RIP Bill creates legal dilemma for IT chiefs

David Bicknell

IT directors will face a choice between breaking the law or breaching commercial confidentiality if Web tapping legislation passes through the Lords unaltered next week.

Business leaders are pressing for a last-minute overhaul of the Government's controversial Regulation of Investigatory Powers Bill. They fear it will damage the UK as a place to do e-commerce.

The Bill will go into its final committee stages in the House of Lords on 12 June with a new catalogue of complaints behind it.

In its current form, the Bill makes IT departments the target of law enforcement notices mandating the delivery of encryption keys or plain text - even though doing so could breach commercial confidentiality.

IT departments would have to put the technologies and processes in place to make encryption keys and details of transactions available to security services at short notice.

One IT security manager at a leading high-street financial institution said RIP "was terrible for UK plcs" and the costs of accommodating the law would drive business abroad. "It is unworkable," he added.

Although the campaign against it has previously been led by ISPs and human rights campaigners, last week business leaders weighed in. In a letter to Home Secretary Jack Straw, British Chambers of Commerce (BCC) director general Chris Humphries outlined "businesses' serious concerns" over the Bill.

At the heart of the letter is a concern that IT directors may end up being law enforcement agencies' target in organisations. They could be served a Section 46 notice, which requires the surrender of an encryption key or plain text held by an employee, without being able to make company directors aware of it.

That is because the notice is likely to arrive with a "tipping off" order attached, which means the IT director would be legally obliged not to inform anyone of the notice's existence.

In his letter to Straw, Humphries argues that the Bill should be redrawn to "explicitly state" that Section 46 notices relating to keys must be served to company directors. He also wants to ensure that keys are given to law-enforcement agencies for a limited time and specific purpose. Full encryption key disclosure could make a company liable for breach of commercial confidence with its business partners.

At the heart of the BCC's complaints is the fear that the RIP measures could leave firms liable to civil suits for damages resulting from interception of documents.

Critics say the Bill has been too loosely drafted, to ensure it does not become out-of-date as technology changes.

Data storm

HavenCo chief executive Sean Hasting steps into a storm over the Regulation of Investigatory Powers Bill this week. Based in Sealand, a World War Two fortress 12 miles off the Suffolk coast at Felixstowe, HavenCo is being set up as a datastore for companies wishing to store files outside the reach of the RIP legislation and UK e-commerce laws. The Anguilla-registered corporation will test Linux-based systems in the summer and expects to offer a full service in the autumn.
