Internet Privacy: Cyber- Crimes vs Cyber-Rights

April 30, 1999

This article was prompted by a Memorandum by Cyber-Rights & Cyber- Liberties(UK) to the inquiry by the House of Commons Select Committee on Trade andIndustry into Electronic Commerce in February 1999. 1It reflects also ongoing research into the protection of individual rights andliberties in the Information Age. 2 In this article,we shall address one particular issue which has been of great concern not onlyfrom a civil liberties perspective but also from a legal perspective – theproblems of the Internet for law enforcement authorities. Those problem’s aresaid to comprise:



  • the actual and potential use of strong encryption by criminals
  • the thwarted desire of the law enforcement agencies such as NCIS to access `private encryption keys’
  • the issues surrounding police access to other personal information through Internet Service Providers, including the discussions of the ACPO/ISPs Government Forum.

Law enforcement issues are expected to be dealt with by theGovernment in its proposed Secure Electronic Commerce Bill, as announced in theQueen’s Speech in November 1998, but the Bill has not yet been published.However, the DTI recently published yet another consultation paper, BuildingConfidence in Electronic Commerce. 3 The newconsultation paper deals also with law enforcement issues in relation to thecriminal usage of encryption apart from its more approved and benign commercialuses.


Key Escrow, Law Enforcement and Privacy Concerns


The Issue of Privacy and the DTI’s Approach


A survey of recent Internet-related papers (including the mostrecent DTI consultation paper) would strongly suggest that privacy is not one ofits prime concerns as it is barely discussed or even mentioned. This silence isespecially remarkable in the light of other governmental initiatives. A right toprivacy will soon be part of our lives within the United Kingdom under the HumanRights Act 1998, and a `right to respect for private life’ will then become partof the British law for the first time by reference to Art 8 of the EuropeanConvention on Human Rights and Fundamental Freedoms (1950):




  1. Everyone has the right to respect for his private and family life, his home and his correspondence.



  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime,for the protection of health or morals, or for the protection of the rights and freedoms of others.


It will be noted that Art 8 expressly incorporates a right toprivacy in regard to `correspondence’, and this has long been interpreted by theEuropean Court of Human Rights as including privacy in relation tocommunications via telecommunications networks. Indeed, the United Kingdom hasalready been found to be in breach of Art 8 on several occasions for failing topay adequate attention to the value of privacy. 4The authors, therefore, feel that there is a substantial risk thatInternet-related proposals emanating from the DTI are in danger of repeatingthis error.


Furthermore, principle 5 of the OECD Guidelines on CryptographyPolicy stated that `the fundamental rights of individuals to privacy, includingsecrecy of communications and protection of personal data, should be respectedin national cryptography policies and in the implementation and use ofcryptographic methods.’ In addition to the OECD Guidelines, the EuropeanCommission’s Communication on Encryption and Electronic Signatures points outthat:


International treaties, constitutions and laws guarantee the fundamental right to privacy including secrecy of communications (Art12 Universal Declaration of Human Rights, Art 17 International Covenant on Civil and Political Rights, Art 8 European Convention on Human Rights, Art F(2) Treaty on EU, EU Data Protection Directive). Therefore, the debate about the prohibition or limitation of the use of encryption directly affects the right to privacy, its effective exercise and the harmonisation of data protection laws in the Internal Market. 5


These national and international developments, which expresssignificant support for data privacy, should have important implications for thetreatment of encryption. The use of encryption should be prima facie respectedand even encouraged. By contrast, the government approach should be criticisedas being fixated on the value of encryption solely in connection with commerceand ignoring wider political and social uses of information technology whichmight legitimately require the use of encryption.


Law Enforcement and Encryption


To date, crime prevention has been the major published reasonbehind the official drive towards access (via `Trusted Third Parties’ acting as`duplicate’ key-holders) to private encryption keys by the law enforcementagencies. Most people would accept the need for democratic governments tointercept communications on a limited scale, for detection and investigation ofcrime, and for the defence of the realm. However, this article will show thatthe benefits of using strong encryption are far more important than theassumption that it might create problems for law enforcement and therefore thatencryption should not be routinely compromised by any key escrow system.


