Big Browser is watching you

It was once the proud claim of Tony Blair that the Government was determined to make the UK "the most e-friendly country in the world". But an unlikely coalition of computer techies, net users and human rights campaigners believe that the new Regulation of Investigatory Powers Act – appropriately abbreviated to RIP – has laid that particular myth well and truly to rest.

The RIP Act updates the powers of the security services so that they can do battle with the cyber criminals by "tapping" their emails and seizing their encryption keys. Few would disagree with such a noble objective.

When the act received royal assent last month, Jack Straw said: "The act will ensure that the UK's law enforcement and security agencies have the powers they need to do their job effectively in a changed technological world." It was all a question of balancing the State's needs with the rights of the individual and industry, the Home Secretary said. "We believe the RIP Act strikes the right one."

Unfortunately, not many commentators outside Whitehall agreed with such an upbeat analysis of his department's handiwork. The ink of the assent was barely dry when the Internet Service Providers (ISPs) began to complain. ISPs hate the RIP Act as they believe that they will be expected to pick up much of the bill for allowing MI5 to read their customers' emails.

Leading players such as Claranet and Poptel announced that they would be forced to move offshore to avoid the new powers. "Unless the Government is prepared to deliver a more supportive regulatory environment, businesses in particular will choose to base their internet activities overseas," threatens Steve Rawlinson, systems manager at Claranet.

The wider e-commerce community is shocked that a government, which apparently supported e-commerce, could get it so wrong. The Government is in danger of turning the UK from a "pioneer to an also-ran", says a spokesperson for Demon Internet. "The key issue here is that the internet is a global medium that cannot be controlled – it has grown beyond that. Trying to place too many restrictions on it is a pointless exercise. If the rest of the world refuses to impose this type of legislation, and the indications are that they won't, we're left out on our own."

Meanwhile, civil rights campaigners argue that October, when both RIP and the Human Rights Act 1998 come into force, will mark the start of an open season as the lawyers tear the legislation apart.

Add these disparate interest groups together – the lawyers, the boffins and the dotcoms – and the Government and its security forces have a formidable opponent on their hands.

The legislation was originally conceived to extend the powers of the Interception of Communications Act 1985 to the brave new world of the world wide web. When that law was drafted, members of the security services had a simple model for surveillance, explains Robert Carolina, an IT telecoms partner at Tarlo Lyons. Officers simply went into the offices of the relevant telecommunications company (telco), put the alligator clips on the lines and listened as criminal bosses talked to the criminal underlings.

Traditionally, the telcos have split the cost of surveillance with the Government and now the internet industry is expected to make a contribution. Service providers will be required to maintain a "reasonable intercept capability". What that means, nobody knows, says Carolina, adding that it could mean as little as making a desk free for MI5 once a month.

A recent report from the British Chamber of Commerce (BCC) put the price of compliance for ISPs at a "realistic" £640m for the next five years. There has been plenty of speculation about "big browser" which will comprise a government-designed black box located at service providers. The hardware will relay data to MI5, based at a new £25m spy centre which has the wonderfully misleading name of the Government Technical Advisory Centre.

As in all matters relating to RIP, the Government is taking a robust line. A Home Office spokesman dismisses the BCC figures as wildly inaccurate. "We estimate – and this is backed up by independent research – the cost of extending the interception regime will be approximately £20m over three or four years and the Government has set aside that sum," he says. "So it shouldn't cost ISPs anything."

ISPs will be issued with notices detailing what will be required of them and a body called the Technical Advisory Board is presently being established, comprising of Government and industry members to advise on issues.

But the internet industry remains anxious. The techies are not happy, says Nicholas Bohm, a sole practitioner who contributed to the BCC report and sits on the Law Society's e-commerce group. He says that ISPs work to tight margins in a demanding environment and they cannot afford to divert scarce intellectual resources.

He predicts that the implementation process could also be a frustrating experience for the Home Office. The decisions of the Home Secretary and his ministers could be subject to judicial review if they do not have convincing reasons to back up their demands. "Since we know they don't understand the issues, it's going to be difficult to see them having any convincing arguments," Bohm says.

