Can Cameron stop social media?

Egypt Internet Blackout (© Arbor Networks)

This excellent graphic from Arbor Networks shows how Internet traffic to and from Egypt fell off a cliff between 27 and 28 January 2011.  At about the same time mobile phone operators in Egypt reported that they were required to close down their networks in certain areas of the country.

On Thursday, 11 August 2011 David Cameron made a lengthy statement in the House of Commons to open the parliamentary debate on public order, following extensive rioting in London and other English cities.  Notably, he said:

Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good, but it can also be used for ill, so we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality.

Could the UK Government follow Egypt and order an Internet blackout and mobile phone network shutdown, or at least block access via Internet (including by mobile phone) to social media platforms?

Internet Blackout

The Communications Act 2003 contains a broad power that could be used by a Secretary of State to close down or restrict access to the Internet, at least by ordering UK-based communications providers to close or restrict access to any international gateways.  Section 132 begins:

132 Powers to require suspension or restriction of a provider’s entitlement

(1)  If the Secretary of State has reasonable grounds for believing that it is necessary to do so—

(a)  to protect the public from any threat to public safety or public health, or

(b)  in the interests of national security,

he may, by a direction to OFCOM, require them to give a direction under subsection (3) to a person (“the relevant provider”) who provides an electronic communications network or electronic communications service or who makes associated facilities available.

(2)  OFCOM must comply with a requirement of the Secretary of State under subsection (1) by giving to the relevant provider such direction under subsection (3) as they consider necessary for the purpose of complying with the Secretary of State’s direction.

(3)  A direction under this section is—

(a)  a direction that the entitlement of the relevant provider to provide electronic communications networks or electronic communications services, or to make associated facilities available, is suspended (either generally or in relation to particular networks, services or facilities); or

(b)  a direction that that entitlement is restricted in the respects set out in the direction.

Whilst the word “reasonable” gives any affected communications provider the hope that a capricious direction of the Secretary of State could be reined in by an urgent judicial review, what amounts to a critical threat to public safety or, especially, national security is not a judgement a court is likely to wish to overturn.  In any event, section 132 can itself be considered unnecessary in the light of Part 2 of the Civil Contingencies Act 2004.

This part of the 2004 Act replaced the Emergency Powers Act 1920.  It is highly recommended reading for any conspiracy theorist or anyone deeply cynical about the ability of politicians to act reasonably and sensibly in the event of any serious emergency affecting the UK.  In summary, the 2004 Act gives the Executive extraordinary powers to make emergency regulations.  Providing by regulation that internet service providers must deny access to international gateways or particular websites or servers could easily be achieved.

Mobile Phone Network Shutdown

The Secretary of State would not even need to consider making emergency regulations under the 2004 Act in order to shut down mobile phone networks.  A direction made under Section 132 of the Communications Act 2003 would suffice.  Each of the mobile phone operators has in their Wireless Telegraphy Act licences a provision in the same or substantially the same form as the following:

Ofcom may in the event of a national or local state of emergency being declared require the Radio Equipment to be modified or restricted in use, or temporarily or permanently closed down either immediately or on the expiry of such period as Ofcom may specify. Ofcom shall exercise this power by a written notice served on the Licensee or by a general notice applicable to holders of this class of Licence. (See Ofcom’s Template 2G Licence.)

So once Ofcom got the direction from the Secretary of State, it would have to do the dirty work and order the mobile phone operators to close down their networks.

Interception of Social Media

From David Cameron’s statement quoted above, it would appear that the Government’s thinking is that social media networks would be closed down when it was suspected or known that “violence, disorder and criminality” was being plotted.  This implies that there will need to be monitoring of these networks.  The problems in carrying out this monitoring are technical, not legal.  All that would be required legally is an interception warrant made under section 5 of the Regulation of Investigatory Powers Act 2000 (RIPA):

5  Interception with a warrant

(1)  Subject to the following provisions of this Chapter, the Secretary of State may issue a warrant authorising or requiring the person to whom it is addressed, by any such conduct as may be described in the warrant, to secure any one or more of the following—

(a) the interception in the course of their transmission by means of a postal service or telecommunication system of the communications described in the warrant;

(b) the making, in accordance with an international mutual assistance agreement, of a request for the provision of such assistance in connection with, or in the form of, an interception of communications as may be so described;

(c) the provision, in accordance with an international mutual assistance agreement, to the competent authorities of a country or territory outside the United Kingdom of any such assistance in connection with, or in the form of, an interception of communications as may be so described;

(d) the disclosure, in such manner as may be so described, of intercepted material obtained by any interception authorised or required by the warrant, and of related communications data.

