Unauthorised tapping into or hacking of mobile communications - Home Affairs Committee

2 The legislation covering interception of electronic communications

15.  When Mr Clarke and Mr Hayman came to investigate the allegations of interference with the voicemails of members of the Royal Household in November 2005, the police were faced with various pieces of legislation that might be used against the perpetrators, each of which had advantages and disadvantages. The one on which, on advice from the Crown Prosecution Service, they chose to focus was section 1 of the Regulation of Investigatory Powers Act 2000. However, sections of the Data Protection Act 1999 and the Computer Misuse Act 1990 were also relevant.

16.  We discuss these latter two Acts first and explain why the police and the CPS were disinclined to use them, before going on to set out the difficulties surrounding section 1 of the Regulation of Investigatory Powers Act.


17.  The offence under section 1 of the Computer Misuse Act is committed where a person knowingly 'causes a computer to perform any function' with intent to secure unauthorised access to any program or data held in any computer, or to enable any such access to be secured. There has to be some interaction with the computer, so that merely reading confidential data displayed on a screen or reading the printed output from the computer would not constitute the offence. On the other hand, it can be argued that using the owner's PIN number or password without his authority to access his e-mails or voicemails would fall within the scope of the offence, as it would cause the computer to perform a function.

18.  Until 2008, the offence under s.1 of the 1990 Act was triable summarily, with a maximum penalty of only six months' imprisonment. This was therefore the situation during the first investigation into hacking in 2005-06. The offence is now[5] also triable on indictment with a maximum penalty of two years' imprisonment, the same mode of trial and penalty as the interception offence under the Regulation of Investigatory Powers Act.

19.  The Data Protection Act 1998 creates a number of offences, but the most relevant is the offence of unlawful obtaining of personal data. Section 55 of the 1998 Act makes it an offence knowingly or recklessly to obtain or disclose personal data without the consent of the data controller. The offence may be tried either summarily or on indictment. Section 77 of the Criminal Justice and Immigration Act 2008 confers an order-making power to provide for the imposition of a sentence of imprisonment, but this has not yet been brought into effect and currently, the penalty is limited to a fine.

20.  It is very difficult to imagine a voicemail or other personal message which did not contain some personal data of either the sender or the intended recipient. However, section 55(2) provides for a number of defences which conceivably might inhibit a successful prosecution for 'hacking'. Of most direct relevance to this case, it is a defence to show that obtaining or disclosing the information was justified as being in the public interest (s.55(2)(d)). This defence has been prospectively broadened by a new s.55(2)(ca)[6] which makes it a defence to show that the person acted with a view to the publication by any person of any journalistic, literary or artistic material, and in the reasonable belief that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest. Journalists inquiring into public figures might seek to rely on the new defence but would need to show that they were acting in the public interest. The defence is unlikely to apply at all in relation to the alleged tampering with the voicemails of essentially private individuals unwittingly brought to public attention through their connection with victims of crime or with service personnel killed in battle; but the police and prosecutors claim not to have been aware of these cases at the time of the original investigation because they had not fully reviewed the other 11,000 pages from the Mulcaire case.

21.  The current Director of Public Prosecutions, Mr Keir Starmer QC, in a letter to us recognised the disadvantages of using these two pieces of legislation in the circumstances of the time, saying: "So far, prosecutions have (rightly in my view) been brought under the Regulation of Investigatory Powers Act 2000 (RIPA), but, depending on the circumstances and available evidence, offences under the Computer Misuse Act 1990 and/or the Data Protection Act 1998 might also fall to be considered in on-going or future investigations."[7]

Regulation of Investigatory Powers Act
Section 1 (Unlawful interception) of the Regulation of Investigatory Powers Act says:

(1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of—

(a) a public postal service; or

(b) a public telecommunication system.

(2) It shall be an offence for a person—

(a) intentionally and without lawful authority, and

(b) otherwise than in circumstances in which his conduct is excluded by subsection (6) from criminal liability under this subsection,

to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of a private telecommunication system.


(7) A person who is guilty of an offence under subsection (1) or (2) shall be liable—

(a) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine, or to both;

(b) on summary conviction, to a fine not exceeding the statutory maximum.

Section 2 (Meaning and location of "interception" etc.)

[Subsection (1) defines "postal service", "private telecommunication system", "public postal service", "public telecommunications service", "public telecommunication system", "telecommunications service" and "telecommunication system".]

(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

(a) so modifies or interferes with the system, or its operation,

(b) so monitors transmissions made by means of the system, or

(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,

as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.