Governments are aware of the benefits of using encryptiontechnology for the development of e-commerce and for establishing businessconfidence in the Information Age. However, law enforcement agencies havetempered this enthusiasm for encryption with the fear that it might become amechanism used by criminals and to protect evidence of criminality. First, theUS FBI insisted on access to encryption keys and on a key escrow (or keyrecovery) mechanism for protection against terrorism, violent crime, foreignthreats, drug trafficking, espionage, kidnapping, and other crimes. NCIS took asimilar position in January 1999. 6


Without the `key recovery’ capability, such law enforcementagencies contend that they would be less able to protect the safety of thepublic, and this in itself would constitute an infringement of civil liberties.However, the authors believe that the solution to the problems of crimeprevention and law enforcement do not lie with accessing private encryptionkeys. From our review of the available research and information provided by lawenforcement agencies, the authors have concluded that there is no evidence thatthe use of encryption has been a serious problem for crime detection orprevention. There is no more than speculation that it will be a problem in thefuture. In any event, it seems fanciful to expect that criminals will usegovernment-mandated encryption systems with key recovery capabilities whenalternative systems of encryption remain readily available. The Government’sstrategy is therefore naive as it assumes that criminals would use encryptiontools which can be decrypted by the law enforcement bodies. In discussion, someGovernment spokesmen accept that criminals will communicate with one anothersecurely outside any key escrow scheme. The point they make is that criminalscommunicating with innocent third parties who participate in a key escrowschemewill thereby expose those communications to interception. Innocent third partiesare of course normally willing to assist law enforcement authorities byproviding information, although in some cases they will rightly insist on policeobtaining proper legal authority (the banks are the obvious example). If thepolice can obtain the information from innocent third parties by consent orthrough legal warrant, why do they need key escrow? We perceive that there aretwo possible reasons.



  • The first is that key escrow outflanks the need to obtain proper legal authority for the disclosures. That is of course not an acceptable justification for key escrow, and is, on the contrary, a basic objection to it. The absence of proper legal authority and proper legal oversight will undoubtedly result in contraventions of Art 8 of the European Convention. 7
  • The second is that key escrow provides the information `in real time’, without the delay of approaching the innocent recipient, and also without the risk that that approach will reveal to the subject of investigation that the information has been obtained. It may be that there is genuine evidence from unreported investigations that real obstacles are being placed in the way of the detection and prevention of serious crime by the fact that information can only be obtained after a delay and with some risk of `tipping off’. But it is striking that neither Government nor law enforcement spokesmen have ever clearly addressed this supposed problem, and have provided no evidence whatever in support of the only legitimate case that could support key escrow proposals. That case, if ever made, must take account of the fact, as pointed out by the European Commission, that `restricting the use of encryption could well prevent law-abiding companies and citizens from protecting themselves against criminal attacks. It would not however prevent totally criminals from using these technologies’. 8

Moreover, a key escrow technology will have a chilling effect on the onlineusers who seek to remain either secure or anonymous when communicating throughthe Internet, whether for fear of retribution or other reasons.


Denning and Baugh state that encryption is used by organised crime and forespionage and they cite seven cases of terrorism which involved encrypted fileswithin computers, but in all of these cases the law enforcement agents managedto decrypt the files during their investigation. 9Examples cited by the NCIS 26 January1999 10 pressrelease are also weak evidence of law enforcement difficulties 11because they all involved cases in which law enforcement was successful in oneway or another. Even without a `key escrow’ or `key recovery’ system, the lawenforcement agents managed to decrypt the encrypted files in these cases. A casethat is not mentioned by NCIS is the case of Father Adrian McLeish, a RomanCatholic priest, who was sentenced to six years’ imprisonment in November 1996for child abuse and child pornography offences. 12During Operation Modem by the Durham Police, it was discovered that McLeish usedencryption software. But McLeish’s use of encryption was not a problem for theDurham police, as McLeish handed over his encryption keys together with hisprivate passphrase (`Overhead the moon is beaming’). 13


There are also practical issues here which are worthy of consideration. Ofcourse no one is in favour of terrorists and drug dealers using cryptography toplan or facilitate their crimes. But what if they do? The sending of messages inthis way may still create evidence which is obtainable during the course of aninvestigation or trial. It is suspect users who should be targeted, not thewhole world at large. We should also remember that government access toencryption keys, just as with the use of other technological surveillance (suchas Closed Circuit Television systems (CCTVs) or explosives detection equipmentand X-ray machines) have not prevented premeditated brutal terrorist attackssuch as the Lockerbie Pan AM 103 bombing and the London Docklands and ManchesterArndale shopping centre bombings. It takes an extraordinarily high level ofconstant surveillance and oversight to provide an effective deterrent throughthese means.


