Networking, computers and the law

Network monitoring

Any network operator will need, from time to time, to examine the traffic that is flowing on their network, whether for capacity planning, tracing faults or investigating use or abuse of the network.

Respecting privacy

The law provides for these kinds of activity; however, any work on a communications network must comply with the Human Rights Act 1998 which states that individuals have a right to respect for the privacy of their communications.

Information about the volume or performance of network traffic flows will not normally fall within the Human Rights Act, but if a flow can be associated with an individual person then it will be protected by the Data Protection Act 2018 and General Data Protection Regulation.

Any monitoring or investigation that may, whether deliberately or accidentally, reveal the content of packets or messages will also be subject to the Investigatory Powers Act 2016. This Act distinguishes between monitoring required for the operation of a service (for example tracing network faults), and monitoring done for business purposes, including the policing of acceptable use policies.

Who can perform network monitoring?

Operational monitoring may, in general, be done at any time by the authorised operator of the service.

Business monitoring may only be done after users have been notified and for purposes set out in the Interception by Businesses etc. for Monitoring and Record-keeping Purposes Regulations associated with the Act. 

Ensure your actions are appropriate

The Human Rights Act further requires that any invasion of privacy must be proportionate to the risk that is being addressed by the monitoring. Any decision to monitor or investigate should therefore include an impact assessment to ensure that it will not cause more harm than good and should be undertaken with proper authorisation. 

Codes of Practice on Monitoring at Work (see especially Part 3) have been produced by the Information Commissioner: their provisions are likely to apply to students and other users as well as employees.

It should be noted that network measurement - creating packets or traffic flows and measuring their progress across a network - is unlikely to be affected by any laws on privacy or monitoring.

Investigations

Files on disk are not, in general, covered by the Investigatory Powers Act (note that this Act does apply to e-mail messages in mailboxes or queues). However the rights of users under the Human Rights Act must still be respected in any investigation.

Where an investigation may result in disciplinary or legal action, extreme care must be taken to preserve computer evidence as this is easily challenged.

The Association of Chief Police Officers' Good Practice Guide for Digital Evidence (pdf) and the US Department of Justice guide to Electronic Crime Scene Investigation (pdf) are both helpful. A guide to preparing for forensic investigations (pdf) is published by IAAC.

Note that those investigating misuse of computers may encounter information that is distressing or harmful to them, their colleagues or the organisation. Policies and procedures for investigation should be designed with this in mind, and should always be followed. For serious incidents, it may be worth engaging appropriate external investigators.

Possession of unlawful material

Where material is discovered that is unlawful to possess (such as in the  case of indecent images of children, section 46 of the Sexual Offences Act 2003) investigators are provided with legitimate reason defence to the criminal offences of possessing or making such images. The Criminal Justice and Immigration Act 2008 covers other specific images illegal to possess, but also contains a similar defence.

As described in a Memorandum of Understanding between the Crown Prosecution Service (CPS) and the Association of Chief Police Officers (ACPO), these defences will be interpreted strictly so investigators must be sure that have clear authorisation, and that they document and report their actions to prove their legitimate purpose. Jisc has developed guidelines to help sites comply with the ACPO/CPS Memorandum of Understanding.

The Internet Watch Foundation have a helpful best practice guide to assist organisations in dealing with these types of material. (In Scotland, the relevant law is the Protection of Children and Prevention of Sexual Offences (Scotland) Act 2005, however it is understood that the same best practice would apply).

Investigating copyright complaints

Although the government’s proposed requirement on ‘ISPs’ to investigate copyright complaints has never been brought into force, Jisc customer organisations are still required to investigate such complaints under the Janet acceptable use policy. See investigating copyright complaints for more information and good practice.

