Won't make any difference
The CPS still won't bother prosecuting any Phorm-like entities.
It will no longer be enough to have "reasonable grounds" to believe that someone had consented to monitoring of their communications under changes to the Regulation of Investigatory Powers Act (RIPA) proposed by the Government. Putting notice of monitoring in terms and conditions will not be enough to count as consent to that …
If the law is changed so that explicit consent by both sender and recipient is required, that removes Phorm from a grey zone and puts it well and truly on the illegal side of the line.
Note also that either sender or recipient (depending on where you view it from) is not necessarily a customer of the ISP doing the interception. Note further that it may very well be a big company with deep pockets, and very unhappy that its customers communications are being made available to its competitors, even if only in the form of targeted advertisements.
(I'm aware that many readers including myself regarded Phorm's past activities as already on the wrong side of that line, but they're moving the line much further in our direction! )
Goodbye Phorm, at least from the UK. And good riddance.
> that removes Phorm from a grey zone
Phorm weren't in a grey area.
What BT did was illegal. But the CPS decided they weren't going to prosecute, and wouldn't let anyone else bring a private prosecution.
It doesn't matter what laws you've got - if they're not upheld, they might as well be removed.
Time will tell whether this does the trick or not - or even if it gets to the statute book unscathed - but there is still NO excuse for the failure of several police forces up and down the land to prosecute ISPs for interception of communications without consent, as well as criminal copyright abuse carried out by their robot scrapers on small websites - I have in mind the complaints made to local police forces following the "value added" programmes initiated by BT/Phorm, TalkTalk/Huawei and Vodafone/Blue Coat. They have been given good evidence, there has been clear evidence of harm, and the offences were entirely deliberate and knowingly committed. But apparently that's not enough. I can't see the police changing their tune even with the new law - they will still say it isn't in the public interest and they have to consider the best allocation of their limited resources. So the ISPs will still get away with it.
Any company with DLP will also have instructed their employees that computers and networks are a company resource to be used solely for company communications, even if there is no enforcement or penalties for breaching that policy.
At that point, everything is fair game, from the contents of a PC's hard drive, to the bits sent out through the router. No privacy concerns whatsoever.
Many companies, even ones with DLP, allow their staff limited personal use. That aside, the personal use is irrelevant to this discussion. DLP is inspecting the email traffic, whether business or personal. you can get the permission of your staff but how do you get the permission of third parties outside the company? without that permission, how do you scan email things? AV/spam might be easier as it tends to be automated scanning, but DLP stuff tends to be backed up by human eyeballs to confirm that something isn't a false positive.
you have put out the following press release: 'CPS decides no prosecution of BT and Phorm for alleged interception of browsing data'.
Reading it I can find no good reason why you are doing this, and some of the terms are peculiar:
-- since you're not willing to prosecute, I understand that any interception can only be 'alleged'. This is hardly a defence. I want to know whether it has happened or not, not whether it was 'alleged'.
"would not be in the public interest to proceed any further"
-- I am a member of the public and I don't feel this is so, especially as I may have been one whose data was intercepted.
"it may become clear prior to the collection and consideration of all the likely evidence that a prosecution would not be in the public interest."
-- if you have not collected and weighed the data I cannot see how you can possibly come to a conclusion about whether a prosecution cannot continue. [*]
"We obtained expert evidence to enable us to understand how the technology worked, how many people were affected and how they were affected. Those are the key elements of the alleged offending"
-- I would have said that the key elements of alleged offending was whether the law had been broken. Only after that are mitigating circumstances (such as how the alleged victims were affected) taken into account.
"Even if further evidence were available and collected, we are satisfied that it could not change our assessment"
-- this is unbelievable. You are claiming that you would not continue even if incriminating evidence was discovered?
I don't know why you are trying hard not to prosecute but something is completely strange here. Please explain to me why you will not consider any further evidence even before you have found any, why you will not prosecute when there is clear suspicion of a crime having been committed.
I believe that if I had to perform such an interception I would expect to go to prison. Why is the law different for large companies? I'm a member of the public, I trust you to uphold the law, I do not believe you are doing so and I don't know why but it makes me uneasy and distrustful of you.
[*] Realised something interesting about this. I believe there are certain bodies that can't be sued e.g. the UK govt (is this right?) which suggests that a prosecution of phorm might incriminate in some way the gov, which... you see where I'm going.
If corrupt regulators won't enforce the law, the words of the law don't matter.
What BT/Phorm (and TalkTalk/Huawei, Vodafone/Bluecoat) did is illegal and criminal under RIPA, Copyright Designs and Patents, Computer Misuse, Data Protection Act, PECR, and Fraud etc etc
But the Police, ICO, Ofcom, all refused to enforce the law. Apparently enforcing the law isn't in the public or national interest.
So changing the law won't make any difference until the problem of corrupt police and regulators is solved.
".. RIPA requires the consent of both the sender and the intended recipient of the intercepted communication,"
So as someone who runs a server I count as the Sender don't I? So things like the Talk Talk stalking bot (which intercepts user urls for later inspection) accessing my server would fall under this and if I don't consent then Talk Talk are violating RIPA?
*If* I'm reading this right then
1) You can't bury a monitoring clause in a 50 page T&C
2) It has to be a *specific* opt in where you *request* to have your internet access monitored.
This should stuff Phorm in *future* but the view of the CPS and ICO remains they were gutless.
*Grudging* thumbs up because that is what the response of the CPS and ICO has been.
My load balancer is one end of an SSL connection, and that data is decoded inside the load balancer so that my rules (where it's supposed to go) can do what they'er supposed to do. My interpretation of this is that this is no longer allowed, unless you have a non-load balanced page that allows users to choose/not choose to use your service.
To take it one step further, if I stick WireShark (or whatever) onto a server to try to figure out why things aren't working, will I be breaking this law.
On a more twisted note, If i add an HTML header to my outbound traffic that contains the text "You do not have permission to monitor this transmission" followed by a unique-to-my-pc 64byte hash, can I traceroute to theregister.co.uk and then bring suit against each of the carriers in between if a discovery turns up my line of text in any of thier logs????
So it would be punishable to receive on a legal (or home made) radio / receiver to receive whatever someone transmit, unless I have a written consent from the sender and every party is intended to receive it.
- A tourist with a radio, who does not pay a UK TV license, so should not listen to the BBC
in the UK (its ok to listen to the BBC outside the UK).
- HAM radio amateurs,
- Plane spotters, listen to cockpit and air traffic control
etc, etc, etc
I would think that it is the sender's responsibility to protect theyr communication if they don't want eavesdropping.
i.e. close the gate if you don't want people to wander onto your yard.
"any communication in the course of its transmission by means of a public telecommunications system and was not" .. .. ..
So, is there ANY public system ?
BT owns BT, O2 is owned by telefonica, and anyone else will no doubt be owned by someone.
Has anyone seen T&C's of a system that specifically states it's NOT privately owned or "the property of" ??
I'm no legal beagle, but the phrase clipped above specifically states you only pay a fine if you are caught sniffing on a PUBLIC system .
Maybe bush telegraph can be considered public, but I do not know of any others :)
There is not, and has not been for a very long time, any requirement for a person (whether visiting or UK resident) to have a licence to receive BBC *radio* transmissions.
Radios needed a licence circa 1960 but it has long since been abolished.
Biting the hand that feeds IT © 1998–2019