More likely is that the terrorists will use encryption without detection ordetection will come later through other means, by which time the refusal toprovide the key will be incriminating evidence. 14Terrorists and organised criminals are detected through a variety of techniquesinvolving mainly informers and surveillance. The interception of messages isimportant, but the police clearly have effective powers to build up other usefulevidence.


The March 1997 DTI consultation paper suggested that similar legislation tothe Interception of Communications Act 1985 will be introduced for the recoveryof keys from the Trusted Third Parties (TTPs). Similar calls are now being madeby NCIS in addition to the DTI proposals. 15 Butthis idea seems to go further than the requirements of the 1985 Act because theconsultation paper suggested that the future legislation will not only deal withinformation on the move through a telecommunications system but also `lawfulaccess to data stored and encrypted by the clients of the licensed TTPs’.Additionally, Internet communications are different from simple telephonecommunications, and the encryption technology in question is obviously not themedium itself, but a tool that can be used for many purposes. So the analogywith the Interception of Communications Act 1985 is not necessarily a correctone.


In developing its policy on encryption, the April 1998 Government SecureElectronic Statement relates that it has given serious consideration to therisk that criminals and terrorists will exploit strong encryption techniques toprotect their activities from detection by law enforcement agencies. 16Therefore, the Government favours judicial warrants and legal interception ofcommunications on a case-by-case basis. The policy paper stated that `the newpowers will apply to those holding such information (whether licensed or not)and to users of encryption products’. This is justified by the fact thatwarrants are regularly used for the interception of communications withinBritain, although there is no claim that the interception of encrypted messagesthrough the use of the Internet arose in any single case out of the 2,600interception warrants issued during 1996-97 by the Home Secretary. Anotherimportant issue to be noted is that the number of such warrants has risenconsiderably in the last few years (1,073 warrants issued in 1996 compared to473 in 1990). 17 This suggests both that thecurrent powers are more than adequate and perhaps also that they are not beingproperly or strictly regulated. We therefore welcome the review which iscurrently being undertaken by the Home Office into these laws and hope thatradical changes are made, not only to make the powers more subject to anaccountable and open system of judicial control.


Endnotes


1. See http://www.cyber-rights.org/reports/.The authors gave oral evidence in front of the Select Committee on Trade andIndustry on 9 March 1999. See also Cyber-Rights & Cyber-Liberties (UK),`First Report on UK Encryption Policy: A Legal Reply to the DTI PublicConsultation Paper on Licensing of Trusted Third Parties For the Provision ofEncryption Services,’ 30 May, 1997, at www. cyber-rights.org/crypto/ukdtirephtm4


2. Consumer protection issues will therefore not be addressedhere, but see Cyber-Rights & Cyber-Liberties (UK) Report: `Who Watches theWatchmen: Part II – Accountability & Effective Self-Regulation in theInformation Age,’ September 19 98, at www.cyber-rights.org/watchmenii.htm.


3. Department of Trade and Industry, `Building Confidence inElectronic Commerce,’ 5 March 1999, at www.dti.gov.uk/cii/elec/elec_com.html.See also DTI and Home Office Press Release, `Building Confidence inElectronic Commerce: Government consults on proposals to make UK best place totrade electronically,’ P/99/ 200, 5 March 1999, and BBC News, Encryption: thecivil-libertarian view,’ Friday, 5 March 1999, and Cukier, K.N., `UK ChallengesIndustry to Give Police Access to Crypto “Key-Escrow” Introduced UnlessAlternatives Found,” Communications Week International, 15 March1999, p1.


4. See Malone v UK App no. 8691/79, Ser. A. vol. 82,(1984) 7 EHRR14; Govell v United Kingdom App. no. 27237/95 [1997] EHRLR 438; Halfordv UK App. no. 20605/92, 1997-III, (1997) 24 EHRR 523.


5. European Commission Communication, `Towards A EuropeanFramework for Digital Signatures And Encryption,’ Communication from theCommission to the European Parliament, the Council, the Economic and SocialCommittee and the Committee of the Regions ensuring Security and Trust inElectronic Communication, COM (97) 503, October 1997, at www.ispo.cec.be/eif/policy/97503toc.html.