Guidelines for handling illegal material

Occasionally, organisations may have to deal with allegations of serious misuse of computers, where indecent images of children (as defined by the Protection of Children Act 1978 and subsequent amendments) or extreme pornographic images (as defined by section 63 of the Criminal Justice and Immigration Act 2008) may be present on the organisation's computers. The possession of such images is a serious criminal offence and must be reported to the Police as soon as possible. Until the material can be handed to the Police, organisations need to act very carefully to avoid harm to their users or potential criminal liability for the organisation or its staff. Jisc has developed the following guidelines, with assistance from Jisc members and the Home Office, to assist sites in this situation.

Please note: Names have deliberately been left within square brackets so that the relevant organisations - universities, colleges, research councils etc - and departments can fill in their own details for internal circulation.

About these guidelines

These guidelines are intended to help and protect computer support staff who may be requested by [the University] to respond to reports of the presence of illegal images (whether indecent images of children or extreme pornographic images) on computers at [the University of Erewhon].

The Protection of Children Act 1978 and subsequent legislation makes the possession, making or publishing of indecent images of children a serious criminal offence; the Criminal Justice and Immigration Act 2008 introduces a similar crime of possession of extreme pornographic images.

Images of either type must be reported to the police as soon as possible, with the minimum interference, for them to investigate. However, there may occasionally be an urgent requirement to confirm an allegation, to secure evidence or to remove material from view, and in these cases authorised site staff may be best placed to do the minimum necessary to achieve this.

Any such action, and any information obtained as a result, must be handled in strict confidence both to protect the evidence and those persons involved: malicious allegations have sometimes been made against innocent parties.

Viewing or handling indecent images of children will normally be a serious criminal offence. However, section 46 of the Sexual Offences Act 2003 provides a limited defence for those who can prove that they needed to do so for the purposes of the prevention, detection or investigation of crime. The Crown Prosecution Service (CPS) and the Association of Chief Police Officers (ACPO) have agreed a Memorandum of Understanding (MOU) setting out the factors they will consider when deciding whether this defence may be available in any specific case.

Sections 63 and 68 and Schedule 14 of the Criminal Justice and Immigration Act 2008 provide a similar "good reason" defence to possession of extreme pornographic images and it is expected that this would be subject to similar tests.

Staff who have been properly authorised and instructed to respond to reports of the presence of illegal images and who satisfy all the tests should not have to fear that they will be prosecuted. The MoU recommends that organisations adopt written procedures for such activities to protect their staff.

These guidelines set out a procedure that is believed to be in accordance with the ACPO/CPS Memorandum of Understanding. Following this procedure should therefore give authorised staff some protection against prosecution by demonstrating that they have acted reasonably and professionally (MoU principle 5).

Principles for dealing with illegal material

The guidelines aim to implement the following essential principles:

• The police are the appropriate people to be investigating serious crimes
• The risk of exposing users and staff to potentially harmful material must be minimised
• As little damage as possible should be done to any evidence of criminal activity

Therefore:

• Allegations of the presence of illegal material on systems connected to the [university] network must be reported to and dealt with by authorised staff as soon as possible (MoU principles 1 and 2)
• As soon as the likely presence of such material is confirmed, the matter must be handed to the police with the minimum delay, with the evidence in the best condition that can be achieved (MoU principles 3 and 4)
• These guidelines must be followed, or any departure from them documented with reasons for doing so, to demonstrate that staff have acted responsibly and professionally (MoU principle 5)

Rules for staff

The basic rules for staff when dealing with illegal materials are:

• Staff must only act when they have been given specific written authorisation by [computing service management] and in accordance with that authorisation and this procedure
• The role of the organisation's staff is only to confirm the presence of illegal material, to prevent further access to the material and to do the least possible damage to evidence
• Staff must report to the police as soon as the presence of illegal material is confirmed and must follow the directions of the police thereafter. The police should normally be contacted by a member of the [computing service management], but if they are not available then the police should be called direct and management informed as soon as possible
• If any delay threatens the organisation's response to the report then the matter must be handed to the police immediately
• Any information obtained as a result of actions under these guidelines must be treated as strictly confidential

Stages in the process

Investigating copyright complaints

The Janet Network and infringement of copyright

The Janet Acceptable Use Policy (AUP) identifies infringement of copyright as an unacceptable use of the network (paragraph 16). The creation or transmission of any material which infringes the copyright of another person would be a breach of the AUP.

