GreenNet CSIR Toolkit Briefing no. 13
Interception and Surveillance
The RIP Act and its implications for individuals and service providers
Written by Paul Mobbs for the
GreenNet Civil Society Internet Rights Project, 2002.
Those who control the legislature and the organisations of the state have long sought to discover
the activities of persons or groups considered a threat to the maintenance of control or order.
Although intrusive surveillance was initially developed to monitor the activities of
supporters of foreign powers, during the twentieth century it was increasingly used against
domestic targets; in particular groups such as journalists, trade unionists and environmentalists.
The Internet represents a new challenge to those organising state-sponsored surveillance. It has
increased the possibilities and forms of communication, and enabled the use of counter-surveillance
measures such as data encryption.
The UK government recently updated laws on surveillance, in order to take account of the new
conditions that the use of computers and the Internet has created.
of Investigatory Powers (RIP) Act 2000 amends previous legislation (The
Interception of Communications Act 1985 and the Police Act 1997) that enabled the
state to intercept communications.
There are serious concerns about the level of mass state surveillance that the
RIP Act enables. There are three key aspects
with significant implications for civil liberties:
This briefing examines these areas of concern and also takes account of the implications of other
relevant legislation, including the
- The requirement for maintaining interception at the request of the government;
- The types of surveillance that are authorised under the legislation; and
- The criteria that enable the issuing of warrants for surveillance.
Interception capabilities under the RIP Act
Monitoring the activities of individuals within society is very difficult. Information, be it
letters, phone calls or Internet services, are routed via random paths across telecommunications
networks. The only effective way of monitoring individuals' use of the Internet is to tap
communications at their source. It is for this purpose that section 12 of the RIP Act empowers a
Secretary of State (usually the Minister for the Home Office) to require telecommunications and
Internet service providers to 'maintain an interception capability' on their systems.
Interception capabilities vary according to the nature of the service involved. For
organisations who must operate under a licence, such as terrestrial, mobile and cable telephone
and postal service providers, it is likely that the maintenance of an interception capability
will be specified as part of their licence. If the providers refuse to comply, their license may
be revoked at some future date.
Where a service provider does not need a license to operate (such as providers of Internet
services) the process becomes more complex.
Under the RIP Act all service providers must develop and maintain interception
capabilities through the following procedures:
Under the system enabled by the Interception of Communication Act 1985, warrants for
interception granted by the Home Secretary identified specific individuals, or organisations,
and lasted for a specific period of time. The RIP Act is less precise, and more wide-ranging,
in this respect.
- Under section 12, paragraph 1, a notice is issued by a Minister of the Home Office
requiring that a service provider set up interception capabilities. The notice specifies
the steps required by the minister for the interception of communications (section 12, paragraph
2), and the forwarding of this information to the appropriate body (police, customs, security
services, etc.). The technical conditions of the notice are produced by those requiring the
interception, who may not of course have the required experience to define the terms of the
interception notice. The Act (under section 13) permits the Home Office to establish a Technical
Advisory Body to provide guidance to the Home Office and to organisations able to request
- The notice is served (section 12, paragraph 3) to a person identified in the notice as being
responsible for the aspects of the technical conditions specified in the notice. That
person may contest (section 12, paragraph 5) whether the terms of the notice are technically
feasible or correct in the modifications to systems required by the minister. In this case the
notice is referred to the Technical Advisory Body for a ruling.
- Although the general assumption in the Act is that the notice will be complied with, it is
open to the service provider to refuse to comply. In this case the minister may, after consultation
with all parties involved, seek a court injunction to force the service provider to implement
interception. Again, there are means whereby the service provider may contest the validity of
interception notice (see criteria for issuing notices below). A provider may contest the
notice, for example, on grounds of the implications for data protection or human rights. If the
injunction is confirmed by the court then the service provider must comply or face proceedings
for contempt of court (for which the penalties are very strict).
- The duration of the intercept is specified as part of the conditions provided with the notice.
There is no reason why the intercept could not be permanent (see the paragraph on the
Cybercrime Convention below), or
that it could be renewed or extended by further notices issued by the minister.
- Part or all of any costs incurred by the service provider as part of the maintenance of
interception may be refunded, at the discretion of the Minister (under section 14).
The operation of Internet systems does not assign a specific communications channel for a
specific individual. Most people who connect to the Internet are given a different
numeric network address each time they
- the service provider must ensure that the target of the intercept is given a fixed network
address to enable the intercept; or
- the entire traffic of the service provider must be monitored. All of its users, not just one
targeted individual, would have their communications filtered and stored by the body requiring
The Cybercrime Convention
The UK has led negotiations on the
Convention that will enable states to monitor the use of the Internet by individuals or
groups. The purpose of this is to track the use of the 'Net by criminals and computer hackers.
To enable this monitoring, the communications data (that is, information on the origin and
destination of data packets transmitted
across the 'Net) created as people use the Internet must be logged and stored, and then kept as
part of a database that enables the extraction of information required by the law enforcement
bodies of the states involved.