(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.

(8) For the purposes of this section the cases in which any contents of a communication are to be taken to be made available to a person while being transmitted shall include any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.


22.  The offence under Regulation of Investigatory Powers Act 2000 section 1 is committed by a person who (intentionally and without lawful authority) intercepts any communication "in the course of its transmission" by a telecommunications system. The Director of Public Prosecutions told us: "Once the communication can no longer be said to be in the course of transmission by the means of the 'system' in question, then no interception offence is possible" and added: "Taking the ordinary meaning of those expressions one would expect the transmission of a communication to occur between the moment of introduction of the communication into the system by the sender and the moment of its delivery to, or receipt by, the addressee."

23.  That appears to have been the basis on which the Crown Prosecution Service advised the police in 2005-06. It was also the very clear view of the CPS in July 2009 when it gave written evidence to the Culture, Media and Sport Committee and stated:


To prove the criminal offence of interception the prosecution must prove that the actual message was intercepted prior to it being accessed by the intended recipient.

24.  However, Section 2(2) has to be read in conjunction with section 2(7) which provides that 'in the course of transmission' includes "any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it". Whilst it is clear that any stored message not yet received and heard or read may be considered still "being transmitted", what about messages already received and heard or read but left stored in the system? Again, as the Director of Public Prosecutions put it:

The difficulty of interpretation is this: Does the provision mean that the period of storage referred to comes to an end on first access or collection by the intended recipient, or does it continue beyond such first access for so long as the system is used to store the communication in a manner which enables the (intended) recipient to have subsequent, or even repeated, access to it?

25.  One of the roles of the courts is to clarify the construction of statute where necessary. For reasons that are described below, however, as yet no court has been asked to consider this issue.

26.  We have gone into detail in relation to this question because the interpretation of these sections of the Regulation of Investigatory Powers Act has formed a major source of contention in respect of the definition of who has been a 'victim' of hacking and the likelihood of achieving successful prosecutions, influenced the conduct of the 2005-06 police investigation and the subsequent approach of the police to hacking, and was the focus of much of the disagreement among our witnesses as to what ought to have been done.

Impact of the interpretation of the legislation on the police investigations

27.  Considerable argument before the Committee has focused on the advice on the interpretation of RIPA given by the Crown Prosecution Service to the police in 2005-07, whether the police correctly understood the advice, and whether the advice has changed subsequently. The Mulcaire and Goodman cases were the first in which section 1 of RIPA was applied to the hacking of mobile phone voicemails.

28.  In the course of his oral evidence to us in September 2010, Assistant Commissioner Yates was asked about the 91 people whose PIN numbers were allegedly listed in Mr Mulcaire's papers: the Chair referred to these people as 'victims' of hacking, and Mr Yates replied:

"Victims of hacking" is taking it a bit far because hacking is defined in a very prescriptive way by the Regulation of Investigatory Powers Act and it's very, very prescriptive and it's very difficult to prove. We've said that before and I think probably people in this room are aware of that. It is very, very difficult to prove. There are very few offences that we are able to actually prove that have been hacked. That is, intercepting the voicemail prior to the owner of that voicemail intercepting it him or herself.

Chairman: But there are 91 PIN numbers, is that right?

Mr Yates: There is a range of people and the figures vary between 91 and 120. We took steps last year, as I indicated last year, to say that even if there is the remotest possibility that someone may have been hacked, let's look and see if there is another category. Bearing in mind that we'd already had a successful prosecution and two people have gone to jail, we wouldn't normally do that, but because of the degree of concern I said we were to be extra cautious here and make sure we have established whether there is a possibility—and we put some criteria around that, which I won't bore you with—they have been hacked. That is where that figure comes from. It is out of a spirit of abundance of caution to make sure that we were ensuring that those who may have been hacked were contacted by us.[8]

He added: "We can only prove a crime against a very small number of people and that number is about 10 to 12 people. That is very few people."[9]

29.  This interpretation followed the approach taken by the police in 2005-07 on the basis of their understanding of the advice being given to them by the Crown Prosecution Service. The current Director of Public Prosecutions, Mr Keir Starmer, noted:

In 2009, I gave written evidence to the Culture, Media and Sport Committee. In that evidence I set out the approach that had been taken to section 1(1) of RIPA in the prosecution of Clive Goodman and Glenn Mulcaire, namely that to prove the criminal offence of interception the prosecution must prove that the actual message was intercepted prior to it being accessed by the intended recipient. I also set out the reasons why David Perry QC had approached the case on that basis at the time.

