RIP: we look at how this new Bill will affect IT departments across
the UK
What is it?
The Regulation of Investigatory Powers Bill (RIP) was introduced
to the House of Commons on 9 February 2000.
According to the Home Office, the RIP is intended to assist law
enforcement agencies in their fight against serious crime by
bringing the law concerning surveillance and covert policing up to
date with recent technological advances. Critics maintain it is
legally deficient, constituting a breach of the provisions of the
European Convention on Human Rights, and too onerous to be
workable. IT managers who fail to comply with the provisions of RIP
could face prosecution.
The RIP breaks down into five areas:
- Interception of communications
- Access to communications data
- Surveillance and covert human intelligence sources
- Scrutiny of investigatory powers and the functions of the
intelligence services
- Decryption of electronic data - the most important provision
for IT directors.
What is at stake?
Under clause 46 of the RIP, any person with the "appropriate
permission" (defined as written permission from a circuit judge)
can require someone who has, or has had, a decryption key to
provide that key or the plain text of specified material. Failure
to comply is a criminal offence punishable by up to two years'
imprisonment and/or an unlimited fine.
How will it work?
The detailed decryption provisions under the RIP that may impact
on the IT industry are:
- In order to exercise the power, the person seeking disclosure
of the key must have reasonable grounds to believe the key is in
the possession of the person being required to produce it
- The requirement to disclose the key must be necessary for
preventing or detecting crime, or likely to be of value for
purposes connected with the performance by a public authority of
any statutory power or duty
- Notice under the provision must be in writing, or in a manner
that produces a written record (presumably including e-mail)
- The Secretary of State can make provision for the payment of an
appropriate contribution to the costs of complying with a notice.
This is particularly concerning for the industry as there are no
guidelines for how such a contribution is to be measured, and there
is an undetermined cost that must be met by the IT user
- The RIP creates a further offence of "tipping off" in the
context of decryption key provisions. A notice may specify that the
person in receipt of it must keep secret the existence and content
of the notice, and things done in pursuit of it. A breach of this
is an offence punishable by up to five years' imprisonment and/or
an unlimited fine. However, it is a defence to this charge to show
that the tipping off occurred as a result of the software, for
example, where a key to protected information has ceased to be
secure; and that the person could not reasonably be expected to
take steps after the giving of the notice to prevent
disclosure.
What will it mean to you?
Legal objections to the decryption provisions relate principally
to placing the burden of proof on a defendant who claims to have
lost the key, as this is contrary to the criminal law principle of
"innocent until proven guilty". For this reason it is questionable
whether the provision as drafted will survive the enactment, later
this year, of the Human Rights Act.
Nonetheless, powers of Web tapping with criminal sanction for
non-compliance are an imminent reality. In the short term, IT
managers and directors would be well advised to consider an
internal audit of the use of encryption keys, and a review of user
policy.
For further details contact Jeanette Hardwood at Dibb Lupton
Alsop on 0161 235 4339