Users voice fears on RIP Bill

Invasion of privacy, breaches of confidentiality and extra costs are all concerns raised by users in response to the imminent RIP...

Invasion of privacy, breaches of confidentiality and extra costs are all concerns raised by users in response to the imminent RIP Bill. Paul Donovan and Guy Campos report

IT directors have hit out against the Regulation of Investigatory Powers Bill, which goes through the House of Lords this week.

The Bill, as drafted, gives Government agents the power to hold company data and encryption keys for an unlimited time without restrictions on use, which could lead to breaches of confidentiality and lawsuits as a result.

It could also force the IT manager served with a demand for information to keep this secret from his board of directors; this is the result of an accompanying Section 46 gagging order, without providing specific employment protection.

In addition, if IT managers are unable to provide the data or encryption keys requested they will have committed an offence unless they can provide positive proof that the evidence required is not available - a reversal of normal legal practice that is designed to prevent the conviction of the innocent.

When extra powers for government bodies to demand electronic information were first mooted last year, they were dropped following fierce opposition from business. The government initially proposed that all encryption keys - a single company could have hundreds - would have to be stored with a trusted third party in a practice called key escrow. The third party would have been legally obliged to hand them over whenever the government requested.

The new proposals in the RIP Bill include one safeguard - a requirement that the authorities gain a judge's consent before issuing a warrant - but IT managers, from a range of industry sectors, are still worried.

They will be put in the difficult position of having to assess whether a warrant is real or not, according to Philip Virgo, special adviser to Institute for Management of Information Systems, which represents more than 10,000 IT professionals in the UK.

"One of the things IT managers need to know is the validity of the warrants that are being served on them," he said. "The issue of security and routines against spoof warrants needs to be addressed. The RIP Bill is an issue that will have most effect on financial and legal institutions in the City but you will find them very reluctant to talk about it in public."


It is difficult for companies to trust government officials to maintain corporate confidentiality, according to Frank Berridge, assistant and logistics director at the House of Fraser. "Given that the government and civil service leak like a sieve, there could be real questions of breaches of client confidentiality if they had access," he said.

"I don't believe that it is appropriate that I should do anything that I could not then tell my board colleagues about. The principle of the RIP Bill has to be in question, though I would not go to the extremes of the National Council for Civil Liberties. Government bodies should not have access to things electronically that they could not access on paper."


Margaret Smith, director of e-commerce, Legal & General believes that the Bill could be an underhand means of getting notorious key escrow onto the statute book.

"We lobbied for the removal of key escrow from the Electronic Communications Bill when it came out in draft form," she said.

"We recognise the need for the provision of special powers for law enforcement authorities but we need to make sure that we don't get problems that we didn't envisage. This might be a bit of a backdoor establishment of key escrow and everybody said that would be a bad thing.

"Our lawyers are looking at it and we will go back to the Government with our thoughts. Whatever happens, we would co-operate with any inquiry into crime as most major organisations would," she said.


As more and more company business is conducted using the Internet, concerns over confidentiality become greater, said Yvonne Pilsbury, IT manager at Dixons.

"The RIP Bill is an invasion of privacy that could lead to breaches of confidentiality," she said.

"We have just taken over a company and the deal was done by e-mail. There would have been problems if any of the information had got out. The concerns over confidentiality were such that everyone involved in the deal had to sign a secrecy agreement."

The public sector

Although the RIP Bill is being drafted by central government, the implications for IT managers have not been disseminated into local government, according to John Serle, spokesman for Socitm, the local authority IT managers' organisation.

He believes the Bill could be a "dodgy proposition" for public-sector IT professionals. "Local authority IT managers don't understand that the Bill will affect them. If they want to provide portal services, they have got to facilitate the RIP Bill and they are going to incur costs as a result."

Legal experts assess the impact of the Investigatory Powers Bill

The RIP Bill has the potential to wreck the development of e-commerce in the UK, according to Liz Fitzsimmons, a solicitor at Eversheds.

"RIP could come to stand for ruined Internet potential," she said. "IT directors and anyone who receives electronic or encrypted data needs to be aware of the dangers of RIP. Those who have Section 46 notices served upon them will feel particularly vulnerable, given that they will not be able to disclose that information to the employer and might even have to go and get their own legal representation."

She believes that IT directors need to now be gearing up in preparation for implementation of RIP. "Employers need to train their staff on RIP as to what could happen."

Catrin Turner, partner at London e-commerce and IT specialist solicitors Henry Hepworth, said that regardless of whether the RIP Bill is altered in the House of Lords this week, it could be changed by forthcoming European legislation.

"It is a question of balancing the rights of privacy with the need to prevent crime," she said.

"The Government seems terrified at the prospect that it won't be able to look over the shoulder of commercial companies. However, the dilemma of privacy versus crime prevention will only be resolved once the Human Rights Act comes into force and then the European Court of Human Rights could eventually become involved."

Read more on IT risk management