
Friday, July 08, 2011

The Idiot's Guide to Why Voicemail Hacking is a Crime

Not what I should be doing right now, but in the wake of the amazing News of the World revelations, there does seem to be some public interest in a quick note on why there is (some) controversy around whether hacking messages in someone's voicemail is a crime.

Most of the longer version of this can be found in an excellent memo by Chris Pounder of Amberhawk from October 2010 and those of you with more legal background are therefore directed there.

RIPA

The first relevant provision is RIPA (the Regulation of Investigatory Powers Act 2000), which provides that interception of communications without the consent of both ends of the communication, or some other provision like a police warrant, is criminal in principle. The complications arise from s 2(2), which provides that:

“....a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if ... (he makes) ...some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication”. [my itals]

Section 2(4) states that an “interception of a communication” has also to be “in the course of its transmission” by any public or private telecommunications system. [my itals]

The argument that seems to have been made to the DPP, Keir Starmer, in October 2010, by QC David Perry, is that voicemail has already been transmitted and is therefore no longer "in the course of its transmission." Therefore a RIPA s 1 interception offence would not stand up. The DPP stressed in a letter to the Guardian in March 2011 that this interpretation was (a) specific to the cases of Goodman and Mulcaire (yes, the same Goodman who's just been re-arrested and indeed went to jail) and (b) not conclusive, as a court would have to rule on it.

We do not know the exact terms of the advice from counsel as (according to advice given to the HC in November 2009) it was delivered in oral form only. There are two possible interpretations of even what we know. One is that messages left on voicemail are "in transmission" till read. Another is that even when they are stored on the voicemail server unread, they have completed transmission, and thus accessing them would not be "interception".

Very few people, I think, would view the latter interpretation as plausible, but the former seems to have carried weight with the prosecution authorities. In the case of Milly Dowler, if (as seems likely) voicemails were hacked after she was already deceased, there may have been messages unread and so a prosecution would be appropriate on RIPA without worrying about the advice from counsel. In many other cases, eg involving celebrities, though, hacking may have been of already-listened-to voicemails. What is the law there?

When does a message to voicemail cease to be "in the course of transmission"? Chris Pounder pointed out in April 2011 that we also have to look at s 2(7) of RIPA which says

"(7) For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it."

A common sense interpretation of this, it seems to me (and to Chris Pounder), would be that messages stored on voicemail are deemed to remain "in the course of transmission", and hence capable of generating a criminal offence when hacked, because they are being stored on the system for later access (which might include re-listening to already played messages).

This rather thoroughly seems to contradict the well known interpretation offered during the debates in the HL over RIPA from L Bassam, that the analogy of transmission of a voice message or email was to a letter being delivered to a house. There, transmission ended when the letter hit the doormat.

There remains a little wiggle room in that at the dates some of the older hacking incidents may have occurred, the voice messages might plausibly have been physically stored on local answerphones, not, as is common with mobiles and mobile voicemail, on remote voicemail servers. This leaves a flicker of concern that the messages might not be "stored" on "the [same] system by means of which the communication is being, or has been, transmitted".

Against this quibble would be that a purposive interpretation of the law should not distinguish for no reason between (say) fixed phones with physical answerphones, and mobile phones with remotely stored voicemail. OTOH, criminal laws are always to be interpreted restrictively on the grounds that no one should find themselves accused of breaking a criminal law they were not deemed to know.

A person who is guilty of an offence under subsection (1) or (2) shall be liable on conviction on indictment, to imprisonment for a term not exceeding two years or to unlimited fine.

CMA

One of the strangest parts of this controversy, though, has been the relative absence of commentary - from the DPP or otherwise - that even if the most restrictive interpretation above of RIPA was adopted, computer hacking under the Computer Misuse Act, s 1, could easily provide an alternative offence. (Nick Davies of the Guardian does mention it, however, in the same Memo to HC as quoted above from Amberhawk.)

CMA s 1 says that

"(1)A person is guilty of an offence if—

(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [or to enable any such access to be secured] ;

(b)the access he intends to secure [or to enable to be secured] is unauthorised; and

(c)he knows at the time when he causes the computer to perform the function that that is the case." [my italics]

Max sentence is 12 months jail but the aggregated version (eg unauthorised access plus fraud under s 2) can now go up to 5 years jail. (s55 of the DPA (misuse of personal data, which would also apply) was also amended recently to allow for a jail sentence (following the HMRC scandals) - but Parliament has yet to bring this into force.)

Putting in a guessed-at PIN to access voicemail maps well to "causes a computer to perform any function". CMA makes no requirement that reasonable security is overcome, or anything of that kind. Nor does the material hacked have to be deleted or sold or anything of that kind, merely accessed.

But is an answerphone or a voicemail server or a mobile phone a "computer"? The word was deliberately left undefined in the 1990 Act so it did not become outdated as technology progressed. (This has proved wise.) However, the CPS guidance quotes "DPP v McKeown, DPP v Jones ([1997] 2Cr App R, 155, HL at page 163) [where] Lord Hoffmann defined a computer as "a device for storing, processing and retrieving information"." This seems easily wide enough to include any or all of a mobile, a smartphone, an answerphone or a voicemail server.

The advice given the DPP may have taken into account other worries about prosecuting either the RIPA or CMA offences. It would be very good to know exactly what, if any. In the meantime however there seems no good reason why criminal prosecutions cannot be immediately brought against those factually proven to have taken part in voicemail hacking.

