R.I.P. E-Commerce?

June 30, 2000

Peter Mandelson would have been proud of the spin that Jack Straw put on the Regulation of Investigatory Powers Bill when it was published on 10 February:

‘The Human Rights Act and rapidly changing technology are the twin drivers of the new Bill. None of the law enforcement activities specified in the Bill is new. Covert surveillance by police and other law enforcement officers is as old as policing itself; so too is the use of informants, agents and undercover officers.’1

The RIP Bill is the ugly sister of the Electronic Communications Act 2000.2 It proposes to enact a number of new powers that would entitle the government to intercept and decrypt encrypted communications. As Jack Straw suggested, the proposals contained in the controversial new Bill appear at first sight to be quite reasonable. On mature reflection, however, the application of traditional methods of surveillance to new techniques means that many of the Bill’s proposals will place an onerous burden, both financial and regulatory, on ISPs. Industry reaction to the Bill has focused on the adverse effects on consumer confidence in e-commerce and the human rights implications of the provisions in the Bill. Remarkably, some observers believed that the provisions in the Bill relating to the delivery up of encryption keys had been dropped altogether as they did not sit happily with the European Convention on Human Rights and its implementing legislation, the Human Rights Act 1998. Instead, the government is aiming to push the Bill though Parliament before the Human Rights Act comes into force on 2 October this year.

Proposed Ambit Of The Bill
The RIP Bill seeks to regulate the interception of communications, intrusive and covert surveillance techniques, the use of covert human intelligence sources (including agents, informants and undercover officers), the acquisition of communications data and access to encrypted data.
The new Bill proposes to extend the interception of the communications regime which, since its introduction in 1985, affected no-one but the Post Office and public telecommunications operators. This was understandable given that in 1985 there was no e-mail, no mobiles, no pagers and no encryption, the Internet was merely a toy of the US military and the public telecommunications system was dominated by British Telecom. Whilst the exponential growth of the communications industry has necessitated a reconsideration of the 1985 regime, the RIP Bill and in particular its proposals to require the delivery up of encryption keys may be a regulatory step too far.

Part I – Interception Of Communications
Part I of the RIP Bill introduces substantial changes to the Interception of Communications Act 1985, which was essentially designed to protect communications from unlawful interception and to regulate lawful interception under warrant. These changes were trailed in the Home Office Consultation Paper: Interception of Communications in the United Kingdom (CM 4368)3 published on 22 June 1999. The new Bill proposes to establish a single legal framework for the interception of all communications in the UK, regardless of the means of communication, how it is licensed or the point of interception on the transmission route.

Faced with a radically different communications industry, the proposed regime will encompass not only public telecommunications and postal systems but also private telecommunications systems which are attached to public telecommunications systems. The broad definitions contained in the RIP Bill mean that Internet Service Providers, mobile telephony providers, WAP gateways and even office switchboards will be brought under the ambit of the new regime. Indeed, it has been speculated that the broad definition of a ‘public telecommunication system’ under clause 2(1) of the Bill even captures operators of Internet applications such as Hotmail and, presumably, Yahoo.

If the RIP Bill is enacted, telecommunications service providers will be obliged to maintain an ‘interception capability’ (clause 12). This would enable the government to tap into any communication if interception would be in the interests of national security, help prevent or detect serious crime, safeguard the UK’s economic interests or assist the UK’s compliance with international mutual assistance agreements (clause 5(3)). Clause 12 therefore proposes a stronger requirement than that contained in the Consultation Paper; that merely required ISPs to take reasonable steps to ensure their systems were capable of interception under warrant.

Many ISPs and Internet businesses have already taken issue with the cost of installing and maintaining the interception capability. Whilst the Home Office has indicated that it would contribute towards this cost, this will be of little comfort to ISPs unless precise guarantees are included in the Bill to this effect.

Further, the Bill does not define the responsibilities of public telecommunication operators in precise terms, rendering the financial burden of compliance potentially unquantifiable. This is reflected in a report which indicated that the Home Office made a tenfold underestimation of the costs of compliance, thereby casting doubt on whether a sufficient government contribution will be forthcoming. The government’s preference for spending on public services, coupled with a degree of caution, would suggest that ISPs should make budgetary provisions for compliance.

An obvious, but dangerous, consequence of the interception capability requirement is that public telecommunication operators, including ISPs, will be required to install and maintain a backdoor mechanism to intercept communications. The government has not fully appreciated that such back doors could be targets for computer hackers and e-terrorists who like to challenge security systems and, therefore, their existence will act as a deterrent to third parties contemplating setting up their businesses in Britain, thus damaging the UK’s standing in the online world.

