Innocent until proven guilty? Not if the Government gets its way.
The RIP bill looks set to give the establishment unprecedented
surveillance powers, with possibly damaging effects on businesses
and individuals alike
As the Internet has become more pervasive, governments
throughout the world have understandably become worried that while
it can bring many benefits to businesses and users, it can also be
used as a conduit for criminal activity. Communications of
forthcoming illegal acts can be passed between criminals,
terrorists can organise acts online, and paedophiles can pass
obscene material between each other.
In an attempt to curb illegal activities over the net, the UK
Government is currently putting a bill through
Parliament to bring its investigatory powers for online activities
in line with those for telecommunications and traditional mail. The
Regulation of Investigatory Powers Bill (RIP), dubbed the "snoopers
bill", has just had its third reading in Parliament and is due to
be passed as law in October.
But while the Bill has the good intention of making it easier to
monitor and prosecute suspected
criminals, it has caused a storm of controversy from civil rights
groups and opposition MPs. The controversy comes from the bill's
detail, which gives the police and secret services far more power
than they ever had with the telephone or postal system, and which
some claim impacts upon human rights. This bill is likely to affect
every resident of the UK who uses any form of electronic
communication, and many outside. However, it has been left so open
to misuse that it could have costly effects on ISPs, cause
immeasurable financial damage to any business working in the UK,
discourage outside investment and generally undo much of the
Government's plan to make Britain the most e-friendly country in
the world.
The bill was designed to "...make provision for and about
the interception of communications, the acquisition and disclosure
of data relating to communications, the carrying out of
surveillance, the use of covert human intelligence sources and the
acquisition of the means by which electronic data protected by
encryption or passwords may be decrypted or accessed; to provide
for the establishment of a tribunal with jurisdiction in relation
to those matters, to entries on and interferences with property or
with wireless telegraphy and to the carrying out of their functions
by the Security Service, the Secret Intelligence Service and the
Government Communications Headquarters; and for connected
purposes."
This, of course, sounds very reasonable. There is a need
for legislation to track and prosecute criminals using the Internet
to carry out or organise their activities. Unfortunately the bill,
which is currently on a fast track through Parliament, has given
rise to some large loopholes which make parts of the bill
unenforceable, make other parts open to misuse, and could convict
innocent people while letting the guilty off lightly.
ISPs
The RIP bill has reclassified the role of the ISP as a "public
telecommunications service". You will no longer use an ISP to
connect to the net, you will be using the ISP's public
telecommunication service. If you use Hotmail or a similar service,
you use their public telecommunication service to read your mail.
This definition could also be expanded to include WAP gateways and
public news servers.
How this relates to the bill is that any of the following fall
under its remit:
(a) a person who provides a postal service
(b) a person who provides a public telecommunications service
(c) a person not falling within paragraph (b) who has control of the
    whole or any part of a telecommunication system located wholly or
    partly in the United Kingdom.
Section (b) of this statement relates to ISPs and all the other
public services available on the net mentioned above. Furthermore,
section (c) could refer to practically anyone with a telephone.
Anyone falling into any of these categories, or who is employed by
a company that does, will
have to obey any surveillance warrants issued under the new laws or
face up to two years in jail. Also, if anyone under orders to obey
this warrant then reveals the contents, details or even its
existence to anyone else, a five-year prison sentence can result.
Unlike traditional surveillance warrants, there is no time limit
placed on the new warrants, meaning that the details can never be
divulged to anyone without a criminal offence having taken place.
This in turn means that if you are monitored, you will never know
it.
This places a huge burden on ISPs, similar businesses, and their
employees - legislation with which companies in other countries do
not have to comply. This could well turn away companies that would
otherwise set up in the UK.
ISPs will also be charged with installing interception devices in
order to facilitate the monitoring of users' activities. This is
something that ISPs do not
do, as a rule, at the moment. These "black boxes" will not come
cheap. Demon Internet commissioned a report into the potential
costs of installing and running these devices and stated that it
could run into millions of pounds. Unconvinced, the Government set
up its own inquiry, headed by the Smith group. The results were
confirmed, with estimates running at £34m. Providing the necessary
information would cost large ISPs £113,000 for the first year and
£44,700 for every year after. For smaller ISPs, which by the
Government's definition could include a vast range of businesses
and people, the costs were expected to be £44,700 in year one and
£19,400 from there on.
With many Internet start-ups still struggling
to break even, costs like these could well cause more financial
problems, and for smaller companies looking to build a business in
this area, the costs could well be an extra deterrent to entering
the market.
Monitoring and Privacy
While certain areas of
personal data are still protected by the bill, much of it is far
easier to obtain. While the content of communications can only be
read with a court order, third parties may be privy to where emails
are going and the websites which a person visits. This is more
stringent than previous telecommunications measures that allowed
certain people access to the numbers you have dialled.
You might expect that this kind of surveillance warrant would only
be issued where a serious crime is being investigated or
perpetrated, and
that there would only be a very select number of people who could
issue these warrants. But this is not the case. The justifications
for issuing a warrant are described in the bill as:
(a) in the interests of national security
(b) for the purpose of preventing or detecting crime or of
    preventing disorder
(c) in the interests of the economic well-being of the United Kingdom
(d) in the interests of public safety
(e) for the purpose of protecting public health
(f) for the purpose of assessing or collecting any tax, duty, levy or
    other imposition, contribution or charge payable to a Government
    department
(g) for the purpose, in an emergency, of preventing death or injury
    or any damage to a person's physical or mental health, or of
    mitigating any injury or damage to a person's physical or mental
    health
(h) for any purpose (not falling within paragraphs (a) to (g)) which
    is specified for the purposes of this subsection by an order made
    by the Secretary of State.
