The Home Office have concluded that a couple of aspects of the Regulation of Investigatory Powers Act 2000 need to be fixed in order to comply with European law, and are doing a rapid consultation on the changes. Unfortunately although the consultation document is clear about what the problems are it doesn’t give a clear idea (ideally, the proposed revised text) of how they propose to fix them.
Since the “obvious” amendments could actually have serious unintended consequences for network operations and service development, I’ve sent a JANET response pointing out the potential problems and asking for more clarity on whether the changes actually suffer from these problems:
Change 1: EC law requires a prohibition on “unintentional interception”, as well as intentional. At the moment section 1(1) of the UK Act appears to require two “intentional” steps – that the person intended to do what they did, and that they intended it to have the effect of making content of communications available. As far as I can see, removing either of those intentions could bring a whole host of legitimate and careless activities into scope, for example turning on a wifi laptop in an area where there’s an unencrypted network (intentional act with unintended consequences), or using a device whose software continues to use IP an address after its DHCP lease expires (iPads are the most recent of these). There’s also a problem of whether a mistake in implementing what would otherwise be a lawful interception makes it unlawful. The consultation document states that mistakes in implementing an interception warrant would not be unlawful but does not give an explicit assurance for other types of lawful interception (e.g. those required for the operation of a network service).
Change 2: At the moment it’s lawful under section 3(1) of RIPA to intercept traffic if you have reason to believe that both the sender and recipient have consented to this. The proposal is to change that to require that both parties actually have consented, so if one user passes the keyboard to someone else then the interceptor is immediately breaking the law. This wouldn’t have a big effect for our current services, since none of those rely on this “dual-consent” provision, but it might stop us or others developing services that are based on the privacy-correct approach of actually asking users for permission!
The consultation also suggests that these new rules would be enforced by the Interception of Communications Commissioner, who currently oversees the use of interception warrants and data access powers by public authorities. I’ve suggested that if, as seems likely, most of the breaches will actually be failures of other kinds of privacy controls then the Information Commissioner (who will soon have a statutory right to hear about privacy breaches by network providers) is a more appropriate regulator.