The UK’s online competitiveness will be damaged further if, in adopting the RIP Bill, the UK implements a more onerous regime than that in place in other countries. The Bill’s relative severity is highlighted by a comparison with the proposals from the Republic of Ireland, under which it will be illegal in most instances for public authorities to force the delivery up of encryption keys. It remains to be seen whether Internet Service Providers say ‘no, nay, never’ to the UK and relocate to Eire to take advantage of its proposed ‘light touch’ regime.

Industry reaction to the ‘interception capability’ has been hostile, with small ISPs likely to be particularly affected by the financial burden of compliance. The modifications that will have to be made to ensure compliance with the RIP Bill may involve installing a permanent box onto the systems network to monitor and, where appropriate, intercept communications. Alternatively, the level of interception capability required may require some ISPs to reconfigure e-mail addresses, which would not only be a huge burden for them, but would also greatly inconvenience a number of people. Implementing the required changes is likely to prove expensive; Demon Internet, for example, estimates its initial costs of compliance at £1 million with annual upgrades costing up to £150,000. Indeed a recent British Chambers of Commerce report, commissioned from the London School of Economics, estimated the cost of compliance at around £650 million over five years on the basis that the technology that is needed to monitor electronic communications is increasingly complex as new forms of encryption are developed. The Consultation Paper had a proviso that the modifications and costs to be incurred by the ISPs and the level of assistance to be provided by them must be reasonable given the resources available to them, the likely demand for interception and the technical complexity of providing the interception capability. This proviso does not appear in the new Bill or its accompanying explanatory notes.4 To ensure compliance with the Bill, ISPs may need to employ additional staff to respond promptly once an interception warrant has been served. ISPs would also have to draft compliance manuals detailing the provisions of the Bill, as well as the correct internal procedures to be followed in the event that an interception warrant was served by the appropriate enforcement agency. These procedures would then need to be tested on an ongoing basis to assess whether they will work in practice and would necessitate educating and training staff in how to react once an interception warrant has been received.

The need for a properly drafted and clear internal compliance manual is illustrated by clause 11(4) of the Bill, under which employees at companies are obliged to obey the terms of an interception warrant. An employee who knowingly fails to comply with this provision could face up to two years’ imprisonment (clause 11(7)), whilst those employees who reveal the existence of an interception warrant may be imprisoned for up to five years – even where such disclosure was purely innocent. This ill-considered offence could mean that an employee in receipt of a surveillance warrant would not be able to reveal its existence to his employer. Moreover, as there is no long-stop date under clause 18 for making unauthorised disclosures of an interception warrant, its provisions would appear to apply in perpetuity.

Whereas the need for secrecy is understandable during the period of interception and for a certain period of time afterwards, the requirement to maintain secrecy in perpetuity is excessive and does not allow the circumstances under which the warrant was served to be taken into account. It is surprising that Jack Straw and Charles Clarke, two former Presidents of the National Union of Students who are likely to have been under internal surveillance themselves, have endorsed a Bill criminalising the disclosure of an interception warrant.

The human rights implications of Part I should not be overlooked. The European Court of Human Rights decision in Kopp v Switzerland5 affirms that a general derogation from an individual’s right of privacy under Article 8 for the purposes of, for example, a criminal investigation can only be allowed in very specific circumstances which have been carefully circumscribed by the European Court of Human Rights. For example, surveillance warrants would need to be directed at named individuals or locations to comply with the European Convention. The wide-ranging powers proposed by the RIP Bill mean that the Bill may well breach the European Convention.

Part II: Intrusive Surveillance – A ‘Snoopers Charter’?
The second part of the Bill authorises the use by security and intelligence agencies, law enforcement and other public authorities of covert surveillance, agents, informants and undercover officers. The Home Office’s view is that the use of such techniques will be properly registered and externally supervised to ensure that law enforcement operations are consistent with the Convention. However, whilst the Bill sets out the circumstances in which authorisations for intrusive surveillance can be granted, it has been suggested that the Bill is no more than a ‘snooper’s charter’ and a legal shield for existing mass surveillance techniques that have been ruled in breach of the European Convention.