This basically covers any crime, not just the serious ones, and any
other reason for which the Government or special services may see
fit to monitor your online activities.
And who can issue these warrants and look at the information?
(a) a Police Force
(b) the National Criminal Intelligence Service
(c) the National Crime Squad
(d) the Commissioners of Customs and Excise and their department
(e) any of the intelligence services
(f) any such public authority not falling within paragraphs (a) to
    (e) as may be specified for the purposes of this subsection by an
    order made by the Secretary of State.
In other words, anyone from the head of MI5
down to your local Police Officer, or anyone in Government who the
Home Secretary deems fit. These numbers will amount to thousands of
individuals who can order access to users' personal information for
whatever reason they feel necessary.
Worrying for businesses is how
"economic well-being of the United Kingdom" will be interpreted.
The number of foreign business deals that a company undertakes
could be argued to have an effect on the UK's economic well-being.
In general, there are clauses designed to prevent overzealous
scrutiny, although there seem to be loopholes in the bill to get
around this. In essence, any public department can monitor who they
want, for whatever purpose they want and for as long as they want
simply by gaining the permission of the Home
Secretary.
Security
Among the major worries that will be of
particular concern to UK businesses are security issues. Alongside
the fact that thousands of people may be able to access your
business communications for spurious reasons, there could be
serious security problems with the "black boxes" that are fitted at
the ISP end.
With the Internet being a public domain, security has
always been a crucial issue. Company details in the wrong hands
might cause massive damage to an enterprise's market position.
Since the Internet's inception, security companies have worked hard
to ensure that all communications and transactions are as safe as
possible. It is only because these systems have been open to
scrutiny that all the back doors into the system have managed to be
closed. With the introduction of the "black box", ISPs will be
obliged to provide a back door into web traffic for the Government
to use. So far, no details of what the equipment will comprise have
been released, and given the security service's dedication to
secrecy, it is unlikely that they will.
This could easily lead to
the cracking of the technology once it is in place, and therefore
the misuse of it. Without consultation from security experts or
publicising the technological details so they can be scrutinised
for holes, these "black boxes" could be an easy target for
malicious hackers.
Guilty until proven innocent
One of the
biggest objections to the bill is the Government's position on
access to encryption keys, which many claim contravenes one of the
key human rights issues, and may provide some criminals an escape
route from harsh punishment. Besides this there are also serious
business issues, again revolving around a company's online security.
The bill
allows authorised people to demand an encryption key to view
private documents when under suspicion for almost any crime or in
conflict with any public authority. Again this includes for the
"economic well-being of the United Kingdom". Failure to hand over a
key when asked could result in a two-year prison term. If you do
not have the keys you must prove that you have never been in
possession of them.
It is this shift in the burden of proof that has
campaigners up in arms. No longer does a jury have to prove beyond
reasonable doubt that the suspect has deliberately lost, hidden or
failed to give up the keys; the onus appears to be on the accused
to prove that they never had them in the first place. Despite this
apparent breach of human rights, the bill seems to overlook the
fact that it is virtually impossible to prove this anyway.
While
this part of the bill has the potential to convict an innocent
person, it also raises the chance for serious criminals to get off
lightly. Anyone who has incriminating material in encrypted form
that would result in a jail term of longer than two years simply
has to refuse to hand over the key and take the lighter
sentence.
Aside from this issue, the encryption key section of the
bill also has serious business implications. Much business activity
needs to be kept confidential for the company to survive. To do
this the vast majority of companies will use key encryption in some
form or other. Once a key is passed on to a third party, the
security of all the data under that key is compromised. The key is
also out of the control of the company, which then has no idea who
else could get hold of it. The damage that this could cause is
massive. Unfortunately, the Government has yet to make any
assurances over the security of the key once it has been passed
on.
Not surprisingly, it was this issue that caused the most
opposition as the bill came for its third parliamentary reading in
May.
David Maclean MP said: "An innocent person...can be liable to a
prison sentence of two years. He may have had no intention to
commit a crime, but he can go to prison for two years. That is
unjust and fundamentally wrong."
Richard Shepherd MP said the bill
has "features that are unacceptable to our sense of freedom,
liberty and the due processes that we have held to be important for
many years."
Home Office minister Charles Clarke, defending this
part of the bill, said: "Where prosecutions occur, it is for the
authorities to prove, beyond reasonable doubt, that the accused
has, or has had, a key. That is a significant burden of proof, and
it is laid on the prosecution, not the defence."
Harry Cohen MP was
worried how any data collected could be misused. "An official could
legitimately authorise collections of communications data and keep
proper records only for them subsequently to be used for another
purpose. If that is true, the relevant commissioner, who examined
the authorisation process, would not know of such disclosures; nor
would the telecommunications operator or the public. To put it
bluntly, the whole authorisation process and all the protections
afforded by chapter II could be reduced to a meaningless sham," he
said.
Because of the fast-track nature of the bill's procedure
through the House, very little about the bill has made its way onto
terrestrial television and few understand it. Nevertheless, there
are still groups out there who believe that a difference can be
made if there is enough support. STAND, a group formed to protest
about the bill, is currently asking those who oppose areas of the
bill to fax their MP to complain, and provides a service to make
this easy to do. They also provide a more detailed explanation of
how the bill will affect businesses and individuals alike.
Despite
the protests by opposition parties and other groups, the bill is
now likely to become law. Only minor changes are likely to be made
from here. Once it is passed, businesses will have to learn how to
work with the changes to law without damaging their profitability.
This could involve fundamental changes to business practices, but
as with many things in life, the lessons probably won't be learned
until something has gone seriously wrong.
Paul Grant