Regulation of Investigatory Powers Bill: what it will mean to you

RIP: we look at how this new Bill will affect IT departments across the UK


What is it?

The Regulation of Investigatory Powers Bill (RIP) was introduced to the House of Commons on 9 February 2000.

According to the Home Office, the RIP is intended to assist law enforcement agencies in their fight against serious crime by bringing the law concerning surveillance and covert policing up to date with recent technological advances. Critics maintain it is legally deficient, constituting a breach of the provisions of the European Convention on Human Rights, and too onerous to be workable. IT managers who fail to comply with the provisions of RIP could face prosecution.

The RIP breaks down into five areas:

  • Interception of communications

  • Access to communications data

  • Surveillance and covert human intelligence sources

  • Scrutiny of investigatory powers and the functions of the intelligence services

  • Decryption of electronic data - the most important provision for IT directors.

What is at stake?

Under clause 46 of the RIP, any person with the "appropriate permission" (defined as written permission from a circuit judge) can require someone who has, or has had, a decryption key to provide that key or the plain text of specified material. Failure to comply is a criminal offence punishable by up to two years' imprisonment and/or an unlimited fine.

How will it work?

The detailed decryption provisions under the RIP that may impact on the IT industry are:

  • In order to exercise the power, the person seeking disclosure of the key must have reasonable grounds to believe the key is in the possession of the person being required to produce it

  • The requirement to disclose the key must be necessary for preventing or detecting crime, or likely to be of value for purposes connected with the performance by a public authority of any statutory power or duty

  • Notice under the provision must be in writing, or in a manner that produces a written record (presumably including e-mail)

  • The Secretary of State can make provision for the payment of an appropriate contribution to the costs of complying with a notice. This is particularly concerning for the industry as there are no guidelines for how such a contribution is to be measured, and there is an undetermined cost that must be met by the IT user

  • The RIP creates a further offence of "tipping off" in the context of decryption key provisions. A notice may specify that the person in receipt of it must keep secret the existence and content of the notice, and things done in pursuit of it. A breach of this is an offence punishable by up to five years' imprisonment and/or an unlimited fine. However, it is a defence to this charge to show that the tipping off occurred as a result of the software, for example where a key to protected information has ceased to be secure, and that the person could not reasonably be expected to take steps after the giving of the notice to prevent disclosure.

What will it mean to you?

Legal objections to the decryption provisions relate principally to placing the burden of proof on a defendant who claims to have lost the key, as this is contrary to the criminal law principle of "innocent until proven guilty". For this reason it is questionable whether the provision as drafted will survive the enactment, later this year, of the Human Rights Act.

Nonetheless, powers of Web tapping with criminal sanction for non-compliance are an imminent reality. In the short term, IT managers and directors would be well advised to consider an internal audit of the use of encryption keys, and a review of user policy.

For further details contact Jeanette Hardwood at Dibb Lupton Alsop on 0161 235 4339
