December 16, 2006

Interception and Monitoring of Communications in FE and HE

From: JISC Legal Information Service, 4 April 2006, by Betty Willder

'...Interception and monitoring legislation is a potentially contentious area for colleges and universities. It is important to strike a balance between the need on occasions to intercept or monitor communications (e.g. by the police for the prevention or detection of crime, or by the college or university itself for operational purposes) and the privacy and freedom of expression rights of the individual whose communications may be intercepted.

New laws were therefore introduced to take account of advances in technology and to attempt to address the interests of both camps.

...It is important to emphasise at the outset that any interception should be regarded as exceptional by nature and must always be done on a clear legal base. Any action taken should always be directed to a statutory provision and must be proportionate to that purpose.

...The Regulation of Investigatory Powers Act 2000 ('the RIPA') rovides that to intentionally and without lawful authority intercept a communication on a private system (e.g. the JANET connection) in the course of its transmission, unless it is done or authorised by someone with the right of control e.g. the Principal or his IT manager acting on his authority
, is a criminal offence.

It should also be noted that whilst it may not be a criminal offence for someone with the right of control or authorised, to intercept on a private system, there may be grounds for a civil action for damages if there is no
lawful authority to intercept...

Lawful Authority to Intercept
  • Lawful authority is required to intercept.
  • If there is no lawful authority then consent of the sender and receiver of the communication is needed.
  • The RIPA allows some limited interception by the controller of the system without the consent of the sender or the recipient.
  • The RIPA sets out the conditions under which third parties such as the police may intercept.
  • The Lawful Business Regulations are the main source of lawful authority for the controller of the system to intercept and monitor. They permit the monitoring or keeping a record of communications to for purposes such as standards, national security, prevention and detection of crime, investigating unauthorized use, and ensuring effective system operation.
  • The interception must also be relevant to the business of the system controller.
  • Every effort must have been made to tell users that interception may take place.
  • A communication which has been intercepted and contains personal data is subject to the Data Protection Act 1998.
Possible examples of permitted interceptions
  • To check the content of e-mail to ensure that the institutions standards and quality control is not being breached or that third party standards are being followed e.g. the JANET Acceptable Use Policy.
  • To check that the system is being used for legitimate purposes only.
  • Under a valid warrant obtained by a specified authority e.g. the police or customs and excise etc.
  • Some measure of interception is likely to be essential to for example, check or prevent a virus spreading through the system, or to eliminate spam.
  • Routine interception for operational purposes such as backing up or forwarding to the correct address.
  • Monitoring (but not recording) may also be permissible to ascertain whether a communication is business or personal. An institution may need to check e-mails or voice mail for example in the prolonged absence of staff in accordance with an agreed institutional procedure.
  • Where a college operates a confidential helpline service, (for example a collaboration between the institution and the students union), monitoring (but not recording) of calls to support or protect the staff.

None of these examples should be taken as providing unlimited interception powers to colleges and universities and heed should always be paid to the purpose of the interception and the legal basis on which it is done. Staff and students should be clear as to the level of monitoring which may take place.

Essentials for colleges and universities

Colleges and Universities as a minimum should have the following in place. An email and internet policy which:
  • Lets the user know what level of interception is likely to take place
  • states the do's and don'ts for the user including whether personal use is permitted
  • states the level of privacy the user can expect including whether 'cookies ' or other information gathering devices are in use
  • lets the user know the penalties for breach of the policy
  • is linked with employment contracts, grievance and disciplinary procedures, and acceptable use policies
  • has been cross checked with student and staff handbooks, departmental guidelines etc to ensure consistency
  • forms part of induction training
  • is visible to all e.g. consider notices at log in, on walls in computer suites, and regular on screen reminder notices to ensure ongoing visibility of the policy
  • is reviewed on a regular basis...
Having these policies and procedures in place will aid in compliance with the law but cannot guarantee complete protection in what is recognised as a difficult area of the law which in many respects has still to be interpreted by the courts.'

The above does not allow for much flexibility and since electronic communications are relatively new, as the author states it 'is a difficult area of law which in many respects has still to be interpreted by courts'.

Most universities are likely to have in place an Acceptable Use Policy, along the lines of:

The University seeks to promote and facilitate the proper and extensive use of Information Technology in the interests of learning and research. Whilst the tradition of academic freedom will be fully respected, this also requires responsible and legal use of the technologies and facilities made available to students and staff of the University... The University fully reserves the right to monitor e-mail, telephone and any other electronically-mediated communications...

And this is where the grey area appears, i.e. academic freedom will be fully respected BUT the university reserves the right to monitor... and if needed - or if convinient - apply disciplinary penalties. The end result is some daring individuals testing the system, or self-censorship.

A report released by the Foundation for Individual Rights in Education (FIRE) reveals that burdensome restrictions on speech are commonplace at America’s colleges and universities. The report, entitled Spotlight on Speech Codes 2006: The State of Free Speech on Our Nation’s Campuses, surveyed more than 330 schools and found that an overwhelming majority of them explicitly prohibit speech that, outside the borders of campus, is protected by the First Amendment to the U.S. Constitution.

And here is a daring academic that challenged the system... The true story of the world precedent legal ruling on email privacy.


Anonymous said...

Communications monitoring, bring in communism

Communications Monitoring conflicts with true scholarship and should be banned completely. There are morally correct means to achieve what communications monitoring is claiming to.

Communications monitoring is done on a daily basis, often by project supervisors who spend most of their time doing consultancy work outside the university. It is justified by universities as a need to monitor performance and is done without warning the researcher.

Communications Monitoring provides the perfect platform for those senior academics/researchers to lift material from a researcher's space on the server as well as from his/her emails. Attempts by the researcher to establish his/her academic career, including obtaining research funds independently can be sabotaged by the senior researcher or academic. Sometimes ideas that are still being debated or are still in their infancy are hijacked by a morally-deficient (and ideas-deficient) senior researcher. The researcher is left with nothing to support his/her case but by pointing out to the sudden change in that academic's demonstrated line of thought or quality of work, which is usually attributed by a greedy university to the "natural evolution" in that academics thinking, even if it is a step change from what that academic has been doing for over a decade with the same research topic.

The problem is made worse when his colleagues collude and distribute the ideas among themselves like a "war booty", or if the academic passes on the idea to a favoured researcher.

Pierre-Joseph Proudhon said...

Indeed. Monitoring can be used for various reasons beyond the so called 'legitimate' reasons. Those that hold the keys are never really accountable. They are a law upon themselves.

I remember a trick I played to one of our IT persons who I knew was monitoring my email. I wrote in an email something implicating him - I had the evidence - and when he read my email he got so scared, he went and confessed by himself!

I also know of staff who never use the university's network and use only their own email to communicate, thus by-passing the controlled network.

Regarding supervisors monitoring staff emails to take their ideas from them, why is it that nothing surprises me?