Last updated: 
1 month 3 weeks ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

Home Office RIPA consultation

Wednesday, July 4, 2012 - 16:50

The Home Office have concluded that a couple of aspects of the Regulation of Investigatory Powers Act 2000 need to be fixed in order to comply with European law, and are doing a rapid consultation on the changes. Unfortunately although the consultation document is clear about what the problems are it doesn't give a clear idea (ideally, the proposed revised text) of how they propose to fix them.

Since the "obvious" amendments could actually have serious unintended consequences for network operations and service development, I've sent a JANET response pointing out the potential problems and asking for more clarity on whether the changes actually suffer from these problems:

Change 1: EC law requires a prohibition on "unintentional interception", as well as intentional. At the moment section 1(1) of the UK Act appears to require two "intentional" steps - that the person intended to do what they did, and that they intended it to have the effect of making content of communications available. As far as I can see, removing either of those intentions could bring a whole host of legitimate and careless activities into scope, for example turning on a wifi laptop in an area where there's an unencrypted network (intentional act with unintended consequences), or using a device whose software continues to use IP an address after its DHCP lease expires (iPads are the most recent of these). There's also a problem of whether a mistake in implementing what would otherwise be a lawful interception makes it unlawful. The consultation document states that mistakes in implementing an interception warrant would not be unlawful but does not give an explicit assurance for other types of lawful interception (e.g. those required for the operation of a network service).

Change 2: At the moment it's lawful under section 3(1) of RIPA to intercept traffic if you have reason to believe that both the sender and recipient have consented to this. The proposal is to change that to require that both parties actually have consented, so if one user passes the keyboard to someone else then the interceptor is immediately breaking the law. This wouldn't have a big effect for our current services, since none of those rely on this "dual-consent" provision, but it might stop us or others developing services that are based on the privacy-correct approach of actually asking users for permission!

The consultation also suggests that these new rules would be enforced by the Interception of Communications Commissioner, who currently oversees the use of interception warrants and data access powers by public authorities. I've suggested that if, as seems likely, most of the breaches will actually be failures of other kinds of privacy controls then the Information Commissioner (who will soon have a statutory right to hear about privacy breaches by network providers) is a more appropriate regulator.