Posted: 19th Apr, 2011 By: MarkJ
The UK government has today revealed its final amendments to the Regulation of Investigatory Powers Act 2000 (RIPA), which aim to prevent consumer broadband ISPs from intercepting their customers' personal internet communications (e.g. by tracking visited web page URL addresses).
The move is directly related to the previous government's inability to clamp down on Phorm and the European Commission's (EC) subsequent demands for a proper implementation of its internet and email privacy rules (here).
Phorm controversially used Deep Packet Inspection (DPI) technology, with the help of broadband ISPs (e.g. BT Webwise), to monitor what websites customers visited for use in targeted advertising campaigns. At the time many likened this service to Spyware. TalkTalk has also used a vaguely similar method as part of its forthcoming security service (here).
A central issue in this debate has been the one that surrounds customer "consent" for lawful interception without a warrant. Under the current RIPA rules an ISP could effectively claim that it had "reasonable grounds for believing" that consent had been given (i.e. implied consent) and thus lawfully intercept. That will no longer be so easy.
Home Office Statement (PDF)
RIPA provides the statutory framework which governs the interception of communications. There are a number of circumstances in which lawful interception may take place and these fall into two categories: warranted interception, which can only take place with the authority of the Secretary of State, and interception that may be lawful without a warrant.
The changes to ‘consent’ touch on interception that may be lawful without warrant. Communication service providers may lawfully intercept in accordance with section 3(3) of RIPA, for example to manage their networks, and under section 4(2) of RIPA and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Where businesses choose to carry out interception to provide value added services, which are at the discretion of service providers, section 3(1) of RIPA requires the consent of both the sender and the intended recipient of the intercepted communication.
Under Article 15a of the E-Privacy Directive penalties for breaches in this area should be ‘effective, proportionate and dissuasive’. The maximum penalty set out in the legislation that the government is bringing forward is now £50,000. The new sanction applies to acts of unlawful interception that fall short of those requiring the requisite intent under section 1 and effectively captures unintentional acts.
The statutory amendments will be supplemented by guidance provided by the Office of the Interception of Communications Commissioner [OICC]. The guidance will cover, amongst other things, the circumstances in which the Commissioner considers it appropriate to issue a monetary penalty notice, how the Commissioner will determine the amount of the penalty, when it would be appropriate to impose an enforcement obligation, and the mechanisms for the handling of complaints about unlawful interception under these Regulations.
As a result, broadband ISPs will now need to gain the clear consent of their customers before imposing any Phorm-like service. The government has naturally made an exception for network management purposes (e.g. Traffic Management, anti-spam systems etc.). In theory, hiding such consent away in the general terms or privacy policies of a service will no longer be enough, although that has yet to be tested.
The scope of the sanction will not be limited to ISPs. Any person undertaking unintentional unlawful interception will now fall within the amended rules. The changes will now be laid down and are subject to affirmative resolution in Parliament.