2 The legislation covering interception
of electronic communications
15. When Mr Clarke and Mr Hayman came to investigate
the allegations of interference with the voicemails of members
of the Royal Household in November 2005, the police were faced
with various pieces of legislation that might be used against
the perpetrators, each of which had advantages and disadvantages.
The one on which, on advice from the Crown Prosecution Service,
they chose to focus was section 1 of the Regulation of Investigatory
Powers Act 2000. However, sections of the Data Protection Act
1999 and the Computer Misuse Act 1990 were also relevant.
16. We discuss these latter two Acts first and
explain why the police and the CPS were disinclined to use them,
before going on to set out the difficulties surrounding section
1 of the Regulation of Investigatory Powers Act.
COMPUTER MISUSE ACT AND DATA PROTECTION
ACT
17. The offence under section 1 of the Computer
Misuse Act is committed where a person knowingly 'causes a computer
to perform any function' with intent to secure unauthorised access
to any program or data held in any computer, or to enable any
such access to be secured. There has to be some interaction with
the computer, so that merely reading confidential data displayed
on a screen or reading the printed output from the computer would
not constitute the offence. On the other hand, it can be argued
that using the owner's PIN number or password without his authority
to access his e-mails or voicemails would fall within the scope
of the offence, as it would cause the computer to perform a function.
18. Until 2008, the offence under s.1 of the
1990 Act was triable summarily, with a maximum penalty of only
six months' imprisonment. This was therefore the situation during
the first investigation into hacking in 2005-06. The offence is
now[5] also triable on
indictment with a maximum penalty of two years' imprisonment,
the same mode of trial and penalty as the interception offence
under the Regulation of Investigatory Powers Act.
19. The Data Protection Act 1998 creates a number
of offences, but the most relevant is the offence of unlawful
obtaining of personal data. Section 55 of the 1998 Act makes it
an offence knowingly or recklessly to obtain or disclose personal
data without the consent of the data controller. The offence may
be tried either summarily or on indictment. Section 77 of the
Criminal Justice and Immigration Act 2008 confers an order-making
power to provide for the imposition of a sentence of imprisonment,
but this has not yet been brought into effect and currently,
the penalty is limited to a fine.
20. It is very difficult to imagine a voicemail
or other personal message which did not contain some personal
data of either the sender or the intended recipient. However,
section 55(2) provides for a number of defences which conceivably
might inhibit a successful prosecution for 'hacking'. Of most
direct relevance to this case, it is a defence to show that obtaining
or disclosing the information was justified as being in the public
interest (s.55(2)(d)). This defence has been prospectively broadened
by a new s.55(2)(ca)[6]
which makes it a defence to show that the person acted with a
view to the publication by any person of any journalistic, literary
or artistic material, and in the reasonable belief that in the
particular circumstances the obtaining, disclosing or procuring
was justified as being in the public interest. Journalists inquiring
into public figures might seek to rely on the new defence but
would need to show that they were acting in the public interest.
The defence is unlikely to apply at all in relation to the alleged
tampering with the voicemails of essentially private individuals
unwittingly brought to public attention through their connection
with victims of crime or with service personnel killed in battle;
but the police and prosecutors claim not to have been aware of
these cases at the time of the original investigation because
they had not fully reviewed the other 11,000 pages from the Mulcaire
case.
21. The current Director of Public Prosecutions,
Mr Keir Stamer QC, in a letter to us recognised the disadvantages
of using these two pieces of legislation in the circumstances
of the time, saying: "So far, prosecutions have (rightly
in my view) been brought under the Regulation of Investigatory
Powers Act 2000 (RIPA), but, depending on the circumstances and
available evidence, offences under the Computer Misuse Act 1990
and/or the Data Protection Act 1998 might also fall to be considered
in on-going or future investigations."[7]
Regulation of Investigatory Powers
Act
Section 1 (Unlawful interception) of the Regulation of Investigatory Powers Act says:
(1) It shall be an offence for a person intentionally and without lawful authority to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of
(a)a public postal service; or
(b)a public telecommunication system.
