Saturday 29 January 2011

Voicemail hacking – what’s the crime?

My naughty step is getting so crowded I’m thinking of ordering a larger one. As the media continues to publish reports about victims of (alleged) voicemail hacking, I thought I would try and tease out some of the issues that need to be addressed as the investigators work out whether and which bits of the law have been broken.

“Voicemail hacking” is a strange phrase, which has emerged over the past few years to describe an activity which is certainly naughty, but strangely quite hard to define in terms of the laws which have been broken. And it’s important to know which laws have been broken, as only then will the miscreants know what punishments they are likely to get.

You can get a prison sentence (of up to 2 years) for unlawful interception. But you can get a much longer sentence for committing an offence under the Computer Misuse Act. Ten long years, actually. As well as an unlimited fine.

I don’t think it’s possible to say that everyone who who commits a voicemail hack is always guilty of the crime of unlawful interception. This is because the Regulation of Investigatory Powers Act defines the offence of unlawful interception in a very narrow way. Those awfully clever Parliamentary draftsmen used language that was so complicated in its construction that everyone forgot how hard it might be to actually apply it in real life.

Let’s look a little closer at the problem.

The problem arises in Section 2 of the Act, which provides that a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—
(a)so modifies or interferes with the system, or its operation,
(b)so monitors transmissions made by means of the system, or
(c)so monitors transmissions made by wireless telegraphy to or from apparatus comprised in the system,
as to make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication.

So far so good. Its a crime to intercept a communication if its in the course of its transmission. This means its definitely a crime to intercept and record, say, live calls between two people.

But, what happens when the caller has simply left a message on a voicemail? Can it be argued that the communication is still being transmitted? Or does the transmission end when the caller leaves the voicemail, which the intended recipient will listen to later?

Subsections (7) and (8) try to address this knotty problem. Here are the words that were used, then I’ll try and explain the intention:

Subsection 7 provides that For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it.

Subsection (8) provides that For the purposes of this section the cases in which any contents of a communication are to be taken to be made available to a person while being transmitted shall include any case in which any of the contents of the communication, while being transmitted, are diverted or recorded so as to be available to a person subsequently.

What I take this to mean is that the Parliament tried to put communications into 2 categories. The first category relates to communications in transit. The second category relates to communications that have been transmitted and are being stored in a voicemail box. If I’m right, a miscreant commits the crime of unlawful interception if they access the first category of messages, but not the 2nd category. The 2nd category is another sort of crime – a Computer Misuse Act type of crime, if you fancy committing a criminal offence; or perhaps a breach of confidence, if you fancy committing a civil offence.

While this appears to be an elegant distinction in theory (well done, you clever Parliament), I don’ t think that anyone, at the time, actually thought about the problems the police (or other litigants) were going to encounter in trying to investigate and prosecute these offences.

The trouble is that the records which the prosecution will have to rely on to establish their case may well not exist. Do records actually exist which show whether a caller
• Dialed a phone number and was put through to the calling party’s voicemail box?
• Left a message on the voicemail box?
• Used a PIN number to access the stored voicemails?
• Listened to any of the stored voicemails which had previously been heard by the intended recipient?
• Listened to any of the stored voicemails which had not previously been heard by the intended recipient?
• Deleted any of the stored voicemails?

And what about the person whose account had been “hacked”? How would they know that a message which had previously been left for them had actually been opened, listened to and subsequently deleted by the miscreant? Where’s the evidence that might warn them that some mischief had occurred?

I’m really not sure. I suppose it would help if a careless miscreant were to keep detailed records of precisely what they had done. I’m not sure whether any other types or records exist that would provide the evidence – to meet the test required before it can be adduced in criminal trials.

I mentioned the Computer Misuse Act earlier. It creates a couple of quite useful offences. I’m not as familiar with this piece of legislation as I am on RIPA, so am relying on the accuracy of material published by the Intellectual Property and Technology team at UK law firm Freeth Cartwright LLP.

The Section 1 offence “Unauthorised access to computer materials (hacking)” provides that someone is guilty of the offence if:
• he causes a computer to perform any function
(a) with intent to secure access to any program or data held in any computer
(b) or to enable any such access to be secured
• the access he intends to secure, or to enable to be secured, is unauthorised

The Section 3 offence “Carrying out unauthorised acts in relation to a computer” provides that someone is guilty of the offence if
• he does any unauthorised act in relation to a computer;
• at the time when he does the act he knows that it is unauthorised; and
• either the person intends that the act will have a certain result (discussed next) or the person is reckless as to whether or not the act will have that certain result.

The 'certain result' referred to in bullet point 3 above is any of the following:
• impairing the operation of any computer
• preventing or hindering access to any program or data held in any computer
• impairing the operation of any such program or the reliability of any such data
• enabling any of the above to be done

This means that a miscreant commits a Section 1 offence by unlawfully listening to a stored voicemail message, and a Section 3 offence by deleting it. The maximum penalty for Section 1 offences is a custodial sentence of up to 2 years and an unlimited fine, while a person who commits a Section 3 offence faces a custodial sentence of up to 10 years and an unlimited fine.

So, why bother with interception offences if a prosecutor can get a heavier sentence under the Computer Misuse Act?

Again, it’s the same problem. The actual evidence of misbehaviour is really hard to come by.

Perhaps some extremely expensive lawyers have looked at this issue and they have advised the less reputable members of the investigative media that voicemail hacking is certainly naughty, but actually quite hard to detect.

Lessons for those who want it make it harder for others to compromise their voicemail accounts:

• Ask callers to consider whether they actually need to leave a voicemail message (why don’t they send a text instead?)
• Check voicemail boxes frequently (so that the saved messages are heard shortly after they have been created)
• Delete messages once they have been read (so that there is less material for a miscreant to find)
• Change Voicemail PINs regularly (just as we do with our other passwords ... )