A ScottishPower Company
INTERCEPTION OF COMMUNICATIONS IN THE UNITED KINGDOM
RESPONSE BY SCOTTISHTELECOM
ScottishTelecom welcome this opportunity to comment on the reform of the legislation on the interception of communications in the United Kingdom. The following paper outlines ScottishTelecom’s views on the proposals given in The Home Office Consultation Paper. ScottishTelecom owns one of the United Kingdom's leading Internet Service Providers, Demon Internet. The proposals in the consultation document have a significant potential impact on ISPs. Due to the distinct technical characteristics of Internet networks Demon Internet have considered the Consultation Document separately and will submit their own response. In this document we express some broad concerns about the proposals in relation to ISPs, more detail can be found in Demon's Internet Specific response.
Since the Interception of Communications Act 1985 was enacted, communications in the United Kingdom have undergone radical change. The nature of the telecommunications industry in particular has changed significantly with the growth of competition in the provision of fixed telecommunications services as well as the rapid development of mobile communications and use of the internet. Given both the scope and the pace of change which has taken place in the last fifteen years, a review of the legislation is clearly required. However this is an area which is certain to continue to develop rapidly and it is important that these matters are kept under review in order to ensure not only that the law enforcement agencies have the necessary means to fight crime, but also to safeguard the rights of individuals in an age when increasing use and reliance is being made of communications.
The Government note that since the 1985 Act was enacted, a number of new services have developed and cites the examples of International Simple Resale Operators and Internet Service Providers. We have a number of comments to make on the extension of the legislation to cover email services and will deal with these in more detail below. At this stage we would simply point out that in addition to those owning and operating their own networks in order to provide service, there are increasing numbers of systemless service providers who utilise the networks of established PTOs in order to provide telecommunication services to their customers. Such systemless service providers hold customer and billing data on their customers to which the network operator providing physical connectivity might have no access. The Government should ensure that the legislation covers all such providers of telecommunications services. Useful definitions in respect of publicly available services could be adopted from the Telecommunications (open Network Provision) (Voice Telephony) Regulations 1998 thus ensuring consistency with the current licensing regime in the United Kingdom.
ScottishTelecom, has concerns about the practical implications of the extension of the Interception legislation to the systems of ISPs, although we do not believe that the current system whereby our own internet subsidiary, Demon Internet, is subject to the provisions of the 1985 Act whereas independent ISPs face no such controls, can be objectively justified. If the Government is minded to allow interception of email, then all ISPs should be subject to the same regulatory regime otherwise competition in this market will be artificially distorted.
At present ScottishTelecom does have the capability to intercept communications on its public network and has worked extensively with the law enforcement agencies in order to meet their requirements and to assist in developing their understanding of what can be achieved using current technology. However, to date, the number of requests for interception has been relatively small and we have been able to meet these requests with the assistance of the law enforcement agencies. ScottishTelecom does not own the dedicated equipment required and indeed, given the small number of requests received, would have difficulty in justifying its purchase commercially. To date we have been able to borrow equipment as required from government agencies to allow the interception to take place. We would have grave concerns about our ability to meet any substantial increase in the number of applications for interception, both in terms of equipment and human resources. This would be particularly true in relation to our ISP subsidiaries where the volume of data is significantly greater. If the scope of interception is to be extended then the government should be prepared to extend the current resourcing arrangements in order to minimise the impact on the competitiveness of British companies operating in what is now a fiercely competitive worldwide market.
Furthermore we believe that a legislative change, allowing interception of ISP traffic and, to a lesser extent, traffic carried on private networks, risks such an increase in the volume of requests that operators will struggle to cope. In the ISP sector in particular the sheer volume of traffic passing through the systems presents problems not only for the ISP but for the law enforcement agencies who might find they have insufficient resource to deal with the volume of data intercepted. We recognise the logic of the government's proposal to include all forms of communication within the legislation but we believe that there is a very real need for a process of education for the law enforcement agencies in order that they might fully understand what is technically feasible as well as the resource implications involved for all parties. Even under the existing legislation we are aware that other PTOs have received hopelessly unrealistic intercept requests in relation to telephony services. The need for education is only heightened by any moves to extend the scope of intercepts to new forms of communication. This is a responsibility of government rather than commercial operators although ScottishTelecom is happy to continue to assist with the law enforcement agencies on a voluntary basis.