(2) The Secretary of State shall not issue an interception warrant unless he believes—

(a) that the warrant is necessary on grounds falling within subsection (3); and

(b) that the conduct authorised by the warrant is proportionate to what is sought to be achieved by that conduct.

(3) Subject to the following provisions of this section, a warrant is necessary on grounds falling within this subsection if it is necessary—

(a) in the interests of national security;

(b) for the purpose of preventing or detecting serious crime;

(c) for the purpose of safeguarding the economic well-being of the United Kingdom; or

(d) for the purpose, in circumstances appearing to the Secretary of State to be equivalent to those in which he would issue a warrant by virtue of paragraph (b), of giving effect to the provisions of any international mutual assistance agreement.

(4) The matters to be taken into account in considering whether the requirements of subsection (2) are satisfied in the case of any warrant shall include whether the information which it is thought necessary to obtain under the warrant could reasonably be obtained by other means.

(5) A warrant shall not be considered necessary on the ground falling within subsection (3)(c) unless the information which it is thought necessary to obtain is information relating to the acts or intentions of persons outside the British Islands.

(6) The conduct authorised by an interception warrant shall be taken to include—

(a) all such conduct (including the interception of communications not identified by the warrant) as it is necessary to undertake in order to do what is expressly authorised or required by the warrant;

(b) conduct for obtaining related communications data; and

(c) conduct by any person which is conduct in pursuance of a requirement imposed by or on behalf of the person to whom the warrant is addressed to be provided with assistance with giving effect to the warrant.

This looks like a very broad power to me.  However, the media stories about the London riots have focussed on the alleged widespread use of BlackBerry Messenger.  This is a secure closed network.  Would this mean the plots on BlackBerry would not come to the notice of criminal intelligence officers?  As has been demonstrated in the Middle East, Research in Motion can come to an accommodation with national security authorities that meets their eavesdropping requirements.  If Research in Motion did not want to cooperate, then arguably there exists a robust regime in Part III of RIPA that would enable investigatory authorities to obtain the necessary codes, particularly as the grounds set out in section 49 for the requirement to release keys are essentially the same as in section 5 for interception.

Human Rights?

What about human rights, you might ask?  Article 10 of the European Convention on Human Rights is supposed to grant a right to freedom of expression, isn’t it? However, as even Wikipedia’s Article 10 page helpfully points out, this is not an unqualified right.  Where in accordance with the law (see above) and necessary in a democratic society, the right can be restricted.

So, although the steps outlined by the Prime Minister in the House of Commons debate seem an extreme response to rioting, the legal tools are already in place to enable the UK Government to do exactly what the Prime Minister has proposed.

What price investigative journalism?

Many questions are being asked about the fourth estate in the aftermath of the News of the World hacking scandal.  However, few seem to be considering the potential that reactionary measures adopted as a result of widespread illegality by journalists may make genuine investigative journalism that is conducted in the public interest impossible.  In particular, the Information Commissioner’s 2006 report into the illegal sale of personal data, What Price Privacy?, is getting the attention it should have received 5 years ago. However, the reports of the number of incidences of sale of personal data to journalists fail to note that some of this activity could have been lawful.

There is already an exemption from the scope and reach of the Data Protection Act 1998 to cover genuine journalism. Section 32(1) of the Act states:

(1)  Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)  the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)  the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)  the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.

“Special purposes” means any one or more of the purposes of journalism, artistic purposes, and literary purposes (Section 3 of the Act).

The main criminal offence being committed by phone hackers under the Data Protection Act 1998 is the unlawful obtaining of individuals’ phone numbers and PINs for voice mail boxes – the actual interception of communications is either an offence under the Regulation of Investigatory Powers Act 2000 or the Computer Misuse Act 1990.  In particular, section 55 of the Act states:

55 Unlawful obtaining etc. of personal data.

(1)  A person must not knowingly or recklessly, without the consent of the data controller—

(a)  obtain or disclose personal data or the information contained in personal data, or

(b)  procure the disclosure to another person of the information contained in personal data.

