When you wake on Thursday 5 October next, you will find yourself living
in a
different country. An ancient bulwark of English law - the principle that
someone is presumed innocent until proven guilty - will have been overturned.
And that is just for starters. From that date also the police and security
services will enjoy sweeping powers to snoop on your email traffic and web
use
without let or hindrance from the Commissioner for Data Protection.
Every UK internet service provider (ISP) will have to install a black box
which monitors all the data-traffic passing through its computers, hard-
wired
to a special centre currently being installed in MI5's London headquarters.
This new mass surveillance facility is called the Government Technical
Assistance Centre (GTAC). Who said Jack Straw had no sense of humour?
The Regulation of Investigatory Powers (RIP) Bill which is now before the
Lords gives the Home Secretary powers of interception and surveillance which
would be the envy of the most draconian regime. In addition to encroaching
on
civil liberties, the same Bill will also drive hordes of e-commerce companies
from Britain to countries like Ireland where their encryption keys - extended
pin numbers allowing users to decipher jumbled data - will be protected
from
government prying. An administration which complains continually about making
Britain 'the most e-friendly country in the world' by 2002 is busily making
sure that exactly the opposite happens.
How has this extraordinary state of affairs come about? Is it another
manifestation of the cock-up theory of history, or are there more sinister
forces at work? The answer is a bit of both. For some time, it has been
obvious to Ministers and civil servants that British law needed updating
to
cope with the internet. In an era when online trading becomes ubiquitous,
for
example, some way has to be found of making 'digital signatures' legally
valid. Accordingly, a special Cabinet Office unit headed by Professor Jim
Norton set to work to devise a new legislative framework for the emerging
world of e-commerce and online communications. The main result of his labour
was the Electronic Commerce Bill.
As that Bill went through its Parliamentary hoops, it became clear that
some
parts of it - mainly the sections dealing with data encryption, interception
and surveillance - were so deeply flawed that they threatened to sink the
Bill. Given the Government's desire to make headway on the e-commerce front,
the problematic sections were eventually jettisoned and the Electronic
Commerce Bill became law in 1999.
It was a smart decision, but it left unresolved the problem of what to do
about the encryption stuff. The DTI, smarting from its bruising at the hands
of the computer scientists who had comprehensively shredded the original
encryption proposals, wanted nothing more to do with it. Accordingly the
poisoned chalice passed to the Home Office, which knows little of business
and
even less about the internet, but is endlessly attentive to the needs of
the
police, the security services and the Byzantine imperatives of official
secrecy. The RIP Bill is the fruit of that secretive bureaucratic milieu.
The official rationale for the legislation is that it is required to bring
UK
law into conformance with the European Convention on Human Rights. In the
end,
this will have to be tested in the courts, but Straw's confidence is not
shared by the Commons Trade & Industry Select Committee which last October
recommended that the Government publish a detailed analysis to substantiate
its confidence that the Bill does not contravene the Convention. This the
Government has so far declined to do.
The Bill has four main parts. The first deals with the interception of
communications. the second covers 'surveillance and covert human intelligence
sources'. The third tackles encryption and the fourth covers the 'scrutiny
of
investigatory powers and of the functions of the intelligence services'.
Parts
I to III propose massive extensions of the state's powers to spy on its
citizens while the fourth suggests a regulatory regime which seems laughably
inadequate to anyone familiar with internet technology. All sections of
the
Bill have been heavily criticised by external experts and a small number
of
committed MPs, but the legislation has passed through its Commons scrutiny
with its central provisions intact.
Part I gives the Home Secretary the power to issue a warrant requiring ISPs
to
intercept the communications of one or more of their subscribers. The problem
is that the internet is not like the telephone system - where it is
technically feasible to tap into a particular individual's communications
link. In order to monitor a person's internet traffic, you have to tap into
all the traffic running through his or her ISP. As a result, the expectation
is that Part I of the Bill will be implemented using so-called 'passive
monitoring': ISPs will be required to install a 'black box' which will monitor
all their data traffic and pass it to the GTAC centre.
The news that henceforth all UK internet traffic will find its way to MI5
does
not seem to have yet reached MPs, most of whom don't understand the technology
and assume that the Home Office must know what it is doing. Defenders of
the
Bill point out that MI5 can only legally read the content of communications
for which specific warrants exist, which is true. But they fail to notice
that
the Bill affords no such protection to the pattern of one's internet
connections.