The current regime which does not cover the operation of private networks is undesirable. We therefore welcome the proposal to place interception of communications on private networks on a statutory basis as this will allow proper control of such activities and safeguard the human rights of individuals. We would however, reiterate the same points set out in the Email section above, albeit the scale of operations involved is much smaller in the case of private networks. ScottishTelecom's ability to meet any such obligations would depend entirely on the volume of requests received. The exemption of monitoring for business purposes is essential as this facility is used extensively for training and security reasons. Statutory clarification of the rights of employees is also desirable given the extensive use of monitoring of telephone calls in the workplace. Many companies now operate monitoring and interception policies in relation to their own internal email systems, it would seem logical to place such interception of employees' email by employers on a statutory basis in order to clarify the rights and obligations of both employees and employers in this area. This would be consistent with the Government's apparent intention to extend the scope of public network interception to ISPs and would indeed ensure that all forms of communications interception are subject to the same legislative controls.
As set out above, we welcome the clarification which will be provided by placing interception of communication on a common statutory basis. We have concerns about the practical implications of this in relation to the Internet in particular, however we agree with the logic of updating the legislation to take account of developments in both the postal and telecommunications industries. As previously noted the legislation ought to apply to systemless service providers as well as PTOs and ISPs.
ScottishTelecom's PTO business is already subject to the 1985 Act. The main impact will therefore be on our Internet business, for detailed comments see Demon Internet's response. The impact of the extension of the legislation to cover private networks will depend on the volume of applications which such a move produces. In the event that there is no substantial increase in the number of applications, and the current level of assistance from the law enforcement agencies is maintained, then there will be no significant impact on ScottishTelecom.
At present, ScottishTelecom does not operate a PTO business outwith the United Kingdom. Demon Internet does have an operation in the Netherlands where similar provisions to those proposed in the consultation document apply. However the scale of Demon's operation in the Netherlands is much smaller and even at that lower level of business, the Dutch Government recognised the practical difficulties of implementation and has granted an exemption from certain parts of the Telecommunications Act (Article 13.1) for 9 months to allow implementation to proceed. An equivalent transitional period would be required in the United Kingdom.
Demon Internet have concerns about the ability of Oftel to balance the requirements of service providers and the law enforcement agencies and ScottishTelecom shares some of these concerns. In our experience even with the existing workload, Oftel struggles to cope with current resources. The OLO group has recently expressed concern that lack of resource and staff turnover is hindering Oftel's performance. Additional roles cannot be given to Oftel without a corresponding review of resources. In particular the recruitment of suitably qualified staff to deal with the extension of the legislation to ISPs would have to be addresses.
Although it is arguable that warrants in respect of criminal investigations ought to be carried out at a judicial rather than at a political level, questions of national security or economic well being of the nation are inherently political. On balance we believe that it is preferable for authorisation to remain with the Home Secretary and First Minister rather than adopt a twin track approach.
The proposed format of warrant, covering all means of communication available to a specified individual will we believe eliminate much of the duplication of effort and is more realistic given the proliferation of means of communication and the ease with which customers may change between suppliers. Once again, however we have reservations on the effectiveness of such controls in relation to the Internet. It is common practice, particularly among small to medium enterprise customers, to have one Internet account to which a number of staff have access. The proposals do not appear to have considered this type of scenario nor how the rights of those who are not the target of legitimate investigations can be safeguarded against unwarranted interception. Issues such as this which are peculiar to the Internet require to be addressed, if controls are to be applied to Internet traffic.
The proposals for warrant modification appear to us to be somewhat confused. In paragraph 7.9 it is proposed that "senior officials" in the issuing department should have the power to modify warrants by adding in more addresses or telephone numbers to a warrant previously authorised by the relevant Minister. Paragraph 7.11 then goes on to state that in cases of urgency this power should be delegated to Director General level within "the intercepting agency". We are unclear as to why it is proposed to give a general modification power to senior officials in the ministry concerned and in cases of urgency to delegate further still to a senior official in the agency which is itself requesting the intercept. If such powers are to be delegated at all, we believe the modifications should have the same limited lifespan available under the 1985 Act and that the power should remain within the Ministry which granted the original warrant. It is highly undesirable to hand control over to the same agency which seeks the warrant in the first place.
We welcome the proposal to establish a code of practice governing the procedures employed in interception and look forward to responding to the consultation document on its terms.
