REGULATION OF INVESTIGATORY POWERS BILL

 

BRIEFING FOR HOUSE OF LORDS SECOND READING DEBATE (Thurs 25th May)

see also RIP Information Centre at www.fipr.org/rip

 

FIPR will be publishing proposals for specific amendments in time for the House of Lords Committee stage. In Parliamentary debate and elsewhere the government has referred to Codes of Practice which would address some of the criticisms contained herein – however these will not be available even in draft until immediately before Royal Assent, therefore we have not incorporated these references into our analysis. This paper does not address Part.II of the Bill – Covert Human Intelligence Sources.

 

 

Summary - Four Fallacies

“We tap telephones – obviously we must tap the Internet – why the fuss?”

Although telephone exchanges went digital in the 1980s, to tap domestic calls a warrant must physically be served on the telephone company – this maintains an important practical check on abuse. RIP would allow access directly through an infrastructure of “black-boxes” linked to a central surveillance centre (GTAC), without the knowledge of the Internet provider – or (verifiably) of an Interception Commissioner.

 

“This bill updates and modernises police powers – it does not extend them”

RIP does greatly extend powers both in practice and in principle:

· Under Pt.I Ch.II any public authority can obtain a list of websites browsed for very broad purposes – and potentially in real-time via the GTAC monitoring centre - without any ministerial or judicial warrant. The Govt. argues that this is analogous to the present practice of obtaining logs of telephone numbers without a warrant. FIPR argues that the Internet is rapidly becoming a universal conduit for transactions and communications, and so access to “communications data” (i.e. who-is-talking-to-whom and who-is-reading-what) needs safeguards commensurate with access to content. The Data Protection Commissioner concurs.

· Under Part.III a new offence of failing to decrypt (i.e. unscramble) coded data is created. The government argues that this can only arise where there is already lawful authority to obtain the data. But powers to demand “keys” (or passphrases) instead of the unscrambled data could have the effect “of undermining the individual’s entire privacy and security apparatus” according to an eminent Legal Opinion obtained by JUSTICE and FIPR.

 

“The RIP bill is necessary – if we lose interception capability, criminals will prosper”

Interception capability will progressively decline whether or not RIP is enacted because the information economy requires confidential communications – encryption is simply the name for technology that provides transaction and data security on the open systems of the Internet. The policy of key-escrow (depositing all keys in advance with agencies trusted by government) failed because it can be trivially circumvented. The inescapable conclusion is that law-enforcement will have to adapt its investigative methods to cope, but RIP may bring the worst policy outcome because:

· it will actually exacerbate the problem by prematurely stimulating counter-measures (e.g. steganography – the concealment of encrypted data by camouflage – and anonymity)

· it will waste money creating dangerous and unprecedented systems for domestic mass-surveillance

· it puts anyone who takes steps to protect their privacy in cyberspace in legal jeopardy

· it puts off the necessity for law-enforcement to grasp the nettle of developing “forensic hacking” procedures and capabilities against suspect computers in cases of serious crime.

 

“There is no alternative – and it will be fully compliant with the Human Rights Act”

· Arguments that Part.I is needed for HRA compliance are nugatory and for Part.III absurd. If the key has been lost or the passphrase forgotten an innocent person must shoulder the burden of proving this to the court (a logical impossibility) – in violation of the European Convention of Human Rights. However, in spite of accepting a Select Committee recommendation to explain their assertion of compatibility, the government has declined to offer any substantial legal argument to date.

· The bill represents the endgame of a policy shambles that has lasted four years (see Chronology Appendix C), and is one of the outstanding historical failures of civil service policy machinery of the past several decades.

 

Part.I - Communications

The Smith Report

 

After a succession of closed meetings with the ISP industry (at which no agreement could be reached on cost structures or capabilities), in January the Home Office commissioned consultants from the Smith Group to “recommend the most cost-effective method for interception at each type of ISP in a way that…. minimises the cost burden to Government and industry”. The terms of reference presupposed – without justifying analysis - that interception by the ISP was preferable to interception by telephone companies that own the wires (“local loop”) running into the local exchange.

 

The report[1] proposed three solutions in roughly increasing magnitude of cost:

 

In each case, the intercepted information will be relayed to a central monitoring facility (GTAC - the Government Technical Assistance Centre) to be housed in the MI5 building, across hardwired links from each ISP. The Home Office appears not to have understood until very recently that in packet-switching systems such as the Internet (as opposed to telephone systems) it is only possible to tap anything by tapping everything. The Smith Group acknowledge that for the “passive” solution, 

“the need to monitor all ISP traffic in order to identify selected subscribers communications, implies the requirement for careful control and monitoring of this technique. The level of auditing and scrutiny will need to be higher for the passive approach than the other proposed solutions.”

They further propose that economies of scale would result from government undertaking the design of the black-boxes, leveraging off software already developed for such purposes – presumably by GCHQ. FIPR believes that the design of an audit trail proof against insider malfeasance (or excess zeal) is a formidably difficult computer security problem - but the Smith Group is sanguine (without justifying analysis) - two man-months' work for a total cost of £17,000. In practice, one of the primary checks against abuse of domestic telephone tapping is the legal and practical necessity of involvement by the operating company. But if ISPs are obliged to attach passive boxes to their networks, they will be “out-of-the-loop” and have no inkling about their actual operation. We see this also as a cultural issue – throughout the past few years' debate, the government has persistently rebuffed independent expert opinion and seems institutionally incapable of entertaining serious concerns about the dangers of extending surveillance capabilities without corresponding oversight reforms. It would take a revolution in attitudes, a public political commitment, and presently unquantified investment to engineer reliable systems audit of the passive solution.

 

The “semi-active” solution immensely complicates upgrading and maintenance of ISP systems, an area of intense present and future competition, and ties up the most skilled network engineering staff. The resulting opportunity costs are not considered by the report.

 

The “active” solution involves fairly harmless alterations to the servers handling e-mail accounts offered by the ISP, but misses all other protocols, including popular “web-mail” services that allow e-mail access from any Web browser to accounts maintained offshore – many of which offer end-to-end encryption. The value of this option needs further study, as it would only catch the communications of particularly stupid or careless criminals.

 

The cost estimates are a snapshot – as the next wave of broadband e-commerce is rolled out in 2001, with 3rd generation mobile Internet (UMTS) following in 2002, “semi-active” and “passive” interception equipment will need continual upgrading and only the latest and most expensive equipment will be able to filter the higher bandwidth enabled by the same equipment. The ISP industry is most concerned about their liability for initial and ongoing capital costs – but we would be even more concerned by the issue of verifiable oversight if the government agreed to fund the entire program.

 

The report also does not take into account the cost to the tax-payer of processing and safeguarding the intercepted material, or answer the basic question of whether interception will continue to be useful for law-enforcement as encryption becomes widely used for personal and business applications.

 

Part.I Chapter I - Interception

At Commons Third Reading, the government agreed to an affirmative resolution procedure before imposing interception requirements on ISPs, but rejected a revived Opposition amendment to create a Technical Approvals Board comprised of industry experts who would vet Home Office interception wish-lists for cost and feasibility. The Conservatives cited strong industry support (that government had doubted in Committee) for the TAB from the Federation of the Electronics Industry and Internet switching centre LINX, and referred to the Home Office's own consultation paper of June 1999 which had promised

"an independent body to provide impartial advice on how to balance the requirements of the Agencies and CSPs. This should help to ensure that any requirements are reasonable, proportionate and do not place CSPs at a disadvantage compared with their competitors"[2].

The government glossed over this point in debate, saying only that ongoing consultations with ISPs would suffice, although ISPA and LINX have recently criticised the poor quality and infrequency of consultation in an open letter of protest to e-Envoy Alex Allen[3].

 

The government rejected estimates of a £30m price-tag on costs to ISPs of installing and maintaining interception equipment, because it announced that it did not envisage all ISPs being required to intercept – an admission that the Home Office has now abandoned its original rationale of “levelling the playing field”. The £30m figure was derived from the Smith Report figures combined with a reasonable assumption that the largest 20 of the UK's 400 ISPs would have to take up higher-cost options for blanket interception, whilst the remainder would only install the cheaper “e-mail only” capability. Government also rejected amendments that required ISPs to be compensated for interception costs (rather than discretionary payments) and to report awards of such payments to Parliament.

 

Part.I Chapter II - Acquisition and exploitation of communications data

Communications data means data carrying address information that indicates “who-is-talking-to-whom” - for example logs of telephone numbers. Designated officials in any public authority (S.24.2) may authorise themselves to obtain directly, or require CSPs to provide, such data for any of the broad purposes in S.21.2 (or other purposes created under secondary powers). The Government has argued that “interception-and even directed surveillance[4]-is a much greater intrusion than the collection of communications data”[5], and therefore much weaker controls are justified. The Data Protection Commissioner disagrees saying, “access to traffic and billing data should also be made subject to prior judicial scrutiny[6]”, but the government rejects this approach on grounds also that “it would place unacceptable strains on the court service.”

 

“Big Browser Will Be Watching You”

There are important new arguments for requiring prior judicial authorisation for access to Internet communications data. The explosive growth of e-commerce, coupled with anticipated high penetration of interactive digital television and third-generation mobile phones, means that the Internet is on the verge of becoming a single conduit carrying comprehensive transaction data tracing virtually every facet of private life, which previously was scattered on separate utility, bank, credit-card, library, and telecommunications billing computers, if indeed they were recorded at all. The Home Office has made clear that it classes Internet audit trails, including lists of e-mail correspondents and web sites browsed, as communications data (rather than content). If, as seems likely, the Internet in time subsumes both television and written information sources, under the RIP Bill it will be lawful for any public authority to obtain comprehensive details of what any person has read, watched, and who they have corresponded with, without a ministerial or judicial warrant.

 

It is relevant that a current de facto safeguard, that such data can only be obtained by police request on presenting a data controller with satisfactory evidence that a Data Protection Act (s.29) exemption applies, is abolished. If the power of interception were implemented as envisaged by the Smith Report, it would be both lawful and feasible for such communications data to be obtained instantaneously, remotely, and secretly by the same apparatus: the “black-boxes” installed at ISPs, linked to the GTAC monitoring centre.

 

Moreover, rapid advances in computing power now permit warehousing and “traffic-analysis” of unlimited quantities of communications data by automated tools[7] that derive “friendship trees” and can detect patterns of association between individuals and groups using sophisticated artificial intelligence programming. This method can be considered as a “suspicion-engine” which can identify new targets of investigation with complete generality – without any access to the content of communications – but which could subsequently serve as the basis for an interception warrant.

 

In summary, the combination of:

can justifiably be regarded as the emergence of a powerful new form of mass-surveillance.

 

It should be emphasised that whilst GCHQ performs broad-spectrum processing of both the content and traffic patterns of external communications, mass-surveillance of domestic communications is legally unprecedented in peacetime.

We wish to emphasise that it is not our view that RIP was drafted with this intention – however it is sobering to realise that proposals modestly billed as “updating and modernising existing powers”, would in fact legitimise what an extreme government might seek to achieve.

 

Part.III - Encryption

Encryption refers to the scrambling of computer data with modern cipher systems (usually in software) that are effectively uncrackable. The data concerned is protected using a mathematical procedure that cannot be reversed by even the most powerful computers available unless a special key is provided. After much policy wrangling over several years, the United States has now dismantled strict export controls on encryption software, because many applications of e-commerce are dependent on the confidentiality and transaction security that only good encryption can provide (e.g. mobile-phone banking, electronic cash, online share dealing). Individuals as well as businesses have good reason to protect their privacy with encryption, as without it Internet communications are as unprotected as correspondence on a postcard.

 

Law-enforcement will be unable to understand intercepted encrypted communications unless they obtain the key. S.49 creates the offence of failing to comply with a decryption notice that may be obtained by public authorities as diverse as local trading standards officers and MI5, under a patchwork of authorisations specified in Schedule.1 (see Appendix E diagram[8]). Such notices may be served not only on suspects in a criminal investigation, but also on innocent parties or major companies who happen to possess information there is legal authority to obtain.

 

Although such powers superficially appear to be a reasonable extension by analogy of existing powers to require disclosure of information, on closer analysis they turn out to be of little use if formulated to be compatible with the Human Rights Act. The central difficulty arises from the fact that it is an inevitable and frequent occurrence, even amongst computer professionals, that keys (or equivalent pass-phrases) are genuinely lost, forgotten, or inadvertently or intentionally destroyed.

 

The offence is formally constructed so that a person is presumed guilty if properly served with a notice with which they do not comply. There is a statutory defence available which requires a person to demonstrate (on the balance of probabilities) that they do not have possession of the key. This is a uniquely severe reversal of the usual prosecution burden of proof – because the defence must prove a negative - and was found to be incompatible with the European Convention of Human Rights in a Legal Opinion[9] obtained by FIPR and JUSTICE in 1999 and updated in March. The powers originally proposed in the draft DTI Electronic Communications Bill were withdrawn, but have been re-introduced essentially unchanged in this Home Office bill, without clarification of why the Secretary of State now believes them to be compatible with the Human Rights Act.

 

A further practical difficulty with this approach is that the reverse-burden defence will become discredited because a criminal wishing to suppress evidence that would convict on a more serious charge, would prefer to take a chance claiming forgetfulness - with a maximum 2 year penalty if they are not believed. But for an innocent defendant, they must essentially prove to the court that they are not lying, and can be convicted without need of other incriminating or circumstantial evidence. The result is that the courts will be unable rationally to distinguish between the innocent and guilty.

 

FIPR believes that it would also be unsatisfactory to put the burden of proof on the prosecution to show key possession; but this may be the least bad solution. Proof beyond reasonable doubt of wilful withholding of a key could only occur if the authorities knew for certain the location of the key. In most operational circumstances, law enforcement agencies would then likely prefer to copy the key covertly, so that surreptitious surveillance of data could continue, or to commence a search with certain knowledge of the key. No other country has enacted an explicit decryption power, and it appears that the UK is the only country whose unwritten constitution allows such a reverse-burden even to be attempted. On 18th May the government tabled an amendment “clarifying” that a less severe reverse-burden in the Terrorism Bill in fact amounted only to an evidential rather than persuasive burden[10]. However the government has insisted on numerous occasions that in the RIP Bill the defence must prove key non-possession on the balance of probabilities[11] - although with puzzling allusions to this constituting a “lower” burden[12] - but has declined to provide detailed argument about HRA compliance as recommended by the Trade and Industry Select Committee[13]. It remains to be seen whether government will attempt to maintain any vestige of intellectual consistency between these blatantly contradictory positions.

 

Thus the glaring flaw of the Part.III framework is that it not only fails to ensure adequate punishment for the guilty, but it provides no reliable defence for the innocent. When Simon Hughes MP intervened at Report to suggest it would be reasonable to require the defence to explain the circumstances of key non-possession if the accused were being given the benefit of a reasonable doubt, instead of a 50:50 chance, the Minister simply reasserted the correctness of his own view, without supporting argument[14]. We list some common circumstances of key non-possession in Appendix A.

 

The view of most independent specialists in information security is that law enforcement will of necessity have to develop advanced bugging technologies, specifically designed to steal keys from targeted computers (under appropriate authorisation – such as the Police Act 1997 Part.III). Various methods are well understood and under development, particularly by the NSA and FBI in the United States, including use of computer software “viruses” which exploit obscure security weaknesses in commercial software.

 

The secrecy condition (“tipping-off” - S.50) offence also has grave flaws, and is not time-limited. An isolated individual could be prevented from "tipping-off" himself (!) for reasons of "maintaining the effectiveness...of investigatory techniques generally" (50.2). The explicit generality of this exemption would permit its operation as a catch-all gagging clause.

 

There is also the practical issue that the duties on specified authorities (S.51) do not mention adequate technical security requirements or costs of guarding or transporting seized keys[15]. Estimating from the measures employed to guard official HMG key material suggests either that these represent very substantial undeclared costs, or that the safety and security of innocent key owners will sometimes be seriously undermined[16].

 

The government has amended S.70 (formerly S.69) to exempt company directors from liability under Part.III - that is, they are no longer personally liable for failure of their company to comply with a decryption notice - however it still leaves individuals and company employees in the firing line. FIPR's diagnosis is that government is attempting a strategy of “key escrow by intimidation” - we surmise that government expects the jeopardy of reverse-burden to boost demand artificially for key-escrow services.

 

It is worth emphasising that new editions of Microsoft Windows now ship with strong encryption built-in, and will henceforth be available to millions of ordinary computer users who will lose or forget keys as easily and as often as a cash-point PIN number.

 

The government introduced an amendment that a key could be demanded instead of plaintext only if it was believed there were “special circumstances”. The word exceptional rather than special had been considered and rejected (any suspect is by definition not to be trusted to supply the plaintext of incriminating material), and recent assertions that access to “plain text – rather than any key – will be sufficient in almost all cases”[17] were not repeated. The meaning of “special circumstances” will not be defined until the Code of Practice is available.

 

Part.IV Oversight

RIP crosses significant technological and legal thresholds, in advance of any informed public debate or understanding of the chilling effects on freedoms of association and expression, and serious corrosion of fundamental civil liberties.

 

RIP assigns the Interception Commissioner rather than the Data Protection Commissioner responsibility for oversight of access to communications data. Our major concern is that the Interception Commissioner’s primary methodology to date has been random sampling of warrant documentation for telecommunication systems that require operator assistance to implement interception. We can envisage no expedient technical means by which a Commissioner could verifiably supervise the operation of remotely controlled interception “black-boxes”. We reluctantly conclude that the construction of Part.I constitutes an unsalvageably dangerous extension of powers, which should be redrafted on a system of prior judicial approval, requiring the service provider’s involvement in implementation as a necessary practical check.

 

Harry Cohen MP made the following observation at Report:

"An official could legitimately authorise collections of communications data and keep proper records only for them subsequently to be used for another purpose. If that is true, the relevant commissioner, who examined the authorisation process, would not know of such disclosures; nor would the telecommunications operator or the public. To put it bluntly, the whole authorisation process and all the protections afforded by chapter II could be reduced to a meaningless sham."

At Third Reading the government again rejected Opposition amendments to unify the system of five Commissioners (excluding the DPC), but agreed instead to a “unified secretariat” and the provision of an unspecified capacity to undertake investigations, although the secretariat would operate on a “need-to-know” basis.

 

We have concerns also about the Intelligence and Security Committee’s oversight role in such a complex area. The ISC published their approval of decryption powers, without apparently inviting evidence from non-government experts, in their most recent report. However comments by the Chair of the ISC during Commons Second Reading reveal a significant misunderstanding of an issue fundamental to the question of access to keys[18]. Moreover despite assurances that the ISC would follow the Bill’s progress, all members were absent for Third Reading on official business.

 

Appendix A – Reasons for Not Having Possession at Time of Serving Notice

1.        I still keep that encrypted data on my hard-disk because although I forgot the password several years ago, I might remember it suddenly (as one does), and it contains important records.

2.        That's a key from a key-server when I first tried encryption. I've forgotten the password so can't "revoke" it (and it cannot otherwise be deleted from a globally replicating network of key directories), and people still send me things occasionally with it - which I can't read.

3.        I just changed keys three days ago - I meant to record the passphrase in my organizer but forgot it before I did

4.        It's a perfect-forward-secrecy/ephemeral-key system that automatically destroys/never-retains a decryption key.

5.        My organizer "glitched" and I lost all the data in it, including passphrases

6.        I never wrote it down because I've never forgotten it before

7.        I assumed that the manufacturer had a backdoor to get the data back

 


Appendix B – Technical Glossary

ISP and CSP

Internet Service Provider (company providing connection to the Internet) and Communications Service Provider (Home Office term for telephone company or ISP). ISPs generally will NOT possess keys to customer communications that are encrypted – they merely act as a conduit

Encrypt/Decrypt

The process of scrambling/unscrambling information into a jumbled form, by means of a mathematical cipher, which cannot be understood without a key

Forensic Hacking

Most computers leave tell-tale data in temporary files which remain even if the computer is switched off. It is often possible to recover passwords and keys by expert examination. It is also possible to circumvent encryption by exploiting obscure security vulnerabilities in the operating system or using hardware or software eavesdropping devices to steal keys.

Key

A long number which acts like the combination of a lock with an astronomical number of permutations. Keys are chosen to be sufficiently long that they cannot be guessed by trial-and-error, even by the most powerful computers that can be reasonably foreseen.

      Session Key

A key uniquely generated for each message. A session key can only decrypt a single message

      Long-term key

Used to protect session keys. If a long-term key is revealed ALL messages can be read

      Key escrow

Policy pursued by some governments from 1993 to ensure copies of all decryption keys are deposited in advance with agencies (“third-parties”) trusted to release them covertly under legal authority. Widely criticised as infeasible and unenforceable, UK last to abandon in 1999.

      Key recovery

Either: euphemism for key escrow and/or: system which differs technically from key-escrow by only enabling access to session-key of particular message (rather than long-term key)

Password/Passphrase

Because people cannot remember numbers with several hundred digits, keys are themselves protected with encryption. A password, or preferably a pass phrase that cannot be guessed by machine, is typed in every time to prepare the actual key for use. 

Perfect Forward Secrecy

A system that uses a different key with every exchange of messages between two parties. Old keys are continually destroyed so past messages cannot be read (unless otherwise preserved)

Plaintext

Data in its original unscrambled form (may in fact be data representing sound/pictures/voice)

Steganography

Ways of camouflaging encrypted data, by hiding in a mass of other data derived from a real-world “signal” that contains some “noise”, such as sound/pictures/voice/video.

       Steganographic File System

A computer filing system where data cannot be accessed or even its existence proved without a key, because encrypted files are undetectably embedded in camouflaging random data
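
The glossary's distinction between session keys and long-term keys bears directly on the Part.III question of demanding a key rather than plaintext. The following Python sketch is an added example, not part of the FIPR briefing: the cipher is a toy built from SHA-256 for illustration only (not a secure design), and every function name and message in it is constructed. The "ephemeral" flag is a simplified stand-in for a perfect-forward-secrecy system in which no copy of the session key is retained.

```python
"""Toy model of the glossary's key hierarchy (illustration only, not secure)."""
import hashlib
import hmac
import secrets


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(long_term_key: bytes, plaintext: bytes, ephemeral: bool = False) -> dict:
    """Encrypt under a fresh session key; wrap that key under the long-term key.

    With ephemeral=True no wrapped copy is stored, modelling a system that
    destroys or never retains the decryption key (assumed simplification).
    """
    session_key = secrets.token_bytes(32)
    nonce = secrets.token_bytes(16)
    body = xor_stream(session_key, nonce, plaintext)
    tag = hmac.new(session_key, nonce + body, hashlib.sha256).digest()
    wrapped = None if ephemeral else xor_stream(long_term_key, nonce, session_key)
    return {"nonce": nonce, "wrapped_key": wrapped, "body": body, "tag": tag}


def unwrap_session_key(long_term_key: bytes, message: dict):
    """Recover one message's session key; None if no wrapped copy exists."""
    if message["wrapped_key"] is None:
        return None
    return xor_stream(long_term_key, message["nonce"], message["wrapped_key"])


def open_message(session_key, message: dict):
    """Return the plaintext, or None if the key does not fit this message."""
    if session_key is None:
        return None
    expected = hmac.new(session_key, message["nonce"] + message["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return xor_stream(session_key, message["nonce"], message["body"])


def readable_with_session_key(session_key: bytes, mailbox: list) -> list:
    """Indices of messages exposed by disclosing a single session key."""
    return [i for i, m in enumerate(mailbox)
            if open_message(session_key, m) is not None]


def readable_with_long_term_key(long_term_key: bytes, mailbox: list) -> list:
    """Indices of messages exposed by disclosing the long-term key."""
    return [i for i, m in enumerate(mailbox)
            if open_message(unwrap_session_key(long_term_key, m), m) is not None]


def build_demo():
    """Constructed mailbox: three ordinary messages and one ephemeral one."""
    long_term_key = secrets.token_bytes(32)
    mailbox = [
        seal(long_term_key, b"constructed message 0: bank statement for March"),
        seal(long_term_key, b"constructed message 1: the item named in the notice"),
        seal(long_term_key, b"constructed message 2: unrelated letter to a solicitor"),
        seal(long_term_key, b"constructed message 3: ephemeral chat", ephemeral=True),
    ]
    return long_term_key, mailbox


if __name__ == "__main__":
    ltk, box = build_demo()
    sk1 = unwrap_session_key(ltk, box[1])
    print("session key for message 1 reads:", readable_with_session_key(sk1, box))
    print("long-term key reads:            ", readable_with_long_term_key(ltk, box))
    print("retained key for ephemeral msg: ", unwrap_session_key(ltk, box[3]))
```

Handing over the session key for one message exposes that message alone; handing over the long-term key exposes every message whose session key was wrapped under it, while the ephemeral message has no retained key for its holder to produce.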

 

Appendix C – Encryption Policy Chronology

July 1995

Labour Party “Communicating Britain’s Future” rejects key-escrow

10 Jun 1996

DTI paper on “regulatory intent concerning use of encryption on open networks”.

17 Mar 1997

DTI Consultation “Licensing of Trusted Third Parties for the Provision of Encryption Services”

19 May 1997

Scrambling for Safety 1

27 Apr 1998

DTI “Secure Electronic Commerce Statement” – Labour endorses “voluntary” key-escrow

29 May 1998

Scrambling for Safety 2

19 Oct 1998

Second DTI consultation paper postponed

24 Nov 1998

Queen’s Speech announces “Electronic Commerce Bill”

3 Dec 1998

Trade and Industry Select Committee announces inquiry into E-Commerce

19 Jan 1999

France abandons key escrow

4 Mar 1999

PIU study announced at No.10 meeting for industry leaders: “key-escrow not the answer”

5 Mar 1999

DTI Consultation “Building Confidence In Electronic Commerce”

23 Mar 1999

Scrambling for Safety 3: first public discussion of encryption policy by Home Office

1 Apr 1999

26 day response period of DTI Consultation ends: FIPR accumulates submissions on website

19 May 1999

T&I Sel.Ctee Report “Building Confidence In Electronic Commerce: The Government's Proposals”

26 May 1999

Cabinet Office Performance and Innovation Unit Report, “Encryption and Law Enforcement”

22 Jun 1999

Home Office Consultation “Interception of Communications in the United Kingdom”

8 Jul 1999

Conservatives refuse to allow introduction of Bill under “carry-over” procedure this session

23 Jul 1999

Draft “Electronic Communications Bill” published

23 Sep 1999

Scrambling for Safety 3.5

7 Oct 1999

FIPR/JUSTICE Human Rights Audit of decryption powers in Part.III draft E-Comms Bill published

26 Oct 1999

T&I Sel Ctee report published – recommends Govt. publish detailed analysis of HRA compatibility

17 Nov 1999

Queen’s Speech confirms separation of decryption powers from E-Comms Bill

20 Jan 2000

Govt. replies to T&I Sel. Ctee – agrees to address specific criticisms

6 Mar 2000

Second Reading debate House of Commons

20 Mar 2000

FIPR/JUSTICE updated Human Rights Audit of RIP decryption powers published

22 Mar 2000

Scrambling for Safety 2000

20 Apr 2000

Smith Group report for Home Office on implementation of Internet interception published

 

Appendix D - Index of RIP Media Coverage –  www.fipr.org/rip#media

 


1.      Computer Weekly 18/5/00: Minister in spat with Computer Weekly over RIP bill

2.      Network News 17/5/00:  Government RIPs into more controversy

3.      Business & Technology  12/5/00: ISPs furious as snooping costs go through the roof

4.      Computing 11/5/00: Government forces through Net spy bill 

5.      Computing 11/5/00: They could be watching you too!

6.      ComputerWeekly 11/5/00: Firms move operations abroad to avoid RIP Bill

7.      AP 10/5/2000: "Britain plans cyber-center to spy on the Internet"

8.      Network News 10/5/00: RIP threat to e-mail privacy

9.      VNUnet 10/5/00: Snooping bill under attack again

10.   CNN TV report on RIP 10/5/00

11.   ZDNet UK 9/5/00: Cyber-snooping Bill through House of Commons

12.   BBC Online 8/5/00: Computer crime plan 'bad for business'

13.   BBC Radio 5 Nicky Campbell phone-in 8/5/00 

14.   BBC TV Business Breakfast 8/5/00 07:45  - Max Foster reports on RIP Bill

15.   BBC Radio 4 'Broadcasting House' 7/5/00,  Dan Damon

16.   Sunday Times 7/5/2000: "The net closes in"

17.   Observer 7/5/2000: "Coming to a screen near you"

18.   Silicon.Com 5/5/00: Behind the Headlines....criminals taking the RIP (video)

19.   Independent 5/5/00: Freedom of information must mean just that

20.   Christian Science Monitor 5/5/00: UK moving to open all (e-)mail

21.   NTK 5/5/00

22.   Daily Telegraph 4/5/00: Fool Britannia

23.   Daily Express 4/5/00: Where's the sense in Big Brother snooping on our e-mail?

24.   The Register 4/5/00: "RIP - Lib Dems wade into cyber rights debate"

25.   Silicon.com 4/5/00: 'Snooping Bill' will not deter criminals, say experts

26.   Computing 4/5/00: Critics launch fresh attack on Net bill

27.   Guardian 3/5/00: Francis Wheen: MI5's e-mail snoops

28.   Financial Times 3/5/00: LETTERS: Foreign investors will be scared off

29.   Telepolis 2/5/00: Tony Geraghty - Irish War: British Disease

30.   Financial Times 2/5/00: State surveillance plans are 'worrying leap in dark'

31.   ZDNet 2/5/00: MI5 to build new email and surfing surveillance centre

32.   British Forces Broadcasting Service 2/5/00 11:15 - RIP interview with CB

33.   Austrian Broadcasting Corporation FM4 2/5/00 11:50 - RIP interview with CB.

34.   BBC Radio 5 Live 1/5/00 12:40 - RIP interview with CB

35.   CNN.com 1/5/00: U.K. plan to open Internet spy center draws criticism

36.   ITN 1/5/00: MI5 to spy on email

37.   BBC Online 1/5/00: Spy centre to spread its web

38.   Independent 1/5/00: Watchdog slams Net snooping (sic)

39.   PA News 1/5/00: Watchdog highlights internet security fears

40.   Slashdot 30/04/00: UK Building Eavesdropping infrastructure

41.   Yahoo 30/4/00: MI5 plans to build Internet surveillance centre

42.   PA News 30/4/00: Spy centre to target hi-tech crime

43.   BBC Online 30/4/00: Computer cloaks and digital daggers

44.   Sunday Times 30/4/00: MI5 builds new centre to read e-mails on the net  

45.   Scotsman 28/4/00: WHEN RIP WILL NOT MEAN REST IN PEACE

46.   NTK 28/4/00: ...civil rights lunatics opposed to RIP Bill...include the Data Protection Commissioner, ISPA/LINX, Her Majesty's Loyal Opposition...

47.   Silicon.com 27/4/00: ...furore over the UK's RIP Bill still growing..

48.   Computer Weekly 27/4/00: Government told to pay set-up RIP Bill costs

49.   Computer Weekly 27/4/00: ISPs step up attack on RIP Bill

50.   BBC Radio 4 'You and Yours' 26/4/00: with e-Minister Patricia Hewitt

51.   VNUnet 26/4/00: Industry slams cost of UK snooping bill

52.   ZDNet News 26/4/00: Wiretapping may cost ISPs £17m says new report

53.   Silicon.com 26/4/00: Snooping Bill report attacks 'one size fits all' policy

54.   KableNet 25/4/00: RIP Bill to cost ISPs more than £30m

55.   The Register 25/4/00: RIP Bill - ISP costs mount up

56.   Financial Times 25/4/00: Whitehall 'should pay to set up e-mail intercept'

57.   The Register 19/4/00: RIP: Tories attack from the Right

58.   Observer 16/4/00: Jack Straw wants the keys to your office. Don't let him in

59.   Silicon.com 14/4/00: Data protection watchdog slams Snooping Bill

60.   Daily Telegraph 13/4/00: DIALOGUE BOX: What the Bill actually says...

61.   Network News 12/4/00: Bowden puts paid to the RIP Bill

62.   Silicon.com 11/4/00: Analysis of Survey: RIP and you

63.   Telepolis 11/4/00: Echelon in Holland

64.   Times 11/4/00: RIP privacy?

65.   Silicon.com 10/4/00: 'Snooping Bill' slammed by Silicon.com viewers

66.   Herald 7/4/00: Part-time sheriffs to be introduced  

67.   Irish Times 7/4/00: E-Commerce Bill aims to enhance Ireland's Position

68.   Daily Telegraph 6/4/00: Raising the stakes

69.   KableNet 6/4/00: INSIGHT - RIP it up and start again 

70.   Network News 5/4/00: The politics of crypto access

71.   Daily Express 5/4/00: Internet prowlers using a secret code

72.   Independent 2/4/00: E-mails that could return to haunt you

73.   BBC Online 31/3/00: Website campaign to derail legislation

74.   Schnews 31/3/00: WAKE UP! WAKE UP! YER PRIVATES ARE UNDER ATTACK!

75.   Guardian 30/3/00: 3 exchanges of letters between FIPR and Charles Clarke MP

76.   Computing 30/3/00: New law opens up private data to MI5

77.   Silicon.com 30/3/00: Government accused of 'hopelessly underestimating' RIP costs

78.   Computer Weekly 30/3/00: FEI warns Government RIP faces huge hurdles

79.   Open Letter 29/3/00: from Oliver Heald MP, Opposition spokesman on RIP

80.   Network News 29/3/00: Bill imperils cheap net access

81.   Ananova 27/3/2000: Minister defends web surveillance bill

82.   Guardian 27/3/00: MI5 bugging exempt from privacy act

83.   Sunday People 26/3/00: FORGET YOUR PASSWORD... END UP IN JAIL

84.   Irish Times 25/3/00: British bill may 'drive' e-commerce to Republic

85.   BBC Radio 4 'PM' 24/3/00: Branwen Jeffreys reports on RIP

86.   Financial Times 24/3/00: Legal fears over e-mail tapping

87.   NTK 24/3/00: Minister in charge of Not Being Scared by The Crypto Freaks

88.   KableNET.com 24/3/00: E-bugging bill gets a slating

89.   VNUNet 24/3/00: Snooping powers could harm cheap net access

90.   The Register 23/3/00: RIP: even Big Brother is confused

91.   Wired.com 23/3/00: Ripping into U.K. Privacy Bill

92.   ComputerWeekly 23/3/00: Banks snub bill to spy on IT data

93.   VNUNet 23/3/00: UK government answers snooping bill critics

94.   Silicon.com 23/3/00: Internet 'Snooping Bill' fails human rights audit

95.   ZDNet News 22/3/00: RIP Bill comes under fresh attack

96.   VNUNet 22/3/00: Industry tackles UK government over snooping bill

97.   Network News 22/3/00: Industry insiders challenge RIP Bill

98.   Register 21/3/00: "MPs get 1000 anti-RIP faxes"

99.   Financial Times 21/3/00: Letter from Charles Clarke MP

100. ZDNet 21/3/00: RIP bill gets buried under fax mountain

101. CWI 20/3/00: ISPs condemn expensive 'spy tax' proposal

102. NTK 17/3/00: RIP Bill and external communications, Freedom servers

103. Computer Weekly 16/3/00: Why the RIP Bill should R.I.P.

104. Computer Weekly 16/3/00: City banks urged to air grievances over Bill

105. Computer Weekly 16/3/00: WAKE UP CALL: the RIP Bill, what is it?

106. Business & Technology (March): Big Brother demands keys to e-mail doors

107. Daily Telegraph 16/3/00: Regulation Bill carries 'tipping off' offence

108. Guardian 15/3/00: Letter from CB in reply to Charles Clarke MP

109. Register 14/3/00: What the hell is... the UK's RIP Bill

110. FT 14/3/00: LETTERS -Threat to internet ambitions, Tom Wills-Sandford, FEI

111. Independent 14/3/00: Investigatory Powers Bill is `Big Brother charter'

112. The Register 13/3/00: Big Brother Bill faces Select Committee storm

113. Open Letter 13/3/00 from Charles Clarke MP and reply thread

114. Observer 12/3/00: Encryption bill has to be last straw

115. Guardian 10/3/00: Letter from Charles Clarke MP

116. Daily Telegraph 9/3/00: LEADER:...@intrusion-newlab.com

117. BBC Online 8/3/00: Big Brother delves into your inbox

118. Financial Times 7/3/00: LEADER: Spies in the web

119. Guardian 7/3/00: LEADER: RIP for basic liberties

120. BBC Online 7/3/00: Computer crime plans attacked

121. Times 7/3/00: How secure is your e-mail?

122. Times: Changing world of the snoopers, March 7, 00.

123. Wired.com 7/3/00: U.K. Crypto Law a Key Issue

124. vnunet.com 7/3/00: UK email interception bill stumbles

125. The Register 6/3/00: Opposition mounts against UK's Big Brother Bill

126. Financial Times 6/3/00: Bill could affect cost of accessing the internet

127. Radio 4 'Today' 6/3/00: interview with CB

128. Sunday Times 5/3/00: Fighting for online privacy

129. Irish Times: UK RIP Bill Is Killer Blow To E-Commerce, March 5, 00.

130. NTK 3/3/00: RIPping yarns

131. Federation of Small Business Policy Brief (March 00) on RIP

132. Guardian Online 1/3/00: Government surveillance bill arouses alarm

133. ZDNetUK: Government Snooping will cost taxpayers millions, March 1, 00.

134. IEEE Internet Mar/Apr: British Encryption and Surveillance Bill Raises Concerns

135. Network News 28/2/00: Encryption at the mercy of the law

136. BBC World Service radio Insight (26/2/00)

137. BBC Radio 5 Live 26/2/00: Interview with Nicholas Bohm

138. Daily Telegraph 24/2/00: Bill revives attack on privacy

139. Computer Weekly 24/2/00: LEADER: Folly of draconian law on decryption

140. Irish Times 18/2/00: UK RIP BILL IS KILLER BLOW TO E-COMMERCE

141. Wired: Irish, UK Crypto Regs Far Apart, February 16, 00.

142. ZDNetUK 14/2/00: Jane Wakefield: Bullies, teenagers and Net giants  

143. Guardian 11/2/00: Leader: All eyes and ears

144. The Register 11/2/00: "UK gov't reveals Big Brother bill"

145. FT 11/2/00: BIG BROTHER: Government unveils e-mail surveillance law 

146. Guardian 11/2/00: Ministers seek wide bugging powers

147. TechWeb 10/2/00: E-Spying Bill Called 'Escrow By Intimidation'

148. ZDNet UK 10/2/00: New surveillance bill comes under fire

149. BBC Online 10/2/00: Surveillance bill under fire

150. Computer Weekly 27/1/00: Peter Sommer - Investigating cyberspace

151. ZDNet 17/1/00: IT Week: Decryption centre mooted

152. FT 11/1/00: LAW: Ministers rush through e-mail powers

153. Financial Times 21/12/99: CB (personal view): Decrypt with care



[1] http://www.homeoffice.gov.uk/oicd/techcost.pdf

[2] http://www.homeoffice.gov.uk/oicd/ioca.pdf para 5.6

[3] http://www.ispa.org.uk/docs/Openlettertoeenvoy.htm

[4] Charles Clarke MP, RIP Standing Committee 28th March: “surveillance in a public place that gives information about life style, contacts and movements” - http://www.publications.parliament.uk/pa/cm199900/cmstand/f/st000328/pm/pt1/00328s09.htm

[5] ibid.

[6] Data Protection Commissioner Briefing For Parliamentarians on RIP http://www.fipr.org/rip/DPCparlRIP.htm

[7] see http://www.xanalys.com/intelligence_tools/products/watson_fs.html for an indication of the capability of off-the-shelf tools

[8] By kind permission of Dr.Charles Lindsey http://www.cs.man.ac.uk/~chl/schedule1.html

[9] In The Matter Of The Draft Electronic Communications Bill And In The Matter Of A Human Rights Audit For Justice And FIPR (http://www.fipr.org/ecomm99/ecommaud.html), Prof.Jack Beatson QC and Tim Eicke, Essex Court Chambers, 7 October 1999

[10] http://www.publications.parliament.uk/pa/ld199900/ldbills/049/amend/su049-ia.htm “where….it is a defence for a person charged with an offence to prove a particular matter….If the person adduces sufficient evidence to raise an issue with respect to the matter the court or jury shall assume that the defence is satisfied unless the prosecution proves beyond reasonable doubt that it is not.”

[11] http://www.fipr.org/rip/burdenproof.html

[12] suggesting that otherwise the defence would be required to prove innocence beyond reasonable doubt (sic)!

[13] Trade & Industry Select Committee 14th Report: Human Rights: "Justice and the Foundation for Information Policy Research commissioned a human rights audit of part III of the draft Bill which reported serious concerns that the draft Bill would, if enacted, contravene articles 6 and 8 of the ECHR.....Having certified that legislation does not contravene the European Convention on Human Rights, Ministers must be able to demonstrate, when challenged, that this is indeed the case. We recommend that the Government publish a detailed analysis to substantiate its confidence that part III of the draft Bill does not contravene the European Convention on Human Rights, dealing with the points made to the contrary." 26th Oct 1999

[14] http://www.publications.parliament.uk/pa/cm199900/cmhansrd/cm000508/debtext/00508-18.htm#00508-18_spnew0

[15] The Home Office Regulatory Impact Assessment (http://www.homeoffice.gov.uk/oicd/riapt3.htm) only states that "providing actual figures on compliance costs is difficult at this stage".

[16] The Regulation of Investigatory Powers Bill – The Provisions for Government Access to Keys by Dr B. R Gladman (FIPR) http://www.fipr.org/rip/RIPGAKBG.pdf

[17] Scrambling for Safety 2000, 22nd March, http://www.homeoffice.gov.uk/oicd/ccspeech.pdf

[18] Mr.King believes that provision of “plaintext” computer data entails transcription: "(FIPR)…recommended that access and provision of keys should not at all times be required but that at least a transcript should be made available. In that connection…How many companies, providers and encryption service providers will have to be approached at one time or another? Who will be doing the transcribing of what might be extremely secret or sensitive information?" ISC Chair Tom King MP, RIP 2nd Reading debate, Column 802 http://www.publications.parliament.uk/pa/cm199900/cmhansrd/cm000306/debtext/00306-15.htm#00306-15_spnew0