It seems Three UK have reverted to their old tactic of assuming they can bend the rules to breaking point. Many of you will already be aware of the trials run by Three recently with regards to the ad-blocking systems provided by Israeli company Shine. Particular attention should be paid to the following paragraph:

The method by which Shine blocks ads at the network level is unclear. The company says it uses “machines” that are capable of performing deep packet inspection (DPI) inside the network. Using a mixture of “real-time analysis, artificial intelligence and algorithms,” the team is able to identify ads and stop them without breaking the original webpage or app.

Emphasis was added by me. The first point is quite important, since it implies that traffic is being intercepted and processed in such a way that would require consent from both the sender and recipient under RIPA s3(1), since there is no warrant issued for the interception. s3(1) can be found here.

3 Lawful interception without an interception warrant.

 

(1)Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which is both—

(a)a communication sent by a person who has consented to the interception; and

(b)a communication the intended recipient of which has so consented.

This is not an either-or situation. Consent is required from BOTH sender AND the recipient. Three have obtained consent from their customers but they represent only one party to the communication. It should also be noted that whilst the British government fought tooth and nail to keep implied consent within RIPA it was nonetheless removed from RIPA after legal proceedings had been initiated by the EU commission. Implied consent has not been in RIPA since 2011.

Leaving aside for a moment the questionable priorities shown by the government in their dealings with the EU commission on this matter, it should also be noted that the telecoms companies themselves cannot be trusted. Filtering is not a new thing and has been used in the past in order to prevent children from accessing inappropriate material (a course of action that was of course doomed to failure from the start).

As a Three customer myself I faced a large hurdle in removing a filter that I had neither requested nor wanted. Repeated requests to get rid of this filter changed nothing: the filter was left switched on. I was told I could go into the shop to get it switched off. I was naïve enough to believe this might work so this was tried too. Unfortunately for me however the employees in the shops showed no willingness whatsoever to even try and help me. I was turned away with no help being given, and a strong sense that they only cared about selling to new customers and cared nothing for existing customers.

In any case the Three filter also relied upon systems provided by Bluecoat.

There have been cases in the past where services provided by Bluecoat didn’t seem to work as most people would expect. Web usage was being shared with them and they subsequently visited the site as part of the filter. Again this raises other questions regarding privacy but these too will have to be left for the time being. The important point is this: when it came to other telecoms providers were concerned even when the adult filter was switched off the sharing often still continued.

I’m also a webmaster too, and would never consent to this type of interception, but then I’m never asked. I assume Three know that most webmasters would equally not allow such interception to occur, which is why they try and ignore the need to ask in the first place. I also have zero confidence in Three running their systems acceptably. Even if they did somehow managed to do so – something they have failed to do in the past – then they have still failed to outline exactly what’s happening to customers.

I sent a request to the ICO requesting details on their conversations between them and Three and/or Shine or internal conversations regarding the Shine trials. This request and the outcome can be found here. You’ll note how entire pages have been redacted from part of the response – evidently the ICO has been taking lessons from the US government when it comes to redaction. The level of secrecy surrounding their conversations with the company is also quite revealing. However the most interesting part is that the ICO themselves appear to recognise that these trials are not without unanswered questions.

ICO response

The response also indicates that there may also be problems under RIPA too. Since this is presumably the province of IoCCO I decided to send them an email too outlining my concerns. That particular complaint is still being investigated.

There is still the second point from the article to consider, and that is their assertion that adverts can be removed without breaking the website or app. This strongly suggests that content is not only being intercepted it’s also being modified before being sent on. This is an unacceptable state of affairs and represents arrogance of the highest order on Three’s part.

In any case the message is clear in my opinion: if you care about your privacy then avoid Three.