6. National Criminal Intelligence Service Press Release, NCIScalls upon Government to ensure law enforcement powers do not fall behindtechnology in fight against `crypto criminals’ No: 02/99, 26 January1999.


7. See further Klass v Germany; Judgement of 6September 1978, A.28; (1979) 2 EHRR 214; Huvig v France (1990) 12 EHRR 547.


8. See the European Commission, `Towards A European Frameworkfor Digital Signatures And Encryption,’ Communication from the Commission to theEuropean Parliament, the Council, the Economic and Social Committee and theCommittee of the Regions ensuring Security and Trust in ElectronicCommunication, October 1997, COM (97) 503, at www.ispo.cec.be/eif/policy/97503toc.html.


9. See Denning, D. E. &. Baugh, Jr., W. E. `CasesInvolving Encryption in Crime and Terrorism,’ October 1997, 5 http://guru.cosc.georgetown.edu/¨denning/crypto/cases.html.


10. National Criminal Intelligence Service Press Release(1999),`NCIS calls upon Government to ensure law enforcement powers do not fallbehind technology in fight against “crypto criminals”, ‘ No: 02/00, 26 January1999 at www.ncis.co.uk/web/Press%20Releases/encryption.htmand also note that, according to John Abbott, NCIS Director General, `criminalsare lazy, freedy and they make mistakes . . . We are able to capitalise on thisand we anticipate that a licensing scheme would allow us to have somesuccesses.’ See BBC News, `Encryption key would lock up criminals,’ 2 March1999.


11. See also the examples cited in Depart- met of Trade andIndustry, `Building Confidence in Electronic Commerce, 5 March 1999, at www.dti.gov.uk/cii/elec/elec_com.html.


12. McLeish admitted 12 specimen charges of indecentassaults against two boys, one aged 12 and another aged 18. He also admitteddistributing indecent photographs, possessing them with intent to distributethem and being involved in the importation of pornographic videos of children.


13. Another example is the use of encryption within the socalled Wonderland child pornography club with codes fromthe for- mer Soviet KGBto prevent outsiders from gaining access to them. However, during the `OperationCathedral’ in September 1998, the misuse of encryption technology proved not tobe a problem for the law enforcement forces around the globe for the detectionof their criminal activity.


14. As under the Prevention of Terrorism (TemporaryProvisions) Act 1989, sch 7.


15. See further Department of Trade and Industry,`BuildingConfidence in Electro- nic Commerce,’ (see note 11).


16. See further Bowden, C. , & Akdeni z,Y.,`Cryptography and Democracy: Dilem- mas of Freedom,’ in Liberty eds., Liberat-ing Cyberspace: Civil Liberties, Human Rights, and the Internet, London: PlutoPress, 1999, 81-125. Available also through www.cyber-rights.org/reports/.


17. Total figures for warrants issued in England and Wales1989-1995: 1989 – 458, 1990 – 515, 1991 – 732, 1992 – 874, 1993 – 998, 1994 -947, 1995 – 997, 1996 – 1073. `UK: Phone-tapping doubles in 5 years’, StatewatchBulletin, Vol 6, no 3, May- June1996, and also the Report of the Com- missionerfor 1996, Interception of Com- munications Act 1985. Cm 3678, HMSO; Report ofthe Commissioner for 1996, Security Service Act 1989, Cm 3769, HMSO; Report ofthe Commissioner for 1996, Intelligence Services Act 1994. Cm 3677, HMSO.


18. Compare the Interception of Communications- Act1985 with the Police Act 1997, Part III.


19. 97 Cr App R151 at 160.


20. See further Koops, Bert-Jaap, The Crypto Controversy:A Key Conflict in the Information Society, Kluwer Law International, 1999.


21. European Commission Communication, `Towards A EuropeanFramework for Digital Signatures and Encryption,’ Communication from theCommission to the European Parliament, the Council, the Economic and SocialCommittee and the Committee of the Regions ensuring Security and Trust inElectronic Commu- nication, COM (97) 503, October 1997, at www.ispo.cec.be/eif/policy/97503toc.html.


