Increasingly local authorities are turning to the online world, especially social media, when conducting investigations. There is some confusion as to whether the viewing of suspects’ Facebook accounts and other social networks requires an authorisation under Part 2 of the Regulation of Investigatory Powers Act 2000 (RIPA). In his latest annual report the Chief Surveillance Commissioner states (paragraph 5.42):
“Perhaps more than ever, public authorities now make use of the wide availability of details about individuals, groups or locations that are provided on social networking sites and a myriad of other means of open communication between people using the Internet and their mobile communication devices. I repeat my view that just because this material is out in the open, does not render it fair game. The Surveillance Commissioners have provided guidance that certain activities will require authorisation under RIPA or RIP(S)A and this includes repetitive viewing of what are deemed to be “open source” sites for the purpose of intelligence gathering and data collation.”
Careful analysis of the legislation suggests that whilst such activity may be surveillance, within the meaning of RIPA (see S.48(2)), not all of it will require a RIPA authorisation. Of course RIPA geeks will know that RIPA is permissive legislation anyway and so the failure to obtain authorisation does not render surveillance automatically unlawful (see Section 80).
There are two types of surveillance, which may be involved when examining a suspect’s Facebook or other social network pages; namely Directed Surveillance and the deployment of a Covert Human Intelligence Source (CHIS). Section 26 of the Act states that surveillance has to be covert for it to be directed:
“surveillance is covert if, and only if, it is carried out in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is or may be taking place” (my emphasis)
If an investigator decides to browse a suspect’s public blog, website or “open” Facebook page (i.e. where access is not restricted to “friends”, subscribers or followers) how can that be said to be covert? It does not matter how often the site is accessed as long as the investigator is not taking steps to hide his/her activity from the suspect. The fact that the suspect is not told does about the “surveillance” does not make it covert. Note the words in the definition of covert; “unaware that it is or may be taking place.” If a suspect chooses to publish information online they can expect the whole world to read it including law enforcement and council investigators. If he/she wants or expects privacy it is open to them to use the available privacy settings on their blog or social network.
The Commissioner stated in last year’s annual report:
“5.31 In cash-strapped public authorities, it might be tempting to conduct on line investigations from a desktop, as this saves time and money, and often provides far more detail about someone’s personal lifestyle, employment, associates, etc. But just because one can, does not mean one should. The same considerations of privacy, and especially collateral intrusion against innocent parties, must be applied regardless of the technological advances.” (my emphasis)
I agree with the last part of this statement. The gathering and use of online personal information by public authorities will still engage Human Rights particularly the right to privacy under Article 8 of the European Convention on Human Rights. To ensure such rights are respected the Data Protection Act 1998 must be complied with. A case in point is the monitoring last year of Sara Ryan’s blog by Southern Health NHS Trust. Our data protection expert Tim Turner wrote recently about the data protection implications of this kind of monitoring.
Where online surveillance involves employees then the Information Commissioner’s Office’s (ICO) Employment Practices Code (part 3) will apply. This requires an impact assessment to be done before the surveillance is undertaken to consider, amongst other things, necessity, proportionality and collateral intrusion. Whilst the code is not law, it will be taken into account by the ICO and the courts when deciding whether the DPA has been complied with. In December 2014, Caerphilly County Borough Council signed an undertaking after an ICO investigation found that the Council’s surveillance of an employee , suspected of fraudulently claiming to be sick, had breached the DPA.
Facebook Friends – A Friend Indeed
Of course the situation will be different if an investigator needs to become a “friend’ of a person on Facebook in order to communicate with them and get access to their profile and activity pages. For example, local authority trading standards officers often use fake profiles when investigating the sale of counterfeit goods on social networks. In order to see what is on sale they have to have permission from the suspect. This, in my view, does engage RIPA as it involves the deployment of a CHIS defined in section 26(8):
“For the purposes of this Part a person is a covert human intelligence source if—
(a) he establishes or maintains a personal or other relationship with a person for the covert purpose of facilitating the doing of anything falling within paragraph (b) or (c);
(b) he covertly uses such a relationship to obtain information or to provide access to any information to another person; or
(c) he covertly discloses information obtained by the use of such a relationship, or as a consequence of the existence of such a relationship” (my emphasis)
Here we have a situation where a relationship (albeit not personal) is formed using a fake online profile to covertly obtain information for a covert purpose. In the case of a local authority, this CHIS will not only have to be internally authorised but also, since 1st November 2012, approved by a Magistrate.
This is a complex area and staff who do not work with RIPA on a daily basis can be forgiven for failing to see the RIPA implications of their investigations. From the Chief Surveillance Commissioner’s comments (below) in his annual report, it seems advisable for all public authorities to have in place a corporate policy and training programme on the use of social media in investigations:
“5.44 Many local authorities have not kept pace with these developments. My inspections have continued to find instances where social networking sites have been accessed, albeit with the right intentions for an investigative approach, without any corporate direction, oversight or regulation. This is a matter that every Senior Responsible Officer should ensure is addressed, lest activity is being undertaken that ought to be authorised, to ensure that the right to privacy and matters of collateral intrusion have been adequately considered and staff are not placed at risk by their actions and to ensure that ensuing prosecutions are based upon admissible evidence.”
We have a workshop on investigating E – Crime and Social Networking Sites, which considers all the RIPA implications of such activities. It can also be delivered in house.
In conclusion, my view is that RIPA does not apply to the mere viewing of “open” websites and social network profiles. However in all cases the privacy implications have to be considered carefully and compliance with the Data Protection Act is essential.
Ibrahim will be looking at this issue in depth in our forthcoming webinars.
Looking to update/refresh your colleagues’ RIPA Knowledge. Try our RIPA E Learning Course. Module 1 is free.
We also have a full program of RIPA Courses and our RIPA Policy and Procedures Toolkit contains standard policies as well as forms (with detailed notes to assist completion).
4 thoughts on “Facebook, Social Networks and the Need for RIPA Authorisations”
Excellent overview and guidance of the connection between the DPA and RIPA, although mostly from a commercial entity perspective. One day it would be nice to see guidance to consumers on how they can use these regulations to defend themselves. Its one thing to know of the regulation, its a whole other issue for individuals to use them to empower themselves.
Any plans to do something similar for the upcoming GDPR?
Reblogged this on Man in the Krowd and commented:
This is an excellent summary of the connection between the Data Protection Act and RIPA (Regulatory Investigative Powers Act).
Note that I, and many like me believe RIPA should be repealed as a piece of legislation that fundamentally undermines our human rights. However at least there are some positive elements that can be taken out as seen here. A lot is to do with interpretation and emphasis which this article highlights.