Snoopers' paradise - the Regulation of Investigatory Powers Bill

Innocent until proven guilty? Not if the Government get its way. The RIP bill looks set to give the establishment unprecedented surveillance powers, with possibly damaging effects on businesses and individuals alike

As the Internet has become more pervasive, governments throughout the world have understandably become worried that while it can bring many benefits to businesses and users, it can also be used as a conduit for criminal activity. Communications of forthcoming illegal acts can be passed between criminals, terrorists can organise acts online, and paedophiles can pass obscene material between each other.

In an attempt to curb illegal activities over the net, the UK Government is currently putting legislation through a bill in Parliament to bring its investigatory powers for online activities in line with those for telecommunications and traditional mail. The Regulation of Investigatory Powers Bill (RIP), dubbed the "snoopers bill", has just had its third reading in Parliament and is due to be passed as law in October.

But while the Bill has the good intentions to make it easier to monitor and prosecute suspected criminals, it has caused a storm of controversy from civil rights groups and opposition MPs. The controversy comes from the bill's detail, which gives the police and secret services far more power than they ever had with the telephone or postal system, and which some claim impacts upon human rights. This bill is likely to affect every resident of the UK who uses any form of electronic communication, and many outside. However, it has been left so open to misuse that it could have costly effects on ISPs, cause immeasurable financial damage to any business working in the UK, discourage outside investment and generally undo much of the Government's plan to make Britain the most e-friendly country in the world.

The bill was designed to "...make provision for and about the interception of communications, the acquisition and disclosure of data relating to communications, the carrying out of surveillance, the use of covert human intelligence sources and the acquisition of the means by which electronic data protected by encryption or passwords may be decrypted or accessed; to provide for the establishment of a tribunal with jurisdiction in relation to those matters, to entries on and interferences with property or with wireless telegraphy and to the carrying out of their functions by the Security Service, the Secret Intelligence Service and the Government Communications Headquarters; and for connected purposes."

This, of course, sounds very reasonable. There is a need for legislation to track and prosecute criminals using the Internet to carry out or organise their activities. Unfortunately the bill, which is currently on a fast track through Parliament, has given rise to some large loopholes which make parts of the bill unenforceable, make other parts open to misuse, and could convict innocent people while letting the guilty off lightly.

ISPs

The RIP bill has reclassified the role of the ISP as a "public telecommunications service". You will no longer use an ISP to connect to the net, you will be using the ISP's public telecommunication service. If you use Hotmail or a similar service, you use their public telecommunication service to read your mail. This definition could also be expanded to include WAP gateways and public news servers.

How this relates to the bill is that any of the following fall under its remit:

(a) a person who provides a postal service

(b) a person who provides a public telecommunications service

(c) a person not falling within paragraph b) who has control of the whole or any part of a telecommunication system located wholly or partly in the United Kingdom.

Paragraph (b) of this statement relates to ISPs and all the other public services available on the net mentioned above. Furthermore, paragraph (c) could refer to practically anyone with a telephone.

Anyone falling into any of these categories or who is employed by a company that does will have to obey any surveillance warrants issued under the new laws or face up to two years in jail. Also, if anyone under orders to obey this warrant then reveals the contents, details or even its existence to anyone else, a five-year prison sentence can result. Unlike traditional surveillance warrants, there is no time limit placed on the new warrants, meaning that the details can never be divulged to anyone without a criminal offence having taken place. This in turn means that if you are monitored, you will never know it.

This places a huge burden on ISPs, similar businesses, and their employees - legislation with which companies in other countries do not have to comply. This could well turn away companies that would otherwise set up in the UK.

ISPs will also be charged with installing interception devices in order to facilitate the monitoring of users' activities. This is something that ISPs do not do, as a rule, at the moment. These "black boxes" will not come cheap. Demon Internet commissioned a report into the potential costs of installing and running these devices and stated that it could run into millions of pounds. Unconvinced, the Government set up its own inquiry, headed by the Smith group. The results were confirmed, with estimates running at £34m. Providing the necessary information would cost large ISPs £113,000 for the first year and £44,700 for every year after. For smaller ISPs, which by the Government's definition could include a vast range of businesses and people, the costs were expected to be £44,700 in year one and £19,400 from there on.

With many Internet start-ups still struggling to break even, costs like these could well cause more financial problems, and for smaller companies looking to build a business in this area, the costs could well be an extra deterrent to entering the market.

Monitoring and Privacy

While certain areas of personal data are still protected by the bill, much of it is far easier to obtain. While the content of communications can only be read with a court order, third parties may be privy to where emails are going and the websites a person visits. This goes further than previous telecommunications measures, which allowed certain people access to the numbers you had dialled.

You might expect that this kind of surveillance warrant would only be issued where a serious crime is being investigated or perpetrated, and that there would only be a very select number of people who could issue these warrants. But this is not the case. The justifications for issuing a warrant are described in the bill as:

(a) in the interests of national security

(b) for the purpose of preventing or detecting crime or of preventing disorder

(c) in the interests of the economic well-being of the United Kingdom

(d) in the interests of public safety

(e) for the purpose of protecting public health

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a Government department

(g) for the purpose, in an emergency, of preventing death or injury or any damage to a person's physical or mental health, or of mitigating any injury or damage to a person's physical or mental health

(h) for any purpose (not falling within paragraphs (a) to (g)) which is specified for the purposes of this subsection by an order made by the Secretary of State.

