Legal Implications was(Re: Announce: MailScanner-Console-0.1)

Quentin Campbell Q.G.Campbell at NEWCASTLE.AC.UK
Tue Jun 17 16:33:59 IST 2003

> -----Original Message-----
> From: Francois Caen [mailto:FCaen at CI.LAKEWOOD.WA.US] 
> Sent: 17 June 2003 15:37
> Subject: Re: Legal Implications was(Re: Announce: MailScanner-Console-0.1)
> -----Original Message-----
> From: Julian Field [mailto:mailscanner at ECS.SOTON.AC.UK] 
> > The From, To and Subject are all considered private information in the EU.
> So... What about sendmail's plain old maillog???
> Are you not allowed to look at it? Do you disable sendmail logging??

It is a bit of a legal minefield in the UK. But, yes, you can look at
Sendmail logs. To summarise...

In the UK the Subject: line is considered "content" while the "To:",
"From:", and other headers are considered to be "traffic data".

Monitoring any "content" in the UK is "interception". Under the
Regulation of Investigatory Powers Act 2000 it is a criminal offence to
"intentionally and without lawful authority" intercept any
communication in the course of its transmission by a public
telecommunications system.

This also applies to a private telecommunications service but there are
special exceptions in RIPA that give the necessary "lawful authority"
to certain people in an organisation for purposes connected with the
provision or operation of that service.

The exceptions are very limited and the rules for legitimate
interception are set out in the Telecommunications (Lawful Business
Practice)(Interception of Communications) Regulations 2000. 

To answer your question about Sendmail logs, the "Subject:" line is not
normally part of the logged information so we are only dealing there
with "traffic data". 

Where an organisation like my University is only involved in operating a
_private_ telecommunications service then we can do what we want with
"traffic data" because it is not subject to RIPA in those circumstances.

But a word of caution. The Sendmail logs of a private telecommunications
service may be subject to the Data Protection Act! The latter applies
because "To:", "From:" and related header records are considered
"personal data" when they identify individuals. 

[A further word of caution. If you are using Sendmail as the MTA in a
_public_ telecommunications service in the UK then what you do with the
"traffic data" in the Sendmail logs is subject to RIPA.]

The latest draft of "The Employment Practices Data Protection Code -
Part 3: Monitoring at Work" has just been released by the Office of the
Information Commissioner (the old "Data Protection Registrar"). This
explains about the legalities and limitations on monitoring and logging
in the workplace where a private telecommunications service is being
operated (includes telephones). [This Code of Practice does _not_ apply
to any organisation operating a public telecommunications service.] 

PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
"Any opinion expressed above is mine. The University can get its own."
