From a corporate forensics POV…..
..As far as I understand it, under RIPA it is prohibited to examine unread emails without lawful authority (ie, a warrant), as this would constitute unlawful interception of communications.
However if an unread email resides in the Deleted Items folder of a user's mailbox, doesn't this raise a bit of a grey area? One could argue that the user would have to know what it said in order to make a judgement on whether to retain or delete it, (and if the setting for the time period after which it will be marked "read" is set high enough, it would be possible for the recipient to peruse the contents and delete it while still being marked "unread", therefore avoiding investigation by internal forensics examiners (ie people without search warrants))
This doesn't relate to any current cases - it was hypothetical that intrigued me. Obviously I wouldn't want to chance it without the advice of a lawyer!!!
On this side of the pond, there is no expectation of privacy for communication or activities that occurred using company equipment (computers, voice mail, PDAs, etc.). This is especially notable if there is a company policy highlighting this. Telephony is a separate matter due to various wiretapping laws since the second party is not privy to the policy.
How does RIPA interact with that type of corporate policy? As the company is the owner of the equipment does that constitute lawful authority? Since the data is stored on their equipment, transmitted using their equipment, etc. what is the liability of the company if they cannot examine the data?
Always interesting to see the differences in laws.
Goblin,
My understanding of RIPA is that if it is communications contained on an item you have power to seize or have already seized then it can be analysed.
If you were at a scene and you were to disconnect the computer from either the Internet or from a private network, anything residing on that computer is open to examination.
This all being subject to legal privilege if legal privilege was an issue.
Any arguement about the provenance of deleted, unopened emails would be based upon your findings (and maybe those of a defence expert) and be for a jury to decide if they are relevant.
Steve
If this email exists on a corporate network then it all depends on the wording of the contract of employment (or acceptable use policy) which the user has agreed with his employer. Do they have an expectation to privacy? Has the company got the right to monitor/inspect communications and other data?
As you point out, before you take any action you need to be absolutely sure that you are acting in an authorised way or you/your organisation could face far worse trouble than the problem you already have!
In the US, those issues are covered separately by 4th amendent searches on the government side, and by the ECPA and Wiretap act on the private side.
For instance, in the US a law enforcement officer cannot search a computer, even at the scene of the crime without a warrant. He or she can only view what is on the screen under the "in plain sight" rules.
A cell phone might be different if it is recovered at the scene of a crime and can contain information that could lead to the immediate solution of the crime. However, for it to be admissiable you get into the domain of the type of search being conducted.
I am no attorney, nor am I LE.
And proper coverarge of the issues relating to privacy and protections against unlawful search and siezure are much too detailed to conver in a post.
Laws are different from country to country as well. An LE person from France that I met told me that employee data is protected in France, independent of any company policies.
Three pieces of legal requirements and law you can consider important for corporate/business (civil) investigations are
1) The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
2) The Human Rights Act 1998
3) The Regulation of Investigatory Powers Act 2000.
RIPA by itself it not enough for the hypothesis you have set down.
Goblin, when these types of questions arise like you have asked, as I understand it a response should be to ask (the "test") why you are looking at the emails (read/unread/saved or deleted)?
The "test" is one based upon "objectivity" and "reasonableness" and to help meet that a range of criteria have been identified set out in The code of practice, "Monitoring at work an employer's guide".
Two criteria out of the various criteria available under 1) and 3) above that may be stated for your unread deleted email, but still have to be proven that the intent for the ones below was genuine, are
- Covert monitoring
- Prevention and detection of crime
The reason I mention these two is that your hypothesis is based upon the intent of the investigator "From a corporate forensics POV….." and not one that you suggest that the discovery of the unread deleted email arose from standard monitoring in the workplace.
In every case, as I understand it, employees must be made aware of the various criteria and circumstances in which monitoing takes place and that persistent notification should be in practise (warning notices etc).
One could argue that the user would have to know what it said in order to make a judgement on whether to retain or delete it,
What if a mail filter moved it to the recycle bin? No need for anyone to make judgement on it based on the contents …
From a corporate forensics POV…..
As I understand it RIPA applies only to investigations carried out by government agents (in the widest sense including local government, police etc.) but not to those carried out by private individuals and companies
The Human Rights Act also relates mainly to the relationship between government and citizens rather than between one citizen and another.
For instance, in the US a law enforcement officer cannot search a computer, even at the scene of the crime without a warrant. He or she can only view what is on the screen under the "in plain sight" rules.
Unless at the border. Customs has instituted a policy of random seizure of all digital media, no reasonable suspicion required, and too bad if that media is required for you to earn a living. Then, a warrantless fishing expedition for as long as they feel necessary. Trolling for felonies as it were. Of course the problem is how to prove that whatever they "found" was present on the media at seizure.
Details, details.
But anyone who places faith in the Fourth Amendment is way behind the power curve.
To the OP What is so hard about getting an attorney involved? If push comes to shove you will be speaking to an attorney regardless. Might as well do so from a pre-indictment position.
A very grey area indeed.
If it is for a criminal offence, Police use Sec 19 PACE to allow investigation into all areas, therefore, remainling completely legal.
As a POV, it depends on contracted terms and obviously permission authorised by the owner of the email. Deleting the email doesnt mean that it is there for someone else to open it. Essentially it still belongs to him/her, it might have been put there accidently or as a store for safekeeping. Either way, if no permission is given then you need to look at how the persons employment contract reads. If it is not covered then you are on sticky ground.
If you are doing private investigation work - then you are already on dodgy ground - Computer Misuse Act etc….
So if investigated by police or authorised body for a criminal offence, and equipment seized under Sec 19 PACE - legal.
Any other way … refer to employee handbook.