Corporate criminal liability

A final point is who would be liable for such a criminal offence. Just the reporter who put in the PIN, or, say, the proprietor of the newspaper in question, which benefited? This is an issue of corporate criminal liability where the relevant law in England & Wales is from Tesco v Nattrass [1972] AC 153. The widely quoted test from that by L Reid is the "directing mind test" as follows:
The person who acts is not speaking or acting for the company. He is acting as the company and his mind which directs his acts is the mind of the company. If it is a guilty mind then that guilt is the guilt of the company.
This is regarded as, sometimes unfortunately (it has been amended for corporate manslaughter), pretty restrictive, and likely to apply only to the most senior directors or managers. ?? as to say, the liability of Wade or Murdoch for NI.

Deleting the evidence

Finally if the rumours circulating that millions of emails have been deleted by NI to foil a criminal investigation are true, there would be an alternative of prosecuting attempt to pervert the course of justice - which as a common law offence has an unlimited sentence in Scotland and I think in England too. So burning the evidence is not a get out of jail free card :)

Thursday, November 27, 2008

MySpace suicide bully found guilty of.. hacking???

The Register reports that in this extremely bizarre case, Lori Drew has been found guilty of unauthorised access to the MySpace website, ie a crime rather than a civil infringement - because in breach of its terms and conditions, she pretended to be someone she was not in order to bully a teenage girl and eventually incite her to commit suicide.

The facts are so crazy I'm just going to paste from El Reg here..

"The case was heard in Los Angeles because that is where the MySpace servers are.

Lori Drew created a fake MySpace profile in the name of Josh Evans. She used the persona to flirt with a thirteen year old girl called Megan Meier, who her daughter had previously fallen out with.

After weeks of flirting Drew then sent her message which said: "You’re a shitty person, and the world would be a better place without you in it." Hours later Meier hung herself in her bedroom.

Local police in Missouri would not charge Drew and the LA prosecutor has been accused of grandstanding. The charges were downgraded from felonies to misdemeanors - three counts of accessing a computer without authorization - but Drew could still face jail, the New York Times reports.

The case has split legal observers with some welcoming extension of the use of the Computer Fraud Act to social networking sites. But Matthew L Levine, a defense lawyer in New York, told the NYT: “As a result of the prosecutor’s highly aggressive, if not unlawful, legal theory, it is now a crime to ‘obtain information’ from a website in violation of its terms of service. This cannot be what Congress meant when it enacted the law, but now you have it.” MySpace T&Cs oblige users to be truthful in information they post."


This is a good example of how hard cases make really bad law. The problem here apparently was that Missouri had no relevant criminal stalking law - which would have been the obvious way to deal with this. So Missouri passed, and an ambitious LA prosecutor saw a way to go for a conviction under their equivalent of the UK's Computer Misuse Act 1990, s 1 - an "unauthorised access" law, which was clearly originally designed for hacking.

What is "unauthorised" has been a bugbear throughout the history of these kinds of laws. Originally, "unauthorised" in most jurisdictions contemplated outsiders breaking into a computer or system. In the UK, some of the earliest CMA cases ruled that unauthorised access could occur even where an insider - say a disgruntled employee - used a password or simply physical access rights to get into a computer system to, say, defraud the employer or commit e-vandalism. A serious problem is whether you are authorised simply to access a system, or to access it for a particular purpose. A number of cases, eg, dealt with policemen abusing their rights of access to the Police National Computer to wreak private justice on ex girlfriends and the like.

More recently in the famous Lennon case, a court also had to decide if sending a few million emails as a DOS attack to a mail server was "unauthorised". The first instance court said no: mail servers offer a standing permission to receive mail, don't they? The appeal court more pragmatically said, yes, but they don't authorise receiving several million emails sent with a malicious intent. I warned at the time that, although useful as extending s 1 of the CMA to fight DOS and DDOS, this approach would have consequences. And here, sort of, they are.

What the UK has never really come to grips with - and the Drew case does - is whether "unauthorised" is also what you do when you break the contractual rules relating to access to a website (whether express ie in the EULA, or AUP, or T & C - or implied - as in Lennon).

Let's have an example. Blogger's content policy says that images of nudity should be posted only behind a Friends-lock. What if I post a (harmless, non child porn, non violent, non criminal) nude picture here for the world to see? (Like say this one?) By all means Blogger should have the right to throw me off its site - that's their contractual privilege. But should I be open to a criminal prosecution under s 1 of the CMA for "unauthorised access"? I don't think so.

Blogger's content policy (which is I think the same as Google's now) is pretty sensible in fact. I had to look quite hard to find an example of what I might do that would breach their T & C and not already be a criminal offense, eg, incitement to racial hatred. But remember that unlike the criminal law, what a site puts in its EULA or T & C is its privilege, and need not conform to popular views as to what is societally unacceptable or wrong.

This is why it is crucially important to keep civil sanctions for breach of contract quite separate from criminal sanctions for criminal behaviour, even though there is obviously an overlap in the actual types of conduct. In the Drew case, the answer could have lain with using stalking laws rather than hacking laws to prosecute the undoubtedly evil accused; in the UK the answer could be to clarify exactly what "unauthorised" means (or to abandon the s 1 offense of "pure" hacking, and allow it as an offense only when used to pursue an illegal subsequent activity?).

I hope this US case will be seen as what it is: an unfortunate aberration.

EDIT: Link on (US) legal opinions on whether suicide-watching online (not the same as instigation, at least necessarily) is illegal inducement or abetting of suicide.

EDIT: Link from Making Light giving more info about the Drew case.