(2) It shall be an offence for a person
(a)intentionally and without lawful authority, and
(b)otherwise than in circumstances in which his conduct is excluded by subsection (6) from criminal liability under this subsection,
to intercept, at any place in the United Kingdom, any communication in the course of its transmission by means of a private telecommunication system.
...............................
(7) A person who is guilty of an offence under subsection (1) or (2) shall be liable
(a) on conviction on indictment, to imprisonment for a term not exceeding two years or to a fine, or to both;
(b) on summary conviction, to a fine not exceeding the statutory maximum.
Section 2 (Meaning and location of "interception" etc.)E+W+S+N.I.
[Subsection (1)defines "postal service" , "private telecommunication system", "public postal service", "public telecommunications service", "public telecommunication system", "telecommunications service" and "telecommunication system".]
(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he
(a) so modifies or interferes with the system, or its operation,
(b) so monitors transmissions made by means of the system, or
(c) so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.
.................................
(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.
(8) For the purposes of this section the cases in which any contents of a communication are to be taken to be made available to a person while being transmitted shall include any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.
...............................
|
22. The offence under Regulation of Investigatory
Powers Act 2000 section 1 is committed by a person who (intentionally
and without lawful authority) intercepts any communication "in
the course of its transmission" by a telecommunications system.
The Director of Public Prosecutions told us: "Once the communication
can no longer be said to be in the course of transmission by the
means of the 'system' in question, then no interception offence
is possible" and added: "Taking the ordinary meaning
of those expressions one would expect the transmission of a communication
to occur between the moment of introduction of the communication
into the system by the sender and the moment of its delivery to,
or receipt by, the addressee."
23. That appears to have been the basis on which
the Crown Prosecution Service advised the police in 2005-06. It
was also the very clear view of the CPS in July 2009 when it gave
written evidence to the Culture, Media and Sport Committee and
stated:
THE LAW
To prove the criminal offence of interception the
prosecution must prove that the actual message was intercepted
prior to it being accessed by the intended recipient.
24. However, Section 2(2) has to be read in conjunction
with section 2(7) which provides that 'in the course of transmission'
includes "any time when the system by means of which the
communication is being, or has been, transmitted is used for storing
it in a manner that enables the intended recipient to collect
it or otherwise to have access to it". Whilst it is clear
that any stored message not yet received and heard or read may
be considered still "being transmitted", what about
messages already received and heard or read but left stored in
the system? Again, as the Director of Public Prosecutions put
it:
The difficulty of interpretation is this: Does the
provision mean that the period of storage referred to comes to
an end on first access or collection by the intended recipient,
or does it continue beyond such first access for so long as the
system is used to store the communication in a manner which enables
the (intended) recipient to have subsequent, or even repeated,
access to it?
25. One of the roles of the courts is to clarify
the construction of statute where necessary. For reasons that
are described below, however, as yet no court has been asked to
consider this issue.
26. We have gone into detail in relation to this
question because the interpretation of these sections of the Regulation
of Investigatory Powers Act has formed a major source of contention
in respect of the definition of who has been a 'victim' of hacking
and the likelihood of achieving successful prosecutions, influenced
the conduct of the 2005-06 police investigation and the subsequent
approach of the police to hacking, and was the focus of much of
the disagreement among our witnesses as to what ought to have
been done.
Impact of the interpretation of
the legislation on the police investigations
27. Considerable argument before the Committee
has focused on the advice on the interpretation of RIPA given
by the Crown Prosecution Service to the police in 2005-07, whether
the police correctly understood the advice, and whether the advice
has changed subsequently. The Mulcaire and Goodman cases were
the first in which section 1 of RIPA was applied to the hacking
of mobile phone voicemails.
