E-mail is now firmly established as the primary form of commercial and personal communication. Telecommunications providers and internet service providers (ISPs), a large proportion of whose business is the trafficking of these e-mails, face particular problems when their contents arouse the interests of agencies charged with investigating criminal activity. Providers have to maintain a difficult balance between satisfying the requirements of the police, Special Branch or the intelligence services who seek to intercept and read e-mails, and protecting the legal rights of their customers who send them. Given that in the last 12 months those same agencies have increased their surveillance of terrorist as well as criminal activities, the pressure on providers to act as good citizens as well as lawful businesses is unlikely to diminish.
Whilst providers have a clear duty to assist the police in combating criminal or terrorist activity, they have equally clear responsibilities to their customers. The confidentiality of any information contained within an e-mail (not merely the substantive contents of the e-mail but the names and addresses of both sender and recipient) may be protected under specific confidentiality clauses in the contract between provider and customer. Failing this, an aggrieved customer may still be able to show that disclosure of an e-mail is a breach of the common law of confidentiality. Additionally, if providing access requires a copy to be made of that e-mail, a provider may be in breach of copyright law for authorising the copying of copyrighted material within or attached to the e-mail without the consent of the copyright owner.
On top of this sits the raft of statutory legislation currently in force to protect the rights of the individual – principally the Data Protection Act 1998 (the "DPA"), the Human Rights Act 1998 and the Regulation of Investigatory Powers Act 2000 ("RIPA"), which explicitly regulates the interception of electronic communications.
Increasingly our telecommunication and ISP clients are asking for advice on how best to assist the police with their enquiries without incurring liability of any type. Since the most appropriate response will depend upon the nature of the request from the police and of the information requested, the degree to which a provider can lawfully comply with such requests is not entirely clear.
However a recently decided Court of Appeal case may give providers some certainty of mind. In R v Ipswich Crown Court, ex parte NTL Group Ltd & Chief Constable Of Suffolk Constabulary (Interested Party) [ EWHC 1585 (Admin)] it was held that in complying with a properly obtained order by the police to investigate unopened e-mails, the provider is not committing an offence itself under Section 1(2) of RIPA; prior to this case there had been doubts on this point.
For the purposes of this discussion, the key subsections of Section 1 of RIPA state that:
(1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of-
(a) a public postal service; or
(b) a public telecommunication system.
(2) It shall be an offence for a person-
(a) intentionally and without lawful authority, and
(b) otherwise than in circumstances in which his conduct is excluded by subsection (6) from criminal liability under this subsection, to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of a private telecommunication system.
(5) Conduct has lawful authority for the purposes of this section if, and only if, …(c) it is in exercise, in relation to any stored communication, of any statutory power that is exercised (apart from this section) for the purpose of obtaining information or of taking possession of any document or other property;
(6) The circumstances in which a person makes an interception of a communication in the course of its transmission by means of a private telecommunication system are such that his conduct is excluded from criminal liability under subsection (2) if-
(a) he is a person with a right to control the operation or the use of the system; or
(b) he has the express or implied consent of such a person to make the interception.
On 27 September 2001, Ipswich County Court granted the Chief Constable of Suffolk County Constabulary an application for a special protection order under Section 9 and Schedule 1 of the Police and Criminal Evidence Act 1984 (“PACE”). The order required NTL to allow the police access to e-mails stored on its computer system from internet providers. The application for the Order was granted upon the uncontested basis that the police had good reason to believe that a number of persons were engaged in a widespread conspiracy to defraud and to obtain property by deception from members of the public, and that e-mails on NTL’s system contained material evidence for that case. At that initial hearing, NTL argued that they would not be able to comply with the order for three reasons:
NTL has a computer system which automatically stores e-mails from the relevant internet provider. NTL has a dual sub-system within its e-mail class system for the storage of e-mails, POP and IMAP. Customers decide whether to choose POP or IMAP, and NTL cannot change these options. If a customer chooses POP, e-mails are automatically deleted no later than one hour after being read. Unread e-mails are kept for a limited period.
NTL argued that it was not possible to prevent e-mails from a targeted customer from being automatically deleted; the entire system would have to be changed to apply to all customers which, given the number of e-mails handled by NTL's server, may cause the system to crash.
Breach of confidence
NTL further disputed the application on the grounds that they hold all e-mails (whether read or unread) in confidence, and to comply with the police’s request would be a breach of that confidence.
Lastly, NTL argued that they should not be required to comply with the Order on the grounds that to do so would involve them in committing offences under Section 1 of RIPA. For example, NTL argued that the only way of retaining e-mails of POP customers is to transfer a copy of those e-mails to a different e-mail address from that of the intended recipient; this would be unlawful under Section 1(2) of RIPA.
At the first hearing on the 27 September, the Judge ordered NTL to disclose the material to the police and held that NTL would not in the circumstances be committing any offence under RIPA by complying with the requirement contained in the application. NTL then sought an application for a judicial review of this decision, and this was heard before the Court of Appeal on the 22 July 2002.
The Court of Appeal ruled in support of the trial judge, and in reaching this decision resolved an apparent conflict between the provisions of PACE and Section 1 of RIPA. The problem for the provider is that the Order may give the police the authority to intercept e-mails, but it is not the police who will have to take the required action; it is the provider. Where does the provider's lawful authority come from? If it does not extend from that granted to the police, then the provider risks breaching the provisions of RIPA. If the provider then refuses to intercept e-mails in an attempt to avoid such a breach, it is then in contravention of the terms of the Order.
