From:  Professor Jim Norton, Head of E-Business Policy

The Rt Hon Jack Straw MP

The Rt Hon Stephen Byers

Secretary of State

Secretary of State

The Home Office

Department of Trade & Industry

50 Queen Anne’s Gate

1 Victoria Street





8 June 2000 

Regulation of Investigatory Powers Bill

Over the past few months, IoD has sought informally, with Ministers and officials, to make clear the concerns of our members regarding the Regulation of Investigatory Powers (RIP) Bill.  We have now seen the clear and helpful letter from Chris Humphries, Director General of the British Chambers of Commerce, to the Home Secretary.  The IoD strongly endorses the points that Chris has made and we feel that we should also emphasise some further concerns jointly to both Home Office and DTI.

First let us be clear that the IoD does recognise the need for a clear framework for the regulation of law enforcement access to the various communications media, including the Internet.  Placing such regulation within the framework of the European Directive on Human Rights is a welcome objective.  Business needs the general confidence created by efficient and effective policing of those criminal activities just as prevalent in the world of electronic commerce as in the older physical forms of trading.

The additional concerns of IoD members focus on the effectiveness of the current RIP Bill in addressing these otherwise sensible goals.  The construction of the definitions used in the Bill tends to be excessively broad and the drafting is littered with “is likely to”references such as “information likely to come into possession …”  These lead to substantial doubt as to the level of exposure to cost, risk and disruption for business both immediately on introduction and, perhaps of even greater concern, as the various Agencies explore how this new framework might be ‘stretched’ in the future.  This uncertainty does cast a pall over future investment decisions.  Areas of particular concern include:

·         which officials, at what level, in which Departments may seek access to encryption key material?   And 

·         where is the boundary drawn between ‘content’ of messages or transactions, (where warranted access is required) and ‘communications data’ (where access would not appear to require a warrant)?  In the old world of telephony such distinctions were clear.  They are far less so in the Internet World.  Every ‘click’ identifying a new page or button option seems to be regarded as ‘communications data’ in the Bill as presently drafted.  The amendments tabled by Lord Bassam to Clause 2 and Clause 20 make this concern even greater.

IoD members are also concerned about the degree of individual and corporate liability flowing from exposure in other jurisdictions to actions potentially required in the UK to comply with the RIP Bill.  If full decryption (as opposed to our preferred option of session) keys are demanded using as Section 46 notice with an associated ‘tipping-off’ order, individuals working for multi-national companies may be placed in a perilous position.  They may have compromised the international transactional security of that organisation yet be directly barred from informing senior management of that exposure.  Such an individual might well be protected under UK law for these actions but what of their exposure in other jurisdictions – particularly that the of a non-UK parent company?

We believe that the ‘definition’ and ‘communications data’ issues could be dealt with through amendments to the Bill in the House of Lords during its Committee stage starting on Monday (12/6).  We would welcome action by the DTI on the international issues, perhaps in the first instance through the OECD.

In closing, IoD strongly endorses the potential amendments already suggested by the Chambers of Commerce on:

·         seeking preferred access to plaintext with a fallback of ‘session’ keys.  A much higher level of judicial authorisation should be required for demands to access general decryption keys;

·         security guarantees for the storage of keys acquired under Bill powers and clear liability accepted by Government for consequences arising from loss or misuse;

·         resolving the potential issue of the Government being deemed to be acting as a ‘shadow director’ and giving the necessary employee protection;

·         the issue of the reverse burden of proof regarding lost or missing keys; and

·         meeting the reasonable costs of ISPs in establishing the envisaged infrastructure for investigative access.

We would welcome the opportunity to discuss your response on these points and to work together to achieve our shared goal of “making the UK the best location in the World for e-commerce by 2002”.

Jim Norton

Head of e-Business Policy, Institute of Directors