The Regulation of Investigatory Powers Act is expected to come into force in October. To the Government it is an essential step to bring law enforcement powers into the Internet age [1]. For civil rights organisations it violates privacy, could prevent fair trials and will have a "chilling effect" [2] on liberties. The Act is known as RIP - whether you see this as apt depends on the side you take in this debate.

RIP was introduced to take account of developments in technology, to comply with the Human Rights Act [3] (due in force on 2 October 2000, and which protects private correspondence) and to implement the Telecommunications Data Protection Directive [4] (which requires laws to protect the confidentiality of communications). It will regulate (a) interception of communications, (b) surveillance, (c) decryption of intercepted or otherwise lawfully acquired material and (d) the investigatory and intelligence services. The first and third areas will affect e-commerce businesses, especially Internet service providers.

The Act also gives employees a right to claim compensation for unauthorised monitoring of their communications by employers.

Interception

Two regulatory standards apply. "Communications" (defined widely to cover voice, fax and email) may only be intercepted in limited circumstances or under a warrant, while "communications data" (traffic information identifying the sender, recipient or path of a message, but not its content) may be obtained on the authority of a range of officials.

Any interception of a communication on a public telecommunications system (one available to a substantial section of the public) without lawful authority is an offence. Interception includes monitoring transmissions and modifying or interfering with the telecommunications system so as to make the content of a communication available to someone other than the sender or intended recipient. Interception on a private system (one attached, directly or indirectly, to a public system) without lawful authority is also an offence unless done by the person with the right to control the system or with that person's express or implied consent.

Interception is lawful without a warrant only in limited circumstances: mainly where there are reasonable grounds to believe that both the sender and the intended recipient consent, where one of them consents and the interception has been authorised as surveillance under RIP's surveillance rules, where a telco intercepts for purposes connected with providing or operating its service, or in prisons and secure hospitals. The Home Secretary may also authorise interception by warrant where necessary in the interests of national security, to prevent or detect serious crime, to safeguard the UK's economic well-being or to give effect to an international mutual assistance agreement.

RIP imposes duties on telecommunications systems controllers. Those served with a warrant must do everything reasonably practicable to implement it (failure is an offence). The Home Secretary can also require system controllers to maintain an approved capability to implement interception warrants.

This last power is controversial. Industry objected to the potential cost (estimated at £46bn [5], a figure strongly challenged by the Government) and warned of a flight of e-commerce firms from the UK. Critics suggested that "black boxes" would be required at every ISP, giving the security services access to traffic. The Government has denied this and said that only a limited number of ISPs will face any requirements. No obligation can be imposed without notice; there must first be consultation with a technical advisory board and a fair contribution to the costs.

Communications data can be obtained in a wider range of circumstances. Listed public officials can require its disclosure on substantially the same grounds as are needed for an interception warrant and, in addition, to protect public safety or public health, to assess or collect taxes, to prevent death or personal injury in an emergency, or for other specified purposes. Again, a contribution to compliance costs may (but need not) be paid.

Decryption

RIP also allows the authorities to require disclosure of keys to decrypt lawfully acquired material (including material intercepted under the Act, seized under existing statutory powers or obtained by the intelligence services). This is seen as crucial to protect the effectiveness of law enforcement. Home Secretary Jack Straw said "serious criminals too have always been quick to jump on the latest technological bandwagon in their efforts to evade detection" [6].

If the appropriate authority (generally a judge, but for certain types of information the Home Secretary, a senior police officer or another specified person) reasonably believes that a person has a key to protected information, and that disclosure is necessary to protect national security, prevent or detect serious crime, safeguard the UK's economic well-being or secure the proper performance of any other statutory power or duty, they can serve a notice requiring disclosure.

The recipient of a disclosure notice can normally comply by disclosing either the plaintext of the protected material or the key. In three cases the recipient must instead disclose every key to the material that is in their possession: where they do not hold the protected material itself, where the material cannot be read without a key held by a third party, or where the notice expressly requires the key rather than the plaintext. A person who no longer has a key must disclose all information in their possession that would help the authorities obtain or recover it. Keys used only to generate electronic signatures need not be disclosed.

Failure to comply with a disclosure notice is an offence (penalty of up to 2 years' imprisonment). Critics argue that this reverses the normal criminal burden of proof, since it is for the person served to show that they no longer have the key, which means proving a negative. "Tipping off" the surveillance target about the notice carries a further penalty (up to 5 years' imprisonment). It is a defence that the tipping-off happened automatically (eg by key protection software) or was necessary in order to seek legal advice.

Monitoring Employee Email

Monitoring employee communications on a private telecommunication system is an offence unless done with lawful authority or by, or with the consent of, the system controller. Even with the controller's consent, the sender and the recipient of the message can each claim compensation for the interception unless it had lawful authority, which here means either that both of them expressly or impliedly consented to the monitoring or that the interception falls within specific regulations.

The draft regulations [7] allow monitoring and recording for national security, for detecting or preventing crime, to investigate or detect unauthorised use of a system, or to provide evidence of communications in order to prove facts or check compliance with policies. Charities can also monitor (but not record) calls to their helplines. In every case the person making the interception must make reasonable efforts to inform the sender and recipient that their communications may be intercepted, unless there are reasonable grounds to believe that they are already aware of this. In all other cases consent is required.

The regulations do not cover common business practices (such as interception for quality control or training, or reviewing an employee's email while they are out of the office) and are currently being revised.

Conclusions

All employees should be made aware that their communications may be monitored, and their consent should be obtained through appropriate policies. Where employees have control of encryption keys, they should be warned of the need to comply with any disclosure notice and of the risks of tipping-off, and be given a predetermined method of obtaining legal advice.

Finally, any company controlling a telecommunication system should follow developments concerning the duty to maintain an interception capability carefully.

Footnotes

[1] Press release, 28 July 2000

[2] Amnesty International open letter, 13 June 2000

[3] Human Rights Act 1998

[4] Directive 97/66/EC

[5] Financial Times, 13 June 2000

[6] RIP press release, 28 July 2000

[7] The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.