Last week Computer Weekly columnist David Taylor slammed the new
RIP Act as an obstacle to e-business. The home secretary Jack Straw
penned this response:
I was disappointed to see that misconceptions continue to
circulate about the Regulation of Investigatory Powers Act
(RIPA).
The Internet and associated technologies offer huge legitimate
opportunities for business and society - opportunities that the
Government is actively encouraging. But it cannot be right for
criminals to be free to abuse these technologies with impunity
because the law is not up to date, and for e-businesses themselves
to become the victims of serious criminality.
Simply put, RIPA aims successfully to balance individual rights,
the interests of business and those of law enforcement, to ensure
that UK cyberspace provides the best and the safest environment for
e-business.
Let me deal with your specific questions.
RIPA does not mean that all ISPs will be required to monitor all
e-mail traffic. Nor are we creating a special centre to access all
e-mail. As we have consistently explained, a small number of ISPs
may be required to maintain an intercept capability and then only
after consultation with individual providers on the precise terms
of that requirement.
RIPA does not permit unfettered electronic surveillance by the
security service or anyone else. Interception warrants require my
personal authority and may only be authorised if they meet one of
the narrow criteria set out in the Act - a threat to national
security, a threat to the nation's economic well-being, or to
prevent or detect serious crime.
We believe RIPA to be compatible with the European Convention on
Human Rights. The Convention rightly seeks to protect individual
privacy, but in Article 8 it also recognises that in certain
circumstances it may be necessary to interfere with an individual's
privacy where this is in accordance with the law and - in a
democratic society - is in the interests of, for example, the
prevention of crime.
These are precisely the sort of strictures contained in section
49 of RIPA - establishing the power to serve a disclosure notice.
The Act does not presume that individuals are guilty until proven
innocent. We altered the offence of non-compliance with a
disclosure notice in Parliament to lower the burden of proof in
favour of the defence in cases where the authorities have been able
to prove only prior possession of an encryption key.
You ask for international comparisons. I make no apologies for
this Government having taken a lead in tackling the difficult
issues involving e-mail interception and encryption. But other
countries are now looking at ways to update law enforcement powers
to take account of technological advancement. Look at the recent
debate about the "Carnivore" e-mail interception system in the
US.
RIPA is not about stifling e-business. The Act has benefited
from direct discussion with industry, including three detailed
public consultation exercises last year.
We made a number of significant amendments to the Act during its
Parliamentary passage in specific response to points raised by
industry. We will provide £20m over three years from next April to
ease the introduction of the new interception arrangements. There
will also be a Technical Advisory Board, comprised of Government
and industry members, to oversee notices requiring the maintenance
of an intercept capability.
RIPA needs industry's co-operation, and we will continue our
constructive dialogue with the relevant players, most immediately
on the codes of practice, during the coming months.
We are making this country an "e-friendly" place for business.
One of the Government's important responsibilities is to ensure
that the UK is also a safe place for people to live and work. That
is everyone's right. RIPA will help us achieve this.
Computer Weekly comment
Nobody denies the need for laws to stop cybercrime. But the RIP
Act does two things that needlessly hamper the emergence of
e-business. It places the cost of surveillance onto business
without adequate guarantees of compensation - ISPs say £20m is not
enough. And it undermines trust, because businesses suspect their
secure communications will be open to scrutiny by leaky and
unaccountable law enforcement agencies.
The Government's attempts to regulate electronic commerce have
always put crimefighting first, fostering e-business confidence
second.
The Republic of Ireland has outlawed the same measures the RIP
Act now enforces. That is one of the reasons Eire is fast becoming
western Europe's Silicon Valley, while major corporations seriously
consider moving secure e-commerce operations out of the UK.
The Government's last-minute climbdowns on the detail of the Act
simply show how little it had listened to business in the first
place. If it had listened more, the RIP Act would not exist.