But the BCC thinks that the cost to ISPs is a fraction of the total price that the online business community will have to pay. It has calculated that the overall financial implications of RIP would be in the region of £46bn in its first five years of operation. "Its effect is likely to be loss of confidence in e-commerce, unacceptable costs to business and to the UK economy, confusion and uncertainty at numerous levels of business activity," it says.

The interception regime will only serve to make a bad situation worse, says Ross McKean, a solicitor with Baker & McKenzie who is currently seconded to NTL. "If you build holes into people's networks, which is essentially what the act is asking people to do, as well as that weak point being used legitimately in the broadest sense, it will be used by hackers as well."

Trust in e-commerce is already low. "Confidence is the key, and this act destroys confidence," McKean says. He refers to the recent litany of internet security lapses at some of the UK's bluest of blue chip companies, most recently at Powergen and Barclays Bank. "All these stories are harming people's confidence in the internet and so what we did not need at a time like this was an act that says you can have all your communications read," he says.

A recent ICM survey found that only one third of people think that their money is safe on the web as compared to a conventional bank and only one in five felt secure when handing over their details to cyberspace. McKean believes that the legislation is "totally inconsistent" with Tony Blair's intention to make the UK the place for e-commerce. By contrast, he points to the Irish E-commerce Act which explicitly rules out intrusive interception and forced disclosure of private decryption keys.

Certainly, the RIP Act represents the UK leading the way or, depending upon your view, going dangerously out on a limb. The UK is the only G8 economy to allow the state access to decryption keys. Key seizure provisions are backed up by criminal sanctions – two years imprisonment for failing to meet disclosure requirements and up to five years for tipping someone off.

Even if the security services never demand a single key, the fact that legislation is on the statute books undermines e-commerce, argues Claranet's Rawlinson. "You'll never know if a financial institution, for example, has a private decryption key because it is an offence to tell that that key has been compromised. The fact that they might be able to without you knowing is enough to damage business confidence."

Originally, the RIP bill reversed the burden of proof and placed the onus on a person served with a notice to prove that they did not have a key. Amnesty International claimed that such a provision violated both the right to a fair trial and the presumption of innocence.

According to Bohm, the Government "caved in" at the last moment after considerable pressure from peers in the House of Lords. But problems remain. "In order to refuse access to the key you have to be extraordinarily sure that law enforcement cannot prove that this was used as a decryption key and you're betting your liberty on that one," he says. As that message percolates through industry, he believes that the key seizure provisions will become one of RIP's more alarming legacies.

The self-interest of industry meets with the concerns of civil liberties groups as they would argue that RIP diminishes the rights of individuals on the internet which in turn destroys confidence in the medium. In an open letter to peers last month, Amnesty International warned that the act could "violate" an individual's right to privacy and have a "chilling effect" on the fundamental rights of freedom of expression and association.

Suzanne Garben, a media and intellectual property partner at Denton Wilde Sapte, believes that there are "reasons to be vigilant" under the new regime. There are strict limitations on exceptions to the right to privacy under the European Convention – namely national security, public safety and economic well being – but she points to a clause allowing the Secretary of State to add any additional purpose. "Frankly I can't see how there could be any additional grounds," she adds.

RIP provides the framework for the state's new powers but it will be left to secondary legislation and codes of practice to fill in the blanks. "There is a fear factor and nobody can quite see where the act is going and uncertainty of later subsidiary legislation does not help," she adds.

Citizens might be reasonably comfortable with the necessity of Big Brother's watchful eye over conventional communications, but it is the scale and indiscriminate nature of Big Browser that is alarming. Bugging the internet is not like tapping phones, Garben says. "Because of the way the internet works, you can't tap one thing, you have to tap everything and then select what you want."

The interception of emails by the security forces requires a warrant but communications data is readily available to designated officials in specified public authorities. Such information includes names and addresses of the senders and recipients of emails as well as details of websites visited and could be used to create revealing profiles of net users. "There is an underlying assumption that this is somehow less intrusive than the content – but there is reason to question that assumption," Gorben says.

