Remove RIPA ambiguities

The confusion and consternation surrounding the Regulation of Investigatory Powers Act (RIPA) show no sign of abating. Now, Computer Weekly has learnt that the Home Office is to instigate two consultations to iron out some of the inconsistencies that are currently hobbling the Act.

First, the Home Office intends to enter into consultation to decide which government agencies should be able to access data for purposes of national security, under the terms of the Act. Second, it is seeking to finalise a voluntary code of practice for communications service providers on storing e-mail and telephone data - this, despite the fact that the providers themselves have already made it clear that they will reject such a code.

The Home Office is right to act to clarify this unpopular law. Clearly, an Act that gives the police and other government organisations the right to access details of telephone, e-mail and Web communications must be carefully framed if it is not to breach the fundamental principles of human rights.

But the arguments over RIPA are not limited to the civil liberties lobby. The Act will have direct repercussions for the work of many IT directors. Under the legislation, any business with a significant e-commerce operation could find itself on the receiving end of an order demanding disclosure of data about its customers. IT directors will need to know how to respond - and to do this the legislation needs to be clear and unambiguous.

Legal opinion that was recently sought by the UK's information commissioner, Elizabeth France, points out that although the code requires providers to retain data for purposes of national security and anti-terrorism, in practice, police and government agencies with access to this data are able to easily take advantage of RIPA to mine it for other, more mundane purposes, such as investigating benefit or tax fraud.

The waters are muddied further by the fact that some government agencies are currently making use of a series of other existing laws to access Internet and phone details being retained as a result of RIPA. None of these laws require agencies to work according to the safeguards of RIPA codes of conduct or under the oversight of the Government's Interception Commission.

In other words, a host of government bodies are enjoying free rein to access private data, thanks to a raft of overlapping laws and a lack of legislative clarity.

We applaud the Government's efforts to bring transparency to this unsatisfactory situation. But there must be no halfway house. Nothing less than a top-down reappraisal of any and all laws pertaining to the accessing of public data will suffice, if communications service providers and the companies and individuals they serve are to be assured that their human rights to privacy remain intact.

RIPA must state clearly and unambiguously which agencies are entitled to access what data, and under what circumstances. And any other miscellaneous UK laws that pertain to the retention of public communications data must be dovetailed into RIPA, closing any loopholes through which public bodies are currently slipping in order to scrutinise data for purposes other than national security.
