Friday, July 08, 2011

The Idiot's Guide to Why Voicemail Hacking is a Crime

Not what I should be doing right now, but in the wake of the amazing News of the World revelations, there does seem to be some public interest in a quick note on why there is (some) controversy around whether hacking mesages in someone's voicemail is a crime.

Most of the longer version of this can be found in an excellent memo by Chris Pounder of Amberhawk from October 2010 and those of you with more legal background are therefore directed there.


The first relevant provision is RIPA (the Regulation of Investigatory Powers Act 2000) which provides that interception of communications without consent of both ends of the communication , or some other provision like a police warrant is criminal in principle. The complications arise from s 2(2) which provides that:

“....a person intercepts a communication in the course of its transmission by
means of a telecommunication system if, and only if ... (he makes) ...some or all of the
contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication”. [my itals]

Section 2(4) states that an “interception of a communication” has also to be “in the course of its transmission” by any public or private telecommunications system. [my itals]

The argument that seems to have been been made to the DPP, Keir Starmer, on October 2010, by QC David Perry, is that voicemail has already been transmitted and is thus therefore no longer "in the course of its transmission." Therefore a RIPA s 1 interception offence would not stand up. The DPP stressed in a letter to the Guardian in March 2011 that this interpretation was (a) specific to the cases of Goodman and Mulcaire (yes the same Goodman who's just been re-arrested and inded went to jail) and (b) not conclusive as a court would have to rule on it.

We do not know the exact terms of the advice from counsel as (according to advice given to the HC on November 2009) it was delivered in oral form only. There are two possible interpretations of even what we know. One is that messages left on voicemail are "in transmission" till read. Another is that even when they are stored on the voicemail server unread, they have completed transmission, and thus accessing them would not be "interception".

Very few people I think would view the latter interpretation as plausible, but the former seem to have carried weight with the prosecution authorities. In the case of Milly Dowler, if (as seems likely) voicemails were hacked after she was already deceased, there may have been messages unread and so a prosecution would be appropriate on RIPA without worrying about the advice from counsel. In many other cases eg involving celebrities though, hacking may have been of already-listened- to voicemails. What is the law there?

When does a message to voicemail cease to be "in the course of transmission"? Chris Pounder pointed out in April 2011 that we also have to look at s 2(7) of RIPA which says

" (7)For the purposes of this section the times while a communication is being transmitted by means of a telecommunication system shall be taken to include any time when the system by means of which the communication is being, or has been, transmitted is used for storing it in a manner that enables the intended recipient to collect it or otherwise to have access to it."

A common sense interpretation of this, it seems to me (and to Chris Pounder ) would be that messages stored on voicemail are deemed to remain "in the course of transmission" and hence capable of generating a criminal offence, when hacked - because it is being stored on the system for later access (which might include re-listening to already played messages).

This rather thoroughly seems to contradict the well known interpretation offered during the debates in the HL over RIPA from L Bassam, that the analogy of transmission of a voice message or email was to a letter being delievered to a house. There, transmission ended when the letter hit the doormat.

There remains a little wiggle room in that at the dates some of the older hacking incidents may have occurred, the voice messages might plausibly have been physically stored on local answerphones, not, as is common with mobiles and mobile voicemail, on remote voicemail servers. This leaves a flicker of concern that the messages might not be "stored" on "the [same] system by means of which the communication is being, or has been, transmitted"

Against this quibble would be that a purposive interpretation of the law should not distinguish for no reason between (say) fixed phones with physical answerphones, and mobile phones with remotely stored voicemail. OTOH, criminal laws are always to be interpreted restrictively on the grounds that no one should find themselves accused of breaking a criminal law they were not deemed to know.

A person who is guilty of an offence under subsection (1) or (2) shall be liable on conviction on indictment, to imprisonment for a term not exceeding two years or to unlimited fine.