Understandably, ISPs are zealous about their subscribers' right to privacy. Many of Poptel's clients are trade unions and campaigning bodies and often find themselves at odds with the Government. Previously, legislation had limited interception to the monitoring of non-domestic communications – but not any more. Chairman Sean Fernson says: "Consequently, a trade union planning a major national strike could clearly be said to be acting against the economic well being of the country."

The problem with the internet is that the technology evolves faster than the law-makers can legislate. The anti-RIP movement has united "the libertarians, the techies and bits of industry" says Bohm, and has created fertile ground for the deployment of resistant technologies. "What will grow up is an avoidance industry" he predicts. And so RIP could have the ironic effect of encouraging greater protection for the cyber criminals. As soon as the act hit the statute books, an idiot's guide to avoid its spying powers was published on the internet.

The Home Office is trying to calm fears of routine mass surveillance of net users. Last year, only 2,000 warrants were authorised for interceptions. It is a "fairly rare activity," a Home Office Spokesperson says. "If you are a major criminal engaged in a major threat to national security then yes, you should be worried. No one else need be."

The Internet Industry's Verdict

A statement from Demon Internet begins: "The theory behind the bill is a noble one [to] allow key public sector organisations to have surveillance techniques over the internet." However, Demon continues to warn that service providers will be forced to make a large investment which will be passed on to users. "Customers will in turn be hit with forced expenditure of between £1,000 per year for a small organisation and £25,000 for a large one." But the price UK plcs will pay is not limited to monetary denominations, it argues. "The upshot could be that we are left behind as the electronic revolution happens around us."

Claranet, the UK's largest independent ISP, will offer customers the option of having their email stored on French servers as opposed to UK servers, says its systems manager Steve Rawlinson. "From Claranet's point of view it makes very little difference because we have infrastructure elsewhere," he says. "But for e-commerce in the UK it is quite worrying because it is another reason for somebody to decide that the UK is not the place."

On the issue of RIP's controls on encryption keys, he says: "This is worrying because you will never know if your financial institution, for example, has had its private encryption key demanded by law enforcement agencies because it is an offence to tell you that the key has been compromised."

Sean Fensom, chair of Poptel, says: "It doesn't matter what we think about the RIP Act, the important thing is that our users are concerned." A number of Poptel's business users are campaigning organisations and trade unions which have "very legitimate reasons" for coming into conflict with the Government.

Fensom argues that RIP will not even stop those who it is designed to stop. "Anyone who is in the least bit determined to keep their communications secret can do so, particularly if they are using an offshore ISP," Fensom says. "It's a clear threat to our business and so it is important for us to establish the same facilities."

According to the Government, it will cost ISPs £20m to develop a reasonable interception capacity. "We think that that is a gross underestimate," says Tim Snape, a council member of the Internet Service Providers' Association. "It's only going to be correct if they do nothing.

"It is an industry that competes on price and that has meant that some players have had to cut their cloth very thin indeed. Should this be a tax that is placed upon the industry?"

THE REGULATION OF INVESTIGATORY POWERS ACT 2000

The Regulation of Investigatory Powers Act has sparked outrage from internet service providers, with some threatening to move their business out of the UK. Jon Robins reports on how the Government is scaring off the e-millionaires with its latest act

Part I – Interception

Provides for a criminal offence of interception of a communication in the course of its transmission via a public telecommunications system, a private telecommunications system or the postal service, without a warrant or other lawful authority.

Gives power to the Secretary of State to issue warrants for interception of communications on application of specified high ranking officials in the police, security and intelligence services for specified purposes listed in the act – where necessary and in the interests of national security and for prevention or detection of serious crime [no requirement for judicial warrant].

Provides power for the Secretary of State to serve notices requiring public telecommunications service providers to maintain interception capability. Public telecoms operators and ISPs (and potentially public news servers, WAP gateways and web-hosting companies) may be required to install black boxes giving interception capability.