(2)  Subsection (1) does not apply to a person who shows—

(a)  that the obtaining, disclosing or procuring—

(i)  was necessary for the purpose of preventing or detecting crime, or

(ii)  was required or authorised by or under any enactment, by any rule of law or by the order of a court,

(b)  that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,

(c)  that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or

(d)  that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.

(3)  A person who contravenes subsection (1) is guilty of an offence.

(4)  A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).

(5)  A person who offers to sell personal data is guilty of an offence if—

(a)  he has obtained the data in contravention of subsection (1), or

(b)  he subsequently obtains the data in contravention of that subsection.

(6)  For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.

(7)  Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.

(8)  References in this section to personal data do not include references to personal data which by virtue of section 28 or 33A are exempt from this section.

It is therefore clear that there is a public interest defence to the section 55 criminal offence, at section 55(2)(d), that would enable the techniques being used by News of the World and others to continue to be used for legitimate investigative journalism.

When it comes to interception of communications, which is an offence under section 1 of the Regulation of Investigatory Powers Act 2000, there is a complex set of exemptions both in the Act itself (at section 3) and under the Telecommunications (Interception)(Lawful Business Practices) Regulations 2000.  I therefore have some sympathy with investigative journalists in that there does not appear to be a simple public interest defence open to them to be able to intercept communications lawfully. Similarly, if accessing voice mail boxes were considered to be computer misuse under the Computer Misuse Act 1990, there is no public interest defence under the 1990 Act.

I therefore consider that in any consideration of greater regulation of the press, consideration should be given to providing for public interest defences for the purposes of journalism in the 1990 and 2000 Acts. I also agree that the maximum penalty of £5,000 for a breach of section 55 is lamentable. It was in 2006, it clearly is in 2011.

Will Tesco rescue News International, James Murdoch and Rebekah Brooks?

© Copyright Steve Daniels

Tesco Supermarkets Ltd –v- Nattrass [1972] AC 153 is a well known case that describes and limits the application of what is known as the attribution or identification principle. This determines under what circumstances a company can be considered to have committed a criminal offence as a result of the acts or omissions of any of its directors or employees.   In the words of Lord Reid (at paragraph 170):

A living person has a mind which can have knowledge or intention or be negligent and he has hands to carry out his intentions. A corporation has none of these: it must act through living persons, though not always one or the same person. Then the person who acts is not speaking or acting for the company. He is acting as the company and his mind which directs his acts is the mind of the company. There is no question of the company being vicariously liable. He is not acting as a servant, representative, agent or delegate. He is an embodiment of the company or, one could say, he hears and speaks through the persona of the company, within his appropriate sphere, and his mind is the mind of the company. If it is a guilty mind then that is the guilt of the company. It must be a question of law whether, once the facts have been ascertained, a person in doing particular things is to be regarded as the company or merely as the company’s servant or agent. In that case any liability of the company can only be a statutory or vicarious liability.

In practice this has meant that there has to be a close connection between the acts or omissions of any particular employees and the company itself; in many cases, successful prosecutions of companies have only followed where the criminal offence has been committed by a managing director/sole or majority shareholder in a small company (see my earlier post on corporate manslaughter).

When the News of the World royal correspondent Clive Goodman and inquiry agent Glenn Mulcaire were found guilty of offences under the Regulation of Investigatory Powers Act 2000 (RIPA) (and Criminal Law Act 1977), it appeared at the time that the interception of communications by them was, as far as the News of the World was concerned, the act of one rogue reporter and his agent.  In the words of the last ever editor of News of the World, Colin Myler, to the Press Complaints Commission, the episode concerning Clive Goodman and Glenn Mulcaire was “an exceptional and unhappy event in the 163 year history of the News of the World, involving one journalist”.  There was no suggestion that News International was considered for prosecution at the time Clive Goodman and Glenn Mulcaire were prosecuted.

In light of more recent events, there are indications that the scope of hacking by Glenn Mulcaire for News of the World was much more widespread than merely working for one rogue reporter. There are also suggestions that involvement of the editors at the time, Andy Coulson (arrested today) and Rebekah Brooks, means that there is a real prospect that if they can be considered to be the controlling mind of News International for the purposes of RIPA criminal offences, then News International could itself be prosecuted under RIPA.