It is likely that, in order to comply with the Convention, all service providers will have to log
at least some data, under orders created under section 12 of the RIP Act. It may be that, as well
as this day-to-day monitoring and logging, additional interceptions will be required where specific
groups are being targeted under the interception powers of the RIP Act, or by other states under
the terms of the Cybercrime Convention.
Types of surveillance
The main types of telecommunications covered by the RIP Act are:
Interception of these communications cannot take place without 'lawful authority'. The inclusion
within the Act of communications data
brings under the law services not specifically covered by previous legislation, such as email and
other Internet communications.
- Postal information - the carriage of documents;
- Telephony - the use of telephones to carry voice communications;
- Data - the use of telecommunications systems to carry fax, email or Internet data;
- Communications data - the information created as part of the transactions of telephony
and data that described the origin, destination and content of the communication.
The Act makes a distinction between public and private telecommunications systems:
- Owners of private telecommunications systems are considered to have a right to monitor their
own systems. It is an offence to intercept a communication if you are not the owner, or are not
authorised by the owner to do so.
- It is an offence to intercept communications from a public telecommunications system (section
1, paragraph 1) unless you are an authorised person with a warrant, or unless you are an engineer
maintaining the telecommunications system (engineers must not divulge the content of any communications
they may intercept as part of their work).
Monitoring traffic data
There has traditionally been much suspicion about the interception of communications, particularly
voice communications. In practical terms of mass-interception, it is
traffic data that is most valuable
to the authorities.
The Cybercrime Convention (Article 17) seeks to create a framework for the preservation of traffic
data from specific communications. Collecting traffic data is a cruder process than collecting
voice communications. The treaty defines traffic data as:
Section 2(9) of the RIP Act provides a cryptic
but more precise definition that not only specifies the source and destination of communications, but
also, in subparagraph (d), the nature or name of the file or information communicated:
- a code indicating a network, equipment or individual number or account, or similar identifying
designator, transmitted to or from any designated point in the chain of communication;
- information on the time, date, size, and duration of a communication;
- in any mode of transmission (including but not limited to mobile transmissions), any information
indicating the physical location to or from which a communication is transmitted.
(9) In this section "traffic data", in relation to any communication, means-
Traffic data is kept by telecommunications companies in order to create itemised bills. The traffic
data of an individual will contain links to many others who, in all likelihood, have nothing to do
with that individual's activities. Even so, these people may in turn be subject to some form of
surveillance, most likely using traffic
data. In this way, using software already available to police forces and the government, it is
possible to produce a map of an individual's networks of communications, to identify those with whom
an individual most often communicates, and disclose any particular patterns of activity by an
individual, or group of individuals.
(a) any data identifying, or purporting to identify, any person, apparatus or location to or from
which the communication is or may be transmitted,
but that expression includes data identifying a computer file or computer program, access to which
is obtained, or which is run, by means of the communication to the extent only that the file or
program is identified by reference to the apparatus in which it is stored.
(b) any data identifying or selecting, or purporting to identify or select, apparatus through which,
or by means of which, the communication is or may be transmitted,
(c) any data comprising signals for the actuation of apparatus used for the purposes of a
telecommunication system for effecting (in whole or in part) the transmission of any communication,
(d) any data identifying the data or other data as data comprised in or attached to a particular
Communications data provides a very effective method of mapping people's activity. It is likely that
traffic data will be initially requested from service providers as part of the interception
capabilities requirements of the RIP Act.
The Cybercrime Convention provides for the
collation and sharing of such information between signatories of the Convention. This means that a
priority will be to secure the collection and archiving of this information as soon as possible. It
is likely that the Home Office will require the disclosure of system logs containing information on:
Much of this information is already logged automatically by server systems; some of it is archived,
and some simply deleted. Such information is routinely used for checking system security, and for
identifying whether there have been attempts to gain unauthorised access to the server. It is also
a low volume activity in terms of the effort required to collect and forward it to an agency
charged with collection.
- the periods of time that certain accounts on the system were active, and the email addresses and
network addresses assigned to those users during this period;
- the source and destination addresses of emails logged through the mail system, or through email
- the network addresses of users using the services on the service provider's system, such as web
servers, chat rooms and Usenet systems.
The Home Office is likely to seek to collect information on traffic data first, therefore, before
proceeding to force more complex disclosure of data streams (such as forwarding a particular user's
entire data transactions to a government server).
The criteria for issuing interception warrants
The criteria specified in the section 5(3) of the RIP Act for issuing warrants are fairly
(3) Subject to the following provisions of this section, a warrant is necessary on grounds
falling within this subsection if it is necessary-
... but in relation to communications data a slightly different set of criteria apply (under
(a) in the interests of national security;
(b) for the purpose of preventing or detecting serious crime;
(c) for the purpose of safeguarding the economic well-being of the United Kingdom; or
(d) for the purpose, in circumstances appearing to the Secretary of State to be equivalent to
those in which he would issue a warrant by virtue of paragraph (b), of giving effect to the
provisions of any international mutual assistance agreement.
(2) It is necessary on grounds falling within this subsection to obtain communications data
if it is necessary-
The reason for this difference is that the collection of communications data is regarded as
being less intrusive than the interception of the content of the actual communication. It is
also regarded as being available for wider use by the state.