One of the strangest parts of this controversy though has been the relative absence of commentary - from the DPP or otherwise - that even if the most restrictive interpretation above of RIPA was adopted - computer hacking under the Computer Misuse Act, s 1 , could easily provide an alternative offence. (Nick Davies of the Guardian does mention it however in the same Memo to HC as quoted above from Amberhawk. )

CMA s 1 says that

"(1)A person is guilty of an offence if—

(a)he causes a computer to perform any function with intent to secure access to any program or data held in any computer [or to enable any such access to be secured] ;

(b)the access he intends to secure [or to enable to be secured] is unauthorised; and

(c)he knows at the time when he causes the computer to perform the function that that is the case." [my italics]

Max sentence is 12 months jail but the aggregated version (eg unauthorised access plus raud under s 2) can now go up to 5 years jail. (s55 of the DPA (misuse of personal data, which would also apply)was also amended recently to allow for a jail sentence (following the HMRC scandals) - but Parliament has yet to bring this into force.)

Putting in a guessed-at PIN to access voicemail maps well to "causes a computer to perform any function". CMA makes no requirement that reasonable security is overcome, or anything of that kind. Nor does the material hacked have to be deleted or sold or anything of that kind, merely accessed.

But is an answerphone or a voicemail server or a mobile phone, a "computer"? The word was deliberately left undefined in the 1990 Act so it did not become outdated as technology progressed. (This has proved wise.) However the CPS guidance quotes "DPP v McKeown, DPP v Jones ([1997] 2Cr App R, 155, HL at page 163) [where] Lord Hoffman defined a computer as "a device for storing, processing and retrieving information". " This seems easily wide enough to include any or all of a mobile, a smartphone, an answerphone or a voicemail server.

The advice given the DPP may have taken into account other worries about prosecuting either the RIPA or CMA offences. It woukd be very good to know exactly what, if any. In the meantime however there seems no good reason why criminal prosecutions cannot be immediately brought against those factually proven to have taken part in voicemail hacking.

Corporate criminal liability

A final point is who would be liable for such a criminal offence. Just the reporter who put in the PIN, or, say, the proprietor of the newspaper in question, which benefited? This is an issue of corporate criminal liability where the relevant law in England & Wales is from Tesco v Nattrass [1972] AC 153 . The widely quoted test from that by L Reid is the "directing mind test" as follows:
The person who acts is not speaking or acting for the company. He is acting as the company and his mind which directs his acts is the mind of the company. If it is a guilty mind then that guilt is the guilt of the company.
This is regarded as, sometimes unfortunately (it has been amended for corporate manslaughter) , pretty restrictive, and likely to apply only to the most senior directors or managers. ?? as to say, the liability of Wade or Murdoch for NI.

Deleting the evidence

Finally if the rumours circulating that millions of emails have been deleted by NI to foil a criminal investigation are true, there would be an alternative of prosecuting attempt to pervert the course of justice - which as a common law offence has an unlimited sentence in Scotland and I think in England too. So burning the evidence is not a get out of jail free card :)


Matthew Pemble said...

Of course, what you should be doing is getting some relaxation in before the evil students return but ...

Deleting any voicemail, unless authorised, would surely also be a s3 CMA90 offence?

"(2)This subsection applies if the person intends by doing the act—


(b)to prevent or hinder access to any program or data held in any computer;

And that's up to 10 years on indictment!

pangloss said...

@Matthew that is a very good point re deletion - of course evidence is the problem -- but we have some pretty expansive decisions on that because of people deleting child porn on their PCs..

Álvaro Del Hoyo said...


RIPA is focused on privacy/communications secrecy -right that stands while communications is being accomplished-, nor in privacy/data protection.

Besides the cases of died people voicemail accessed and deleted -although his/her familiy members can asked for injustion as long as their privacy/familiar privacy has been violated-, Data Protection Act should also apply:

(1)A person must not knowingly or recklessly, without the consent of the data controller—

(a)obtain or disclose personal data or the information contained in personal data, or

(b)procure the disclosure to another person of the information contained in personal data.

And in this case there is no way to pretend that the special purpose of journalism was valid:

(1)Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a)the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b)the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c)the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.