This leads to another interesting conclusion. RIPA, like many Acts of Parliament, includes a provision that catches directors of companies that are prosecuted for a criminal offence. The RIPA version of this provision states, at section 79(1):

79 Criminal liability of directors etc.

(1) Where an offence under any provision of this Act other than a provision of Part III is committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of—

(a) a director, manager, secretary or other similar officer of the body corporate, or

(b) any person who was purporting to act in any such capacity,

he (as well as the body corporate) shall be guilty of that offence and liable to be proceeded against and punished accordingly.

So if editors of newspapers are considered sufficiently close to a newspaper to be its controlling mind for the purposes of a relevant criminal offence, and directors of that newspaper neglected to ensure that practices and procedures in the company were lawful or condoned the illegal practices that enabled the newspaper to score many scoops, then those directors may also be criminally liable.  In this light, the statement by James Murdoch concerning the closure of the News of the World makes interesting reading.

It should be noted that given current company case law following Tesco Supermarkets v Nattrass, it is a big “if” to consider that the identification principle would result in News International being successfully prosecuted as a result of actions by its editor(s). Consequently, the prospect of James Murdoch or other directors facing prosecution is even more remote.

DoJ, Wikileaks and Twitter: Stones and Glasshouses

There seems to be a degree of outrage on many social media channels about the Department of Justice in the United States obtaining a court order to require the US-based social media platform Twitter, and possibly Facebook and Google as well, to reveal account information about certain users who are alleged to be involved with Wikileaks. There should be no doubt amongst UK social media commentators or users that the law in the UK is more generous to government authorities than anything in the US.

US Law

The court order against Twitter was made under 18 USC §2703(d), which is an order made on application to a magistrate judge (and not a subpoena, as is being widely reported). These orders can only be granted where it is shown by the applicant government entity that there are reasonable grounds for believing that the information it will obtain from the respondent communications providers will be relevant and material to an ongoing criminal investigation. Whilst we are not experts in US law, we believe that orders under 18 USC §2703(d) enable the government entity making the application to obtain what we in the UK would call the communications data (see below) for a particular account from a respondent communications provider and details about the subscriber or customer for that account. The contents of any communication can only be demanded if they are over 180 days old, otherwise another criminal evidence procedure is required. As far as we are aware, in the US there is no federal statutory obligation on communications providers to retain communications data, but 18 USC §2703(f) does provide for data preservation orders.

UK Law

This post explains the relevant UK law, which shows that not only can similar communications data to the Twitter account information sought by the Department of Justice be obtained by government entities in the UK from UK communications providers, but that information can be demanded for much broader purposes than in connection with an ongoing criminal investigation. 

In the Regulation of Investigatory Powers Act 2000 (“RIPA”), “communications data” is defined as being (section 21(4) of RIPA):

(a)  any traffic data comprised in or attached to a communication (whether by the sender or otherwise) for the purposes of any postal service or telecommunication system by means of which it is being or may be transmitted;

(b)  any information which includes none of the contents of a communication (apart from any information falling within paragraph (a)) and is about the use made by any person—

(i)  of any postal service or telecommunications service; or

(ii)  in connection with the provision to or use by any person of any telecommunications service, of any part of a telecommunication system;

(c)  any information not falling within paragraph (a) or (b) that is held or obtained, in relation to persons to whom he provides the service, by a person providing a postal service or telecommunications service.

Whilst it is unclear to what extent communications data under RIPA includes web page or other internet usage data, the definition of traffic data was carefully drafted to exclude web page information (rider at s.21(6)).

Whilst communications providers had no standing obligation to retain data under RIPA, a designated person (as defined in sections 25(1) and (2)) may require any telecommunications operator of a telecommunications system that is “in possession of, or be capable of obtaining, any communications data” to obtain that data, if not already in the operator’s possession, and disclose it (section 22(4)).  However, the grounds under RIPA upon which communications data can be ordered to be obtained are the most extensive in any UK legislation.  They include, for example, matters such as “for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department” (section 22(2)(f)).  The original purposes have also been extended by the Regulation of Investigatory Powers (Communications Data) (Additional Functions and Amendment) Order 2006 (all these purposes together being the “RIPA Purposes”).

The scope of these RIPA Purposes was addressed in the Home Office Acquisition and Disclosure of Communications Code of Practice, which came into effect on 1 October 2007 (the “RIPA Code”). The RIPA Code seeks to emphasise that any action by a designated person or a person authorised by them is “necessary and proportionate” (see paragraphs 2.1, 3.5, 3.7, 3.31 and 3.48). However, it does not contain much in the way of guidance on how a designated person is to assess what is “necessary and proportionate”.