28. In the course of his oral evidence to us
in September 2010, Assistant Commissioner Yates was asked about
the 91 people whose PIN numbers were allegedly listed in Mr Mulcaire's
papers: the Chair referred to these people as 'victims' of hacking,
and Mr Yates replied:
"Victims of hacking" is taking it a bit
far because hacking is defined in a very prescriptive way by the
Regulation of Investigatory Powers Act and it's very, very prescriptive
and it's very difficult to prove. We've said that before and I
think probably people in this room are aware of that. It is very,
very difficult to prove. There are very few offences that we are
able to actually prove that have been hacked. That is, intercepting
the voicemail prior to the owner of that voicemail intercepting
it him or herself.
Chairman: But there
are 91 PIN numbers, is that right?
Mr Yates: There
is a range of people and the figures vary between 91 and 120.
We took steps last year, as I indicated last year, to say that
even if there is the remotest possibility that someone may have
been hacked, let's look and see if there is another category.
Bearing in mind that we'd already had a successful prosecution
and two people have gone to jail, we wouldn't normally do that,
but because of the degree of concern I said we were to be extra
cautious here and make sure we have established whether there
is a possibilityand we put some criteria around that, which
I won't bore you withthey have been hacked. That is where
that figure comes from. It is out of a spirit of abundance of
caution to make sure that we were ensuring that those who may
have been hacked were contacted by us.[8]
He added: "We can only prove a crime against
a very small number of people and that number is about 10 to 12
people. That is very few people."[9]
29. This interpretation followed the approach
taken by the police in 2005-07 on the basis of their understanding
of the advice being given to them by the Crown Prosecution Service.
The current Director of Public Prosecutions, Mr Keir Starmer,
noted:
In 2009, I gave written evidence to the Culture,
Media and Sport Committee. In that evidence I set out the approach
that had been taken to section 1(1) of RIPA in the prosecution
of Clive Goodman and Glenn Mulcaire, namely that to prove the
criminal offence of interception the prosecution must prove that
the actual message was intercepted prior to it being accessed
by the intended recipient. I also set out the reasons why David
Perry QC had approached the case on that basis at the time.
He went on to point out, however, that no distinction
had been made in the terms of the charges against Messrs Mulcaire
and Goodman between messages that had been accessed by the intended
recipient and those that had not, and neither the prosecution
nor the defence had raised this issue during the hearing, not
least because both defendants in 2007 pleaded guilty. Therefore
the judge was not required to make any ruling on the legal definition
of any aspect of RIPA.[10]
30. Unfortunately, the construction of the statute,
the interpretation of the CPS's advice in 2005-07 and the interpretation
of evidence given to both us and our sister committee, the Culture
Media and Sport Committee, all became the subject of dispute between
Mr Yates, Mr Starmer and Mr Chris Bryant MP, during the course
of which there were allegations of selective quotation and deliberate
misunderstanding of positions, and even, by implication, of misleading
the Committees.[11] None
of the participants had been present at the discussions of the
cases of Messrs Mulcaire and Goodman, and all were relying on
the recollections of those who were present and who could be asked
for advice, together with the information supplied in any remaining
documents, many of which had been drafted in the light of oral
discussions and often to record a decision or position rather
than to set out in detail every possible ramification of the discussions.
31. Whilst it is now impossible to know the exact
course of the discussions between the police and the CPS at the
time, Mr Peter Clarke, the witness who was closest to the original
investigation as the senior officer in charge, made it clear to
us that he understood the legal advice to be that they should
proceed on a narrow construction of the statute. That is, that
they should assume they could prosecute successfully only if they
could prove that someone had accessed a voicemail message without
authorisation before the intended recipient had heard it. The
police were able to gather enough evidence to support this in
one case involving Messrs Mulcaire and Goodman, and they were
able to link five further cases to Mr Mulcaire on the basis of
similarity of methodas Mr Yates described them to our sister
committee, "inferential" cases.[12]
Because the two men pleaded guilty to all counts, the robustness
of the inferential casesand therefore the interpretation
of section 1 of the Regulation of Investigatory Powers Actwas
never tested.
32. The National Policing Improvement Agency
(NPIA) provides advice to the police on their own operations.