The Court agreed that it was not the police who required the "lawful authority" to intercept under Section 1(5) of RIPA, but the provider "if [the provider] was to give effect to the clear statutory provisions" under which the police are granted the Order. If NTL were not in a position to take that action without committing an offence then, concluded the Court, the power under Section 9 of PACE "would be almost totally worthless". Consequently, it cannot have been the intention of Parliament in drafting Section 1 of RIPA that it should defeat the powers of the police under Section 9 of PACE.
Therefore, where an internet service provider or telecommunications provider has to divert unopened e-mails to retain them in order to comply with a police investigation authorised by an order under PACE, there is no offence committed by that provider under Section 1(2) of RIPA. The lawful authority granted to the police implicitly extends to the provider and therefore allows them to provide access to material they hold under Section 1(6) without any risk of a breach of Section 1(2) of RIPA.
In the light of this interpretative analysis, it seems unlikely that a court will sanction the refusal by a provider to co-operate with criminal investigations if the police have secured the necessary Order under PACE, or some other form of statutory authorisation. Equally, however, it could be argued that providers now have some authority to justify such an intrusion to their customers. Providers might want to market this apparent dilemma to their advantage. Compliance with the requests of the investigatory services may be more than a legal necessity - it can be an indication to customer and competitor alike that the provider is a responsible and professional carrier, and so enhance the reputation and goodwill of that provider.
Unjustified and unsanctioned interception of e-mails remains clearly unacceptable. But in the same way that most of us accept the presence of CCTV cameras in public areas where it can be shown that they materially reduce or prevent criminal activity, we might also be persuaded that the interception of our e-mails can be for the greater public good. We would want our chosen provider to defend the integrity and confidentiality of our correspondence to the fullest extent possible but accept that, if properly regulated and used specifically, interception may have social benefits. What everyone needs – police, provider or customer – is clear guidance on the issue; hopefully the recent decision in R v Ipswich County Court goes some way to meeting this need.
How best then to respond to a request for assistance from the police? As I have already said, this will depend upon the nature and form of the request. Where the police have secured an Order under PACE or similar authority under other legislation (such as a warrant under the Prevention of Terrorism Act 2000) then compliance will be relatively straightforward. Such orders may, after R v Ipswich County Court, convey to the provider the necessary authority to act, and will specify the extent of the interception, the information sought and the intended target(s).
The "necessary authority" need not be a formal Order. For example, the provider may have concerns that compliance with a request may result in a breach of their obligations under the DPA. On this occasion we advise clients to obtain from the police a signed letter stating that personal data stored on their system is required for a criminal investigation, and that for the provider to seek the consent of the data subject for the release of that information would itself prejudice the successful completion of these investigations. The Information Commissioner has indicated to us that this would be sufficient for a provider to claim the benefit of the exemption set out in Section 29 of the DPA in respect of personal data processed for the purposes of preventing or detecting criminal activity.
On the issue of compliance with the DPA, providers should also note the decision in another Court of Appeal case, Totalise Plc v (1) Motley Fool Ltd (2) Interactive Investor Ltd (2001) [ EWCA Civ 1897]. The Court held that where there is "a genuine doubt" over the legality of disclosure of personal data, and the provider is under an "appropriate legal obligation" of confidentiality to its own customers, the provider can require the party seeking disclosure to go to Court for an order for such disclosure. This would allow the provider to justify the disclosure of the data since to do so would be no more than acting in compliance with that Order. Accordingly, that provider would not be in breach of the DPA by disclosing that information.
Frequently, however, the police adopt a less formal approach. Usually an informal discussion takes place in which the police will tell the provider (albeit in general terms) what they are looking for and what they want to try to achieve. Experience suggests that our clients favour this informality, as it allows them to be seen to be assisting the police but does not require them to do anything more substantive at this stage.
The provider may have a better idea than the police of the appropriate Act or section of an Act for the information required; an informal discussion will reveal this. For example, the police may press for a wide-ranging warrant under the Prevention of Terrorism Act 2000 when in fact all that the provider might want to see would be documentation consistent with the exemption provision set out in Sections 27-39 of the DPA. Alternatively, if the information required was more than a subscriber's name or address, the provider may push for a warrant in order to protect itself from any potential liability. It has also been our client's experience that these discussions can be technical in nature - if, for example, the data is old then the provider may no longer hold it or indeed may not hold any data which is likely to require a warrant or court order.
Since on occasion the police will automatically seek the strongest warrant or order available to them, irrespective of its appropriateness, there is a practical advantage in the informal approach as well. The police may wish to rely on unnecessarily severe powers to seize and retain data. To comply may mean allowing the police to remove servers, causing systems to grind to a halt and resulting in avoidable administrative chaos – this was one of NTL's arguments in R v Ipswich County Court. A co-operative discussion may persuade the police to use less stringent but more focused powers, with commensurately less impact on the provider's ability to carry on its business.
Irrespective of how the informal discussions proceed, a provider should consider doing nothing more until the relevant paperwork arrives from the police. During preliminary conversations the police may not reveal anything to the provider at all. Special Branch in particular are unlikely to discuss substantive issues until they have obtained the necessary exemption documentation under the DPA or secured an Order under PACE. Furthermore, they will lose little time in reminding providers (usually in writing) of their obligations under the Prevention of Terrorism Act 2000 not to tip off third parties. But a provider is still justified in not assisting any police force further until the appropriate paperwork has arrived and is correct.
Finally, the prudent provider will ensure that agreements governing the provision of services to customers set out the extent to which the provider can and will disclose e-mails on its system to an investigating agency if there are reasonable grounds to believe that the customer may have committed an unlawful act.
This article was written with the kind assistance of Daemonn Brody at Netscalibur UK Limited.