22. App no. 8691/79, Ser. A. vol. 82, (1984) 7 EHRR14.


23. See Sch 2 to the Interception of Communications Act1985.


24. This view is more fully expressed by JUSTICE, Surveillance(London, 1998).


25. [1994] 2 AC130, H. L.


26. See Inquiry into Legislation against Terrorism (Cm.3420,1996) (the Lloyds Report).


27. See further Akdeniz, Y, & Bohm, N, `InternetPrivacy: New Concerns about Cyber-Crime and the Rule of Law,’ (1999) InformationTechnology & Communications Law Journal (5) 20-24.


28. See the current version of the Data Protection Act s28(3) form at www.linx.net/misc/dpa28-3form.html.


29. See the Cyber-Rights & Cyber-Liberties (UK) privacyletter at www.cyber-rights.org/privacy/letter.htm.


30. The responses are available from the above pages.


31. See Council of Europe Recommendation No R (99) 5 of theCommittee of Ministers to Member States, at www.coe.fr/cm/ta/rec/1999/99r5.htm.


32. February 1999, at www.cyber-rights.org/privacy/watchmen-iii.htm.









A further point which causes some alarm is that the government is not wholly committed to searches purely under the authority of a judge (contrary to earlier promises). In the Secure Electronic Statement, a vague distinction is made between judicial involvement in`criminal investigations’ and other `interceptions’ which will be by order of the Secretary of State. To some extent, it must be admitted that this follows the lax pattern of earlier legislation to which we have already alluded, 18 but the replication of this absence of proper (judicial) oversight should hardly be welcome. The effect will be to dilute considerably judicial oversight, as law enforcement agencies will be encouraged to engage in `fishing expeditions’ for intelligence which do not require scrutiny by judges. In any event, the access to a key in order to decode a message already sent should be treated as a different exercise to the original interception of a message as it is being transmitted. Once an encrypted message has been intercepted and found undecipherable, the benefits of real time access have already been lost, and the process of enforcing access becomes analogous to executing a search warrant. That analogy should be applied, thus ensuring that access powers are subject to judicial authority and that the additional protection provided by the Police and Criminal Evidence Act 1984 for `special procedure materials’, such as legally privileged communications, are properly respected.


Alternative forms of evidence-gathering


The interception of messages is an important technique of modern law enforcement, but it should be remembered that terrorists and organised criminals are detected through a variety of techniques involving mainly informers and surveillance. It should also be remembered that encryption is a means to an end and that at some stage a decrypted message is quite likely to be produced and recorded on computer or even in physical form by the criminal. In addition, those who choose to exercise their `right to silence’ by not disclosing information to unlock encrypted files will risk adverse inferences being drawn from their silence under ss 34 to 37 of the Criminal Justice and Public Order Act 1994. Lord Slynn in Murray v DPP stated that: 19


If aspects of the evidence taken alone or in combination with other facts clearly call for an explanation which the accused ought to be in a position to give, if an explanation exists, then a failure to give any explanation may as a matter of common sense allow the drawing of an inference that there is no explanation and that the accused is guilty.


Not providing an encryption key may result in judges commenting on the accused’s behaviour and juries drawing inferences under the 1994 Act. 20 An even more draconian power to order an explanation of seized materials (such as a computer disks) exists under para 6 of Sch 7 to the Prevention of Terrorism (Temporary Provisions) Act 1989.


It should be remembered that a recent European Commission communication paper on encryption stated that `most of the (few) criminal cases involving encryption that are quoted as examples for the need of regulation concern “professional” use of encryption. It seems unlikely that in such cases the use of encryption could be effectively controlled by regulation’. 21


Police Access to Personal Information through the ISPs


The Interception of Communications Act 1985 was enacted in reaction to the unregulated usage of interception of telephone conversations following the European Court of Human Rights decision in Malone v UK. 22 It must be noted that, although access to the content of communications has now been regulated, information about those communications derived from traffic logs remains unregulated. 23 A sophisticated electronic telecommunications system could provide a significant volume of information about who called whom when, which would in turn enable dossiers to be compiled showing the existence of networks of relationships between subscribers, without any requirement for a warrant. The authors believe, the whole system needs statutory revision and judicial control in order to comply with the European Convention on Human Rights. 24 However, we do not seek to prohibit the use of electronic surveillance in crime detection. Indeed, in some respects it is currently too narrowly based – an example is s 9 of the Interception of Communications Act 1985, which forbids the use in court of evidence from a telephone tap and is based on intelligence agency and not police agendas.