This basically covers any crime, not just the serious ones, and any other reason that the Government or special services may see fit to use to monitor your online activities. And who can issue these warrants and look at the information?

(a) a Police Force

(b) the National Criminal Intelligence Service

(c) the National Crime Squad

(d) the Commissioners of Customs and Excise and their department

(e) any of the intelligence services

(f) any such public authority not falling within paragraphs (a) to (e) as may be specified for the purposes of this subsection by an order made by the Secretary of State.

In other words, anyone from the head of MI5 down to your local Police Officer, or anyone in Government whom the Home Secretary deems fit. This amounts to thousands of individuals who can order access to users' personal information for whatever reason they feel necessary.

Worrying for businesses is how "economic well-being of the United Kingdom" will be interpreted. The number of foreign business deals that a company undertakes could be argued to have an effect on the UK's economic well-being. In general, there are clauses designed to prevent overzealous scrutiny, although there seem to be loopholes in the bill to get around this. In essence, any public department can monitor who they want, for whatever purpose they want and for as long as they want simply by gaining the permission of the Home Secretary.

Security

Among the major worries that will be of particular concern to UK businesses are security issues. Alongside the fact that thousands of people may be able to access your business communications for spurious reasons, there could be serious security problems with the "black boxes" that are fitted at the ISP end.

With the Internet being a public domain, security has always been a crucial issue. Company details in the wrong hands might cause massive damage to an enterprise's market position. Since the Internet's inception, security companies have worked hard to ensure that all communications and transactions are as safe as possible. It is only because these systems have been open to scrutiny that the back doors into them have been found and closed. With the introduction of the "black box", ISPs will be obliged to provide a back door into web traffic for the Government to use. So far, no details of what the equipment will comprise have been released, and given the security services' dedication to secrecy, it is unlikely that they will be.

This could easily lead to the technology being cracked once it is in place, and therefore misused. Without consultation with security experts, or publication of the technical details so they can be scrutinised for holes, these "black boxes" could be an easy target for malicious hackers.

Guilty until proven innocent

One of the biggest objections to the bill is the Government's position on access to encryption keys, which many claim contravenes a key human right, and which may provide some criminals with an escape route from harsh punishment. There are also serious business issues here, again revolving around a company's online security.

The bill allows authorised people to demand an encryption key to view private documents when under suspicion for almost any crime or in conflict with any public authority. Again this includes for the "economic well-being of the United Kingdom". Failure to hand over a key when asked could result in a two-year prison term. If you do not have the keys you must prove that you have never been in possession of them.

It is this shift in the burden of proof that has campaigners up in arms. No longer does the prosecution have to prove to a jury beyond reasonable doubt that the suspect deliberately lost, hid or failed to give up the keys; the onus appears to be on the accused to prove that they never had them in the first place. Despite this apparent breach of human rights, the bill seems to overlook the fact that it is virtually impossible to prove this anyway.

While this part of the bill has the potential to convict an innocent person, it also raises the chance for serious criminals to get off lightly. Anyone who has incriminating material in encrypted form that would result in a jail term of longer than two years simply has to refuse to hand over the key and take the lighter sentence.

Aside from this issue, the encryption key section of the bill also has serious business implications. Much business activity needs to be kept confidential for the company to survive. To do this the vast majority of companies will use key encryption in some form or other. Once a key is passed on to a third party, the security of all the data under that key is compromised. The key is also out of the control of the company, which then has no idea who else could get hold of it. The damage that this could cause is massive. Unfortunately, the Government has yet to make any assurances over the security of the key once it has been passed on.

Not surprisingly, it was this issue that caused the most opposition as the bill came for its third parliamentary reading in May.

David Maclean MP said: "An innocent person...can be liable to a prison sentence of two years. He may have had no intention to commit a crime, but he can go to prison for two years. That is unjust and fundamentally wrong."

Richard Shepherd MP said the bill has "features that are unacceptable to our sense of freedom, liberty and the due processes that we have held to be important for many years."

Home Office minister Charles Clarke, defending this part of the bill, said: "Where prosecutions occur, it is for the authorities to prove, beyond reasonable doubt, that the accused has, or has had, a key. That is a significant burden of proof, and it is laid on the prosecution, not the defence."

Harry Cohen MP was worried how any data collected could be misused. "An official could legitimately authorise collections of communications data and keep proper records only for them subsequently to be used for another purpose. If that is true, the relevant commissioner, who examined the authorisation process, would not know of such disclosures; nor would the telecommunications operator or the public. To put it bluntly, the whole authorisation process and all the protections afforded by chapter II could be reduced to a meaningless sham," he said.

Because of the fast-track nature of the bill's procedure through the House, very little about the bill has made its way onto terrestrial television and few understand it. Nevertheless, there are still groups out there who believe that a difference can be made if there is enough support. STAND, a group formed to protest about the bill, is currently asking those who oppose areas of the bill to fax their MP to complain, and provides a service to make this easy to do. It also provides a more detailed explanation of how the bill will affect businesses and individuals alike.

Despite the protests by opposition parties and other groups, the bill is now likely to become law. Only minor changes are likely to be made from here. Once it is passed, businesses will have to learn how to work with the changes to law without damaging their profitability. This could involve fundamental changes to business practices, but as with many things in life, the lessons probably won't be learned until something has gone seriously wrong.

Paul Grant
