InfoSecurity show

Quentin Campbell Q.G.Campbell at
Wed Apr 30 14:12:34 IST 2003

> -----Original Message-----
> From: Kevin Spicer [mailto:kevins at BMRB.CO.UK] 
> Sent: 29 April 2003 21:42
> Subject: Re: InfoSecurity show
> FWIW The main argument I hear for moving to a commercial 
> product is the 'content filtering' that some of the 
> commercial products claim to do. The main reasons for this 
> being HR & legal related (not just porn but also profanity, 
> and prevention of information leakage - quite how that could 
> be achieved with any degree of certainty). I know all about 
> the striphtml action, but that alone isn't seen as being 
> enough.  The other 'essential requirement' of a content 
> filtering is detailed reporting.

If you work in the UK, be very, very careful in what you do with
"detailed reporting".

Automatic spam filtering, tagging and stripping of HTML is lawful under
RIPA in the United Kingdom. However if in addition to that you are also
recording and reporting to a third party some of the content that was
filtered then that is "interception" under RIPA 2000. See

It is a criminal offence (max. 2 years imprisonment) under section 1(2)
of RIPA to intercept on a private communications system without lawful

You may be excluded from the criminal liability under section 1(2) if
you are (a) the person with a right to control operation or use of the
system, or (b) you have the express or implied consent of such a person
to make the interception (see section 1(6)).

However even if you have that express or implied consent to intercept
communications on a private network your action may then be actionable
in a civil suit by the sender or recipient of a communication if the
interception takes place without lawful authority (see section 1(3)). 

The rules for legitimate interception that provide "lawful authority"
can be found in the Telecommunications (Lawful Business
Practice)(Interception of Communications) Regulations 2000. See

There is also a helpful JISC paper on e-mail monitoring under RIPA at


Sys Admins like me should have any authorities/permissions/requests
given expressly in writing; this was the advice from a lawyer. This will
protect you from unscrupulous employers who may later take disciplinary
action against you and try to dismiss you on the grounds that you did
not have their "implied consent" to do things. Even a university is not
beyond such contemptible conduct against its employees.

PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
"Any opinion expressed above is mine. The University can get its own." 
