From: Caspar Bowden [cb@fipr.org]
Sent: 29 March 2001 14:26
Subject: FIPR Release 29/3/01: Govt. stalls on licensing of computer consultants

FIPR Press Release 29/3/01: FOR IMMEDIATE USE
==========================
Foundation for Information Policy Research
Contact: Caspar Bowden
Tel: +44(0)20 7354 2333

Government stalls on Bouncers Bill licensing of computer consultants
--------------------------------------------------------------------

Home Office Minister Charles Clarke announced yesterday (28/3/01 16:09 BST) in the 2nd Reading debate of the Private Security Industry (PSI) Bill that the government did not "CURRENTLY" intend to bring IT security consultants within the scope of a new licensing regime, but would not give an assurance to amend the wording to guarantee their complete exemption.

Promoted as a measure to crack down on wheelclampers and bouncers, the PSI Bill also requires private investigators and "security consultants" to be licensed by a new statutory authority supervised by the Home Office. "Security consultant" means anyone giving advice about "security precautions in relation to any risk to property" (Sch.2 5(1)a).

This has caused a wave of unease through the IT industry as it was realised the wording could catch freelancers such as systems administrators ('sysadmins') who configure and maintain computer access controls, and programmers and consultants who typically work on a wide range of system tasks including information security. Several trade bodies have made enquiries about the Home Office's intentions in the past few weeks but have received no clear reply.

Mr. Clarke referred to the presently unregulated status of IT consultants, but said the government did not "currently" intend to prescribe their inclusion in the licensing regime. However he said the DTI would consult with the industry about the adequacy of existing professional practices.

Opposition spokesman Nick Hawkins MP (Con) asked if the government would agree to revised wording which would grant IT consultants the clear exemption afforded to accountants, lawyers and management advisers. Mr. Clarke stressed the broad wording of the bill was intentional, and agreed merely to "look" at the wording.

Quotes
======

Caspar Bowden, Director of Internet policy think-tank FIPR commented:

"In 1999 the government wanted 'key-escrow' - a copy of everyone's encryption keys. The RIP Act 2000 allows seizure of anyone's encryption keys. Do they now want to ban anyone from working with encryption without a license?"

"This looks like a tactic to keep the government's options open. Unless there are the same cast iron exemptions for programmers, sysadmins and IT consultants that have been granted to other professions, the government can introduce licensing by order at any time."

[Verbatim Hansard appended]

What Next ?
-----------

The Bill has already passed through the House of Lords, and now enters the Committee Stage in the Commons. In the absence of an early government amendment to make necessary changes in the definitions, it must be assumed that the government intends to take power to license IT consultants without further legislation.

Notes for Editors
-----------------

1. The Private Security Industry Bill is at http://www.publications.parliament.uk/pa/cm200001/cmbills/067/2001067.pdf

2. The Foundation for Information Policy Research (www.fipr.org), is a non-profit think-tank for Internet policy, governed by an independent Board of Trustees with an Advisory Council of experts.

3. Research topics include: legislation and regulation of electronic commerce and infrastructure, consumer protection, data protection and privacy, copyright, law enforcement and national security, evidence and archiving, electronic government and interaction with business and the citizen, and social inclusion.

4. FIPR's analysis of the RIP Act stimulated media debate, and led to amendments ensuring that people who lose keys or forget passwords are presumed innocent until proven guilty, and preventing casual surveillance of web browsing without a warrant.

Verbatim Hansard follows
========================

http://www.publications.parliament.uk/pa/cm200001/cmhansrd/cm010328/debtext/10328-06.htm

28 Mar 2001 : Column 974

...

Mr. Clarke: The hon. Member for Surrey Heath asked about IT security consultants. I am happy to clarify a point relating to security consultants that has caused concern in some circles. Schedule 2(5), to which he referred, extends the provisions to security consultants whose activities are broadly defined in terms of giving advice about security precautions against any risk to property or the person. In keeping with the rest of Bill, that is a BROAD DEFINITION, accompanied by some clarificatory exemptions.

Concern has been expressed about the position of the information security industry in relation to those definitions. JUST AS WITH TANGIBLE **ASSETS**, there are REAL THREATS TO THE SECURITY OF INFORMATION and security advice, and precautions are needed to protect it. At PRESENT, there is NO REGULATION OF THE INFORMATION SECURITY industry. However, the Government are committed to regulating only where necessary. The Department of Trade and Industry will THEREFORE consult the information security industry on the extent and effectiveness of existing precautions--protected measures--and WHETHER FURTHER ACTION is required. In the light of that, I am happy to make it clear that we do not ***CURRENTLY*** intend to bring the information security industry WITHIN THE SCOPE OF THE NEW LICENSING REGIME established by the Bill. The Security Industry Authority, when established, will undertake full and detailed consultations about the discharge of the remits placed on it by the Bill. NOBODY WILL BE REGULATED by the Bill without their full knowledge and understanding.
All relevant types of security consultant will be invited to participate in the authority's consultations at the APPROPRIATE TIME.

Mr. Hawkins: I am grateful to the Minister for his remarks, which are helpful to those involved in the information security sector of the IT industry, but is not he conscious of the fact that the broad wording of schedule 2(5) may accidentally catch some of those people, even if he does not intend that it should? Will he undertake further to consider that wording and whether it might be improved?

Mr. Clarke: I am certainly prepared to LOOK AT the wording, BUT this is a HISTORIC BILL for which, as I have said, my right hon. Friend the Member for Walsall, South has pressed for many years, and I AM KEEN for its wording to take account of significant changes in the way in which security is offered. Over the past 20 years, for instance, there have been considerable changes in the style of security, the approach to security and the technology that is used. That is why we have adopted a FLEXIBLE STANCE in the Bill, requiring the Security Industry Authority to REVIEW THE POSITION and COMMITTING ourselves to consulting the industries concerned. I acknowledge that the wording of the Bill should relate to what we know now, in 2001, but in a BROADLY DRAFTED context. That is our rationale, and that is why I have been able to give the commitments that I have given (??!!).