Ian Snelling, Covert Advice Team Manager in the NPIA Specialist
Operation Centre, confirmed that their advice to police, which
had been 'essentially the same' since 2003, was as follows.
Ultimately it will be a matter for the courts to
decide whether a stored communication, which has already been
accessed, is capable of interception but until such time it remains
my view that, on a strict interpretation of the law, the course
of transmission of a communication, including those communications
which are stored on the servers of the CSP such as voicemail messages,
ends at the point at which the data leaves the telecommunication
system by means of which it is being (or has been) transmitted
and is no longer accessible, and not simply when the message has
been listened to. Accessing such voicemails could therefore amount
to a criminal interception of a communication, as well as a civil
wrong, and should therefore be conducted with the appropriate
consents and/or lawful authority under e.g. RIPA s1(5)(c) or s3.[13]
33. In a letter to us dated 24 March 2011, Mr
Yates cited a number of examples where the CPS in 2006 appeared
to have taken a narrow interpretation of the offence. According
to Mr Yates, this remained the police's understanding of how section
1 of RIPA should be interpreted until October 2010 when, in the
context of the consideration of whether new evidence on the hacking
issue was emerging, the new Director of Public Prosecutions addressed
the construction of section 1. In his letter of 29 October 2010
to us, the DPP stated:
The role of the CPS is to advise the police on investigation
and to bring prosecutions where it is appropriate to do so. In
view of this, as I am sure you will appreciate, I need to take
care not to appear to give a definitive statement of the law.
For that reason, I will confine myself to explaining the legal
approach that was taken in the prosecution of Clive Goodman and
Glenn Mulcaire in 2006; and then indicate the general approach
that I intend to take to on-going investigations and future investigations.[14]
... I have given very careful thought to the approach
that should be taken in relation to on-going investigations and
future investigations.
Since the provisions of RIPA in issue are untested
and a court in any future case could take one of two interpretations,
there are obvious difficulties for investigators and prosecutors.
However, in my view, a robust attitude needs to be taken to any
unauthorised interception and investigations should not be inhibited
by a narrow approach to the provisions in issue. The approach
I intend to take is therefore to advise the police and CPS prosecutors
to proceed on the assumption that a court might adopt a wide interpretation
of sections 1 and 2 of RIPA. In other words, my advice to the
police and to CPS prosecutors will be to assume that the provisions
of RIPA mean that an offence may be committed if a communication
is intercepted or looked into after it has been accessed by the
intended recipient and for so long as the system in question is
used to store the communication in a manner which enables the
(intended) recipient to have subsequent, or even repeated, access
to it.[15]
34. We have been frustrated by the confusion
which has arisen from the evidence given by the CPS to us and
our sister Committee. It is difficult to understand what advice
was given to whom, when. Only on the last day on which we took
evidence did it become clear that there had been a significant
conversation between the Director of Public Prosecutions and Assistant
Commissioner Yates regarding the mention in the Mulcaire papers
of the name Neville and whether this and Mr Mulcaire's contract
with News International were a sufficient basis on which to re-open
the investigation. The fact that the CPS decided it was not, does
not in any way exonerate the police from their actions during
the inquiry.
35. Section 2(7) of the Regulation of Investigatory
Powers Act 2000 is particularly important and not enough attention
has been paid to its significance.
Role of the Information Commissioner
36. Given the fact that the aim of hacking is
to obtain personal information, we thought it worth considering
the various regulatory regimes dealing with the acquisition and
use of information. Section 57 of the Regulation of Investigatory
Powers Act creates the role of Interception of Communications
Commissioner, but this role is limited to overseeing those issuing
warrants to the police and security services permitting interception,
and those acting under warrant or assisting those acting under
warrant. Generally, as its short title implies, the Act is concerned
more with defining the powers of the state to intercept the communications
of those present in the UK in the course of legal investigations
than with private individuals or organisations attempting interception.