Janet-connected organisations are required by the terms and conditions for the use of the Janet Network to take reasonable steps to ensure that users comply with the AUP, in particular to ensure that any unacceptable use of the network, including copyright misuse, is investigated promptly and dealt with effectively should it occur.

Rights-holders and their agents are increasingly monitoring peer-to-peer networks and other Internet services to detect breaches of their intellectual property rights. These notes aim to help Janet-connected organisations respond effectively to these complaints.

Receiving complaints

Complaints relating to IP addresses are generally sent to the e-mail contact(s) listed in the RIPE IP address database. Complaints about particular servers may also be sent to the advertised contacts for those services (eg webmaster for web servers).

Occasionally, complaints are sent to Jisc CSIRT, though this is a less direct route as Jisc CSIRT does not have access to logs or other records required for an investigation. Such complaints will be passed to the organisation's registered security contact to be dealt with.

Organisations should therefore ensure that:

• Contact details for all their public IP address ranges are up-to-date (different address ranges may have separate contact details listed - updates to contact details for IP address ranges can be sent to ipaddress@ja.net)
• E-mail to these addresses is read frequently
• Those reading it know how to deal with copyright complaints

Responding to complaints

Complaints of copyright misuse should include at least the:

• Complete IP address (or web URL) of the alleged breach
• Date and time, or range of times, when the alleged breach occurred. (Times should include the time zone in GMT +0100 format)

Many organisations connect to Janet through proxies or network address translation devices and these are more likely to be able to identify the responsible individual if the complaint includes full details of both ends of the connection over which the copyright material was transferred. Prompt complaints, made soon after the event, are more likely to result in successful investigations.

Complaints should also include a working e-mail address to which responses may be sent. This may be used to request further details if insufficient information has been provided. Where complete information has been provided, organisations should respond to confirm that the complaint has been received and will be investigated in line with the Janet AUP and organisational acceptable use policies.

Dealing with complaints

Having received a complaint of copyright misuse, Janet-connected organisations are required to investigate it and should ensure that their local policies support this.

Investigation will normally involve the organisation matching the complaint against its own information, such as server, authentication, DHCP and network flow logs. As discussed in the Janet technical guide on Logfiles, organisations should normally keep sufficient logs to enable them to link activity on Janet to a responsible individual.

If these logs appear consistent with the complaint, the organisation should identify the responsible individual and contact them to ensure that if a copyright breach has occurred then it stops and is not repeated. If the organisation's logs indicate that the complaint may be incorrect or mis-directed, the organisation should inform the reporter so that they can improve their detection and reporting systems.

If a complaint relates to a visiting user from another member of the eduroam federation then the organisation should forward it to be dealt with under the eduroam policy.

If a user has committed a breach of copyright or of good security practice (for example by allowing others to use their account), the complaint provides an opportunity to warn them of the need to act responsibly in future. Many sites have also reported good results from using these users as ambassadors to spread good practice among their friends and colleagues. This can be an effective way to reduce copyright breaches and improve compliance with the Janet AUP.

Disclosing information

The Janet-connected organisation's obligations under the AUP will be satisfied once it has taken effective action to stop the reported copyright infringement and to discourage future breaches.

Rights-holders will normally also consider this action sufficient. In the most serious cases, however, rights-holders may wish to take legal action against the individuals responsible. In criminal cases the police can issue a notice under section 61 of the Investigatory Powers Act 2016 requiring the organisation to disclose the identity of the user associated with a username or IP address. In civil cases the courts can make orders (known as Norwich Pharmacal orders) with the same effect. Any organisation receiving either a notice or an order must comply if it is able to.