He went on to point out, however, that no distinction had been made in the terms of the charges against Messrs Mulcaire and Goodman between messages that had been accessed by the intended recipient and those that had not, and neither the prosecution nor the defence had raised this issue during the hearing, not least because both defendants in 2007 pleaded guilty. Therefore the judge was not required to make any ruling on the legal definition of any aspect of RIPA.[10]

30.  Unfortunately, the construction of the statute, the interpretation of the CPS's advice in 2005-07 and the interpretation of evidence given to both us and our sister committee, the Culture Media and Sport Committee, all became the subject of dispute between Mr Yates, Mr Starmer and Mr Chris Bryant MP, during the course of which there were allegations of selective quotation and deliberate misunderstanding of positions, and even, by implication, of misleading the Committees.[11] None of the participants had been present at the discussions of the cases of Messrs Mulcaire and Goodman, and all were relying on the recollections of those who were present and who could be asked for advice, together with the information supplied in any remaining documents, many of which had been drafted in the light of oral discussions and often to record a decision or position rather than to set out in detail every possible ramification of the discussions.

31.  Whilst it is now impossible to know the exact course of the discussions between the police and the CPS at the time, Mr Peter Clarke, the witness who was closest to the original investigation as the senior officer in charge, made it clear to us that he understood the legal advice to be that they should proceed on a narrow construction of the statute. That is, that they should assume they could prosecute successfully only if they could prove that someone had accessed a voicemail message without authorisation before the intended recipient had heard it. The police were able to gather enough evidence to support this in one case involving Messrs Mulcaire and Goodman, and they were able to link five further cases to Mr Mulcaire on the basis of similarity of method—as Mr Yates described them to our sister committee, "inferential" cases.[12] Because the two men pleaded guilty to all counts, the robustness of the inferential cases—and therefore the interpretation of section 1 of the Regulation of Investigatory Powers Act—was never tested.

32.  The National Policing Improvement Agency (NPIA) provides advice to the police on their own operations. Ian Snelling, Covert Advice Team Manager in the NPIA Specialist Operation Centre, confirmed that their advice to police, which had been 'essentially the same' since 2003, was as follows.

Ultimately it will be a matter for the courts to decide whether a stored communication, which has already been accessed, is capable of interception but until such time it remains my view that, on a strict interpretation of the law, the course of transmission of a communication, including those communications which are stored on the servers of the CSP such as voicemail messages, ends at the point at which the data leaves the telecommunication system by means of which it is being (or has been) transmitted and is no longer accessible, and not simply when the message has been listened to. Accessing such voicemails could therefore amount to a criminal interception of a communication, as well as a civil wrong, and should therefore be conducted with the appropriate consents and/or lawful authority under e.g. RIPA s1(5)(c) or s3.[13]

33.  In a letter to us dated 24 March 2011, Mr Yates cited a number of examples where the CPS in 2006 appeared to have taken a narrow interpretation of the offence. According to Mr Yates, this remained the police's understanding of how section 1 of RIPA should be interpreted until October 2010 when, in the context of the consideration of whether new evidence on the hacking issue was emerging, the new Director of Public Prosecutions addressed the construction of section 1. In his letter of 29 October 2010 to us, the DPP stated:

The role of the CPS is to advise the police on investigation and to bring prosecutions where it is appropriate to do so. In view of this, as I am sure you will appreciate, I need to take care not to appear to give a definitive statement of the law. For that reason, I will confine myself to explaining the legal approach that was taken in the prosecution of Clive Goodman and Glenn Mulcaire in 2006; and then indicate the general approach that I intend to take to on-going investigations and future investigations.[14]

... I have given very careful thought to the approach that should be taken in relation to on-going investigations and future investigations.

Since the provisions of RIPA in issue are untested and a court in any future case could take one of two interpretations, there are obvious difficulties for investigators and prosecutors. However, in my view, a robust attitude needs to be taken to any unauthorised interception and investigations should not be inhibited by a narrow approach to the provisions in issue. The approach I intend to take is therefore to advise the police and CPS prosecutors to proceed on the assumption that a court might adopt a wide interpretation of sections 1 and 2 of RIPA. In other words, my advice to the police and to CPS prosecutors will be to assume that the provisions of RIPA mean that an offence may be committed if a communication is intercepted or looked into after it has been accessed by the intended recipient and for so long as the system in question is used to store the communication in a manner which enables the (intended) recipient to have subsequent, or even repeated, access to it.[15]

34.  We have been frustrated by the confusion which has arisen from the evidence given by the CPS to us and our sister Committee. It is difficult to understand what advice was given to whom, when. Only on the last day on which we took evidence did it become clear that there had been a significant conversation between the Director of Public Prosecutions and Assistant Commissioner Yates regarding the mention in the Mulcaire papers of the name Neville and whether this and Mr Mulcaire's contract with News International were a sufficient basis on which to re-open the investigation. The fact that the CPS decided it was not, does not in any way exonerate the police from their actions during the inquiry.