Part III: Outlawing Encryption and Encouraging Outlaws to Use Encryption
Part III of the RIP Bill is perhaps the most controversial. It bestows the power on law enforcement agencies and any public authority to require the delivery up of either decrypted text or the keys that are used to encrypt communications in the first place. When these requirements surfaced in the draft Electronic Communications Bill, the public reaction, which had been nurtured by months of debate over the preceding key escrow proposals, led to them being dropped from the Bill in order to fast-track the more acceptable proposals clarifying the status of electronic signatures and the voluntary licensing of cryptography service providers.
Unfortunately, the proposals have resurfaced with few changes.6 The Bill creates a power to require the disclosure of encryption keys to ‘protected information’ i.e. encrypted electronic data. Having obtained a warrant from the Secretary of State, the police and other law enforcement agencies, as well as any public authority, will be able to require the disclosure of an encryption key by giving a ‘section 46 notice’ which can be served on anyone believed to be in possession of a key. Although the Bill was amended at Report stage in the House of Commons to the effect that the authorities could insist on receiving an encryption key only where there are ‘special circumstances’ necessitating delivery up of the key, precise guidelines as to what constitute special circumstances have yet to be forthcoming. Consequently, the risk at which these proposals put consumer confidence in encryption products may present a dilemma for cryptography service providers.
To understand the problem fully, it helps to understand something about how encryption software works. Not everybody uses ‘public key’ or ‘asymmetric’ encryption, where a pair of keys is required, one private and known only to one party in an exchange of electronic correspondence, the other public and published for example on a Web page or public Internet repository. Although very secure, this type of encryption software can be very slow. Increasingly software uses a combination of symmetric and asymmetric processes but with the necessity of only the use of a private key which would normally be password protected. The implications of this were discussed in a Regulatory Impact Assessment (Cm 4417) on the draft Electronic Communications Bill:

‘…where a notice specifies that a key be handed over, the individual/business served with a written notice may decide that its security has been compromised and may incur considerable costs in implementing new security systems and changing the keys of other trading partners, customers and associates.’7

It is axiomatic to state that strong encryption is vital to the future of e-commerce. However, if an individual’s private key has been disclosed, it can be used to decrypt anything encrypted by it, regardless of whether the notice was issued for that particular communication, thus ensuring that no communications to these individuals will remain private. Forcing disclosure of private keys could therefore have significant financial implications for businesses as well as undermine online security and individual privacy. Indeed, the LSE’s Report estimates that the UK could lose £35 billion in e-commerce revenues to overseas jurisdictions due to the key disclosure requirement alone. Furthermore, by giving any public authority the right to demand access to encrypted material, the government is, arguably, trivialising the process of key disclosure. This is compounded by omissions relating to the length of time that authorities can keep possession of a key and the security measures which authorities should have in place once they have been given an encryption key. At present, the authorities only have a general duty to prevent a key from passing to third parties which also appears to undermine the importance of the whole process of enforced key disclosure.
Again, the ancillary necessities of drafting policies, compliance manuals and codes of practice, detailing the procedures which should be followed to comply with a s46 notice and training staff and testing the procedures once in place will take their toll on businesses. Clause 48 provides for payments to be made for compliance with s46 notices, though there is no guarantee that a single penny will be reimbursed as the Secretary of State has absolute discretion in formulating the relevant arrangements.

Possession Of A Key – Guilty Until Proven Innocent
Part III of the Bill creates two related offences. First, a person who has or has had possession of an encryption key could face two years’ imprisonment if he fails to comply with a s 46 notice. All the prosecution have to prove is possession of the key in order to serve a s46 notice and the onus immediately shifts to the putative keyholder to prove that he did not have access to that encryption key. Although this is an improvement on a similar provision featuring in the draft Electronic Communications Bill, under which it merely had to ‘appear’ to the giver of the notice that an individual held a key and the putative holder of the key would escape conviction only if he could prove that the key was not in his possession, the reversal of the burden of proof is nonetheless severe.
Whilst not having access to the key is a defence, if the keyholder has forgotten or lost his password he would have to prove on a balance of probabilities that he does not have possession of the key or else face two years’ imprisonment. In other words, the encrypted files are presumed to be incriminating unless it is proved otherwise. It should be noted that the latest editions of Microsoft Windows come with built-in encryption packages. An unfortunate consequence might be that PC users who lose or forget their passwords become criminally liable under the Bill.
When the Home Secretary opened the second reading debate of the Bill, he drew attention to the concerns of law enforcement agencies that serious criminals might be tempted to use encryption to evade the law. However, it is hardly an effective disincentive to serious criminals to face a mere two year maximum sentence if they refuse to hand over their encryption keys. Ironically, on the other hand, innocent parties will be forced to prove to a court that they are not lying or else will have to deliver up their encrypted data as the risk of a prosecution will far outweigh the advantages of protecting their data.