Measures designed to address the much publicised concerns of the IT industry include: establishment of a Technical Advisory Board (TAB) to oversee the issuing of notices; the right to receive a "fair contribution" towards costs incurred; the appointment of an interception of communications commissioner.

Gives powers for officials of public authorities (such as the police, intelligence services and revenue commissioners) to authorise the obtaining or disclosure of "communications data" – everything apart from the content of voice or data messages. The new provisions introduced by the act make this data available without a warrant or order to a broader class of person and for much wider purposes than under Part 1.

The purposes for which the communication data may be accessed include: the prevention or detection of crime (as opposed to serious crime); protecting public health/safety; the assessment and collection of taxes.

Part II – Surveillance and covert human intelligence sources regulates

The authorisation and carrying out of surveillance by police and intelligence services; the authorisation, use and protection of informants and undercover officers.

Part III – Investigation of electronic data protected by encryption

Part III gives authorised law enforcement authorities the right to serve decryption notices requiring disclosure of encryption keys for purposes such as the prevention or detection of crime and in the interests of national security.

The Secretary of State can issue warrants authorising the service of notices, for example, in many cases it is not necessary to obtain a judicial warrant through the courts.

Amendments to the original provisions in the bill, designed to address the concerns of the IT industry and civil rights groups include:

1. An obligation for the authorities to prove that a person is withholding a key before charging them with the offence of failure to comply with a notice (this reverses the original requirement for the individual to prove he was not in possession of the key).

2 The requirement to disclose encrypted information may be satisfied by providing the information in intelligible form unless specified otherwise in the notice.

3 Police officers may be authorised to serve decryption notices only if they are above the rank of superintendent.

Part IV – Scrutiny of investigatory powers and codes of practice

This part provides for the appointment of judicial commissioners to review the Secretary of State's role in relation to warrants for interception; the regime for acquiring communications data; and arrangements for decryption keys.

It gives the Secretary of State the right to introduce Codes of Practice.

Claire Coleman is associate solicitor in the e-commerce group at Denton Wilde Sapte.

HUMAN RIGHTS

There is some solace for the human rights lobby as RIP creates a new cause of action protecting the unlawful interception of emails on private networks. The act was originally introduced to drag the UK law into line with the European Convention on Human Rights following a critical drubbing by the Strasbourg judges in the high profile case of Alison Halford, the former chief constable of Merseyside. She claimed that the police bugged her phone in a dispute over high promotional prospects. The European Court ruled that she had a "reasonable expectation" of privacy in making and receiving phonecalls at work.

Now employees will have a legal right against their bosses for spying on their emails. But Graham Defries, a partner in the e-commerce group at IT firm Bird & Bird, points out that RIP includes a "legitimate purpose" for businesses monitoring communication. But the detail as to what constitutes such a purpose will come later. "It could mean that the Government ends up giving employers the right to monitor a great deal of the type of information employees are transferring around the firm," he says.

"It's zombie legislation. Although clinically dead with macabre wounds, it still lumbers on menacing both individual privacy and commercial confidence," said Casper Bowden, the director of internet policy think tank the Foundation of Information Policy Research, as the bill came to the end of the legislative process last month.

Now that the legislation is on the statute book, he thinks that it still has "enormous and obvious problems" with the Human Rights Act 1998. The Government made a U-turn on the vexed issue of the reversed burden of proof for key possession. It was not a very edifying testament to this Government's attitude towards the Human Rights Act, he says.

He thinks that one of the RIP Act's most alarming provisions allows the State to spy on domestic communication. The "average man on the street" would consider GCHQ's power to be limited to spying on foreigners, he says. But the act allows the Home Secretary to let GCHQ monitor domestic communications under a blanket warrant for general surveillance. "I think that is terrifying. It is the apparatus of Big Brother," he says.

The Home Office defends its human rights record. According to a spokesman, one of the main reasons for the legislation was to ensure that the existing law complied with the European Convention. He says the act is "fully compliant" with the European Convention on Human Rights. "We will ensure that the powers are used with full regard to the convention which does stipulate a right to privacy, but also acknowledges that there are occasions in a democratic society where that can be overruled."