the United States.

[1] See Tackling Insider Dealing p13, Home Office Consultation Paper: Access To Communications Data
Respecting Privacy and Protecting the Public From Crime, March 2003
[2] Communications service provider in this essay includes Telecommunications Operators, Telephone
Service Providers, Internet service providers, Mobile Phone Operators, Communications Network
Operators

2. Data Protection and Communications:


2.1 Nature of the problem
The telecommunications industry has seen a large uptake in subscriptions to the
services that are being offered. Indeed this can be
seen with the radical changes from the previously limited fixed line services in the
earlier years to the introduction of the mobile telephone. The advent of the Internet
along with the integration of voice, video, data and communications via a single
stream[3] has led to cheaper and faster ways of communicating. The introduction of
2.5 and 3rd generation mobile phone networks has indeed made it possible for
subscribers to send pictures to each other using the new services rendered by mobile
phone companies.
Coupled with this technological development in communications is the requirement
to ensure the privacy of an individual's data in line with current legislation when
these technologies are being utilised.

[3] Also called convergence

The problem is that technology makes it much easier to infringe upon the rights of
individuals, especially with regard to their personal data. Numerous organisations[4]
have identified this situation and have for years been championing the call for greater
awareness to make sure that the individual's fundamental human rights are not
infringed.
It is a well-known fact that convergence of these technologies makes it easier for
marketing companies to process data to profile people. Likewise it can be argued that
it is also possible for criminals to easily gather information about others in their quest
to forge identities[5] in order to commit crimes.
In recognition of the risks that can accrue to an individual, privacy laws have been
enacted to define what constitutes legal and illegal activity when it comes to the
protection of an individual's data whilst it is being transmitted over
telecommunication streams.

2.1.2 What is Personal Data?


The UK Data Protection Act[6] identifies personal data as follows: data that relates to a
living individual who can be identified from such data, or from such data and other
information which is in the possession of, or is likely to come into the possession of,
the data controller[7], and includes any expression of opinion about the individual and
any indication of the intentions of the data controller or any other person in respect
of the individual[8].

[4] For example Electronic Privacy Information Center www.epic.org and Electronic Frontier Foundation
www.eff.org
[5] See Internet fraud watch www.fraud.org and Internet fraud centre www1.ifccfbi.gov
[6] Data Protection Act 1998
[7] Person entitled to hold data about individuals
[8] Section 1(1) Data Protection Act 1998

It must be stated here that personal data does not just relate to text, but can also relate
to a CCTV[9] image[10].
2.1.3 What is data protection?
Data protection involves the implementation of administrative, technical or physical
measures to guard against unauthorised access to such data.
It stems from legislative requirements such as the European Convention for the
Protection of Human Rights and Freedoms[11] and has, with the advancement in
automated processing of data, been influenced by new legislation, from Directive
1995/46/E.C on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (hereinafter referred to as the
Data Protection Directive[12]) to the privacy and electronic commerce directive[13]. It
involves the protection of personal data, which covers both facts and opinions about
an individual.
An instance of privacy legislation can be illustrated with the European Convention on
Human Rights, which provides for the right to respect for private and family life[14]. It
further provides that there shall be no interference by a public authority with the
exercise of this right except such as is in accordance with the law and is necessary in
a democratic society in the interests of national security, public safety or the economic
well being of the country, for the prevention of disorder or crime, for the protection of
health or morals or for the protection of the rights and freedoms of others[15].

This has implications for how information relating to individuals is kept, processed
and transmitted, especially since misuse can lead to a breach of the aforementioned
right.

[9] Data Protection Act identifies data as information that is processed by means of equipment operating
automatically in response to instructions given for that purpose and is recorded with the intention that it
should be processed by means of such equipment.
[10] See also CCTV Looking out for you, Home Office publication, November 1994
[11] Article 8 (1) Convention for the Protection of Human Rights and Fundamental Freedoms as
Amended by Protocol No 11
[12] Directive 1995/46/E.C. [1995] O.J. L281/31
[13] Directive 2002/58/E.C OJ L 201/37
[14] Article 8 (1) European Convention On Human Rights

2.1.4 Why do we need data protection?
The development of technology has led to more convenient methods of carrying out
daily routines; indeed, many activities which in the past required physical presence
before a purchase could be made of a product now only need the supply of personal
details. The down side of this is that while it has led to faster means of
communicating and development of business, there is, especially with the advent of
the Internet, a rise in identity theft[16]. Also, with the proliferation of business activity
a number of organisations have sprung up which have identified the fact that
information about a person can be of value to other organisations.

This has led to a number of underhanded means of collecting personal information in
what appear to be promotional information leaflets, only for this information to be
collated and then sold to marketing companies. It is this type of activity that has led to
the call for and development of data protection laws leading to stiff penalties for
organisations that breach them. Indeed, under the UK 1998 Data Protection Act it is
an offence for a person, knowingly or recklessly, without the consent of the data
controller, to obtain personal data[17].

[15] Article 8 (2) European Convention On Human Rights
[16] For the purpose of this essay identity theft occurs when a person or group of people obtain and use
someone else's name, credit card number, social security number or other personal information without
that person's consent with the intent of using such information to commit fraud or other crime

To buttress this point further, an individual named Alistair Fraser, trading as Solent
Credit Control[18], recently pleaded guilty to offences of unlawfully obtaining and
selling personal information in breach of the Data Protection Act 1998. Mr Fraser had
obtained the personal information of certain individuals by deception from the
Department for Work and Pensions. He then sold the information to third parties. He
was found guilty and fined. A feature of this case is the fact that it was brought to
court by the Information Commissioner, thus showing that the Commissioner is
prepared to use enforcement powers to discover and combat agencies that illegally
obtain and sell personal information[19].

In the United States organisations that breach the provisions of data protection
legislation relating to privacy of information are severely punished on conviction, as
can be illustrated by the recent case of United States of America (for the Federal Trade
Commission) v. Hershey Foods Corporation[20]. In this case, Mrs. Fields Cookies and
Hershey Foods Corporation each agreed to settle Federal Trade Commission charges
that their Web sites violated the Children's Online Privacy Protection Act (COPPA)[21]
Rule by collecting personal information from children without first obtaining the
proper parental consent. Mrs. Fields are to pay civil penalties of $100,000 while
Hershey will pay civil penalties of $85,000. The separate settlements also bar the
companies from violating the Rule in the future and represent the biggest COPPA
penalties awarded to date. The COPPA Rule applies to operators of commercial Web
sites and online services directed to children under the age of 13 and to general
audience Web sites and online services that knowingly collect personal information
from children under 13. Amongst other things, the Rule requires that Web site
operators obtain verifiable consent from a parent or guardian before they collect
personal information from children[22].

[17] Section 55 (1&3) Data Protection Act 1998
[18] See www.csa-uk.com/news-facts-press_index/newsletters/autumn202002.pdf page 2
[19] Section 60 (1) Data Protection Act 1998
[20] See www.ftc.gov/opa/2003/02/hersheyfield.htm
[21] 15 U.S.C 6501-6505

2.2 Data Protection Legislation:
In this section I will be analysing the various pieces of legislation relating to data
protection, taking into account data protection in the European Union and the United
States with a view to looking at the different ways in which they have been implemented.
Following that an analysis of the impact they have on telecommunications will be
carried out.

National data protection laws have developed as electronic commerce has boomed.
Indeed, with more coverage being given in the media relating to infringement of
privacy, it is no wonder that countries have been more active in ensuring people know
what their rights are in relation to these issues and also that data controllers[23] ensure
data under their custody is processed in line with data protection legislation.
The European Union has developed a Framework for Data protection; this can be seen
in the Data Protection Directive and the Privacy and Electronic Communications
Directive[24].

In the United States data protection legislation generally targets discrete information
processing activities, with the most important legislative protections for information
privacy emphasising restraint on the government and certain commercial industries[25].

The Data Protection Directive embodies human rights principles and it is from here
that we see how the fundamental human rights provision is incorporated
by reference into the Data Protection Directive, which in turn has to be implemented
by member states. This is how the human right privacy principle is integrated into
national law. This is the difference between the origins and objectives of privacy in
Europe and the United States of America.

[22] U.S.C 6502 b (1) A ii
[23] A person who alone or jointly with others determines the purpose for which and manner in which
personal data is to be processed, Section 1(1) Data Protection Act 1998
[24] Directive 2002/58/E.C OJ L 201/37; this Directive replaces Directive 1997/66/E.C [1998] O.J L24/1

2.2.1 EU Data Protection Principles
Data protection laws provide protection of the individual with regard to their
personal data; however, the question is how does one ensure from the outset that
personal data is collected, processed and transferred legitimately?
Data protection laws have basic principles that need to be adhered to. Indeed if one
analyses, for example, the European Union Data Protection Directive one will notice
that there are a number of principles that form part of the body of data protection
legislation worldwide.
These principles can be summarised as follows:

- Personal data shall be processed fairly and lawfully[26] (see below for more on
  lawful processing). Lawful processing is explained in Article 7 of the Directive,
  which stipulates what constitutes legitimate processing of data.
- Personal data shall be obtained only for one or more specified and lawful
  purposes, and shall not be further processed in any manner incompatible with
  that purpose or those purposes[27].
- Personal data shall be adequate, relevant and not excessive in relation to the
  purpose or purposes for which they are processed[28].
- Personal data shall be accurate and, where necessary, kept up to date[29].
- Personal data processed for any purpose or purposes shall not be kept for
  longer than is necessary for that purpose or those purposes[30].
- Data subjects are afforded rights of access to their data[31].
- Appropriate technical and organisational measures shall be taken against
  unauthorised or unlawful processing of personal data and against accidental
  loss or destruction of, or damage to, personal data[32].

[25] See Resolving Conflicting International Data Privacy Rules in Cyberspace, Joel R Reidenberg,
52 Stanford Law Review 1315 (May 2000)
[26] Article 6(1a) Data Protection Directive 95/46/EC

While the above constitute the basic tenets of data protection, it must be mentioned
that there are other issues that must be observed in protecting data when it is being
processed. Article 7 of the Directive stipulates what constitutes lawful processing of
data and it specifies that personal data may be processed only where:

- the data subject has unambiguously given his consent[33]; for sensitive data,
  which includes information relating to race, political opinions, religious or
  philosophical belief, health or sex life, trade union membership, there must be
  explicit consent[34]
- processing is necessary for the performance of a contract to which the data
  subject is party or in order to take steps at the request of the data subject prior
  to entering into a contract[35]
- processing is necessary for compliance with a legal obligation to which the
  controller is subject[36]
- processing is necessary in order to protect the vital interests of the data
  subject[37]
- processing is necessary for the performance of a task carried out in the public
  interest or in the exercise of official authority vested in the controller or in a
  third party to whom the data are disclosed[38]
- processing is necessary for the purposes of the legitimate interests pursued by
  the controller or by the third party or parties to whom the data are disclosed,
  except where such interests are overridden by the interests or fundamental
  rights and freedoms of the data subject which require protection under Article
  1(1)[39][40].

These principles indicate that the data may only be used in accordance with the
purpose for which it has been obtained from the data subject. This would thus
mean that where data is collected, for example, for the opening of
an online banking account, the data collected should be used solely for what it
was originally intended. The data supplied should not be allowed to be used by
the same company to market different products to the data subject or indeed to sell
the information to a third party organisation without the consent of the data
subject. It is only after receiving consent that one can market other products to the
person in question.

[27] Article 6(1b)
[28] Article 6(1c)
[29] Article 6(1d)
[30] Article 6(1e)
[31] Article 12
[32] Article 17
[33] Article 7 (a) Data Protection Directive 95/46/EC
[34] Article 8(1)
[35] Article 7 (b)
[36] Article 7 (c)
[37] Article 7 (d)
[38] Article 7 (e)
[39] Article 7 (f)
[40] Article 1(1) states: In accordance with this Directive, Member States shall protect the fundamental
rights and freedoms of natural persons, and in particular their right to privacy, with respect to the
processing of personal data.

2.2.2 The Directive on Privacy and Electronic Communications (2002/58/EC)[41]:
This directive repeals the Telecommunications Data Protection Directive (97/66/EC)
and lays certain obligations on telecommunications companies and service providers.

The main aim of this directive is to harmonise the provisions of Member States' laws
in relation to electronic communications to ensure an equivalent level of protection of
fundamental rights and freedoms, particularly the right to privacy, with respect to the
processing of personal data in the electronic communication sector, and to ensure the
free movement of such data and of electronic communication equipment and services in the
community[42]. One of the new developments of this Directive is that it extends
controls on unsolicited direct marketing to all forms of electronic communications
including unsolicited commercial e-mail (UCE or Spam) and SMS to mobile
telephones.

It is to be noted that the Directive applies to the processing of personal data in
connection with the provision of publicly available electronic communications
services[43] in public communications networks[44] in the Community.

An analysis of the salient points reveals the following regarding the Directive's aims of
ensuring fundamental human rights and freedoms, particularly the right to privacy, for
subscribers of electronic communications:

[41] Directive 2002/58/E.C OJ L 201/37
[42] Article 1 Directive on Privacy and Electronic Communications
[43] According to European law, electronic communications service means a service normally provided
for remuneration which consists wholly or mainly in the conveyance of signals on electronic
communications networks used for broadcasting, but excludes services providing, or exercising editorial
control over, content transmitted using electronic communications networks and services. Article 2 (c)
Directive 2002/21/EC
[44] According to European law, public communications network means an electronic communications
network used wholly or mainly for the provision of publicly available electronic communications
services. Article 2 (d) Directive 2002/21/EC

2.2.2.1 Security Measures


The directive provides that communication service providers should adopt adequate
security measures, both from a technical and organisational point of view, that are
commensurate with the risks that can accrue. With the spate of recent high profile
security breaches that have occurred it is paramount that telecommunications
providers implement adequate logical and physical security measures to ensure data
under their control is safe from unauthorised access, which may lead to loss of
privacy. It further provides that users should be made aware of risks that are
beyond the control of the service provider[45].

While the Directive does not detail the technical measures Member States are to
adhere to in order to ensure they are complying with the provisions of this Article, it
must be pointed out that countries provide legislation on what measures to take in the
event that information security is breached or what actions to take against individuals who
breach systems. For instance, in the United Kingdom, section 1 of the Computer
Misuse Act[46] makes unauthorised access to systems an offence. Also the OECD has
provided guidelines on how communication service providers can implement
information security on their networks[47]. Other measures that may be used to ensure
information security measures are adequate include adopting standards such as ISO
17799 Code of practice for information security management[48] and ISO 15408
common criteria for information technology security[49]. Adopting or following these
guides can provide for appropriate security on communication networks.

[45] Article 4 (1&2) Directive on Privacy and Electronic Communications
[46] Computer Misuse Act 1990
[47] OECD Guidelines for the security of information systems and networks, see
www.oecd.org/dataoecd/59/0/1946946.pdf

2.2.2.1.1 Impact on Communications Service Providers


The effect this legislation has on communications service providers is that it
obliges them to notify subscribers of threats that cannot be prevented by the
communications provider. This legislation recognises the fact that organisations have
in the past been quiet about potential and actual information security breaches. The
wording can thus be interpreted to mean that a positive action must be carried out by
the service provider to warn subscribers of the threat that may accrue to their personal
information.

Note: information security as a whole will be discussed in more detail in a later
section of this essay.
2.2.2.2 Confidentiality of Communications
In its attempt to maintain privacy of personal information, the directive requires
service providers to ensure confidentiality of communications. This, the directive
states, can be attained by making sure that communications over public
telecommunications lines are free from interception and tapping save in the instance
of lawful interception[50]. The article also provides that where communication networks
are used in the processing of data, the data subject shall be informed why this is being
carried out. The data subject has a right to refuse such processing[51].

There has been a great debate relating to the use of cookies[52] and the fact that they can
invade the rights of users' communications. The Directive, in recognising this fact and
in an attempt to curb their intrusion on subscribers' communications, provides in article
5 (3) that they can only be used if the subscriber or user is made aware in clear and
comprehensive terms about how information gathered will be processed. The problem
however with this legislation is the fact that cookies operate in the background
without giving off any warnings that they are operating, making them hard to detect.
This makes it difficult to identify organisations that flout this law. Also, since there
are no sanctions placed on organisations that breach such confidentiality of
communications requirements, this aspect of the article cannot be said to be adequate
in the fight to keep communications confidential.

[48] See www.bsi.org.uk
[49] http://csrc.nist.gov/cc/ccv20/ccv2list.htm
[50] Article 5 (1)

2.2.2.2.1 Impact on Communications Service Providers


It should be noted here that most browsers have in the properties tab an option to
configure cookies. As such I am of the opinion that since all users have the ability to
accept or deny cookies at their fingertips, legislation is not the most appropriate
means of dealing with this particular issue. Rather, communications service providers
need to advertise and educate their subscribers about this functionality. While it may cost
them money, it is an easier means of ensuring confidentiality and will be more
effective than legislation.

[51] Article 5 (2)
[52] Cookies are programs that are used to track users' preferences when they visit a website. They can be
stored on one's hard drive without the user's consent or knowledge.


2.2.2.3 Caller and Called Line Identification


It is to be noted that an individuals telephone number is personal data going by the
meaning given to data protection legislation.
In order to protect this, the directive further provides privacy rules in relation to caller
and connected line identification. Here the directive states that subscribers must be
issued with the possibility of withholding the identification of their telephone
numbers when making a call along with being able to reject incoming calls where the
incoming caller has refused showing their number53. It must be mentioned here
however that while the Directive provides that caller and called line identification
should adopt some privacy measures, these services are not mandatory. Where the
implementation of these services may invoke either an undue cost burden on the
service provider or in situations that make the provision of the service technically
impossible, that provider must ensure this is made known to relevant parties in the
member state.
It should also be mentioned that there are certain instances where it may be justifiable
to override the elimination of calling line identification. These situations can arise for
example where certain subscribers such as those that provide help lines have an
interest in guaranteeing the anonymity of their clients. In these scenarios, it is
paramount to protect the rights and interests of the party to withhold the presentation
of the identification of the line to which the calling party is connected.
It is to be noted however that the provisions of this article may not be applicable
where for instance the calls are made from some international networks that do not

53 Article 8

provide the same sort of offerings to their subscribers or where they do not have the
same levels of data protection laws as The European Economic Area54.

2.2.2.3.1 Impact on Communications Service Providers


It is to be noted that when there is a failure of the communications network to block
caller line identification facilities such that a subscriber's privacy is breached, the
customer is entitled to have their privacy restored, at no extra cost, by their telephone
company in the form of the allocation of a new phone number55. In the UK this
provision is implemented by sections 10 and 11 of the Privacy and Electronic
Communications (EC Directive) Regulations 200356.

2.2.2.4 Location Data Restrictions


Where the repealed telecommunications privacy directive only related to calls in
circuit switched connections such as is found in traditional voice telephony, the new
directive covers all kinds of traffic data as generated by users of mobile
communication devices.
Location data is a valuable tool that can be used in the mobile phone sector to identify
the location of an individual57. Its use can be illustrated by the Danielle Jones case: in
the hunt for a missing child in the UK, it was identified that calls purportedly from the

54 Guidelines for Customer Line Identification Displays Services and other related Services over
Electronic communications networks available at
www.oftel.go.uk/ind_groups/cli_group/docs/guidelines0902.pdf
55 See European Guidelines for Calling line Identification available at
www.europa.eu.int/ispo/infosec/telcompolicy/en/guidelines.pdf
56 The Privacy and Electronic Communications (EC Directive) Regulations 2003 came into force on
11th December 2003.
57 See Location Data is as sensitive as content data, Alberto Escuardo Pascual, Royal Institute of
Technology, 22nd November 2001, available at www.it.kth.se/~aep/publications/EUforum/20011127/EU-forum-locationdata.pdf

girl's phone to her uncle (later convicted for her murder) were in fact being made by
her uncle from one location58.
The directive, in recognising the importance of location data, provides that location
data can be processed only if it is made anonymous or with the consent of the
subscriber for a value added service, but only for the duration that is necessary for the
processing59. The subscriber must also be given the possibility to temporarily refuse
such processing of location data information60.
It is to be noted however that the directive does not state that technology should be
used to enforce the requirement to keep location data private and confidential, given
the fact that it can be used to track an individual's movements.

2.2.2.5 Emergency and Nuisance Calls


An exception to the privacy of caller line and location data is provided for in article
10 where the elimination of calling line identification and location data is sanctioned
to trace nuisance calls and in relation to location data for it to be revealed on a
temporary basis only to emergency services.
This article basically allows member states to allow for the restriction of a user's or
subscriber's right to privacy in relation to calling line identification where, for instance,
there is a complaint that someone is persistently calling someone else's number and
either keeps silent or hurls profanity at the person whose line is being called. In these
situations it may become necessary to trace where these calls are originating from.

2.2.2.5.1 Impact on Communications Service Providers

58 See bbc.news.co.uk/2/low/technology/2593653.stm
59 Article 9 Directive on Privacy and Electronic Communications
60 Article 9(2)

In practice, this entitles providers of electronic
communications services to provide access to the calling line identification data and
also the location data without the knowledge or consent of the calling party
constituting the nuisance.
The advantage of this legislation is that it caters for and takes into account the
possibility of abuse of the privilege of calling line privacy.
It also takes into account the fact that there will be situations where being able to
locate a person in distress in due time may be the difference between life and death
and in such situations the right to privacy will be overlooked.

2.2.2.6 SPAM
Unsolicited mail (also known as Spam) has become a major problem. It causes loss of
work productivity through the time wasted in deleting it and is also an invasion of privacy.
The directive, in recognising the harmful effects of Spam, provides that there shall be
no automated communication using electronic mail or faxes for the purpose of direct
marketing without the consent of the data owner61. The purpose of the directive in
relation to SPAM is to make sure that EU member states strengthen data protection
measures in relation to SPAM. The EU legislation supports the opt-in62 rather than the
opt-out63 approach.
The problem with this piece of legislation however is the fact that due to the nature of
the Internet it may be difficult to prosecute those that habitually send such unsolicited

61 Article 13 Directive on Privacy and Electronic Communications
62 In an opt-in regime, the consumer must affirmatively give permission to be sent information about
new products or sales, or to share the consumer's information with other companies in a business
relationship with the company where that consumer has an opt-in agreement. Generally, a consumer
must click on web site boxes or send an e-mail request to the company, or its affiliates in order to
authorise consumer e-mail.
63 In an opt-out regime, the privacy policy will indicate that the consumer is presumed to want
information about sales or new products which will be sent unless the consumer "opts out" of
receiving such.

mail. This is not only because those that send such unsolicited mail over
the Internet can take advantage of the ease with which one can set up an Internet
infrastructure for a temporary period of time before shutting it down and setting up a
similar site when they have suspicions that they are being investigated, or if they are
indeed shut down, but also because it is a well known fact that many of the top 50
Spammers originate from America, such that while the legislation may direct
marketers in Europe, those that send unsolicited mail from America will be out of the
jurisdiction of the legislation. Indeed, in response to this provision, the Direct
Marketing Association64 has raised concerns that this could penalise small companies
that rely heavily on direct marketing but not protect the consumer from spam email
that originates outside of the EU.

2.2.2.6.1 Impact on Communications Service Providers


Not only is SPAM a problem for users, it also affects communications service
providers. Because a single SPAM message can be sent to millions of
email addresses at once, it not only has the capability to take up
communications service providers' bandwidth65 but can also have a negative impact on
the availability of the service, especially when such SPAM is infected with a virus.
Another impact it has on communications service providers is that it can tie up
staffing resources, in the sense that when a new SPAM message is discovered the tools
used to detect them may need to be reconfigured by technical staff. Communications
service providers now deploy filtering tools which have the ability to block SPAM
either by use of Boolean syntax or blocking of the IP address of the sender of the

64 /www.the-dma.org/
65 The amount of data that can be transmitted in a fixed amount of time. For digital devices, the
bandwidth is usually expressed in bits per second (bps) or bytes per second. For analog devices, the
bandwidth is expressed in cycles per second, or Hertz (Hz).

email. They also need to include in their acceptable use policies statements that
SPAM will not be tolerated and that subscribers who send SPAM may have their
service terminated. All these measures add to the cost of providing services to
subscribers, which in turn can eat into profit margins.

2.2.2.7 National Security


There are certain situations that may lead to events that make safeguarding privacy of
communications a secondary issue. Such situations are where national security is at
risk and where criminal investigations are being carried out. Where these are
determined to be taking place, law enforcement agencies may, having obtained
permission from the appropriate bodies, breach the data subject's right to privacy of
communications in their investigations of such events. It is to be noted that the
legislation also allows for data to be retained for limited periods of time during the
investigation of such situations66.

2.2.2.7.1 Impact on Communications Service Providers


The duty to safeguard national security issues affects communications service
providers due to the fact that the requirement for the retention and retrieval of data
can be costly not only because it may necessitate the deployment of a whole range of
new systems but also because it will mean that staff will need to be retrained. This can
have an enormous effect on the margins of small communications service providers
who may not have the resources to either buy the required systems or employ
appropriate staff.

66 Article 15 (2) Directive on Privacy and Electronic Communications

Note: national security and cost issues will be looked at in further detail in this essay in
discussions relating to data retention and lawful interception of communications.

2.3 United States and privacy of communication


In the United States, privacy legislation does not stem from a central law such as the
Data Protection Directives in Europe; rather, one finds sectoral laws, which affect
certain sectors and industries. The United States has taken a sectoral approach to
privacy regulation so that records held by third parties, such as consumer marketing
profiles or telephone calling records, are generally not protected unless a legislature
has enacted a specific law67. Due to this state of affairs the European Union still
regards its data protection regime as one that requires special provisions such as the
Safe harbour rule68 when it comes to the transfer of data from EU member states to
the United States.

In relation to privacy of communications, issues relating to Internet privacy have
become prominent. A number of organisations such as eBay.com, Amazon.com and
Yahoo.com have either changed users' privacy settings or have changed privacy
policies to the detriment of users.69 Other organisations such as Microsoft and Intel
were discovered to have released products that covertly track the activities of Internet
users.70 Significant controversy has arisen over online profiling, the practice of
advertising companies to track Internet users and compile profiles on them in order to
target banner advertisements. The largest of these advertisers, DoubleClick, ignited

67 United States v. Miller, 425 US 435 (1976)
68 Explained further in this section
69 Chris J. Hoofnagle, Consumer Privacy In the E-Commerce Marketplace 2002, Third Annual Institute
on Privacy Law 1339, Practicing Law Institute G0-00W2 (June 2002), available at
http://www.epic.org/epic/staff/hoofnagle/plidraft2002.pdf
70 See Big Brother Inside Campaign http://www.bigbrotherinside.org

widespread public outrage when it began attaching personal information from a
marketing firm it purchased to the estimated 100 million previously anonymous
profiles it had collected.71 The company backed down due to public opposition, a
dramatic fall in its stock price and investigations from the FTC and several state
attorneys general. In July 2000 the Federal Trade Commission reached an agreement
with the Network Advertisers Initiative, a group consisting of the largest online
advertisers including DoubleClick, which will allow for online profiling and any
future merger of such databases to occur with only the opt-out consent.72

2.3.1 Privacy of Communication Laws In The United States


As has been mentioned, privacy laws in the United States are sectoral.
Communications privacy in the United States can be seen in the following
legislations73:

2.3.1.1 The Telecommunications Act 199674


This provides for the restriction of access to and use of customer information by
telecommunications companies. It governs the disclosure of customer proprietary
network information75 and subscriber list information. Its primary aim is to protect the
customer from having their information misused by the telecommunications provider.

71 See EPIC DoubleClick Pages http://www.epic.org/privacy/doubletrouble/.
72 For a detailed history and critical analysis of this agreement, see Electronic Privacy Information
Center (EPIC) and Junkbusters, "Network Advertising Initiative: Principles not Privacy," July 2000
http://www.epic.org/privacy/internet/NAI_analysis.html.
73 Note some of the legislations below are proposed legislations (Bills) and will be indicated as such in
the footnotes
74 47 U.S.C 222
75 Defined as constituting the quantity, technical configuration, type, destination, location and amount
of use of telecommunications service subscribed to by any customer of a telecommunications carrier
and that is made available to the carrier by the customer, solely by virtue of the customer carrier
relationship. It also includes information contained in bills relating to telephone exchange service or
telephone toll service received by a customer of a carrier.

It consists of a number of provisions that are similar to the European Directive on the
processing of personal data and protection of privacy.
Among such provisions is the requirement for telecommunications companies to
ensure the confidentiality of customer proprietary network information. In ensuring
that this is carried out, the Act prohibits the carrier using subscriber information that
has been provided by another carrier for its own marketing purposes76.

The Act also provides that telecommunications carriers that receive customer
information can only use, disclose or permit access to that information in the
provision of the telecommunications service from which the information was
obtained.

2.3.1.2 The Location Privacy Protection Act of 200177


This contains specific provisions in relation to keeping the privacy of location data of
customers. It requires wireless technology providers to notify customers regarding the
provider's information collection policies in relation to collecting call location data.
It also requires the providers to obtain the customer's prior consent before either
selling or disclosing such information78.

76 47 U.S.C 222 (b)
77 Proposed Legislation: S.1164 Location Privacy Protection Act of 2001, A bill to provide for the
enhanced protection of the privacy of location information of users of location-based services and
applications, and for other purposes. Sponsor: Senator Edwards, John (D-NC). Latest Major Action:
7/11/2001 Referred to U.S Senate committee: Senate Commerce, Science, and Transportation.
78 See section 3 a & b Location Privacy Protection Act 2001

The provisions of this act portray an understanding by those responsible for enacting
this legislation of the abuse and detriment to the customer in the event that location
data is used for purposes other than those for which the customer provided the data.
This is illustrated where the Act prohibits providers of location-based services or
applications from releasing customers' location information for purposes beyond
those for which the customer provides express authorisation79 and requires them to ensure
the integrity and security of location data.

2.3.1.3 Spyware Control and Privacy Protection Act 200180


This Act can be likened to article 5 (3) of the Directive on Privacy and Electronic
Communications. It provides that users of any computer software that has the
capability to collect information about the user's use of the software, or the computer to
which that software connects, must obtain prior consent of the user by way of
providing on the first electronic page of the instructions a warning that the software
has the capability to obtain such information. It must also provide the name
and address of the person to whom such information will be sent.

Information that has been collected should be kept confidential except where
disclosure is required by law enforcement agencies granted permission under a court
order to view it.

79 Section 3 (c) (ii) Location Privacy Protection Act 2001
80 Proposed Legislation: S197 Spyware Control and Privacy Protection Act of 2001 A bill to provide
for the disclosure of the collection of information through computer software, and for other purposes.
Sponsor: Senator Edwards, John (D-NC). Latest Major Action: 1/29/2001 Referred to Senate
committee: Senate Commerce, Science, and Transportation

Violations of this will be treated as a deceptive practice as proscribed by section 18
(a) (1) (B) of the FTC Act 15 U.S.C 57a (a) (1) (B).
An analysis of the European and U.S jurisdictions shows a similar thought process
behind the implementation of laws relating to communications. There is a general
understanding that privacy of the consumer is required.

It can be seen that data protection legislation provides a backdrop against which
individuals can seek redress in the event that their rights are infringed, and it also
allows business to understand the limits to which they can go in their processing and
use of personal data.

Law enforcement agencies are also restrained from encroaching on individuals'
privacy: before they can view personal data they need to follow procedures such as
obtaining a warrant and also proving reasons why national security is at stake or that a
serious crime needs to be investigated prior to carrying out surveillance activities.
The question that needs to be answered is whether these laws are effective. Even
though the provisions of privacy laws provide sections in relation to how
communications companies are to devise means by which personal data is processed,
it is difficult to actually determine whether there is full compliance on the part of
these organisations in relation to how they carry this out.
The United Kingdom Information Commissioner has expressed concerns relating to
the enforcement of data protection legislation. He was of the opinion that the
enforcement procedures are not well suited to the electronic commerce environment.
For instance, where a website or service that is not compliant with
the laws is being provided and its operators are investigated, nothing stops them from
relaunching under a new name and carrying on the same scam.

It must be mentioned here that even though these legislations have been enacted, there
is still ignorance among data users in relation to what their rights are and when these
have been infringed. According to a UK report, only 42% of the public are aware of
their rights under data protection laws81.

A way to ensure people are aware of the provisions of data protection legislations
would be the development and dissemination of awareness campaigns that highlight
the importance and effects of these laws.

3. Law enforcement and privacy of communications


While it has been stated that there is a requirement that privacy must be guaranteed
during communications, there are certain instances where law enforcement agencies
are allowed to gain access to communications data without the consent of the data
subject.
These instances occur when law enforcement agencies are investigating serious
criminal activities or activities that may constitute a risk to national security. In the
process of undertaking these investigations, communication service providers will
invariably be asked to allow these law enforcement agencies to either intercept the
data or gather information about the individual's activity from data that has been
retained by their systems in relation to the individual's communication.

81 See Information Commissioner Annual Report and accounts for the year ending 31 March 2002,
HC913

Laws such as The RIP (Maintenance of Interception Capability) Order 2002 in the
UK and The Communications Assistance for Law Enforcement Agencies Act82
(hereinafter referred to as CALEA) in the United States are examples of legislations
that force communications service providers to assist law enforcement agencies in
their endeavours to combat such activity.

This aspect of the essay will look at how these laws interact with privacy legislation
showing how they act as a counterbalance to ensure that people do not misuse their
rights to privacy by conducting criminal activity.

Mention has been made in this essay of instances where circumstances such as the
need to combat criminal activity and safeguard national security may lead to data
subjects' rights to privacy of communications being overridden. Actions that make up
the activities in combating crime or detecting activities that may be a threat to national
security include law enforcement agencies intercepting communications as well as
sifting through communications data that may have been retained by communications
service providers.

This section looks at the issue of lawful interception and data retention with a view to
dispelling concerns that they are an infringement on privacy rights and to showing that the
concepts go hand in hand with data privacy in the provision of electronic
communication services. It will also look at the impact these concepts have on
communications service providers.

82 47 U.S.C 1001-1010

3.1 Why Lawful Interception?


Interception of a communication in the course of its transmission involves the
modification of, interference with or monitoring of the system while the communication is
actually being transmitted83.

Lawful interception is the terminology used to describe the means by which law
enforcement agencies are authorised to intercept telecommunication sessions as
prescribed by law.

The advancement of technology has led to the need for law enforcement agencies to
curb criminal and terrorist activities. The problem has always been the fact that
criminals have always been able to keep a step ahead of the law in their clandestine
activities. The convergence of communications systems has led to easier, faster and
cheaper means of communicating. This in turn has allowed criminals and terrorists to
take advantage of these systems to communicate with each other or to use
the systems to carry out illegal activities.

The convergence of voice, data and Internet technologies has led to a new type of
communications network. Prior to convergence one mainly dealt with the circuit
switched84 fixed line telephone networks in relation to lawful interception. However,
with the explosion of the Internet has come the packet switched network85, which is
being touted as the replacement of the circuit switched network now that convergence
has occurred.

83 Section 2 Regulation of Investigatory Powers Act 2000
84 Circuit switched networks are used for phone calls
85 Packet switched networks handle data which could include voice calls

Recent legislations have been enacted in order for lawful interceptions to be carried
out on systems utilising these new communications technologies. In the UK, The
Regulation of Investigatory Powers Act 2000 replaced the Interception of
Communications Act 1985 to take account of technological advances in
communications and to cater for the growing use of the Internet and electronic mail.
Interception of communications can take place in a number of ways:

Wire Tap: This involves the installation of a transmitting device on a telephone
line, for the purpose of intercepting, and usually recording, telephone
conversations and telephonic communications.

Location Tracker: This involves using devices to identify through the
telecommunication system the location of an individual.

Pen registers and trap and trace devices: A pen register records only the
numbers of outgoing telephone calls, while a trap and trace device is used to
capture the numbers of incoming telephone calls86.

Below are examples of how communication systems can be intercepted:

Standard Telephones:
Standard telephone systems are susceptible to wiretaps. There are many
locations where a wiretap can be placed. For example, microphones in many
older telephone handsets can be replaced with ones that can also transmit to a
remote receiver. Taps can also be placed at the telephone boxes in the
basements of buildings, on the lines outside the house, or on the telephone
pole junction boxes near the target of the surveillance. A once common
technique used by police forces was to remotely monitor calls by having lines

86 Trap and trace devices are one of the methods used by authorities in the United States to intercept
communications

run from a telephone company central office where the local switching
equipment is located to a monitoring station in a government office.

Wireless Communications
The use of wireless telephones has become extremely common. There are also
millions of cellular telephones in use. In developing countries, wireless
communications such as cellular and satellite-based telephones are also
popular as a means to avoid laying new telephone lines in areas that were
previously undeveloped. However, they are easily intercepted and should not
be thought of as giving greater protection from eavesdropping than fixed line
phones.
Cordless telephone communications are especially easy to intercept. Many of
the older models broadcast just above the top range of the AM radio band and
conversations can be easily overheard with any AM radio and can be
intercepted with an inexpensive radio scanner purchased at most electronics
stores for under $100.00 in the United States. The range of interception can
extend to nearly one mile.
Cellular phones have the same problems as cordless. They also broadcast over
airwaves like a radio. Inexpensive scanners are available on the market that
can intercept conversations. In addition, some cellular phones can be
programmed to act as scanners to intercept other calls. There is also equipment
available to law enforcement, which can track and monitor cellular
conversations as they move around a city.
Unencrypted Wireless networks are also prone to scanning and intercept
vulnerabilities and can actually be scanned using a Pringles tin87 as an aerial

87 Round aluminium type snack container

with a laptop. If an attacker can sniff88 the wireless traffic, it is possible to
inject false traffic into a connection. They may then be able to issue commands
on behalf of a legitimate user by injecting traffic and hijacking their victim's
session.

Facsimile (fax) Machines:


It is also possible to intercept facsimile transmissions. A fax machine is
essentially an inexpensive computer system that uses a well known standard
for sending and receiving files. Commercial devices are widely available that
automatically intercept faxes. In New York City, fax intercept machines were
used as far back as 1990 by local police89. It is also possible to intercept faxes
using a computer with specialised software and a fax modem90.

The intentional interception of communications on public91 and private92
telecommunication systems without lawful authority is an offence93.
It is to be noted that the offence of interception of private networks was not covered
by the repealed Interception of Communication Act of 1985 as illustrated by
R V Effick94 where the courts held that the interception of telephone communications
via cordless telephones by the police was not covered by the Interception Act.
Indeed cases such as Halford v United Kingdom95 provide typical examples of what
can constitute unlawful interception of communications.

88 Sniffing is the act of using a device to analyse network traffic relating to communication and
computer systems
89 Joseph Fried, Police Filch Faxes to Snare a Gambling Ring, NYT, June 3, 1990 at 33.
90 Eaves Dropping detecting David Bansar 1995
91 Section 9(1) Telecommunications Act 1984 defines public communication system as that so defined
by the Secretary of State as that authorised by licence via Section 8 of that Act
92 Any telecommunications system which not being a public telecommunication system is a system to
which is attached directly or indirectly to a public telecommunications system and there is apparatus
comprised of the system located in the United Kingdom for making the attachment to the public
communication system Section 2 (1b) RIPA 2000
93 Section 1 (1) Regulation of Investigatory Powers Act 2000
94 R V Effick 1984 Crim LR832, 99

In this case the European Court of Appeal ruled that interception of telephone calls
made on an internal system operated by the police was an infringement of Article 8 of
the European Convention on Human Rights, which provides amongst other rights the
right of respect for one's privacy of correspondence. The only way this right may be
interfered with is when the interference is performed by public authorities in accordance with the
law96.

In the United Kingdom, the Regulation of Investigatory Powers Act 2000 also covers
interception of private telecommunication systems97.
The 2003 Telecommunications Act also makes it an offence for one to disclose the
content of messages or information concerning the use made of services provided98.
However, it is to be noted that there are certain circumstances where interception of
communications will not be illegal. Such situations are typically when law
enforcement agencies are given permission by a higher authority to intercept
certain data communications.

Lawful interception plays a crucial role in helping law enforcement agencies to
combat criminal activity. Indeed, this can be illustrated with the linking of
information about subscriber99 and billing data in criminal and terrorist activities. To
buttress this point further, in the United States the use of lawful interception led to the

95 1997 IRLR 471
96 See Articles 8 (1) and 8(2) European Convention on Human Rights
97 Section 1(2) RIPA
98 Section 127 Communications Act 2003
99 Defined under Article 18 (3) of the Convention on Cyber Crime as any information, contained in the
form of computer data or any other form, that is held by a service provider, relating to subscribers of its
services.

successful conviction of sixty-five people involved in a fraud by defence contractors.
The investigation of this case relied heavily on the interception of telephone calls100.
Lawful interception involves the collaboration between law enforcement agencies and
communication service providers. As such while there are laws dealing with the
procedural and authorisation activities required for law enforcement agencies, so too
are there laws relating to the obligations of telecommunications operators and service
providers.
Lawful Interception typically involves three parties beginning with the law
enforcement agency requesting permission in the form of a warrant or subpoena101
from a higher authority in order to prove to the communications service provider that
it has permission to intercept data it controls.

3.2 The Lawful Interception Process


In the United Kingdom the process of lawful interception typically commences with a
warrant for such interception. This then proceeds with the collection of various forms
of communications, the analysis of the intercepted data, and the preparation, where
sufficient evidence is gathered, for the prosecution of persons whose data have been
intercepted. Warrants in the UK are issued by the Secretary of State where he believes
the issue of such a warrant is in the interest of national security, or is to be used to
prevent or detect crime, or is for the safeguarding of the economic well being of the
country.102
Warrants issued in relation to interception are valid for three months
initially but on renewal are valid in the instance of national security for six months

100

Ill Wind investigation see /www.eff.org/Privacy/Surveillance/CALEA/kallstrom_fbi_clipdt.testimony


101
Under the title III authorisations
102
Sections 5(3) and 7(1) RIPA 2000

37

while those for serious crime are valid for a further three months following each
subsequent renewal103.
In the United States, The Federal electronic surveillance statutes104 provide that a
high-level Department of Justice official specifically approve the use of any of these
types of electronic surveillance prior to an Assistant United States Attorney obtaining
a court order authorising interception.
In Australia, warrants for lawful interception are granted by judges or nominated
members of the Administrative Appeals Tribunal105
While it is important to maintain the principles and powers of lawful interception, the
challenge of doing so correctly is tempered by the need to ensure that in carrying it
out human rights and data protection legislations are not infringed.
While the main issue for lawful Interception of communications on public telephone
systems is to identify criminal and terrorist activity, one needs to know exactly what
data can be lawfully intercepted.

3.3 What is intercepted under lawful Interception?

Generally speaking when the right is granted to intercept a communication it will
involve the intercepting of communications data, which embraces the who, when
and where in relation to a communications transmission106.
Communications data in turn can be broken down into the following categories:

Traffic data: This contains information that identifies who the subscriber
contacted, their location as well as that of the person they have contacted and
what time the contact was made.

Service data: This identifies services used by the subscriber and how long they
were used.

Subscriber data: This identifies the user of the service, their name, address and
telephone number107

103 Report of the Interception of communications commissioner 2001
104 Referred to collectively as Title III and codified at 18 U.S.C. 2510,
105 Telecommunications (Interception) and Listening Device Amendment Act 1997
106 See Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003

3.4.1 Lawful Interception Laws in the United Kingdom


Lawful interception in the UK is primarily governed by the Regulation of
Investigatory Powers Act 2000 (RIPA), and the Telecommunications (Lawful Business
Practice) (Interception of Communications) Regulations 2000108.

RIPA provides for, and regulates the use of investigative powers, by public
authorities109. It updates the law on the interception of communications previously
provided by The Interception of Communications Act 1985 and the Police Act 1997.
It now enables state authorities to intercept communications in line with technological
changes such as the growth of the Internet.

Under the RIPA, the Police, Inland Revenue, Customs and Excise and the security
services may acquire access to communications data via the warrant; however this
may be extended to other local authorities by order of the Secretary of State, thus
allowing such authorities to lawfully intercept communications data.110
It is to be noted however that even though the Act allows for authorities to intercept
data, this does not mean that they can share any information, i.e. information derived
from a lawful intercept warrant used by the police cannot then be shared with the
Inland Revenue.

107 Section 21(4) RIPA 2000
108 SI 2000/2699
109 They are the police as defined in section 81(1), National Criminal Investigations Service, National Crime squad, HMSO Customs and excise, The Inland Revenue, The security service, The Secret Intelligence Service, Government Communications Headquarters
110 Section 25(1g) RIPA 2000

The Lawful Business Practices Regulations allow for the lawful interception of
communications in the course of its transmission by means of a telecommunications
system with or by consent of the system controller under the following conditions.

Monitoring the system to establish the existence of facts or ascertain
compliance with regulatory or self regulatory practices or procedures relevant
to the business (this could include but not be limited to ascertaining whether
the business is abiding by its own policies)111

Monitoring quality control and staff training (but not for marketing or market
research)112

Prevent or detect crime (including crimes such as fraud as well as
infringement of IT related legislation such as the Computer Misuse Act 1990
or the Data Protection Act 1998)113

Investigate or detect unauthorised use of own communications systems
(relevant to potential disciplinary action)114

It is to be noted that such interceptions are authorised only if the controller of the
telecommunications system has made all reasonable efforts to inform potential users
that such interceptions may be made.
The importance of this legislation is that it reduces the privacy rights of those that use
private telecommunication systems.

111 Section 3(1) (a) i(aa) Lawful business practices regulation
112 Section 3(1) (a) i(cc)
113 Section 3(1) (a) iii
114 Section 3(1) (a) iv

The police are empowered to obtain evidence in criminal investigations once they
have obtained an order through the consent of a circuit judge. This is illustrated with
the NTL115 case where the high court confirmed the rights of the police to require a
telecommunications provider (NTL) to take steps to intercept e-mails addressed to its
customers. It is to be noted that this right was not exercised by powers under RIPA,
rather they were as defined by the Police and Criminal Evidence Act 1984 (PACE)
which allows a police constable to obtain access to excluded material or special
procedure material for the purposes of a criminal investigation.116

Many are concerned that authorities enabled to access communications data under
RIPA might abuse such powers. In an attempt to reduce authorities abusing such
powers, safeguards have been introduced.
These include:

Specifying clearly the persons designated to seek access to communications
data

An accreditation scheme for certain individuals with access to
communications data

Compliance with RIPA statutory code of practice

Oversight by the Interception of communications commissioner

Sanctions for the abuse of powers granted under RIPA117

115 Neutral Citation number: 2002 EWCH 1585
116 Section 9 Schedule1 Police and Criminal Evidence Act 1984
117 See Safeguards p23 Consultation Paper: Access to communications data, protecting privacy and protecting the public from crime March 2003

3.4.2 Lawful Interception in the United States


In the United States interception of communications is illegal unless authorised by
stringent rules that have been designed to protect privacy and allow the investigation
of crime.
There are two basic pieces of Federal legislation: Electronic Communications Privacy
Act (ECPA)118, which concerns criminal investigations, and the Foreign Intelligence
Surveillance Act (FISA), which concerns intelligence and counter intelligence
operations. (For this part of the essay I will be dealing with ECPA)

In the United States, wiretap laws, and procedures used by state courts and law
enforcement agencies to implement those laws, are subject to two important
constraints: first, the Fourth Amendment to the United States Constitution, as
incorporated in and made applicable to the states by the Fourteenth Amendment; and
second, the restrictions of the ECPA.

These constraints were codified and made more specific in Title III of the Omnibus
Crime Control and Safe Streets Act of 1969. This Act establishes the substantive and
procedural requirements for federal interception orders and pre-empts less restrictive
state requirements.119 In 1986, Congress updated those requirements by means of the
ECPA, which addressed newer communications technologies such as mobile
telephones and electronic mail. This law provides the statutory framework that
governs the real-time electronic surveillance of the contents of communications.

118 Electronic Communications Privacy Act of 1986, Pub. L. No. 99-508, 100 Stat. 1848 (1986).
119 Omnibus Crime Control and Safe Streets Act of 1969, Pub. L. No. 90-351, 82 Stat. 197 (1968)(codified at 18 U.S.C. 2510-2521 (2000)), reprinted in USCCAN 1968 237.

The ECPA broadly prohibits the interceptions of wire, oral and electronic
communications, except where those interceptions comply with the ECPA
requirements.120
These requirements are to ensure that law enforcement officers in their attempts to
gather evidence of crimes through communications systems comply with statutes that
protect individual privacy. Where interceptions are made by law enforcement
agencies, the ECPA specifies the authorisation levels of officials who may apply for
an order, the crimes or categories of crimes in connection with which an order may be
sought, the probable cause showing that the applicant must make, and the findings
and minimisation requirements that the order must contain.121 These are stringent
procedures, violations of which may result in the imposition of civil liability actions
on law enforcement officials.

Authorisation of interception of oral or wire communications under the ECPA comes
from the highest judicial officers namely the Attorney General, Deputy Attorney
General, Associate Attorney General, or any Assistant Attorney General.

For accountability purposes, the ECPA also requires state and federal courts issuing
interception orders to make detailed reports concerning those orders to the
Administrative Office of the United States Courts.122 These reports are a means of
ensuring that there is an audit trail of orders that have been granted.

120 18 U.S.C. 2511.
121 Id. 2516-2518.
122 Id. 2519. Pen registers and trap-and-trace devices also are subject to federal statutory constraint. Id. 3121-27.

In order to ensure privacy is not infringed, state authorised interceptions may only be
carried out by the investigative or law enforcement officers having responsibility for
the investigation of the offence to which the application is made. An exception to this
rule is that private contractors may be permitted to conduct interceptions, so long as
the contractor's personnel are under the supervision of an investigative or law
enforcement officer authorised to conduct the interception.123
It has to be mentioned however that while there is an argument that the statutory
authority to hire contractors for surveillance duty frees professional law enforcement
personnel from the drudgery of staffing monitoring stations, it complicates the task of
ensuring that persons who conduct surveillance are experienced and properly trained
in the intricacies of executing an electronic surveillance order124. It also creates
opportunity for the infringement of privacy in the sense that contractors may not have
the same duty of care that law enforcement officers have when dealing with
intercepted data. Also it creates an opportunity to dismiss the accuracy and integrity
of the analysis of the data.

The Uniting and Strengthening America by Providing Appropriate Tools Required to
Intercept and Obstruct Terrorism Act (hereinafter referred to as the PATRIOT Act)
was enacted in 2001125. This Act increases the government's ability to monitor
communications, including e-mail and mobile phone conversations, and provides
for agencies to share such information. Its aim is to provide law enforcement agencies
with the appropriate tools to prevent terrorism.

123 Id. 2518(5).
124 Focus Paper of Charles H. Kennedy Presented at 2002 Enforcing Privacy Rights symposium
125 The USA PATRIOT Act is not a stand-alone Act. It amends over 15 Federal Statutes visit: www.llrx.com/features/libraryrecords.htm

The Patriot Act however goes a step further than the ECPA in relation to Interception
in that it grants law enforcement agencies the power to access ISP networks without a
warrant to track activities.

Section 216 of the Act significantly increases law enforcement authority to use trap
and trace and pen register devices.

There is no doubt that national security interests must be safeguarded, however this
Act does go beyond the scope of previous legislations that safeguard personal
information from government intrusion. Indeed the fact that it allows law enforcement
agencies to access communications data without a warrant raises an eyebrow as to
whether we have seen the right to privacy of communications being revoked in the
United States. Under ECPA certain procedures needed to be followed; under the
PATRIOT Act, a warrant is not required to track activities and government
departments can share data. This state of affairs is definitely an encroachment on
rights to privacy of communications.

3.4.3 Lawful Interception in Australia


In Australia, lawful interception of communications is governed by the
Telecommunications Interception Act 1979, which has been amended recently by the
Telecommunications Interception Legislation Amendment Act 2002.
This amends the Telecommunications (Interception) Act 1979 to add child
pornography, serious arson offences and offences involving acts of terrorism (newly
created offences under the Commonwealth Criminal Code introduced by the Security
Legislation Amendment (Terrorism) Act 2002) to the list of offences where a
telecommunications intercept warrant may be sought.

The Act has two main objectives: the first is to provide users of the Australian
telecommunications services with privacy, and the other, contrasting albeit legal,
aspect is to allow for certain lawful interception under the auspices of a warrant where
it is deemed necessary to investigate certain listed offences.

Section seven of the Telecommunications Interception Act prohibits interception of a
communication passing over a telecommunications system with certain exceptions,
one of which is that a warrant has been issued to allow for such interception. It is to
be noted that such warrants are usually only provided to allow certain state law
enforcement agencies the right to intercept. It is also to be noted under this regime
that law enforcement agencies are not permitted to access the content of messages
(such as email, voice mail, SMS, etc) that are temporarily stored on a
telecommunications service provider's equipment during transit, unless they have
obtained an interception warrant.

After a message has been delivered to the intended recipient (i.e. has completed its
passage over the telecommunications system) law enforcement agencies can lawfully
access the content of the message with a search or seizure warrant. Such a warrant
may cover the recipient's equipment (e.g. computer containing downloaded email) or
the service provider's equipment when a copy of the message remains on their
equipment.

Certain safeguards to ensure interception is not abused have been placed into the Act;
this can be illustrated where the Australian police and National Crime Authority are to
maintain a record of intercepted messages.

3.5 Lawful Interception requirements of Communications service providers

Co-operation is required between law enforcement agencies and communication
providers. The dilemma for the communications service providers however is the
balance between customer confidentiality and the assistance in the curbing and
detection of criminal activity.

Lawful Intercept places a number of duties on communications service providers,
indeed a number of articles have been published relating to objection by such
communications service providers of added cost and system usage which may hamper
an already decreasing client base due to over saturated markets.

In providing this assistance to agencies that have been granted the right to intercept
communications, the communications service provider's role begins with its obligation
to maintain an intercept capability as may be required by the Secretary of State126; this
is further backed up by the RIP (Maintenance of Interception Capability) Order 2002
which lays interception obligations upon communications service providers who
provide a public telecommunications service to more than 10,000 persons in any one
or more parts of the United Kingdom127.

126 Section 12 Regulation of Investigatory Powers Act 2000
127 See Citation 2 (3a) RIP Maintenance of Interception Capability Order 2002

An explanation of these obligations can be seen in the following:

The provision of a mechanism for implementing interceptions within one
working day of their being informed that the interception has been
appropriately authorised128. This obligation can be deemed a time is of the
essence provision. There is no doubt that in being able to nip crime in the bud
or determine that criminal activity has taken place, the sooner an investigation
is able to be carried out the better will be the chances that this can be proved.
In fulfilling this obligation communications service providers undertake the
first step in collaboration to combat crime and terrorist activity.

Ensure the interception, in its entirety, of all communications and related
communications data authorised by the interception warrant and to ensure
their almost real time transmission to a hand-over point within their
network129. This provision ensures that there is nothing left out in relation to
the data that has been intercepted, meaning that the integrity of the data must
be maintained between the systems on which the data is transmitted and that
is used to intercept the communications. This will ensure that all necessary
aspects of the communication are included in the investigations.

Ensure the intercepted communication and the related communications data
will be transmitted so that they can be unambiguously correlated.130 This
provision is a follow through of the previous section in that it provides for the
entire interception and the communications relating to it to be linked to each
other such that there can be no disputes in relation to the intercepted data. This
would for instance mean that where permission is granted to intercept
communications, data intercepted on the first of September 2003
between 12:45pm and 1:15pm should not be mistaken for, and should be
distinguished from, unrelated data intercepted on September between 1:16pm
and 1:55pm. In other words the data that has been intercepted and the
communications transmitted with it should be unmistakably linked.

128 Article 2(5) RIP Maintenance of Interception Capability Order 2002
129 Article 2(6)
130 Article 2(7)

Ensure that the hand-over interface131 complies with any requirements
communicated by the Secretary of State to the ISP or Telecommunications
service provider, which, where practicable and appropriate, will be in line with
agreed industry standards (such as those of the European Telecommunications
Standards Institute)132. This obviously relates to minimum technological
requirements as to the adequacy of the point of interchange between the
ISP/Telecommunications system and the law enforcement's interception
systems133.

Ensure filtering to provide only the traffic data associated with the warranted
telecommunications identifier where reasonable134. There is no doubt that this
provision recognises the fact that there must be accuracy and integrity of the
communications that are to undergo surveillance; as such, in attempting to
minimise errors, it provides for the requirement that the data to be intercepted
should be separated from any other data not associated with the
communication under surveillance.

131 The handover interface is the physical and logical interface across which the interception measures are requested from network operator/access provider/service provider, and the results of the interception are delivered from the network operator/access provider/service provider to a law enforcement monitoring facility
132 Article 2(8)
133 For more information on standards relating to interception see www.opemtap.org.documents/es201671.pdf
134 Article 2(9)

Ensure that the person on whose application the interception warrant was
issued is able to remove any electronic protection applied by the ISP to the
intercepted communication and the related communications data135. In
recognising the fact that data can be eavesdropped on while it is being
transmitted, it is not unusual, in order to ensure the confidentiality of the data
while it is being transmitted, to secure it with encryption. Where the decryption
key is available to the CSP this provision obliges it to use the key to decrypt
the communications into legible form for the law enforcement agency to
decipher the communications.

Ensure that the reliability of the interception capability is at least equal to the
reliability of the public telecommunications service carrying the
communication, which is being intercepted136. This provision recognises the
fact that complications may arise where one system is not functioning as well
as the other. Such a scenario may lead to a situation where data is corrupted by
the less reliable system, which has the potential of making the data's integrity
being disputed; as such the provision requires both the system used for
intercepting the communications and that which transmitted the
communications to be working to the same efficiency levels.

135 Article2 (10)
136 Article 2(12)
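The filtering and correlation obligations above (Articles 2(7) and 2(9) of the Order) can be checked mechanically before anything crosses the hand-over interface. The following is an added example, not code from the essay or from any provider: the record layout, the session key, the warrant reference and the telephone numbers are all constructed, and holding back unpaired sessions for operator attention is an assumption about how a provider might meet the completeness and correlation duties together.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Warrant:
    ref: str            # constructed warrant reference
    identifier: str     # the warranted telecommunications identifier
    start: datetime     # start of the authorised period (inclusive)
    end: datetime       # end of the authorised period (inclusive)


@dataclass(frozen=True)
class Record:
    kind: str           # "content" or "related_data"
    session: str        # provider-side key shared by a communication and its data
    identifier: str
    when: datetime


def select_for_handover(warrant, records):
    """Return (deliver, excluded, unmatched) for one warrant.

    deliver   - (correlation_tag, kind, when) tuples, only for the warranted
                identifier inside the authorised period, every item carrying
                the tag that links content to its related data
    excluded  - counts of records kept out of the hand-over, by reason
    unmatched - in-scope sessions missing either content or related data,
                which cannot be unambiguously correlated as they stand
    """
    excluded = defaultdict(int)
    sessions = defaultdict(list)
    for rec in records:
        if rec.identifier != warrant.identifier:
            excluded["other_identifier"] += 1      # Article 2(9): filter
        elif not warrant.start <= rec.when <= warrant.end:
            excluded["outside_window"] += 1        # not covered by the warrant
        else:
            sessions[rec.session].append(rec)

    deliver, unmatched = [], []
    for session in sorted(sessions):
        recs = sessions[session]
        if {r.kind for r in recs} != {"content", "related_data"}:
            unmatched.append(session)              # Article 2(7): no pair
            continue
        tag = f"{warrant.ref}/{session}"
        for rec in sorted(recs, key=lambda r: (r.when, r.kind)):
            deliver.append((tag, rec.kind, rec.when))
    return deliver, dict(excluded), unmatched


def t(hour, minute):
    """Time on 1 September 2003, the date used in the essay's illustration."""
    return datetime(2003, 9, 1, hour, minute)


# Constructed sample data.
TARGET = "+44 20 7946 0001"
OTHER = "+44 20 7946 0002"
WARRANT = Warrant("W-EXAMPLE-001", TARGET, t(12, 45), t(13, 15))
SAMPLE = [
    Record("content", "s1", TARGET, t(12, 50)),
    Record("related_data", "s1", TARGET, t(12, 50)),
    Record("content", "s2", TARGET, t(13, 20)),       # after the window
    Record("related_data", "s2", TARGET, t(13, 20)),  # after the window
    Record("content", "s3", OTHER, t(13, 0)),         # a different subscriber
    Record("content", "s4", TARGET, t(13, 15)),       # in scope, no related data
]

if __name__ == "__main__":
    for part in select_for_handover(WARRANT, SAMPLE):
        print(part)
```
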

In the United States the obligation on Telcos/ISPs to provide interception capabilities is
governed by the Communications Assistance for Law Enforcement Act (CALEA)
1994137. To ensure that law enforcement agencies can continue to conduct court
authorised surveillance of wire or electronic communications, CALEA states that
telecommunications carriers must meet the assistance capability requirements set
forth in Section 103 of the Act namely:

Interception of Communications Content

This constitutes the first subsection of section 103 and it provides that
telecommunications carriers must ensure that they are capable of expeditiously
isolating, and enabling the government to intercept, pursuant to appropriate
legal authorisation, all wire and electronic communications to or from a
particular subscriber within that carrier's network138. This subsection mirrors
the requirement laid down by the RIP (Maintenance of Interception Capability)
Order 2002 for communications service providers to assist law enforcement agencies
granted permission to lawfully intercept data.

Access to Call Identifying Information

This second subsection provides that carriers must ensure that they are capable
of expeditiously isolating, and enabling the government to access, pursuant to
appropriate legal authorisation, all call identifying information reasonably
available to the carrier. Such information, however, if acquired solely through
pen registers or trap and trace devices, does not include information that may
disclose the physical location of the subscriber, except to the extent that the
telephone number can determine location139.

137 (Public Law 103-414; 47 U.S.C. 1001-1010)
138 Section 103 (1) CALEA

Delivery of Communications Content and Call-Identifying Information

Making up the third subsection of section 103, this provides that carriers must
be able to deliver intercepted communications and call identifying information
to a location specified by the government, other than the carrier's premises.
The information must be made available to the government in a format that
can be transmitted over communications channels and either translated or
converted into useable form140. This provides a host of obligations on carriers,
one of which can be illustrated in the last requirement. It is to be noted that
data is transmitted via packets in bits and bytes that cannot in their raw format
be understood by humans. This aspect of the subsection, in recognising this
fact, puts the burden on carriers to ensure that law enforcement agencies
receive the data in intelligible form.

Protection of Privacy and Security of Communications

The fourth subsection provides that carriers must be capable of conducting
interceptions and providing access to call identifying information
unobtrusively. Carriers must also protect the privacy and security of
communications and call-identifying information not authorised to be
intercepted, as well as information about the government's interception of call
content and access to call-identifying information. The requirement that
interceptions be conducted in a manner that will minimise the interception of
unauthorised communications was intended to avoid improper intrusion on
rights of privacy141.

139 Section 103 (2)
140 Section 103 (3)

3.7 Data Retention


When one analyses current legislations, one can definitely see the conflicts at work
between carrying out the provision of services to subscribers, maintaining their
confidentialities and privacy on the one hand and protecting citizens from criminal
and terrorist activities on the other hand.
The result of these legislations is the placement of a number of obligations laid in the
path of communications service providers when it comes to maintaining the privacy
of subscribers and assisting law enforcement agencies in their battle against crime and
terrorism. One of these obligations can be seen when it comes to the retention of data.

Current legislations oblige communications service providers to assist law
enforcement agencies in their bids to prevent and detect criminal and terrorist
activities. Laws such as the RIP (Maintenance of Interception Capability) Order 2002
in the UK and CALEA in the United States provide for Communication companies to
maintain an interception function.
Section 103 of CALEA requires carriers to ensure their equipment and services are
capable of isolating and allowing the government to intercept communications as well
as call-identifying information.

The Directive on Privacy and Electronic Communications also provides in article 15
that member states provide legislations for the retention of data.

141 Section 103 (4)

Legislations have with the advent of the September 11 attacks also been enacted as a
recognition of the importance in retaining communications data for analysis in
identifying suspicious traits. This has spawned the issue of data retention, which
involves the storing of communications data such that it can be retrieved at a later
date by law enforcement, intelligence and security agencies. Data retention differs
from lawful interception, which involves the capture in real time of communications
content.

Indeed in the UK the Anti-terrorism, Crime and Security Act 2001 (ATCS) was
passed almost immediately after the September attacks in the United States. Part 11 of
the Act sets out requirements for retention of communications data.
Section 103 of the Act allows the secretary of state to issue a code of practice to
communications providers on the retention of communications data they have
obtained or which is in their possession142. It is to be noted however that there is no
provision given relating to the maximum period of time within which data must be
retained. However in response to a EU questionnaire on data retention143, the UK
stated that currently the time periods under consideration vary according to the data
type. Usually the period ranges from a minimum 6 months to a maximum of twelve
for retained data.

It must be stated that one of the conflicts relating to retention of data is the issue of its
legality especially where human rights are concerned. The retention of data by
communications service providers for periods longer than is required for business
may contravene issues in respect of privacy as provided for by Article 8 of the
European Convention on Human Rights. Also to be noted is the fact that one of the
data protection principles provides that data that has been processed should not be
retained longer than is necessary for the reason that it has been processed.144

142 Section 102 Antiterrorism Crime and Security Act 2001
143 Room Document No 7 (EU member states answers to questionnaire on traffic data retention 16 September 2002 by European Council Multidisciplinary Group on Organised Crime

Indeed some communications service providers are fearful that, if a data regime is
adopted, the courts would treat them as public authorities and so they as well as any
requesting authority would be open to action under the Human Rights Act. However
in his evidence Dr Walden stated that this was a small risk, going on to say that if the
ATCS Act was not human rights compliant then it would not be unlawful for the
Communication Service provider to comply with it145.
The All Party Internet Group in its critical report called for the code of practice to be
made mandatory so that ISPs would be protected from legal action under the Human
Rights Act and the Data Protection Act when complying with measures in the code of
practice146.
Appendix A of the Consultation Paper on a Code of Practice for Voluntary Retention
of Communications Data provides the time periods deemed necessary by the
Secretary of State for communications service providers to retain communications
data for national security purposes147. Such data may, in the normal course of
business, be retained by communications service providers for either longer or shorter
time frames. This obviously leads to a scenario of dual data retention regimes. Where
these data retention regimes are used in conjunction with each other, then in order for
them not to be in contravention of the data retention principle of the Data Protection
Act, when the shorter of the two time frames expires data may only be retained for the
purpose of the longer period.

144 Fifth principle Data Protection Act 1998
145 See Communications Data: Report of an inquiry by the All Party Internet Group January 2003 paragraph 136
146 See recommendation 178 page 33 Communications Data: Report of an inquiry by the All Party Internet Group January 2003
147 See Appendix A pages 26-27 Consultation Paper on a Code of Practice for Voluntary Retention of Communications Data March 2003

For example if the first period to expire relates to
national security then after its expiry the remaining period of retention can only be for
business purposes and on expiry of that period the data must be made anonymous or
be deleted.
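The dual retention regime described above reduces to a purpose check that a provider's storage layer can enforce on every access. The following is an added example, not code from the essay or from any code of practice: the category names and the month values in both tables are constructed (the essay gives only a six to twelve month range for the national security regime), and whole-month arithmetic is an assumption about how periods are counted.

```python
import calendar
from datetime import date

# Constructed retention periods in months per data category.
NATIONAL_SECURITY_MONTHS = {"subscriber": 12, "telephony": 12, "sms": 6}
BUSINESS_MONTHS = {"subscriber": 18, "telephony": 3, "sms": 6}


def add_months(start, months):
    """Shift a date by whole months, clamping to the last day of the month."""
    index = start.year * 12 + (start.month - 1) + months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(start.day, last_day))


def retention_state(category, collected, today):
    """Work out which purposes still justify holding a record.

    Once the shorter period has expired the record may be held only for the
    purpose of the longer one; once both have expired it must be anonymised
    or deleted.
    """
    expiry = {
        "national_security": add_months(collected, NATIONAL_SECURITY_MONTHS[category]),
        "business": add_months(collected, BUSINESS_MONTHS[category]),
    }
    live = sorted(p for p, end in expiry.items() if today < end)
    return {
        "purposes": live,
        "action": "retain" if live else "anonymise_or_delete",
        "next_expiry": min((expiry[p] for p in live), default=None),
    }


def may_use(category, collected, today, purpose):
    """Gate for any job that reads retained data: is this purpose still live?"""
    return purpose in retention_state(category, collected, today)["purposes"]


def sweep(records, today):
    """Return the ids of records that no regime justifies keeping any longer.

    records is an iterable of (record_id, category, collected_date).
    """
    return [
        record_id
        for record_id, category, collected in records
        if retention_state(category, collected, today)["action"] == "anonymise_or_delete"
    ]


# Constructed sample records.
SAMPLE_RECORDS = [
    ("r1", "telephony", date(2003, 3, 1)),
    ("r2", "subscriber", date(2003, 3, 1)),
    ("r3", "sms", date(2003, 8, 31)),
]

if __name__ == "__main__":
    for day in (date(2003, 5, 1), date(2003, 9, 1), date(2004, 6, 1)):
        print(day, [retention_state(c, d, day)["purposes"] for _, c, d in SAMPLE_RECORDS])
    print(sweep(SAMPLE_RECORDS, date(2004, 6, 1)))
```
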
The question then is what sort of data is to be retained? A good starting point for this is
the ATCS which provides that the secretary of state issues a code of practice relating
to data held or obtained by communications providers148. This would suggest that it is
data that is obtained during the normal course of business operations, which is
communications data. RIPA's definition breaks communications data into three
different categories, namely traffic data, use made of service and other information
relating to the subscriber.149 An analysis of this definition shows that the following
types of data will need to be retained:

Subscriber information

Consisting amongst other things of the subscriber's name, date of birth, billing
address, telephone number and email address, IP address at registration

Telephony data

Including amongst other data all numbers associated with the call, date, time, start,
duration and end of the call; for GPRS150 and 3G, date and time of connection of
the call

SMS151, EMS152 and MMS153 data

This includes calling and called number, IMEI154, date and time of sending

Email Data

This consists amongst other data of the logon user name, date and time of
logon/logoff, information relating to email sent such as the authentication name,
date and time sent

148 Section 102 (1) Antiterrorism Crime and Security Act 2001
149 Section 21(4) Regulation Of Investigatory Powers Act 2000
150 General Packet Radio Service
151 Short Messaging Service
152 Enhanced Messaging Service
153 Multimedia Messaging Service
154 International mobile equipment identifier

ISP Data

This will include user login name and the IP address assigned, CLI155 and number
dialled

Web Activity Logs

To include proxy server logs, IP address used and URLs that have been visited;
note this will not include the content of the communication

Other Services

This will if available consist of the logon and log off times of Instant message
type services

Collateral Data

This will normally involve data required to interpret other communications data156

Data Retention United States


It is to be noted at this point that while data retention laws are prominent in Europe,
the same cannot be said for the United States which does not currently have specific
data retention legislation.

3.7.1 Impact of Data Retention Laws on Communications Service Providers
Communications service providers need to study the code of practice for data
retention in order to identify how their compliance with these regulations will impact
how they operate. This will require them to assess amongst other things the detailed
requirements of the code of practice, the manner in which policies such as data
protection, collection, archiving and security are to be implemented and also the
manner in which processes for handling requests for the disclosure of data subject
information are to be handled157. After this analysis is performed, technical measures
in relation to their operations will need to be adapted to ensure that the retention of
such data can in fact be carried out.

155 Calling Line Identifier
156 See Appendix A Consultation Paper on a Code of Practice for Voluntary Retention of
Communications Data March 2003

The communications service providers' technical solutions to cater for data retention
will invariably consist of ensuring their systems are capable of archiving such data.
This will involve ensuring systems have the capacity to store such data for the
stipulated time periods as warranted by the code of practice. They will also need to
ensure that they have appropriate system tools to assist in the retrieval of data when a
request comes in. This also involves the formatting of data to ensure it can be
interpreted by the requesting agency. Coupled with this will be the need to ensure that
data cannot be compromised; this will encapsulate implementing information security
and quality assurance measures.

As has previously been mentioned, the cost to the communication service provider of
retaining data can be extremely high. It has been identified that the high cost of the
requirement on communications service providers to retain data may lead to a barrier
to entry for would-be participants in the market, which may in turn harm competition,
along with the subscriber being made to offset the costs by being asked to pay
higher service charges158. It has thus been suggested that governments should assist in
covering the costs of mandatory data retention infrastructures and also bear some
costs where requests are made for access to retained data159.

157 See page 11 White Paper on Data Retention for Regulatory Compliance 2002 Cartesian Group

3.8 Conclusion
In summarising this section of the essay, it can be seen that lawful interception does
not go against the principles of data protection legislation. Rather it can be said that it
provides the check that is needed to fight criminals who abuse the privileges granted
by communications privacy rights in their attempts to use them as a cloak to carry out
serious criminal or terrorist activity.

In order to ensure that privacy of communications is not infringed by the provisions of
the laws relating to legal interception, the legislation places
obligations on law enforcement agencies and the communications service providers, as
can be illustrated for instance by the requirement to filter only the communications
required by law enforcement agencies as provided by Part 2 section 9 of The
Regulation of Investigatory Powers (Maintenance of Interception Capability) Order
2002160. This illustrates that the legislation recognises that data being intercepted must
only relate to that which is identified by the warrant issued, such that only persons
who are suspected of committing serious offences or participating in activities
against national security interests lose their right to privacy of their data
communications. In these circumstances such infringement is acceptable, as is
illustrated by the European Convention on Human Rights, which provides for such
interference in Article 8(2).

158 See Common Industry Statement on Storage of Traffic Data for Law Enforcement Purposes page 8
4th June 2003. Available at
www.statewatch.org/news/2003/jun/CommonIndustryPositionondataretention.pdf
159 See reference at page 9
160 Statutory Instrument 2002 No. 1931 The Regulation of Investigatory Powers (Maintenance of
Interception Capability) Order 2002

There is no doubt that the rise in criminal activity has led to amendments in
legislation to cater for new methods of communicating. The legislations are attempts
to close the gap between the sophistication of criminal activity using communication
systems and the law in being able to provide legislation to close any loopholes due to
a lack of appropriate legislation in these areas.

While these laws are aimed at ensuring law enforcement, agencies must operate
within the parameters of the law when they intercept communications. Indeed, in the
United States sanctions in the form of civil liabilities can accrue to those that do not
adhere to procedures.

It can thus be said that there are certain instances when an individual
whose actions go against national security laws or who has committed or is in the
process of committing a serious crime may have their data accessed without the
communications service provider being made liable for not keeping such data
confidential. It should by now be realised by all individuals that, with the manner in
which computers are used either to commit crime or to transmit messages that
provide information on how or when a crime is to take place, law
enforcement agencies will at some point have to gain access to such data so that they
can either prevent the crime from taking place or use the data to prove that certain
individuals are responsible for criminal activity. This cannot be said to be a
contravention or infringement of the data subject's privacy rights. Rather it can be
seen as a collaboration between law enforcement agencies and communications
service providers to thwart the success of criminal and terrorist activity.

However legislation such as the PATRIOT Act does send a warning that the right to
privacy of communications as we know it may be over. Also such legislation can
indeed be a catalyst for other legislations being enacted which place the right to
privacy of the individual on a lower level than the right of the state to monitor
communications for signs of criminal or terrorist activity.

4 Information security and communications


4.1 What is information security?
Information security relates to the protection of data to ensure its confidentiality,
integrity and availability and can be likened to an asset that adds value to an
organisation and consequently needs to be implemented across the entire
organisational environment161.

One of the basic misconceptions about information security is that it is all about
technology. This could not be further from the truth. Indeed, while technology
enhances security it only forms part of a wider process. Other factors such as
appropriately skilled resources, policies and procedures, assessments, training and
educational awareness along with management and legal requirements form the full
process of deploying appropriate security measures162.

161 See ISO 17799 first edition 2000-12-01

It can be seen from the previous sections of this essay that implementation of
information security measures is a critical factor in reducing the risks of personal
data being compromised. Information security assists in ensuring the integrity of
the exchange of communications data between systems of the CSP and those of agencies
granted permission to intercept the communications. Both the Data Protection and the
Privacy and Electronic Communications Directives contain articles that provide that
adequate security measures should be implemented.

4.1.1 Why Information Security?


The rapid development of telecommunication networks has led to greater
opportunities for criminals to use communications systems to commit crimes.
Their ability to successfully commit these crimes without detection may be attributed
in part to inadequate security legislation, inadequate implementation of security
technology, or lack of user awareness in relation to the risks. Typical crimes
committed against communication systems that may breach confidentiality include
but are not limited to the following:

Hacking or Cracking163 communications networks with the objective of
gaining access to personal information, which has the potential of breaching
the confidentiality and privacy of personal information.

Unlawful interception of communications data which has the potential of
breaching the confidentiality of information

Unauthorised modification of information which has the potential of breaching
the confidentiality, integrity and availability of information

162 See Thomas J. Smedinghoff: Developing U.S Legal Standard for Cybersecurity pages 4-11 May
2003 available at www.bmck.com/ecommerce/articles-s.htm
163 In the truest sense of the word, "hacking" involves actions taken by a dedicated programming expert
who believes in sharing his expertise and experiences with other hackers. A hacker does not believe in
vandalising or maliciously destroying data, or in stealing data of any kind. On the other hand
"cracking" involves actions carried out by an individual or group intent on causing malicious harm to a
network or computer, or on stealing information beneficial to themselves like passwords, credit card
numbers and the like. For ease of use, the term "hacking" will be used here to refer to either a hacker or
cracker, and is used to describe the act of an individual or individuals who enter or try to enter a
computer or network without authorisation.

With the rise in the spate of attacks on communications networks, a number of issues
came to light. The first was that many of these attacks were targeted at commercial
enterprises that were rich in customer information, and the second was that many of these
attacks were successful because corporations did not have effective security measures
to alert them when these attacks were occurring, and also because they had not
implemented appropriate security measures to stop these attacks from being
successful.

As a result of the realisation that customer information could be compromised, and
also the potential for such information being used to create false identities and be used
in the perpetration of other criminal activity, legislation was either amended or
enacted to make corporate entities implement information security measures that are
appropriate to the risks that they face from both internal and external information
security breaches.

The effect of information security on communications service providers is two
pronged. It can be looked at from a data protection standpoint, i.e. the duties the
communications service provider owes to its subscribers in protecting their data, and
secondly the duties it owes to law enforcement agencies in their quest to tackle crime.

I shall look at the laws relating to information security in relation to subscribers'
personal data before approaching the obligations that arise when it applies to lawful
interception and retention of data.

Laws relating to communications security can be found in legislation such as the EU
Privacy and Communications Directive. Article 4 (1) stipulates that adequate security
measures must be implemented by organisations that process personal information.
This law is transposed into national legislations of Member States. In the UK this can
be illustrated by section 5 of the 2003 Privacy and Electronic Communications (EC
Directive) Regulations which states that providers of public electronic
communications service should take appropriate technical and organisational
measures to safeguard the security of that service.164 The Regulations define
appropriate measures as being those that are taken in relation to technological
developments and the cost of implementing it in proportion to the risks of
safeguards165.
The seventh principle of the UK Data Protection Act also provides that appropriate
levels of security must be implemented in proportion to any harm that may arise due
to unlawful processing or unauthorised access and also the nature of data to be
protected.166

164 Section 5 (1) Privacy and Electronic Communications (EC Directive) Regulations 2003
165 Section 5 (4) Privacy and Electronic Communications (EC Directive) Regulations 2003
166 Part 2 section 9 (a & b) Data Protection Act 1998 Sch 1

It is to be noted that while this legislation provides communications service
providers with the responsibility of deploying information security measures, there is
recognition of the fact that information security is a moving target, and as such there
may be situations where the measures adopted by the communications service
provider may not be adequate, thereby allowing for the possibility of subscribers being
left vulnerable. In recognising this, the laws allow the communication service
providers to advise subscribers on measures they may take to minimise the risk of
breach167. With the recent spate of virus168 attacks such as Nimda and Mydoom, along
with the sophistication of hackers in modifying and inserting software code which can be
used to gather personal and confidential information, it has become necessary for
communications service providers to notify subscribers that they may need to utilise
up-to-date antivirus software and other measures such as encryption when
transmitting personal and sensitive data over the Internet to minimise their exposure
to successful security breaches.
In the United States, legislation has been passed in California to the effect that
businesses are now obliged to disclose any breach of the security of their systems to
any California resident whose unencrypted personal information was, or is reasonably
believed to have been, acquired by an unauthorised person169.

While these obligations point to what a communications provider must do to ensure
customer information is protected, the question arises as to what remedies accrue to
users whose data have been compromised due to service providers not implementing
security measures?

167 Article 4 (2) Directive 2002/58/EC
168 A computer virus is a program designed to spread itself by first infecting executable files or the
system areas of hard and floppy disks and then making copies of itself. They usually operate without
the knowledge or authorisation of the computer user.
169 California Civil Code Sections 1798.29 and 1798.82 1798.84

In the United Kingdom, data protection offences are dealt with by the Information
Commissioner170 whose powers enable him to prosecute those that breach principles
of the Data Protection Act171. It is to be noted however that while there is no specific
offence in relation to not implementing adequate security measures, the Information
Commissioner may where he is satisfied that data protection principles have been
contravened serve an enforcement notice requiring compliance172. A subscriber whose
information has been breached due to lack of adequate security measures may lay an
official complaint to the Information Commissioner, who will look at each event on
its merits. Punishments for contravention tend to vary from the serving of the above
mentioned enforcement notices to a 5000 fine or an unlimited fine173.
The second aspect of security communications service providers have to cater for
relates to retention of data. As has been mentioned in earlier sections of this essay,
communications service providers have an obligation to maintain data retention
capabilities174, thus mandating the retention of the traffic and location data of all
communications taking place over mobile phones, SMS, landline telephones, faxes,
emails, chat rooms, the Internet, or any other electronic communication device.
Communications service providers will need to ensure that systems on which retained
data is held also have adequate security measures placed on them. Measures taken
will need to ensure that the data maintains its confidentiality, integrity and
availability. Adequate measures in technical terms will need to include ensuring the
data is stored on systems that have restricted access along with logging175 facilities
which identify who accessed data, what times they accessed such data and whether
any modifications were made to the data during the time the user of the system was logged
on. This is obviously a paramount requirement due to the fact that the evidence that
may be given in relation to the data may lead to the averting of a criminal or terrorist
activity or indeed the acquittal or conviction for an alleged offence.

170 The Information Commissioner is an independent officer who is appointed directly by Her Majesty
the Queen and reports directly to Parliament
171 Powers and duties of the commissioner, Chapter 7 Data Protection Act 1998 Legal Guidance. See:
www.informationcommissioner.gov.uk/cms/DocumentUploads/Data%20Protection%20Act%201998%20Legal%20Guidance.pdf
172 Section 40 (1) Data Protection Act 1998
173 Enquiries made to the Information Commissioner's office in relation to sanctions imposed for breach
of security measures; call +44 1625 545 700
174 Article 15(1) Directive 2002/58/EC

For successful implementation of lawful intercept systems, appropriate security
measures need to be implemented to ensure access control and authentication at the
hand-over interface. The methods for achieving this can be seen in standards such as
the ETSI standard for lawful interception176. The access control and authentication
issues are extremely important: in the 2003 FBI computer
crime survey177 of 488 respondents, 77% stated that the likely source of attack on
proprietary information was disgruntled employees.
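
The restricted access and logging requirement described above (who accessed retained data, at what time, and whether it was modified) is shown here as an added example that is not part of the original essay. The class and function names, the constructed sample record and the use of an HMAC chain to make the log itself tamper-evident are assumptions chosen for illustration.

```python
"""Access-controlled store for retained data with a tamper-evident audit log."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous MAC" value used by the first log entry

# Constructed sample record (not real subscriber data).
SAMPLE_RECORDS = {
    "cdr-0001": {"calling": "+440000000001", "called": "+440000000002",
                 "start": "2003-03-01T09:15:00Z", "duration_s": 184},
}


def record_digest(record):
    """SHA-256 over a canonical JSON form, so a change to any field shows up."""
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def entry_mac(key, entry):
    """HMAC-SHA256 over every field of a log entry except the MAC itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


class RetainedDataStore:
    def __init__(self, records, authorised_users, log_key):
        self._records = {rid: dict(rec) for rid, rec in records.items()}
        self._authorised = frozenset(authorised_users)
        self._log_key = log_key  # assumption: kept out of the operators' reach
        self.audit_log = []

    def _log(self, user, action, record_id, before, after, when):
        when = when or datetime.now(timezone.utc)
        entry = {
            "time": when.isoformat(), "user": user, "action": action,
            "record_id": record_id, "digest_before": before,
            "digest_after": after, "modified": before != after,
            # Each entry commits to the one before it.
            "prev": self.audit_log[-1]["mac"] if self.audit_log else GENESIS,
        }
        entry["mac"] = entry_mac(self._log_key, entry)
        self.audit_log.append(entry)

    def _check(self, user, record_id, when):
        # Refused attempts are logged too, then rejected.
        if user not in self._authorised:
            self._log(user, "denied", record_id, None, None, when)
            raise PermissionError(f"{user} may not access retained data")

    def read(self, user, record_id, when=None):
        self._check(user, record_id, when)
        digest = record_digest(self._records[record_id])
        self._log(user, "read", record_id, digest, digest, when)
        return dict(self._records[record_id])  # copy: no in-place edits

    def write(self, user, record_id, changes, when=None):
        self._check(user, record_id, when)
        before = record_digest(self._records[record_id])
        self._records[record_id].update(changes)
        after = record_digest(self._records[record_id])
        self._log(user, "write", record_id, before, after, when)


def verify_chain(log, key):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return i  # an earlier entry was removed or reordered
        if not hmac.compare_digest(entry["mac"], entry_mac(key, entry)):
            return i  # a field of this entry was altered
        prev = entry["mac"]
    return None
```

Chaining detects edits, reordering and removal of earlier entries; removal of the most recent entries is only detectable if the latest MAC is also recorded somewhere the log's operators cannot change.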

It can thus be seen that communications service providers are being influenced in
how they adopt information security measures by legislation, not only for the
protection of subscriber personal data but also in the maintaining of systems that may
provide information to law enforcement agencies in the fight against crime and
terrorist activities.

175 See also Part 2 section 13 of The Regulation of Investigatory Powers (Maintenance of Interception
Capability) Order 2002
176 See Telecommunications Security Lawful interception available at www.etsi.org
177 See page 8 CSI/FBI Computer Crime and Security Survey available upon request from Computer
Security Institute www.gocsi.com/press/200020407.html

5 Concluding
As is evident in the body of this essay, the issue of privacy is a fundamental social
principle. Ensuring that there is an appropriate legal framework to ensure privacy is
not infringed upon and, when it is, that the legislation is able to provide the vehicle for
appropriate sanctions, is paramount.

The enactment of legislation has had an impact on communication service providers
in that they now have to cater for the demands of two groups, each with varying
requirements for the services the communications service provider offers.

The first is the privacy of subscriber/client information and the second is the
provision of assistance to law enforcement agencies in their fight against crime.
This is where the balance between privacy of the individual and the combat of
criminal activity are linked.

In order to ensure that law enforcement agencies do not abuse their power when they
are granted access to communications data, there is no doubt that safeguards need to
be implemented in the form of procedures that are duly followed to the letter along
with a monitoring and audit of the usage of such privileges granted to law
enforcement agencies.

While it can be stated that data retention legislation is a reaction to events that
occurred on Sept 11th 2001, legislation relating to the processing of personal data and
lawful interception has been enacted or amended recently as a reaction to changes in
technology. For instance the new privacy and electronic communications directive
now includes provisions relating to location data.

In order for the above mentioned legislation to have bite, it needs to ensure
communications service providers adopt a more rigorous approach to maintaining
privacy of communications and personal data. One such way would in my view be
to ensure that technologies that can be used to enforce these laws are adopted
immediately by communications service providers. This can be effected by regulatory
bodies making it mandatory for them to provide certificates of compliance on an
annual basis stating that they (CSPs) have adopted the latest technologies as specified by
these bodies. Where organisations do not provide certificates on due dates, sanctions
must be imposed for non-compliance, which should include both a monetary fine
along with publication on the regulator's site of the names of providers that are in
breach.
In order to ensure that the certificates are genuine, regulatory bodies must have the
power to randomly select certified communications service providers to ensure that
information provided is accurate.
While on the one hand the effect of such measures on communication service
providers would be that they purchase, maintain and update these technologies, it will
provide a means of showing that they are capable of meeting the requirements of their
clients in relation to maintaining privacy of communications. Such a measure will
also provide an easier means of detecting when a service provider is not meeting its
obligations.


It must be mentioned that as electronic commerce grows, technologies that will enable
criminals to subvert communications networks, whether in the form of gaining
unauthorised access to networks, using false or stolen identities to pay for goods and
or services, or committing terrorist activities, will become more widespread. With
this in mind it is apparent that more robust authentication and screening technologies
which are able to filter communications using artificial intelligence screening
capabilities will be required to be developed and utilised by communications
providers. With this state of activity it can be seen that there is the possibility that the
role of the communication service provider over the next decade will shift from that
of providing communications services to one where it is being used as the first point
of contact to thwart criminal and terrorist activities conducted via communications
networks.
Also, to ensure healthy competition in the communications service provider
environment, governments need to come up with a policy on subsidising the costs of
retaining data.
As a last thought I believe that a harmonised legal framework on minimum
information security must be adopted and be legally binding on communications
service providers. While the Data Protection Directive and the Privacy of
Communications Directive have made mention of the fact that information security
measures must be implemented, there needs to be a separate information security
legislation which specifically outlines the minimum requirements that should be put
into practice by organisations that handle personal data. This framework will
undoubtedly need to be of global dimension and universally accepted by all countries
otherwise criminals and hackers will look to attack systems belonging to those with
the least effective measures which in turn may impact other environments worldwide.


The adopted information security legislation should have wordings similar to the
Gramm-Leach-Bliley Act in the United States along with implementation of technical
measures as identified by both ISO 15408 and ISO 17799. The effect of this on
communication service providers is that it will also mean that they deploy more
resources in the way of staffing, training and technology to ensure information
security meets these minimum requirements.

These recommendations along with better awareness campaigns will allow the general
public to understand fully the issues surrounding the need for lawful interception and
retention of private information, especially when there is a need to thwart criminal
activity and remove threats to national security. It will also help to dispel the fear that
there is an erosion of rights to privacy.


Bibliography:
Access to Communications Data: Respecting privacy and protecting the public from
crime, Consultation Paper March 2003
American Civil Liberties Union 1998 Big Brother in the Wires: Wiretapping in the
Digital Age, March 1998. Available at
www.aclu.org/issues/cyber/wiretap_brother.html
Akdeniz Y 2001, The Case against RIP at www.sourceuk.net/indexf.html?01546
Bohm et al, 2000 Electronic Commerce: Who Carries the Risk of Fraud? The
Journal of Information, Law and Technology (JILT). www.elj.warwick.ac.uk/jilt/003/bohm.html
Bro & Hengesbaugh 2001, Implementing the U.S.-EU Data Privacy Safe Harbor
available at www.bmck.com/ecommerce/articles-p.htm
Bygrave L 2002, Data Protection Law: Approaching its rationale, logic and limits
Carter D L & Katz A J 1997, Computer Crime: An Emerging Challenge for Law
Enforcement.
Cartesian Group 2002, Data Retention for regulatory Compliance
CCTV Looking out for you Home office publication November 1994
CSI/FBI Computer crime and security survey 2003
Cyber-Rights & Cyber-Liberties (UK), "Who Watches the Watchmen: Part III - ISP
Capabilities for the Provision of Personal Information to the Police," February 1999,
at http://www.cyber-rights.org/privacy/watchmen-iii.htm
Economist Intelligence Unit 200: Private Investigations: Data Privacy and the
challenge to business available at www.ebusinessforum.com/upload/privacy.pdf


Eisner R S 2002, Ignorance Isn't Bliss: What you need to know about EU data privacy
law, Legal Research Centre
Elliot C 1999, The legality of the interception of electronic communications: a
concise survey of the principal legal issues and instruments under international,
European and national law
Goemans C 2002, Law enforcement and data privacy: difficulties to accommodate
Hoofnagle C J 2002, Consumer Privacy In the E-Commerce Marketplace, Third
Annual Institute on Privacy Law 1339, Practicing Law Institute G0-00W2
Policy leadership on cyber security questioned: Cyber crime Law Report Vol 3 No 8
2003
Electronic Privacy Information Centre and Privacy International 2002, Privacy and
Human Rights, An international survey of privacy laws and developments available at
www.privacyinternational.org/survey/phr2003/
Rathmell A 2002, Regulating Security: Telecoms Regulation and Information
Security
Joint Economic Committee United States Congress 2002 Security in the information
age: New Challenges, New Strategies
Pascual A E 2001, Location data is as sensitive as content data available at
www.it.kth.se/~aep/publications/EU-forum/20011127/EU-forum-locationdata.pdf
OFTEL 2002, Guidelines on the essential requirements for network security and
integrity and criteria for restriction of access to the network available at
www.ofcom.org.uk/.../acts/sacot/resp2002/essential_requirements_for_network_security_and_integrity.htm
Reed & Angel 2000, Computer law
Reidenberg J R, Resolving Conflicting International Data Privacy Rules in
Cyberspace 52 Stanford Law Review 1315 (2000)
Smedinghoff T J 2003, Defining Corporate Cybersecurity Obligations: Impact of the
Final U.S. National Strategy to Secure Cyberspace available at
www.ccni.org/freedocs/finalnat-2003.pdf
Smedinghoff T J 2002, Developing a U.S Legal Standard for Cybersecurity available
at www.bmck.com/ecommerce/US%20cybersecurity%20standards.pdf
Smith, R G 2001, Cross-border economic crime: the agenda for reform, Trends &
Issues in Crime and Criminal Justice, no. 202, Australian Institute of Criminology,
Canberra.
Stratford J S & Stratford J 1998, Data Protection and privacy in the United States and
Europe available at www.iassistdata.org/publications/iq/iq22/iqvol223stratford.pdf
Sutter G 2001, A Tale of Two Interception Regimes: RIP v CALEA, a comparison.
Available at www.bileta.ac.uk/01papers/sutter.html
Tedeschi B, Patriot Act Curbing Data Retention New York Times October 13, 2003
United States department of Justice 2000 Identity Theft and Fraud available at
www.usdoj.gov/criminal/fraud/idtheft.htm