A further point to be noted is that the interception regime applies to licensed providers of public telecommunications systems, and that very few Internet Service Providers (ISPs) fall into this category. They are neither proper addressees of a 1985 Act warrant from the Secretary of State, nor beneficiaries of the protection given by the imposition of criminal sanctions against unauthorised interception. This limitation suggests that consideration be given to legislation which allows ISP to be notified as third parties to a warrant application. In any event, as in Germany and in several other Western European countries, the authors suggest that the objects of the investigation be informed of the issuance of a warrant at the end of its period of operation or such date thereafter determined by a judge on proof that earlier disclosure would hinder an ongoing investigation. Without such notification and possible scrutiny by an outside person, there is a grave danger that the system will be abused and that the European Convention standards will not be met.


As became clear from the decision of the House of Lords in R v Preston, 25 the statutory provisions for maintaining the secrecy of the fact of interception, and the narrowly expressed purpose of the power itself, have led to difficulties in the use of intercepted evidence: all material must be destroyed as soon as its retention is no longer necessary for the prevention or detection of crime, which must usually be inconsistent with its retention for use in a prosecution. The secrecy of the process, and the vesting of the relevant power in the executive rather than the judiciary, have effectively prevented the development of a body of case law bearing on the substance of interception issues. Therefore, a further reform may be a needed in the form of the abolition of s 9 of the Interception of Communications Act 1985, as mentioned above and as supported by the Lloyd Report on Terrorism Legislation in 1996. 26


ISPs thus find themselves operating in an uneasy territory, subject to powers of search, perhaps exposed to criticism as holders (albeit unknowingly) of material used for criminal purposes, unable to be given the cover of a warrant from the Secretary of State for disclosing information, and in possession of information about the source and destination of messages which the authorities can obtain freely from telecommunications operators but which the very operations of an ISP render inaccessible without interception of the messages themselves.


Given the concern over cyber-crimes, it is entirely understandable that the police and the ISPs should wish to develop mutual understanding and support, and to establish working relationships. 27 For this purpose the Association of Chief Police Officers and the ISPs, with the support of the Home Office, have established the ACPO, ISPs and the Government Forum, with the objective of developing good practice guidelines between law enforcement agencies and the ISP industry, describing what information can lawfully and reasonably be provided to law enforcement agencies, and the procedures to be followed. This initiative has caused considerable and legitimate concern among the British Internet users and the media.


To date the work of the Forum seems to have been focused on developing and harmonising a form of request for information by the police to an ISP. The form, which might seem to some addressees to have the appearance of a legal warrant (akin to a search warrant), is designed to satisfy the ISP that in the circumstances of the particular case the ISP is not prevented by the restrictions on data disclosure in the Data Protection Act 1984 from providing information to the police. Despite its appearance, the form (and its associated `good practice guidelines’) 28 has no legal basis for imposing any obligation on an ISP to provide any form of disclosure to the police. In reality it is an invitation to volunteer information.


It is of course right that the police should not put ISPs in peril of infringing the Data Protection Act, and to that extent the use of such a form is of assistance to all concerned. But it is most unfortunate that the Forum should so completely neglect the matter of the protection granted by the law to the safeguarding of private information, especially in the light of Art 8 of the European Convention.


It may be argued that the investigation of crime excuses breaches of confidence, or negates the confidentiality itself. It is certainly a truism that there is no confidence in iniquity. This is an over-simplified view of the matter, however. It has certainly never prevailed over the need for judicial authority for disclosures by banks, and there is no reason why ISPs should stand in any different position.


Furthermore there are important cases where the rule does not apply at all: communications protected by legal professional privilege (and lawyers are among those making increasing use of the Internet for professional purposes) remain protected however gross the iniquities revealed by them may be. And it is thoroughly unsatisfactory to expect ISPs to examine material sought by the police in order to determine, at their own expense, on their own responsibility and at their own risk, whether the degree of iniquity revealed justifies what would otherwise be a breach of confidence.


