David Allen Green

A critical and liberal look at law and policy

Police and Ripa requests

Are there questions to be answered?

By David Allen Green Published 27 January 2011 16:33

One of the interesting questions raised by the developing scandal into the use of phone-tapping by tabloid reporters and private investigators is: how did they get the telephone numbers and other data, such as PIN codes?

The usual explanation is that there were "blagging" exercises: someone would call the telephone company a number of times and would gradually eek the relevant details out by deception. This may well be true, though it would be time-consuming and possibly unsuccessful.

There are other ways, which are quicker.

For example, there may have been individuals at the telephone companies happy to provide such information.

But the police themselves have extraordinarily wide powers under the Regulation of Investigatory Powers Act (Ripa) to demand any and all data from telephone companies in respect of an account or an individual: hundreds of these "Ripa notices" are issued every day, usually on standard forms, with all the data then provided by return.

There is currently no evidence that the police wrongly used their Ripa request powers to pass on (or even sell) information to reporters and private investigators. So I am not making any suggestion of wrongdoing, and my suppositions here may well be wrong.

All that I am suggesting is that there was another – quicker and far more effective – way for the reporters and the investigators to obtain information, instead of blagging. And this alternative means is also consistent with the known facts and could perhaps explain the reluctance of the police to progress their investigations.

As it would clearly be in the public interest to put the matter beyond all doubt, I have submitted two Freedom of Information requests on this to the Metropolitan Police.

Let's see what happens.

David Allen Green is legal correspondent of the New Statesman. He is also a practising telecoms and media lawyer.

Special Offer: Get 12 issues of New Statesman magazine for just £12

More from David Allen Green

8 comments

Fri, 2011-01-28 00:02 — Stephen J Henstridge (not verified)

Default PINs are often "0000" and just as often people don't change them. Makes guessing quite easy.

Fri, 2011-01-28 01:03 — Lizhk (not verified)

does anybody know how the Met came to the conclusion that it wasn't a crime if the message had already been listened to?

Fri, 2011-01-28 10:42 — Chris Gannon (not verified)

This makes a surprising amount of sense, especially given Rebekah Brooks (nee Wade)'s admission that The Sun had paid the police for information on stories.

http://www.guardian.co.uk/media/2003/mar/12/sun.pressandpublishing

Mon, 2011-01-31 11:37 — ivan (not verified)

"does anybody know how the Met came to the conclusion that it wasn't a crime if the message had already been listened to"

I read that the Crown Prosecution Service advised them of it, but they have now changed their mind.

Thu, 2011-01-27 18:12 — Steve Jones (not verified)

One pedantic point is that they aren't PIN codes, they are PINs (even worse is PIN number). Having got that petty point off my chest.

I would hope that no phone company would reveal a PIN. Indeed, it's bad security practice for PINs or passwords to be displayable to staff at all (indeed passwords are often one-way encrypted to make this impossible). Good practice should be to reset PINs and force the customer to change it again on first entry (simply using default PINs is the simplest hack).

The only way to make these things truly secure is to have what is called a one-time password. That's an electronic device which produces a pseudo-random number which can only be used once making it immune to what is called a replay attack (which is what these phone hacks are). If the banking, Internet, online trader, credit card and similar outfits got their act together, then much fraud could be wiped out.

Incidentally, it is also RIPA that made hacking into modern communciations, like messaging systems, illegal. There were specific laws with regard to line tapping before that, but phone hacking was in a grey area.

It's worth noting that the same legislation that applies to hacking into phone messaging system is equally applicable to all electronic communications, including emails. The cases of "leaking" emails is an area of dubious legality. Whether it is technically illegal or not might depend on arcane technical issues such as whether the emails were extracted direct from disk or obtained by hacking accounts. If there is a technical difference, I'm not sure there's an ethical one. (Of course somebody in proper receipt of an email and publishing it is subject to confidentiality issues, not hacking ones).

It's interesting that many Newspapers, including liberal ones, have made use of leaked emails, and it's not clear that all have them have been obtained legally.

Finally, bent police officers giving information to journalists? So this is new? I recall many an old TV plotline relying on a PI or Journalist leaning on a policeman to find out the registered address of a car. Of course that's before the government found it a nice money-making wheeze to sell that information to almost anybody with a half-convincing justification for receiving it.