Schedule 2 of the Data Protection Act 2018 also permits (but does not require) an organisation to identify an individual user if it wishes to do so and is satisfied both that this is necessary for the legitimate interests of the rights-holder and that it does not prejudice the rights or legitimate interests of the user. Organisations considering using this power should declare this in their registration with the Information Commissioner and the Fair Processing Notices they give to users, and should take care to comply with their obligations under the Data Protection Act 2018 when using this route, in order to avoid any risk of legal liability. 

Conclusion

Jisc intends to continue to work with rights-holders and connected sites to ensure that processes for reducing copyright misuse are effective.

Any comments or suggestions for improvements should be sent to Jisc's chief regulatory adviser, Andrew Cormack (andrew.cormack@jisc.ac.uk) and any problems with individual complaints to Jisc CSIRT (irt@jisc.ac.uk).

Disclosure of information to law enforcement

The police and other law enforcement agencies may need assistance to prevent, detect or investigate criminal activity involving networks or computers at Janet-connected sites.

As this may involve organisations doing things that would normally be prohibited by law (for example disclosing personal information, contrary to the Data Protection Act 2018), the law has a number of provisions and processes to permit cooperation.

This page describes those most likely to be encountered by Janet-connected sites. Jisc may facilitate urgent requests by providing details of our trusted security contacts at the site(s) concerned.

Co-operation and best practice

The processes have been designed to ensure the best balance between providing good information or evidence for investigating authorities and protecting organisations or individuals. It is therefore important for all parties to follow the appropriate process for each situation.

Some of these processes require the organisation to cooperate, whereas in others the organisation must assess whether cooperation is necessary and proportionate before it agrees or refuses cooperation accordingly.

In most cases the law enforcement agency will make informal contact with an organisation before serving a formal notice on it. This provides an opportunity for the agency and the organisation to discuss what relevant information may be available and could be released so that the contents of the notice, when it is served, should be clear and acceptable to both parties.

In most cases this contact will be made by a trained single point of contact for the agency, who is already familiar with the types of information likely to be available from computers and networks.

Disclosing logfiles

By far the most common request made by the police is to identify an individual user or to provide information about their on-line activity. Information about communications and the individuals who made them (eg the identity of users of a particular email or IP address, when they logged in and to whom they sent emails), but not including the content of any files or communications, is covered by the Investigatory Powers Act 2016 (IPA), where it is referred to as 'communications data'.

Section 61 of the IPA allows law enforcement, and other authorities listed in Schedule 4 of the Act,  to serve a notice on an organisation requiring that communications data be disclosed.

A notice under this section must be given in a form that allows a permanent record to be kept - other than in exceptional circumstances this will be in writing, giving at least the minimum information in paragraph 6.23 of the Code of Practice. An organisation receiving a notice must comply with it by disclosing the information specified in the notice: normally the authority will contact the organisation before issuing a notice to confirm that the information is available.

Disclosing other information

Information that is not communications data, and therefore not covered by the Investigatory Powers Act 2016, includes the content of e-mails and files.

Two different processes (one mandatory, one not) cover the disclosure of this type of information.

Evidence

A court may make an order that an organisation must disclose specified information to the court, usually for use as evidence. The most common orders are those issued by judges under Schedule 1 of the Police and Criminal Evidence Act 1984 (PACE), known as PACE Production Orders as they require the recipient to produce (disclose) information that they would otherwise be under a legal duty to keep confidential.

An organisation that receives such an order must comply with it, generally by disclosing the required information to a police constable, or explain to the court why it is unable to do so. Failure to comply, without good reason, is likely to constitute a criminal offence.

Personal data

Schedule 2 Part 1 Section 2(1) of the Data Protection Act 2018 allows an organisation that holds personal data (including the content of emails and files) to choose to disclose data if it is persuaded that the disclosure is both necessary and proportionate for the purpose of detecting, investigating or preventing of crime. It is the responsibility of the organisation that has the data to ensure that the risk of harm if the information is not disclosed justifies the breach of privacy that will be caused by disclosing it.