As a result of concerns expressed about these issues, Cyber-Rights & Cyber-Liberties (UK) has developed a`privacy letter’ 29 to be sent from a subscriber to an ISP addressing the position from the subscriber’s point of view. A few ISPs have already replied as they are responsive to these concerns, but further evidence is needed before conclusions can be drawn. 30 It should also be noted that the approach Cyber-Rights & Cyber-Liberties (UK) have taken with the development of the `privacy letter’ is consistent with the February1999 Recommendation of the Council of Europe `for the Protection of Privacy on the Internet.’ 31


So far, the views of civil liberties organisations and, more importantly, the views of the users have been excluded from the ACPO ISP Government Forum: no doubt it is partly as a result of this exclusion that the Forum’s initiatives and work, if unchecked, could lead to extensive infringements of the privacy rights of individual Internet users in the UK.


Cyber-Rights & Cyber-Liberties (UK)’s recent report, `Who Watches the Watchmen: Part III – ISP Capabilities for the Provision of Personal Information to the Police,’ 32 shows that the authors, together with the online users, have legitimate concerns in relation to privacy issues involving the ISPs and law enforcement bodies. Furthermore, procedures can be properly designed only within a legal context, and we are concerned to ensure that the legal context takes due account of individual rights and liberties. Such procedures are a matter of legitimate public interest, especially to users of the services of ISPs.


It should be noted that the ACPO has no statutory basis. Therefore, ACPO has no accountability to the public at large. Moreover, ISPA (a trade body interested in protecting its own interests rather than the consumer interests) is also not accountable to the public. It is the duty of the Government to take such decisions and to open the closed doors to the public. Transparency, openness and accountability are important features of a healthy society and the Nolan Committee principles on good standards in public life should be respected. Policing the Internet by consent means winning the consent of the Internet user community: it cannot be achieved by recruiting ISPs as a private police force.


The authors believe it is now time for the Government through Parliament to intervene in the activities of the ACPO/ ISP Government Forum and to clarify these matters, including the laws in relation to interception of communications and the relevant procedures. We believe this should be a heavily regulated area, otherwise we can expect several detrimental consequences, including further litigation under the European Convention/ Human Rights Act 1998 and a transfer of business to European legal jurisdictions which better respect the value of privacy. A response to these calls for openness and transparency came from one of the ISP trade organisations, the London Internet Exchange (LINX). LINX invited industry representatives, public interest groups and the DTI to discuss privacy on the Internet within a new Privacy Forum in March 1999. The proposed first objective of this group of people will be to work together on producing an `Internet Privacy Code’ that ISPs would be willing to commit to and this initiative is also supported by ISPA.


This is an important step in the right direction and Cyber-Rights & Cyber-Liberties (UK) will be involved with these meetings. It is encouraging to see the industry finally responding positively to the consumers’ concerns on Internet privacy. The development of an Internet Privacy Code which takes into account users’ concerns at a national level will be a major step towards the recognition and protection of such rights and values.



Endnotes


18. Compare the Interception of Communications Act 1985 with the Police Act 1997, Part III.


19. 97 Cr App R151 at 160.


20. See further Koops, Bert-Jaap, The Crypto Controversy: A Key Conflict in the Information Society, Kluwer Law International, 1999.


21. European Commission Communication, `Towards A European Framework for Digital Signatures and Encryption,’ Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions ensuring Security and Trust in Electronic Communication- , COM (97) 503, October 1997, at www.ispo.cec.be/eif/policy/97503toc.html.


22. App no. 8691/79, Ser. A. vol. 82, (1984) 7 EHRR14.


23. See Sch 2 to the Interception of Communications Act 1985.


24. This view is more fully expressed by JUSTICE, Surveillance (London, 1998).


25. [1994] 2 AC130, H. L.


26. See Inquiry into Legislation against Terrorism (Cm.3420, 1996) (the Lloyds Report).


27. See further Akdeniz, Y, & Bohm, N, `Internet Privacy: New Concerns about Cyber-Crime and the Rule of Law,’ (1999) Information Technology & Communications Law Journal (5) 20-24.


28. See the current version of the Data Protection Act s 28(3) form at www.linx.net/misc/dpa28-3form.html.


29. See the Cyber-Rights & Cyber-Liberties (UK) privacy letter at www.cyber-rights.org/privacy/letter.htm.


30. The responses are available from the above pages.


31. See Council of Europe Recommendation No R (99) 5 of the Committee of Ministers to Member States, at www.coe.fr/cm/ta/rec/1999/99r5.htm.


32. February 1999, at www.cyber-rights.org/privacy/watchmen-iii.htm.