Using the list as a sounding board here, so please let me know if the
following seems reasonable to you. Comments very welcome before I start
promoting the ideas more widely.

My own feeling is that organisations providing network connections must
protect themselves legally by having a policy to make clear that users
do not have "a legitimate expectation of privacy", but that it is vital
that *at the same time* they publish a code of practice (or equivalent)
that explains the controls to prevent the power to monitor being abused.
For example, something like the one I prepared earlier at
http://www.ja.net/cert/JANET-CERT/regulation/sysadmin_charter.html. That
is supposed to reassure both the monitors and the monitees that their
reasonable expectations will be met, but that there are circumstances
where the rights of the individual need to be reduced to protect the
community (as permitted by HRA, incidentally).

The purpose of RIPA (quite apart from the HRA) is to *control* invasions
of privacy not, as has been widely reported in the press, to declare
open season on monitoring: it certainly isn't the "snoopers charter" of
many headlines. The Government and the Home Office have got themselves a
lot of terrible publicity by documenting the power to intercept long
before publishing adequate controls on the use of it: I think it would
be a waste if the rest of us didn't learn from their experience.

Andrew
--------------------
Andrew Cormack
Chief Security Advisor
UKERNA, Atlas Centre, Chilton, Didcot, Ox11 0QS, UK
Phone: +44 (0)1235 822302
Fax: +44 (0)1235 822399
> -----Original Message-----
> From: This list is for those interested in Data Protection
> issues [mailto:[log in to unmask]] On Behalf Of
> Charles Christacopoulos
> Sent: 20 December 2002 16:52
> To: [log in to unmask]
> Subject: Re: Expectations of privacy
>
>
> ** Reply to note from Andrew Charlesworth
> <[log in to unmask]> Fri, 20 Dec 2002
> 16:01:03 +0000
>
>
> > Further to Collette's point - it is entirely true that Universities do not
> > engage in routine monitoring of staff and student phone calls and e-mails
> > made on institutional equipment, nor would they wish to, or probably even
> > be capable of doing so - the important point being made is that staff and
> > students are put on notice that they do not have "a legitimate expectation
> > of privacy" in such communications.
>
> Yeap. Andrew, I wish I could write like you when I grow up (if I ever
> grow up).
>
> Colette, I should have said that "it is common practice in universities"
> to make the statement that communications may be monitored. Knowing how
> stretched our ITS are ... I think the least of their worries would be to
> do random monitoring in case they find some subversive types ;-)
>
> For any monitoring to take place there would be a need for a senior member
> of staff to authorise it and - being a university - we'll probably set up
> a subcommittee to monitor the monitoring.
>
> As long as staff are properly warned, reminded, assisted as necessary
> and their privacy is also respected when it must be, nothing wrong
> with it.
>
> Regards
> Charles
>
> PS. I am only saying such things 'cause the list might be monitored ;-)
>
> ==============================================
> Charles Christacopoulos, Management Information Officer,
> Planning & Information, University of Dundee, Dundee, DD1 4HN,
> Scotland, United Kingdom. Tel: 44(0)1382-344891. Fax:
> 44(0)1382-201604.
> http://www.somis.dundee.ac.uk/
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> www.jiscmail.ac.uk/user-manual/summary-user-commands.htm
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>