Agencies concerned with crime and national security can therefore ask an organisation if it is willing to disclose information under either of these sections, but there is no legal requirement to comply with such a request.

Further guidance on what to disclose

Standard forms (eg from the Internet Crime Forum) have been designed on which the agency can make the case for disclosure: organisations that are persuaded that a request is necessary and proportionate and decide to disclose information on that basis are strongly recommended to keep a copy of the request, together with a record of the process by which the organisation reached the decision to disclose. These will be needed as evidence if the organisation is subsequently sued for having breached its obligation under the Data Protection Act to keep personal data secure.

Removing material from publication

Universities and colleges in England, Wales and Northern Ireland have a statutory duty to protect free speech by their members under section 43 of the Education (No.2) Act 1986 (similar provisions also apply to universities and colleges in Scotland).

However, where information published by a university or college, or one of its members, breaks the criminal or civil law (these are generally also breaches of the Janet Acceptable Use Policy), this duty may be overridden and the publication may be altered or removed.

The normal situation under UK law is contained within the Electronic Communications (EC Directive) Regulations 2002. This protects organisations that provide services such as web hosting from liability so long as they act promptly when informed of a particular publication that may be unlawful. If the publication continues after a complaint, the organisation will be held to have approved the content of the publication and may be liable if the publication is later found to break the law. See our guide to hosting liability.

For the particular case of material relating to terrorism, sections 3 and 4 of the Terrorism Act 2006 set out a more detailed and demanding process. A police constable may issue a written notice to a senior representative of the organisation (usually the secretary or registrar) informing them that they are publishing terrorist material. The organisation must remove or amend the material within two working days or else it will be held to have approved the publication of the material. Following receipt of a notice the organisation is also required to take all reasonable steps to prevent re-publication.

Being prepared

A complaint does not have to take any particular form, but it must give specific information that allows the publication to be identified. Organisations should therefore have efficient processes to receive and consider complaints of unlawful material on their websites and to remove or alter any material that they would not be prepared to defend in court. Note that the organisation should not disclose the identity of the person responsible for the publication other than under one of the processes above.

Data retention and data preservation

Section 87 of the Investigatory Powers Act 2016 permits the home secretary to order any organisation that operates a network to retain data about the use of its systems. We are not aware of this power being used against any private network. Unless and until an organisation receives such a notice, the Data Protection Act 2018 prohibits the collection or retention of any personal data that the organisation does not itself need.

Should the authorities subsequently need to see the retained information, disclosure will be achieved by one of the processes described above.

Logs and data collection

It is strongly recommended that anyone responsible for a computer or network should collect sufficient logs of activity to be able to identify the account and individual responsible for any misuse.

The policies for connection to the Janet Network expect that sites will maintain such logs.

Requirements for logs are discussed in our technical guide.

Risks of not keeping logs

Even though logging may not be required by law (see the section on Data Retention above for circumstances when it may be), Janet-connected organisations that have failed to keep logs have found themselves being blamed for misuse from their site that they could not trace. It is quite possible that such blame could develop into a formal claim of liability for damage caused, leaving the organisation with bad publicity at best and a large bill for damages and legal costs at worst.

Restrictions

There are a number of legal issues that must be addressed in any logging activity. Even if the logs contain only information that the network was used by particular accounts, then they will constitute personal data within the meaning of the Data Protection Act 2018 (particularly the Privacy and Electronic Communications (EC Directive) Regulations 2003).

This places restrictions on how logs may be used, and also requires that they be protected against misuse by appropriate technical and procedural measures. Personal data may only be kept so long as there is good reason to do so: organisations should ensure that they have a retention policy stating how long logs will be held and that they are deleted after this period.

If the logs contain the content of any communication, for example the text of e-mails, news or chatroom conversations, then recording them counts as interception and the conditions of the Investigatory Powers Act 2016 must also be met.