This Commissioner has no duties in respect of private sector
operators, and in particular has no remit or resources to advise
individuals who believe they have been victims of unauthorised
interception of their communications by the private sector. The
Surveillance Commissioners also operate under the Regulation
of Investigatory Powers Act and the Police Act 1997, but their
job is to oversee the use by state officials of covert surveillance
operations and covert human intelligence sources (otherwise known
as undercover officers and informants), and not interception of
communications.
37. We asked the Information Commissioner, Mr
Christopher Graham, about his role in relation to telephone hacking.
He replied that, although he and his office occasionally gave
informal advice on the issues, he had no formal role under the
Regulation of Investigatory Powers Act or the Misuse of Computers
Act as he was not the prosecuting authority for either of these,
and no one else had a regulatory role in respect of these Acts
either:[16] he was appointed
to oversee the Data Protection Act 1998 and the Privacy and Electronic
Communications (EC Directive) Regulations 2003. He added:
Thus I have responsibility for taking action on the
Data Protection Act s.55 offence that may arise from the unlawful
'blagging' of personal information from a data controller.[17]
But the Information Commissioner does not have any regulatory
competence in the area of interception of communicationwhich
would cover hacking and tapping, for example, of mobile phone
communications. This latter activity is dealt with entirely under
the Regulation of Investigatory Powers Act. This means that the
regulatory regime that covers the use, disclosure and interception
of communications related data is fragmented.[18]
The problem is that whilst the Data Protection Act,
the Privacy and Electronic Communications (EC Directive) Regulations
and the Regulation of Investigatory Powers Act together form part
of the framework of regulation that limits excessive surveillance
and provides safeguards for individuals, it is only in relation
to the Data Protection Act and Privacy and Electronic Communications
(EC Directive) Regulations that there is an organisation charged
with promoting compliance with the legislation and with providing
authoritative advice to those who need it.[19]
38. One missing part of this fragmented regime
has been provided by the entry into force on 25 May 2011 of new
Privacy and Electronic Communications Regulations which provide
that any data controller who becomes aware of a breach of data
security must inform not only the Information Commissioner but
also the affected customers.[20]
Also, there was an attempt at a more joined-up approach to regulation
in this area by bringing together the Information Commissioner
with the three other regulators (the Surveillance and Interception
of Communications Commissioners and the interim Closed Circuit
Television Commissioner) to discuss any gaps in the regime.[21]
We are concerned that this meeting appeared to be a rarity, and
that there is not enough linkage between the different Commissioners.
39. The lack of a regulatory authority under
the Regulation of Investigatory Powers Act has a number of serious
consequences. Although the Information Commissioner's office provides
some advice, there is no formal mechanism for either those who
know they are in danger of breaking the law or those whose communications
may be or have been intercepted to obtain information and advice.
Moreover, the only avenue if anyone is suspected of unauthorised
interception is to prosecute a criminal offence, which, as the
Information Commissioner noted, is a high hurdle in terms of standard
of proof as well as penalty.[22]
Especially given the apparent increase of hacking in
areas such as child custody battles and matrimonial disputes,[23]
and the consequential danger of either the police being swamped
or the law becoming unenforceable, there is a strong argument
for introducing a more flexible approach to the regime, with the
intention of allowing victims easier recourse to redress. We therefore
recommend the extension of the Information Commissioner's remit
to cover the provision of advice and support in relation to chapter
1 of the Regulation of Investigatory Powers Act.
40. We also strongly recommend that the Government
reviews how the Act must be amended to allow for a greater variety
of penalties for offences of unlawful interception, including
the option of providing for civil redress, whilst retaining the
current penalty as a deterrent for serious breaches.
41. We note that most of our witnesses claimed
to be unaware at the time of the Information Commissioner's two
2006 reports, What price privacy? and What price privacy
now?. We are disappointed that they did not attract more attention
among the police, the media and in government, and hope that future
such reports will be better attended to.
42. We are concerned about the number of Commissioners,
each responsible for different aspects of privacy. We recommend
that the government consider seriously appointing one overall
Commissioner, with specialists leading on each separate area.