The establishment of an Interception Commissioner in 1985 was an important step towards ensuring that personal rights and freedoms are not violated and the statistics quoted in the Consultation Document indicate that thus far no abuse of the powers has been brought before the Commissioner. However, given the fact that the targets of interception are generally unaware that they have been the subject of interception it is unlikely that many innocent persons whose rights have been violated will bring a complaint to the Commission. Clearly, in the case of ongoing investigations into crime or terrorism for example, it would be difficult to notify the targets of interception without prejudicing investigations. The Government should however consider whether it would be possible for example to notify such persons after any live investigation has concluded. We do not offer any solutions as to how the interests of the individual can be balanced against the interests of the law enforcement agencies but do believe that there is a requirement to improve upon the current arrangements. If the Government is committed to providing a means of redress against unlawful interception it is a vital pre requisite to notify individuals that they have been the subject of interception.
We welcome the Government's proposal to place the obligations to provide communications data on a statutory footing and believe that this will provide clarity and certainty. Again, we would reiterate that in the telecoms sector this should apply equally to systemless service providers. Given that the legislation will apply to all forms of communication we would draw attention to the terms of the Telecommunications Data Protection Directive. Any legislation should be consistent with the terms of this Directive.
Please describe the nature of the market you operate in and a general indication of the size and nature of your customer base.
ScottishTelecom is a licenced public telecommunications operator providing a complete range of telecommunications services including Corporate & Residential telephony, leased lines, premium rate services, call centre services and internet access. We have approximately four hundred thousand customers in the United Kingdom and fifty thousand in The Netherlands.
Does your company fall within the scope of IOCA 1985, and if so do you compete with UK companies upon whom there is currently no intercept requirement ?
Yes, ScottishTelecom is subject to the current legislation although there is debate as to its application to our internet subsidiary (see Demon Internet response). We compete against companies which are not subject to ICOA 1985 in a number of sectors.
If you are not subject to IOCA 1985, do you compete with companies who are?
Do you already have the capability to monitor your network where necessary for fault diagnosis or other purposes? How much additional work do you consider would be required to ensure that communications passing over your network are capable of being intercepted? What cost is involved, the nature and the scale of the cost and would it be a one-off or recurring cost?
Yes. ScottishTelecom already co-operates with law enforcement agencies in such matters and relies on their assistance in terms of equipment provision etc as detailed more fully in our response set out above. Any extension of the obligations might have serious resource implications, again as set out in our response.
Compliance costs aside, can you identify any impacts these proposals will have upon your business?
We believe that whereas it is possible to restrict staff awareness of interceptions in a PTO environment, in an ISP scenario it is much more difficult to restrict such knowledge. We have already highlighted that at present we rely heavily on Government assistance in terms of equipment to comply with requests for interception. Any increase in the level of interception would have to be met with a corresponding increase in the level of support available if the level of service provided to law enforcement agencies is to be sustained.
If you operate internationally, how do the proposed requirements compare with those placed upon you in other countries? Would it be helpful to have more consistency internationally?
The proposals are similar to those in The Netherlands where we have been granted a 9 month exemption period. In that jurisdiction, the levels of interception are much lower than have been proposed in the UK. The resource implications are therefore much more serious in the UK.
While implementing these measures, how can the Government best support you to minimise the impact on your business?
As already highlighted, existing support will have to be increased in line with any increase in requirements place on us.
Do you have any suggestions for improvements to the proposals for a framework to achieve a "reasonable intercept capability" (paras 5.3-5.5)?
None save those outlined in the main body of our response.
What sanctions, if any, do you think would be appropriate where a CSP failed to provide a reasonable intercept capability or assistance when required by warrant? Would such sanctions assist in ensuring a level commercial playing field for comparable CSPs?
There is such a wide variety of possible scenarios that such cases could only properly be dealt with by the courts. We do not have any views on the level of fines or punishment which would be appropriate.
If you are a small-medium sized business can you comment on the ways that compliance to these proposals would be difficult or impossible ?
See the comments in Demon Internet's response which are just as applicable to the telecoms industry.
Are you content for your replies to these questions to be published?
Although we believe that there are good reasons for updating the current legislation, we have significant concerns about the practical implications of some of the Government's proposals. The application of the proposals to the Internet in particular does we believe require further consideration. The Internet is a new and different form of communication with distinct technical characteristics which do not lend themselves easily to the same form of controls as for example postal services or traditional telephony. This is not to say that the Internet should be exempt from such controls but we do believe that the Government should consider carefully the practical implications of any proposed legislation.