‘Tipping Off’
A second offence is called ‘tipping off’. Anyone given a s 46 notice or having the misfortune of becoming aware of it is obliged to ‘keep secret the giving of the notice, its contents and things done in pursuance of it’. Failure to do so could lead to five years’ imprisonment. Although there are limited defences in the Bill, it does not contain a long-stop time limit on such disclosures, effectively placing those covered by this offence under a lifetime threat of a five-year sentence. Whilst this offence will have little deterrent effect on a criminal who is likely to hold his key on his person and thus need not disclose to third parties any information relating to a s 46 notice, innocent individuals (such as employees and businesses) might be unnecessarily penalised by the secrecy provisions which guard a s 46 notice.

A Bugged Bill
It is likely that Part III of the RIP Bill breaches, on several grounds, the human rights standards established under the European Convention on Human Rights. Although there is no human rights case law relating specifically to e-mails, it is clear that any communication whether by telephone, e-mail or otherwise, is protected by Article 8 of the Convention, and in particular the right to respect for private life and correspondence. Once again, the ECHR decision in Kopp v Switzerland is of direct relevance. The interception of communications and disclosure of private keys would arguably constitute a breach of Article 8(1). Although such powers can be justified if they are exercised for example in the interests of national security, public safety or for the prevention of disorder or crime, they will only be so if they are in accordance with the law and necessary in a democratic society. The ECHR in Kopp v Switzerland held that tapping and other forms of interception of telephone conversations constituted a serious interference with private life and correspondence, and therefore should be based on a law that is very precise. Accordingly, any domestic law must be sufficiently clear in its terms to give citizens an adequate indication as to the circumstances and conditions in which the authorities are entitled to exercise such powers.
At the same time, the reversal of proof also contravenes the right to a fair trial as enshrined in Article 6 of the Convention as well as the Article 6 right of an individual against self-incrimination. Nor will the safeguards in the Bill relating to the conduct of authorities giving s46 notices satisfy the ECHR, judging by the stringent safeguards laid down in relation to the interception of communications in the recent decision of Valenzuela Contreras v. Spain.8
Given that the proposals in the Bill do not sit comfortably with the European Convention, it is likely that, if adopted, their legality will be challenged in the courts. It is hoped that, in the interim, the development of e-commerce and individual privacy rights are not too severely damaged.

Building Confidence In E-Commerce?
It is clear that the proposed framework for the enforced decryption of encrypted data raises a number of questions. This is rather ironic given the Bill has been in the offing for four years,9 yet appears to have been drafted without consideration of many of the wider issues. It should be interesting to see whether the Bill, having incorporated some amendments during its passage through the House of Commons, will be further amended by the House of Lords. Already, the government has amassed a wide coalition of interest groups against the RIP Bill, ranging from human rights activists to online entrepreneurs, who have wasted few opportunities to highlight the contradiction between the provisions of the RIP Bill and the government’s stated aim of making Britain the best and safest place in the world to conduct e-commerce. This unusual coalition was remarked upon by Lord Cope; who noted that ‘the Bill has achieved the rare, if not unique, distinction of having The Times, the Financial Times and The Guardian all call for the Bill to be withdrawn.’ It is hoped that enough changes will be forced through in time to ameliorate the worst aspects of the Bill and put the government back on track to position the UK as the e-centre of the world. In the meantime, Jack Straw’s statement under s 19(1)(a) of the Human Rights Act 1998 that the Bill is compatible with the European Convention on Human Rights is, to put it mildly, a little inappropriate.

1. See Home Office Press Release 10 February 2000, ‘Regulation of Investigatory Powers Bill Published
Today’, http://www.homeoffie.gov.uk
2. http://www.parliament.the-stationery-office.co.uk/pa/ld199900/ldbills/024/2000024.htm
3. http://www.homeoffice.gov.uk/oicd.interint.htm
4. http://www.parliament.the-stationery-office.co.uk/pa/pabills.htm
5. [1999] 27 EHRR91.
6. Its proposals do not happily sit with Jack Straw’s observations on the previous Conservative government’s
1996 proposals on encryption and security which Straw claimed would weaken online confidence and security.
7. http://www.dti.gov.uk/cii/elec/ecbill.pdf
8. [1999] 28 EHRR483.
9. The previous Conservative administration first proposed to regulate encryption in 1996.