43. In relation to blagging, there were limits
on the Information Commissioner's powers:
the Data Protection Act, insofar as it applies to
this sort of thing, has a very broad exemption within it for what
is called the special purposes, for literature, journalism and
the arts. My investigatory powers can be very easily stymied by
somebody telling me that what they are doing is for journalism,
literature and the arts. All my powers of requiring informationinformation
notices, investigation and the more dramatic stuff, kicking the
door downI can't do if there is an exemption for the special
purposes. So my role in this area is, frankly, pretty limited.[24]
44. We questioned the Information Commissioner,
Mr Christopher Graham, about the practical limits this placed
on his investigations. He explained that, whereas in other situations
any application by him to a court with reference to an information
notice would be straightforward, it might not be worth spending
the time and financial resources to challenge the recipient of
the notice in court if he/she was or might be a journalist and
the investigation that the person was carrying out might be in
the public interest: "I am not sure I could make an information
notice stick under these circumstances."[25]
The Information Commissioner therefore considered that the legislation
as currently drafted in practice seriously limited his ability
to challenge the illegal obtaining of personal information by
those who could legitimately claim to be journalists.
45. Furthermore, even where a case could be brought
under section 55 of the Data Protection Act, the Information Commissioner
considered that the penalties now available were inadequate, and
he noted that magistrates were unwilling to impose even the maximum
penalties currently available to them.[26]
The maximum penalty for blagging under section 55 of the Data
Protection Act is a fine of up to £5,000 in the magistrates
court, although the fine may be higher if the case is prosecuted
in the Crown Court.[27]
He contrasted the situation with RIPA and the Misuse of Computers
Act, which provide for a custodial sentence of up to two years
as penalty for a breach. He noted that the Ministry of Justice
was aware of the unsatisfactory situation in respect of the penalties
attached to 'blagging' and that that department was exploring
the possibility of bringing this activity within the ambit of
legislation on restitution of the profits of crime [28]
and talking to the Sentencing Advisory Council about recommending
tougher penalties in its guidelines to magistrates.[29]
5 See section 35(3) Police and Justice Act 2006. Back
6
Inserted by s.78 of the Criminal Justice and Immigration Act 2008,
which is not yet in force. Back
7
Ev126 Back
8
Evidence taken before the Home Affairs Committee on 7 September
2011, Specialist Operations, HC 441-i, Q 5 Back
9
Evidence taken before the Home Affairs Committee on 7 September
2011, Specialist Operations, HC 441-i, Q 9
Back
10
Ev128 Back
11
The dispute started with an Adjournment debate in the House of
Commons initiated by Mr Chris Bryant MP on 10 March 2010 (HC Deb,
10 March 2010), continued through the letter columns of the Guardian
during the next few days, and then each of the protagonists was
enabled to give his views to Committees of the House, Mr Yates
to the Culture, Media and Sport Committee on 24 March, Mr Bryant
and Mr Yates to us on 29 March, and the Director of Public Prosecutions
to us on 5 April. Back
12
Q 454 Back
13
Ev146 Back
14
Ev128 Back
15
Ev161 Back
16
Qq 155-161 Back
17
'Blagging' is where an unauthorised person obtains personal information-addresses,
telephone numbers, medical information, financial information,
etc-from a source that legitimately hold the information by pretending
to be either the individual whose information is held or someone
else with a legitimate right to access the information. Back
18
Ev126 Back
19
Ev126 Back
20
Q 156 Back
21
Qq 147-149 Back
22
Ev126 Back
23
Q 133 and What Price Privacy Now?, December 2006 Back
24
Q 133 Back
25
Qq 139-144 Back
26
Qq 150-152 Back
27
Section 60 of the Data Protection Act Back
28
The Information Commissioner estimated that the profits from the
unlawful sale of personal information in the UK would amount to
some millions of pounds per year: in one case alone, those selling
the information were being paid £70,000 a week for the information:
Qq 152-154 Back
29
Q 151 Back
|