The Rt Hon Jack Straw MP | The Rt Hon Stephen Byers
Secretary of State | Secretary of State
The Home Office | Department of Trade & Industry
50 Queen Anne’s Gate | 1 Victoria Street
London | London
SW1H 9AT | SW1H 0ET
8 June 2000
Over the past few months, IoD has sought informally, with Ministers and officials, to make clear the concerns of our members regarding the Regulation of Investigatory Powers (RIP) Bill. We have now seen the clear and helpful letter from Chris Humphries, Director General of the British Chambers of Commerce, to the Home Secretary. The IoD strongly endorses the points that Chris has made and we feel that we should also emphasise some further concerns jointly to both Home Office and DTI.
First let us be clear that the IoD does recognise the need for a clear framework for the regulation of law enforcement access to the various communications media, including the Internet. Placing such regulation within the framework of the European Directive on Human Rights is a welcome objective. Business needs the general confidence created by efficient and effective policing of those criminal activities just as prevalent in the world of electronic commerce as in the older physical forms of trading.
The additional concerns of IoD members focus on the effectiveness of the current RIP Bill in addressing these otherwise sensible goals. The construction of the definitions used in the Bill tends to be excessively broad and the drafting is littered with “is likely to” references such as “information likely to come into possession …” These lead to substantial doubt as to the level of exposure to cost, risk and disruption for business both immediately on introduction and, perhaps of even greater concern, as the various Agencies explore how this new framework might be ‘stretched’ in the future. This uncertainty does cast a pall over future investment decisions.
Areas of particular concern include:
· which officials, at what level, in which Departments may seek access to encryption key material? And
· where is the boundary drawn between ‘content’ of messages or transactions (where warranted access is required) and ‘communications data’ (where access would not appear to require a warrant)? In the old world of telephony such distinctions were clear. They are far less so in the Internet World. Every ‘click’ identifying a new page or button option seems to be regarded as ‘communications data’ in the Bill as presently drafted. The amendments tabled by Lord Bassam to Clause 2 and Clause 20 make this concern even greater.
IoD members are also concerned about the degree of individual and corporate liability flowing from exposure in other jurisdictions to actions potentially required in the UK to comply with the RIP Bill. If full decryption (as opposed to our preferred option of session) keys are demanded using a Section 46 notice with an associated ‘tipping-off’ order, individuals working for multi-national companies may be placed in a perilous position. They may have compromised the international transactional security of that organisation yet be directly barred from informing senior management of that exposure. Such an individual might well be protected under UK law for these actions but what of their exposure in other jurisdictions – particularly that of a non-UK parent company?
We believe that the ‘definition’ and ‘communications data’ issues could be dealt with through amendments to the Bill in the House of Lords during its Committee stage starting on Monday (12/6). We would welcome action by the DTI on the international issues, perhaps in the first instance through the OECD.
In closing, IoD strongly endorses the potential amendments already suggested by the Chambers of Commerce on:
· seeking preferred access to plaintext with a fallback of ‘session’ keys. A much higher level of judicial authorisation should be required for demands to access general decryption keys;
· security guarantees for the storage of keys acquired under Bill powers and clear liability accepted by Government for consequences arising from loss or misuse;
· resolving the potential issue of the Government being deemed to be acting as a ‘shadow director’ and giving the necessary employee protection;
· the issue of the reverse burden of proof regarding lost or missing keys; and
· meeting the reasonable costs of ISPs in establishing the envisaged infrastructure for investigative access.
We would welcome the opportunity to discuss your response on these points and to work together to achieve our shared goal of “making the UK the best location in the World for e-commerce by 2002”.
Jim Norton
Head of e-Business Policy, Institute of Directors