Interception of Email

Some legal issues

Clive Feather

Published 1998-08-07

Introduction

One of the tools of investigation that the Police use is to covertly examine the contents of communications between suspects. Such interception is subject to restrictions imposed by various laws.

With the expansion of the Internet into everyday life, criminals are using it for their own purposes. This means that the Police now have an interest in being able to examine the contents of electronic mail without the knowledge of the parties involved. What laws apply to such interception is a significant question.

This paper has been written by a non-lawyer with the assistance of legal input from various parties including legal and other experts in this matter. Nonetheless all opinions are my own and should not be relied on for legal purposes without independent advice.

Applicable law

The Interception of Communications Act 1985 (IoCA) effectively prevents the tapping of a "public telecommunication system" (such taps require a warrant from the Home Secretary, and evidence gained from them is not usable in court). Section 10(1) delegates the meaning of this term to the Telecommunications Act 1984. The latter is slightly convoluted, but essentially:

A complete list of public telecommunication operator licensees is available from Oftel.

The leading case is R. v Ahmed (Court of Appeal 1994-03-29, Crim.L.R.p246). This determined that, where public and private networks are both used as part of a call, it is the physical point of interception that matters.

Thus a tap within the BT network is subject to the IoCA, but one made on a private network, even as part of the same communication, is not.

Where more than one public network is involved, the protection obviously applies to all:

Application to the Internet

Private communications over the Internet fall into two general groups: "direct link" and "store and forward" (IRC is an example of the former, email and Usenet of the latter). Considering direct links first, the principles are the same except that there is an additional private network (the ISP) involved:

or, if the end parties are customers of two separate ISPs, the situation appears more complex but the rules remain the same:

(which shows the case when the ISPs are connected through a peering point such as LINX, though the direct connection case is similar).

Clearly interception of these communications is legal when done on the ISP or peering point equipment, but not when on the public telephone network or the leased circuits that connect ISPs (assuming they are carried by public telecommunications operators, which is usual).

Store and forward communications differ in only one significant respect: the message spends some time at one or other of the servers shown in the diagrams above before continuing on its way. Since these lie on private networks, there is no change to the situation.

However, note that some ISPs are in common ownership with public telecommunications operators. Such ISPs might be "public" within the sense of this discussion; this is an unresolved issue.

International traffic

At first glance it would appear that it does not matter whether the material is domestic or international. However, section 10(2) of IoCA introduces a new point:

For the purposes of this Act a communication which is in the course of its transmission otherwise than by means of a public telecommunication system shall be deemed to be in the course of its transmission by means of such a system if its mode of transmission identifies it as a communication which:

In essence, this affects calls made to another country, for example over a transatlantic cable:

Such a cable is usually owned by an operator who is not "public" within the meaning of the Acts, but is nonetheless "public" in the normal sense of the word. Without this section, a tap at the point marked would not be subject to the protection of IoCA. Therefore section 10(2) extends that protection to cover the cable, but the wording also extends it to cover the private network at the user's end.

Far more important, it also extends to cover any ISP involved in the communication. For example, consider an IRC conversation with a party abroad:

The fact that the message travels over the cable at some point extends the IoCA to cover the ISP, even though the ISP is a private network within the UK.

Now consider an international store-and-forward communication such as email. This will also be covered by the IoCA while in transit. There is a possible argument that while it is held on the disc at a server it is not a communication, but the wording of the Act does not appear to support this view.

Thus an email sent to or received from abroad is protected by the IoCA. At most, only domestic email can be intercepted legally at ISP premises.

International relay

Regrettably, an already complex situation is actually even more so. There are two obvious ways in which a prima facie domestic communication can become international.

Firstly, some UK ISPs have PoPs ("points of presence") in other countries. UK customers can dial into these PoPs to send the message, even if that message is going to another UK customer. Or the recipient can dial into these PoPs to collect the message. In either case, the email has become an international communication, subject to section 10(2). Even worse, the email bears no indication of such, and it would require major analysis of logs and telephone bills to establish whether or not this had happened. And it is important to bear in mind that the international part of the communication might happen after it was intercepted; this is not mentioned as a defence under the Act.

Secondly, even though the customer dials into a UK PoP, they can then connect to a US or other overseas computer and have it relay the message. This might be evident if done by the sender; it will probably not be when done by the recipient. Such a relayed message is covered by section 10(2).

It should be noted that I have received opinions that a court would not apply section 10(2) in this manner.

Other law

Even if IoCA does not apply, this does not mean that ISPs are free to hand over email to the Police or allow them to intercept traffic. Email may be "personal data" within the meaning of the Data Protection Acts 1984 & 1998, in which case the ISP is forbidden from disclosing the data, or the ISP may take the view that they are not willing to co-operate with the Police on this matter. However, the Police do have a number of other powers available to them. Notably:

Summary

Email and other Internet communication is subject to the Interception of Communications Act when it is travelling over the public telephone networks and the leased lines connecting ISPs. It is not subject to the Act if it is intercepted within the network of an ISP.

However, the Act does extend to cover:

And it may not be possible to determine whether this last case applies to any specific communication.

If IoCA does not apply to a communication, there is other legislation allowing or forcing email to be passed to the Police.

