After the legislative battles, businesses are learning to live with the cybertapping law that came into force late last month. Chris Sundt surveys the damage
The Regulation of Investigatory Powers (RIP) Act has been subject to voluminous discussion, argument and vituperation over the last 18 months or so.
Often in the teeth of government opposition, it has been amended until it has become both less threatening and, in places, more difficult to interpret. But, whatever its current weaknesses, it is now in force and we need to learn how to live with it.
The Act, in fact, requires business to do little more than what should already be seen as good corporate governance. The RIP Act is trying to achieve multiple objectives:
It is updating the Interception of Communications Act (1984) to take account of the ever-increasing number of telecommunications service providers who could be asked to intercept communications (part I chapter 1)
It updates, for the same reasons, the range of service providers that can be asked by statutory bodies to access communications data (part I chapter 2)
It includes a number of law enforcement activities for which the new Human Rights Act requires specific legal cover where previously there was none (mostly part II)
It includes provisions to allow statutory bodies to request, by various means, the plain text associated with protected information that comes into their possession (part III).
Business has no objection, in principle, to any of these goals. As is quite often the case, the devil is in the detail. The Government was determined to get the Act in place before the Human Rights Act came into force last month, and this severely constrained time for rational discussion.
It also meant that significant amendments forced through in the House of Lords (to their credit) were not overturned owing to lack of parliamentary time.
The overall message that business should take from the RIP Act is that it is "mostly harmless". In fact, there are aspects that should be welcomed:
The communications interception warrant process is still very tightly controlled and available to a very restricted list of authorities
The legal status of many law enforcement activities is established for the first time (especially in the area of covert surveillance)
The communications intercept capability process is more open. A technical advisory board that includes industry representatives will vet for practicality the requirements that can be placed on service providers to enable interception under warrant, and these requirements will be published.
But there are concerns. The Act enables a very wide range of statutory bodies to demand information of businesses with little real judicial control. Businesses should be concerned particularly with the following:
Under part I chapter 1, it is now illegal for businesses to intercept or monitor communications on any network that is part of a public network unless, for example, both parties have given express consent. This effectively covers all corporate networks. The Act allows specific exceptions for legal business interception as defined in a regulation that has been produced by the DTI, and came into effect on 24 October. For interception to be legal under this regulation, businesses will have to be careful to take all reasonable steps to ensure that those communicating know their communications could be monitored
Under part I chapter 2, a very broad range of statutory bodies has the right to request "communications data" under the appropriate judicial procedures. The definition of such data is still subject to debate, but such requests can be made of most businesses that use electronic communications - and especially of businesses that make use of the Internet or other public networks.
Part III allows any statutory body that has come into possession of data it cannot understand to demand (under a section 49 notice) that anyone it reasonably believes is able to do so provide the associated plain text, or the means of access to the plain text. Failure to comply with a section 49 notice without good reason can result in fines or prison sentences.
Businesses should also be aware that there are civil liberty and privacy concerns leading to possible legal challenges under the Human Rights Act to specific provisions of the RIP Act. Should any such challenges be successful, they might change the legal obligations for businesses under the RIP Act.
One major concern for a business will be whether it is a "telecommunications service provider" (TSP) within the meaning of part I of the Act.
If so, it is liable to be served a notice to incorporate interception capabilities into its services. The Government has stated that it only intends that the major public service providers will be subject to such a notice, but there is nothing in the Act to prevent the relevant authorities from serving such a notice on any TSP.
In summary, good corporate governance should be adequate to meet obligations under the Act if:
All appropriate people are aware of when interception/monitoring/recording of electronic communications within the corporation is undertaken, and the associated policies are included in the relevant regulations and guidelines
Appropriate procedures are in place for handling of warrants and notices under part I chapter 2 (access to communications data) and part III (access to protected data)
If considered to be a TSP, a plan is available to handle a notice to provide interception capability, should it be presented
Where encryption is used, a written policy exists on how all types of keys are handled.
It is worth noting that, while the Government has repeatedly stated that it will only use the provisions of the Act where fully justifiable (for example, only asking the few largest ISPs to include an interception capability), the Act contains no such restrictions.
Future administrations could make far greater use of the powers of the Act, and the range of statutory bodies that can issue notices for communications data and for access to protected data is very large.
Industry must remain on its guard to ensure that such powers are used reasonably and that the Codes of Practice, though having no legal force, do effectively limit such use.
This article has, of necessity, provided a high-level layman's view of the implications of the RIP Act and associated legislation on business processes. Appropriate legal advice must be sought to confirm that the processes adopted are, indeed, legally adequate.
Chris Sundt is a consultant with over 35 years' experience in IT. He represents the interests of ICL and industry on law and regulatory issues in e-commerce on a number of national and international bodies.
What should business do to comply with the RIP Act?
There should be formal policies on interception/monitoring/recording of communications by employees (of whatever type) and by customers - this includes anyone who communicates with the company electronically
All employees should be aware of the procedure to be followed should any form of warrant or notice be presented. It is essential that a business identify someone who is aware of the form of such warrants and notices, can verify their authenticity (to prevent fraudulent access to sensitive information, especially personal data, using forged warrants/notices) and can ensure that they are properly executed. While it is unlikely that most firms will currently be subject to a warrant or notice, the significantly broadened scope for notices for communications data and for access to protected information by almost any statutory body coupled with the increasing provision of communications services as part of e-commerce will make such notices more likely in the future
Those businesses offering a range of telecommunications services may need to consider whether they could be seen as a TSP as defined in the Act and, thus, potentially subject to a notice to provide interception capability. If this is the case, a plan should be developed on how such a notice might be handled - even if no actual preparatory technical work is done
If encryption is used to protect data in store (for example, on a laptop disc), while being communicated (for example, links using VPN or SSL) or for other reasons (such as secure e-mail), there should be a written policy on how all types of key are handled. Should it then become necessary to produce decryption keys rather than plain text associated with encrypted information, it will be straightforward to demonstrate whether the relevant keys still exist, and if so who has access to them.
Note that the regulation only defines what is legal. The Data Protection Commission has published draft guidelines on what monitoring/interception of employee communications is allowable from a data protection perspective. This further constrains what can be done.