35.  Section 2(7) of the Regulation of Investigatory Powers Act 2000 is particularly important and not enough attention has been paid to its significance.

Role of the Information Commissioner

36.  Given the fact that the aim of hacking is to obtain personal information, we thought it worth considering the various regulatory regimes dealing with the acquisition and use of information. Section 57 of the Regulation of Investigatory Powers Act creates the role of Interception of Communications Commissioner, but this role is limited to overseeing those issuing warrants to the police and security services permitting interception, and those acting under warrant or assisting those acting under warrant. Generally, as its short title implies, the Act is concerned more with defining the powers of the state to intercept the communications of those present in the UK in the course of legal investigations than with private individuals or organisations attempting interception. This Commissioner has no duties in respect of private sector operators, and in particular has no remit or resources to advise individuals who believe they have been victims of unauthorised interception of their communications by the private sector. The Surveillance Commissioners also operate under the Regulation of Investigatory Powers Act and the Police Act 1997, but their job is to oversee the use by state officials of covert surveillance operations and covert human intelligence sources (otherwise known as undercover officers and informants), and not interception of communications.

37.  We asked the Information Commissioner, Mr Christopher Graham, about his role in relation to telephone hacking. He replied that, although he and his office occasionally gave informal advice on the issues, he had no formal role under the Regulation of Investigatory Powers Act or the Misuse of Computers Act as he was not the prosecuting authority for either of these, and no one else had a regulatory role in respect of these Acts either:[16] he was appointed to oversee the Data Protection Act 1998 and the Privacy and Electronic Communications (EC Directive) Regulations 2003. He added:

Thus I have responsibility for taking action on the Data Protection Act s.55 offence that may arise from the unlawful 'blagging' of personal information from a data controller.[17] But the Information Commissioner does not have any regulatory competence in the area of interception of communication—which would cover hacking and tapping, for example, of mobile phone communications. This latter activity is dealt with entirely under the Regulation of Investigatory Powers Act. This means that the regulatory regime that covers the use, disclosure and interception of communications related data is fragmented.[18]

The problem is that whilst the Data Protection Act, the Privacy and Electronic Communications (EC Directive) Regulations and the Regulation of Investigatory Powers Act together form part of the framework of regulation that limits excessive surveillance and provides safeguards for individuals, it is only in relation to the Data Protection Act and Privacy and Electronic Communications (EC Directive) Regulations that there is an organisation charged with promoting compliance with the legislation and with providing authoritative advice to those who need it.[19]

38.  One missing part of this fragmented regime has been provided by the entry into force on 25 May 2011 of new Privacy and Electronic Communications Regulations which provide that any data controller who becomes aware of a breach of data security must inform not only the Information Commissioner but also the affected customers.[20] Also, there was an attempt at a more joined-up approach to regulation in this area by bringing together the Information Commissioner with the three other regulators (the Surveillance and Interception of Communications Commissioners and the interim Closed Circuit Television Commissioner) to discuss any gaps in the regime.[21] We are concerned that this meeting appeared to be a rarity, and that there is not enough linkage between the different Commissioners.

39.  The lack of a regulatory authority under the Regulation of Investigatory Powers Act has a number of serious consequences. Although the Information Commissioner's office provides some advice, there is no formal mechanism for either those who know they are in danger of breaking the law or those whose communications may be or have been intercepted to obtain information and advice. Moreover, the only avenue if anyone is suspected of unauthorised interception is to prosecute a criminal offence, which, as the Information Commissioner noted, is a high hurdle in terms of standard of proof as well as penalty.[22] Especially given the apparent increase of hacking in areas such as child custody battles and matrimonial disputes,[23] and the consequential danger of either the police being swamped or the law becoming unenforceable, there is a strong argument for introducing a more flexible approach to the regime, with the intention of allowing victims easier recourse to redress. We therefore recommend the extension of the Information Commissioner's remit to cover the provision of advice and support in relation to chapter 1 of the Regulation of Investigatory Powers Act.