Any notice given by the delegated person to a communications provider is only valid for a maximum of one month (section 23(4)), but it would appear that under RIPA the acquisition period for the relevant communications data which is the subject of the notice, can be unlimited.  The RIPA Code states that any notice must give the start date and end date for the acquisition of data, but with limits on future end dates, so that where a notice relates to the acquisition of communications data that will or may be generated in the future, the future period is restricted to no more than one month from the notice date (paragraph 3.44).

In practice government entities in the UK do not have to consider seeking an order under section 22 of RIPA to preserve communications data, as the UK has for a number of years implemented a data retention regime.  Communications providers in the UK are required to retain communications data under the Data Retention (EC Directive) Regulations 2009 (the “Data Retention Regulations”), which implement Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 (the “Data Retention Directive”) on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. The Regulations do not set out the purposes for data retention, but it is stated in the Data Retention Directive that the intention is to “ensure that the data is available for the purposes of the investigation, detection and prosecution of serious crime” (Art.1(1))(the “Data Retention Directive Purposes”)(emphasis added).

In the Data Retention Regulations “communications data” is defined as being “traffic data and location data and related data necessary to identify the subscriber or user”.  Traffic data means “data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing in respect of that communication and includes data relating to the routing, duration or time of a communication” (Regulation 2).  This definition is slightly different from that set out at section 21(4) of RIPA (see above); the most clear differences are that in RIPA location data is expressly included and defined (at sections 21(6) and (7)), and the more broad definition of traffic data.  In particular, the definition of traffic data in the Data Retention Regulations does not exclude from the definition of traffic data, data to the level of web page information.

Under the Data Retention Regulations public communications providers are required to retain the communications data set out in Regulation 4 and the Schedule.  This is generally data necessary: (a) to trace and identify the source of a communication; (b) to identify the destination of a communication; (c) to identify the date, time and duration of a communication; (d) to identify the type of communication; or (e) to identify users’ communication equipment (or what purports to be their equipment).  The retention period for all communications data retained under the Regulations is twelve (12) months (Regulation 5).  The Data Retention Regulations do not include an access regime for any retained communications data, but merely state that access may be obtained only in specific cases and as permitted or required by law (Regulation 7).

Other Relevant Legislation

Data Protection Act 1998

The Data Protection Act 1998 (“DPA”) fifth data protection principle (at paragraph 5 of Part I of Schedule 1) provides that personal data shall not be retained for longer than is necessary for the specified and lawful purpose(s) of the data controller.  Consequently, communications providers ought to state in any fair processing notice made available to their customers that communications data is being retained as required by the Regulations and may be disclosed to public authorities permitted to access the communications data under RIPA, even though most of this processing will be exempt from the subject information provisions (as defined at section 27(2) of the DPA) under an exemption in Part IV of the DPA (section 28 (National security) and section 29 (Crime and taxation) being the most obvious).

Communications providers will be relying, in most cases, on the lawful purpose set out in paragraph 5 of Schedule 2 of the DPA (processing necessary for the administration of justice, to carry out statutory functions or functions of the Crown, a Minister of the Crown or a government department or for “the exercise of any other functions of a public nature exercised in the public interest by any person”), or, where the communications data contains sensitive personal data, on the purposes set out at paragraph 7 of Schedule 3 of the DPA (as paragraph 5 of Schedule 2, except without the ‘functions of a public nature exercised in the public interest’ purpose).

Human Rights Act 1998

Article 8(2) of the European Convention on Human Rights (the “Convention”), incorporated into UK law by the Human Rights Act 1998 (“HRA”), provides that “there shall be no interference by a public authority with the exercise of this [Article 8 privacy] right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” (the “Art 8(2) Purposes”).

The principle of retention of communications data for the Data Retention Directive Purposes, which are narrower than the Art 8(2) Purposes, is therefore lawful under the Convention and the HRA. What is open to question is the lawfulness of any of the Data Retention Regulations’ retention periods and the interference with data subjects’ rights to privacy where retention (and access) is carried out for RIPA Purposes that go beyond those set out at Article 8(2).

[We found the post “Thoughts on the DOJ wikileaks/twitter court order” by Christopher Soghoian on his slight paranoia blog interesting – and useful to confirm our understanding of 18 USC § 2703.]