In other words, while MI5 may need a warrant actually to read your email,
many
other people will have essentially unregulated access to logs of the websites
you access, the pages you download, the addresses of those with whom you
exchange email, the discussion groups to which you belong and the chat rooms
you frequent - in short, a comprehensive record of what you do online and
with
whom. It will be interesting to see how this squares with the European
Convention's requirements about privacy.
It is Part III of the Bill, however, which is most likely to contravene
the
Convention. Section 46 gives the Home Secretary the power to compel the
surrender of keys used to encrypt communications data. Failure to comply
carries a prison sentence of two years. If someone cannot comply because
they
have lost or forgotten the key then they have to prove that to the
satisfaction of a court. In other words, the burden of proof is shifted
from
the prosecution to the defence - one is presumed guilty until proved innocent.
And how do you prove that you have forgotten something?
Even more oppressive is the Bill's creation of a secondary offence - revealing
that you have been required to supply, or supplied, a decryption key - which
carries an even stiffer penalty. Under the terms of the Bill, for example,
the
police could arrive at 4am and demand that you produce such a key. If you
were
unable to comply and were taken in for questioning, it would be a criminal
offence punishable by five years' imprisonment to explain to your family
why
you were being dragged off.
Civil liberties campaigners are predictably opposed to the RIP Bill. But
it is
also widely opposed by the business community. Even Professor Norton, the
architect of the Government's e-commerce legislation, describes the proposals
as 'a classic own goal' that will undermine the aim of making Britain a
centre
for e-commerce. Encryption is central to e-business, and many companies
have
contractual agreements with clients for whom they hold cryptographic keys.
Under the RIP Bill they would be banned from revealing that they had
surrendered a key and thereby compromised the client's security.
'This is a clear case,' says Norton, 'of the futility of government treating
internet policy as a national issue when what is needed is international
agreement. A UK firm which handed over the key of a multinational client
would
be vulnerable to a compensation claim in an overseas court for compromising
that client's global security. US businesses are not happy about that
liability and will opt to work in countries like Ireland.'
The most astonishing thing about . Straw's pre-emptive strike on civil
liberties and e-commerce is that, to date, there has been almost no public
discussion of it. The Ministers driving his Bill through Parliament concede
that the powers they seek are sweeping, but argue that they can be trusted
to
apply them reasonably and that in any case the powers are commensurate with
the threat from online criminals, terrorists, paedophiles and pornographers.
In the absence of proper safeguards, the first argument is absurd.
As far as the second is concerned, nobody has yet produced any convincing
empirical evidence that the supposed threats are more than the fantasies
of
security services and hysterical projections of some newspapers. The internet
undoubtedly provides a conduit for criminal conversations and porno graphic
transactions. But then so does the telephone system and the Royal Mail,
and
yet nobody proposes tapping every phone in the land or scanning every letter.
A terrifying erosion in our liberties is being planned, yet the threat is
largely ignored.
Could it be that this collective passivity is because, for most citizens,
the
liberties that are being eroded lie in the future rather than the present?
Most people do not currently encrypt their email, even though an unencrypted
email is as vulnerable to snooping as an ordinary postcard. But in five
years' encryption will have become a necessity.
Human nature being what it is, people will lose or forget their decryption
keys - and some will find themselves attempting to convince a judge that
they
are not paedophiles feigning amnesia to qualify for a shorter sentence.
Will
they then remember Burke's warning that for evil to triumph it is necessary
only for good men to do nothing? And will they wonder why they had not been
more alarmed on the morning of 5 October 2000?
Rest of the world
Most countries impose no restrictions on the use of encryption by their
citizens. The exceptions tend to be authoritarian regimes such as those
in
Russia and China.
IRELAND: New e-commerce Bill makes it illegal for government to access
commercial cryptographic keys.
FRANCE: The government has recently announced a new policy of totally relaxing
controls on domestic use of encryption.
US: No domestic controls on use of cryptography, though Washington looks
enviously at the UK RIP bill.
GERMANY: Has long been the European leader in opposing restrictions on
citizens' use of encryption.
Over the coming weeks The Observer will print a series of articles and opinion
pieces on the proposed RIP Bill. If you wish to voice your opinion online
you
can do so {HYPERLINK "http://talk.guardianunlimited.co.uk/WebX?13@@.ee75b58"}
here. To find out more about the Bill see {HYPERLINK
"http://www.fipr.org/rip/"}www.fipr.org/rip/�
IMPORTANT NOTICE: If you are not using HushMail, this message could have been read
easily by the many people who have access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.