40.  We also strongly recommend that the Government reviews how the Act must be amended to allow for a greater variety of penalties for offences of unlawful interception, including the option of providing for civil redress, whilst retaining the current penalty as a deterrent for serious breaches.

41.  We note that most of our witnesses claimed to be unaware at the time of the Information Commissioner's two 2006 reports, What price privacy? and What price privacy now?. We are disappointed that they did not attract more attention among the police, the media and in government, and hope that future such reports will be better attended to.

42.  We are concerned about the number of Commissioners, each responsible for different aspects of privacy. We recommend that the government consider seriously appointing one overall Commissioner, with specialists leading on each separate area.

43.  In relation to blagging, there were limits on the Information Commissioner's powers:

the Data Protection Act, insofar as it applies to this sort of thing, has a very broad exemption within it for what is called the special purposes, for literature, journalism and the arts. My investigatory powers can be very easily stymied by somebody telling me that what they are doing is for journalism, literature and the arts. All my powers of requiring information—information notices, investigation and the more dramatic stuff, kicking the door down—I can't do if there is an exemption for the special purposes. So my role in this area is, frankly, pretty limited.[24]

44.  We questioned the Information Commissioner, Mr Christopher Graham, about the practical limits this placed on his investigations. He explained that, whereas in other situations any application by him to a court with reference to an information notice would be straightforward, it might not be worth spending the time and financial resources to challenge the recipient of the notice in court if he/she was or might be a journalist and the investigation that the person was carrying out might be in the public interest: "I am not sure I could make an information notice stick under these circumstances."[25] The Information Commissioner therefore considered that the legislation as currently drafted in practice seriously limited his ability to challenge the illegal obtaining of personal information by those who could legitimately claim to be journalists.

45.  Furthermore, even where a case could be brought under section 55 of the Data Protection Act, the Information Commissioner considered that the penalties now available were inadequate, and he noted that magistrates were unwilling to impose even the maximum penalties currently available to them.[26] The maximum penalty for blagging under section 55 of the Data Protection Act is a fine of up to £5,000 in the magistrates court, although the fine may be higher if the case is prosecuted in the Crown Court.[27] He contrasted the situation with RIPA and the Misuse of Computers Act, which provide for a custodial sentence of up to two years as penalty for a breach. He noted that the Ministry of Justice was aware of the unsatisfactory situation in respect of the penalties attached to 'blagging' and that that department was exploring the possibility of bringing this activity within the ambit of legislation on restitution of the profits of crime [28] and talking to the Sentencing Advisory Council about recommending tougher penalties in its guidelines to magistrates.[29]

5   See section 35(3) Police and Justice Act 2006.

6   Inserted by s.78 of the Criminal Justice and Immigration Act 2008, which is not yet in force.

7   Ev126

8   Evidence taken before the Home Affairs Committee on 7 September 2011, Specialist Operations, HC 441-i, Q 5

9   Evidence taken before the Home Affairs Committee on 7 September 2011, Specialist Operations, HC 441-i, Q 9

10   Ev128

11   The dispute started with an Adjournment debate in the House of Commons initiated by Mr Chris Bryant MP on 10 March 2010 (HC Deb, 10 March 2010), continued through the letter columns of the Guardian during the next few days, and then each of the protagonists was enabled to give his views to Committees of the House, Mr Yates to the Culture, Media and Sport Committee on 24 March, Mr Bryant and Mr Yates to us on 29 March, and the Director of Public Prosecutions to us on 5 April.

12   Q 454

13   Ev146

14   Ev128

15   Ev161

16   Qq 155-161

17   'Blagging' is where an unauthorised person obtains personal information (addresses, telephone numbers, medical information, financial information, etc.) from a source that legitimately holds the information by pretending to be either the individual whose information is held or someone else with a legitimate right to access the information.

18   Ev126

19   Ev126

20   Q 156

21   Qq 147-149

22   Ev126

23   Q 133 and What Price Privacy Now?, December 2006

24   Q 133

25   Qq 139-144

26   Qq 150-152

27   Section 60 of the Data Protection Act

28   The Information Commissioner estimated that the profits from the unlawful sale of personal information in the UK would amount to some millions of pounds per year: in one case alone, those selling the information were being paid £70,000 a week for the information: Qq 152-154

29   Q 151


© Parliamentary copyright 2011
Prepared 28 October 2011