(a) in the interests of national security;
(b) for the purpose of preventing or detecting crime or of preventing disorder;
(c) in the interests of the economic well-being of the United Kingdom;
(d) in the interests of public safety;
(e) for the purpose of protecting public health;
(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition,
contribution or charge payable to a government department;
(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person's
physical or mental health, or of mitigating any injury or damage to a person's physical or
mental health; or
(h) for any purpose (not falling within paragraphs (a) to (g)) which is specified for the
purposes of this subsection by an order made by the Secretary of State.
It could be argued that if records of communications data are databased with those of other
individuals, collection may be just as invasive of a person's social or political activities
as interception. This is particularly true where people are being investigated on the grounds
of common purpose.
Common purpose is defined in clauses contained in the
Services Act 1996 and the
Act 1997. These Acts state that...
conduct which constitutes one or more offences shall be regarded as serious crime where it
involves conduct by a large number of persons in pursuit of a common purpose.
This covers ordinary criminal activity, but it would also cover the civil disobedience activities
associated with social or environmental protests. As many of these campaigns are organised via
the Internet, the collection of communications data for people accessing certain Internet sites,
or exchanging emails with certain groups, could be used to clamp down on many of the kinds of
social and environmental campaign that have we have seen in recent years.
Responsibilities of service providers to protect privacy
Service providers have clear responsibilities under the law:
These obligations will depend upon the scope of the interception sought. The RIP Act, however,
provides no immunity  for a service provider who wrongly
discloses personal information as part of an interception. As a party to interception the
provider would be liable if the intercept was subsequently proven to be unlawful.
- They have a contractual responsibility to those whose data they are being asked to pass on,
particularly where there is a specific obligation in the contract relating to the protection of
personal information from intrusion by any party;
- There is an obligation under the Data
Protection Act 1998 to protect data, and ensure that any parties to whom data might be
passed provide appropriate protection for that information; and
- There is a requirement to have regard to the European
Convention on Human Rights (enacted
in the UK by the Human Rights Act 1998), not just in terms of those who are subject to
surveillance, but also in terms of the protection of the individual's or company's
 rights and responsibilities under the Act.
When presented with a notice for the maintenance of interception under the RIP Act, the service
provider may need to obtain legal advice on whether the intrusion is warranted according to the
tests under the Act, and whether compliance with these tests is sufficient to justify the breach
of the rights of the individual(s) involved.
In cases where interception is very broadly based, covering many people who may have no clear
connection with each other, it could, clearly, be open to challenge on the grounds of maintaining
the obligations of the service provider as outlined above.
Where an individual is the subject of an interception warrant, it may be more difficult to
challenge the basis of the interception, assuming that evidence to justify the intrusion into
personal privacy will be specific to the circumstances.
This briefing has been written in the context of the legal framework currently in force in the UK.
If you live outside the UK you will need to make yourself aware of the procedures operating in your
own country. Key points you will need to find out are:
You should also contact any civil liberties organisations operating in your country. They may be
able to provide you with much of the information you need on laws relating to surveillance and
interception of communications.
- Is your government a party to the Cybercrime Convention, if so, what laws have they put forward
to implement the requirements of the treaty for monitoring and surveillance?
- What current procedures or laws govern the interception of private communications, and how do
- Are there any laws in your country that require Internet service providers to turn over the
communications of a person to the police or security services?
- Are there any appeals or review procedures for Internet service providers who wish to oppose
interception, or for individuals who have been the subject of interception?
The GreenNet Internet Rights Project
GreenNet is the UK member
of the Association for Progressive
Communications (APC), and is leading the European section of the APC's
Civil Society Internet Rights
Project. The primary goal of this project is to provide the resources and tools necessary to
defend and expand space and opportunities for social campaigning work on the Internet against the
emerging threats to civil society's use of the 'Net. This involves developing ways and means of
defending threatened material and campaigning, as well as lobbying to ensure a favourable legal
situation for free expression on issues of public interest.
Until recently, the social norms of Internet communities, together with a very open architecture
based on supporting these norms, regulated the Internet, and was responsible for its openness.
The main forces of regulation now, however, are the business sector and government legislation.
Corporations and governments are pressing for fundamental changes in legislation and in the
architecture of the Internet. Unless challenged, these moves could radically change the nature of
the 'Net, making it a place of oppressive controls instead of freedom and openness. It is in this
context that APC's Internet Rights project is being developed.
This briefing is
in a series that document different aspects of work and communication across the Internet.
Although written from the perspective of the UK, much of its content is applicable to other parts
of Europe. There is continuing work on these issues, as part of the European project. If you wish
to know more about these briefings, or the European section of the APC Civil Society Internet
Rights Project, you should contact GreenNet. You should also check the APC's web site to see if
there is already a national APC member in your country who may be able to provide local help, or
with whom you may be able to work to develop Internet rights resources for your own country.
- The UK's interpretation of the European Convention on Human Rights is exceptional in that it
grants human rights to corporations equal to those of an individual.
- See section 79 of the RIP Act in relation to the liability of corporate organisations.