REGULATION OF INVESTIGATORY POWERS BILL [Bill 64]


BRIEFING FOR SECOND READING DEBATE (MONDAY 6th MARCH)


This briefing only covers those sections of the bill concerned with access to Communications Data (Part.I Chapter II) and Encryption (Part.III), since we understand that other sections will be fully covered in briefings from industry groups (Part.I) and legal rights organisations (Part.II). We will be publishing comments on Scrutiny arrangements (Part.IV) before Standing Committee.


Part.I Chapter II (Communications Data)

Communications data means data carrying address information that indicates “who-is-talking-to-whom” (rather than “what-they-are-saying”), and covers logs of telephone numbers, websites browsed, e-mail senders and recipients. It may also cover verifiable digital signatures affixed to Internet transactions, and precise geographic location data continuously available from 3rd-generation mobile phones.

Any person designated by order in any public authority (24.2) may issue written notices to acquire communications data (for example from an Internet Service Provider) for any of the broad purposes in 21.2 (which include secondary powers to create other purposes). A current safeguard, that such data can only be obtained by police request on presenting a data controller with satisfactory evidence that a Data Protection Act (s.29) exemption applies, is abolished. Access to communications data is not reviewed by any Commissioner under this Act, although such data is within the scope of the Data Protection Act generally. However, the Data Protection Commissioner has persistently criticised[1] blanket national security exemptions (DPA98 28.1) that preclude any inspection or enforcement.

Rapid advances in computing power now permit warehousing and “traffic-analysis” of unlimited quantities of communications data by automated tools (some commercially available[2]). They process Internet traffic or telephone number logs in machine-readable form and draw “friendship trees”, which detect and display the patterns of association between individuals and groups automatically, using sophisticated artificial intelligence programming. It is likely that government will wish to significantly expand the use of intelligence-integrated traffic-analysis, perhaps to compensate for loss of interception capabilities due to encryption.
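To make concrete what the previous paragraph means by a “friendship tree”, the following is an added illustration (not part of the FIPR briefing, and not a description of any commercial tool): it takes a handful of constructed communications-data records, containing only time, medium and who contacted whom, with no content at all, and derives from them the groups of associated parties and the most heavily connected members. The log format, the telephone numbers (from the UK range reserved for fiction) and the e-mail addresses (on a reserved example domain) are all invented. The point it demonstrates is the one the briefing makes: patterns of association emerge from address data alone, which is why the briefing argues the acquisition of such data deserves oversight comparable to interception of content.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of communications data in the sense of the briefing:
# time, medium, and who contacted whom, but no content. Every number and
# address below is invented (07700 900xxx is a UK range reserved for
# fiction; example.org is a reserved domain).
SAMPLE_LOG = """\
2000-03-01T09:12:00 call 07700900001 -> 07700900002
2000-03-01T09:40:00 call 07700900002 -> 07700900003
2000-03-01T11:05:00 call 07700900001 -> 07700900003
2000-03-02T08:30:00 call 07700900001 -> 07700900002
2000-03-02T10:00:00 mail alice@example.org -> bob@example.org
2000-03-02T10:15:00 mail bob@example.org -> carol@example.org
2000-03-03T16:45:00 mail alice@example.org -> carol@example.org
2000-03-03T17:20:00 call 07700900004 -> 07700900005
"""

# Hypothetical line shape: <ISO timestamp> <call|mail> <source> -> <destination>
LINE_RE = re.compile(r"^(\S+)\s+(call|mail)\s+(\S+)\s+->\s+(\S+)$")


def parse_records(text):
    """Parse log lines into (timestamp, medium, source, destination) tuples.
    Lines that do not match the expected shape are skipped rather than
    guessed at, so a malformed line cannot create a spurious association."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, medium, src, dst = m.groups()
        records.append((datetime.fromisoformat(ts), medium, src, dst))
    return records


def build_association_graph(records):
    """Undirected weighted graph: graph[a][b] is the number of contacts
    between a and b in either direction. Direction is deliberately dropped
    because association, not who initiated, is what traffic analysis maps."""
    graph = defaultdict(lambda: defaultdict(int))
    for _ts, _medium, src, dst in records:
        if src == dst:
            continue  # a self-contact says nothing about association
        graph[src][dst] += 1
        graph[dst][src] += 1
    return graph


def connected_components(graph):
    """Each component is one 'friendship tree': a set of parties linked by
    some chain of contacts. Returned as a list of sorted lists."""
    seen = set()
    components = []
    for start in sorted(graph):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in seen:
                continue
            seen.add(node)
            component.add(node)
            stack.extend(n for n in graph[node] if n not in seen)
        components.append(sorted(component))
    return components


def most_connected(graph, n=3):
    """Rank parties by total contact volume, the simplest 'hub' measure.
    Ties are broken by identifier so the result is deterministic."""
    volume = {node: sum(edges.values()) for node, edges in graph.items()}
    return sorted(volume.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def analyse(text):
    """Run the whole pipeline over raw log text."""
    graph = build_association_graph(parse_records(text))
    return {
        "graph": graph,
        "components": connected_components(graph),
        "hubs": most_connected(graph),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for group in result["components"]:
        print("group:", ", ".join(group))
    for party, vol in result["hubs"]:
        print(f"hub: {party} ({vol} contacts)")
```

On the eight constructed records this yields three separate groups (one telephone cluster of three, one e-mail cluster of three, and an isolated pair) and identifies the two telephone numbers with the highest contact volume, without any record of what was said. The real tools the briefing refers to operate on far larger volumes and add timing and location, but the underlying step, turning address logs into a graph of association, is the one shown here.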

However, if government were in a position to know which websites you browse, what you buy online, the e-mail addresses of those who e-mail you and those you have e-mailed, and to analyse and archive that information without hindrance, there is potential for an unprecedentedly serious corrosion and chilling of civil liberties, particularly the freedoms of association and expression.

Safeguards on exploitation and acquisition of communications data are weaker than for interception of content because of ECHR case-law pre-dating the arrival of the Internet, which now functions as a ubiquitous medium for financial transactions, e-commerce, and personal and business messaging previously performed on disparate systems. The ability to image a complete nexus of social and business relationships from Internet traffic alone amounts to the emergence of a powerful new form of surveillance at least as intrusive as access to content.

FIPR therefore believes that a RIP Commissioner should have a duty to review the exploitation of communications data, and a warranting system should be created for access to computer analysis facilities, with a system of oversight similar to the interception and intrusive surveillance regime.


Part.III (Encryption)

Encryption refers to the scrambling of computer data with modern cipher systems (usually in software) that are effectively uncrackable. The data concerned is protected using a mathematical procedure that cannot be reversed by even the most powerful computers available unless a special key is provided.

After much policy wrangling over several years, the United States has now dismantled strict export controls on encryption software, because many applications of e-commerce are dependent on the confidentiality and transaction security that only good encryption can provide (e.g. mobile-phone banking, electronic cash, online share dealing). Individuals as well as businesses have good reason to protect their privacy with encryption, as without it Internet communications are as unprotected as correspondence on a postcard.

Law enforcement will be unable to understand intercepted criminal communications unless they obtain the key. S.49 creates the offence of failing to comply with a decryption notice, which may be obtained by public authorities ranging from local trading standards officers to MI5, under a patchwork of authorisations specified in Schedule.1 (see Annex Diagram[3]). Such notices may be served not only on suspects in a criminal investigation, but also on innocent parties or major companies who happen to possess information there is legal authority to obtain.

Although such powers superficially appear to be a reasonable extension by analogy of existing powers to require disclosure of information, on closer analysis they turn out to be of little use if formulated to be compatible with the Human Rights Act. The central difficulty arises from the fact that it is an inevitable and frequent occurrence (even amongst computer professionals) that keys (or equivalent pass-phrases) are genuinely lost, forgotten, or inadvertently or intentionally destroyed.

The offence is formally constructed so that a person is presumed guilty if properly served with a notice with which they do not comply. There is a statutory defence available which requires a person to demonstrate (on the balance of probabilities) that they do not have possession of the key. This is a uniquely severe (some would say logically impossible) reversal of the usual prosecution burden of proof, and was found to be incompatible with the European Convention on Human Rights in a Legal Opinion[4] obtained by FIPR and JUSTICE in 1999. The powers then proposed in the draft DTI Electronic Communications Bill were withdrawn, but have been re-introduced essentially unchanged in this Home Office bill, without clarification of why the Secretary of State now believes them to be compatible with the Human Rights Act.

A further practical difficulty with this approach is that the reverse-burden defence will become discredited, because a criminal who wished to suppress evidence that would convict on a more serious charge would prefer to plead forgetfulness - facing only a 6-month sentence on summary conviction if they are not believed. An innocent defendant, by contrast, must essentially prove to the court that they are not lying, and can be convicted without need of other incriminating or circumstantial evidence.

FIPR believes that it would also be unsatisfactory to put the burden of proof on the prosecution to show key possession; but this may be the least bad solution attainable (deletion of “or has had” in 49.1.b). Proof beyond reasonable doubt of wilful withholding of a key could only occur if the authorities knew for certain the location of the key. In most operational circumstances, law enforcement agencies would then likely prefer to obtain a warrant to copy the key covertly, so that surreptitious surveillance of data could continue, or to commence a search with certain knowledge of the key. This is the logic underlying the hesitation of the United States to enact, and the decision of Ireland and Germany to eschew, such decryption powers altogether.

The view of most independent specialists in information security is that law enforcement will of necessity develop advanced bugging technologies, specifically designed to steal keys from targeted computers (under appropriate warrants). Various methods are well understood and under development, particularly by the NSA and FBI in the United States, including use of computer software “viruses” which exploit obscure security weaknesses in commercial software.

The “tipping-off” (S.50) offence also has grave conceptual flaws. An isolated individual could be prevented from “tipping-off” himself (!) for reasons of “maintaining the effectiveness...of investigatory techniques generally” (50.2). The explicit generality of this exemption would permit its operation as a catch-all gagging clause to prevent ventilation of oppressive abuse.

There is also the practical issue that the duties on specified authorities (S.51) do not mention adequate technical security requirements or costs of guarding seized keys[5]. Estimating from the measures employed to guard official HMG key material suggests either that these represent very substantial undeclared costs, or that the safety and security of innocent key owners will sometimes be seriously undermined[6]. There is no mention of the “central repository”[7] that the government thought necessary to secure seized keys in the 1997 DTI proposals on encryption.

In summary, the entire Part.III framework of decryption powers is unsatisfactory because it not only fails to ensure adequate punishment for the guilty, but it provides no reliable (indeed only a tarnished) defence for the innocent. Since corporate officers bear a personal criminal liability (S.69), company lawyers may routinely advise Directors that keys should voluntarily be deposited with a reputable third-party. It is too early to tell if this will lead to significant flight of e-business from the UK, but it could be interpreted as a policy of “key-escrow by intimidation”[8]. It is worth emphasising that new editions of Microsoft Windows now ship with strong encryption built-in, and will henceforth be available to millions of ordinary computer users who will lose or forget keys as easily and as often as a cash-point PIN number.


[1] Mrs. Elizabeth France, Data Protection Registrar, Minutes of Evidence taken before the Trade and Industry Committee, 9th March 1999, para.480 http://www.publications.parliament.uk/pa/cm199899/cmselect/cmtrdind/187/9030904.htm

[2] www.harlequin.co.uk

[3] By kind permission of Dr.Charles Lindsey http://www.cs.man.ac.uk/~chl/schedule1.html

[4] In The Matter Of The Draft Electronic Communications Bill And In The Matter Of A Human Rights Audit For Justice And FIPR (http://www.fipr.org/ecomm99/ecommaud.html), Prof.Jack Beatson QC and Tim Eicke, Essex Court Chambers, 7 October 1999

[5] The Home Office Regulatory Impact Assessment (http://www.homeoffice.gov.uk/oicd/riapt3.htm) only states that "providing actual figures on compliance costs is difficult at this stage".

[6] The Regulation of Investigatory Powers Bill – The Provisions for Government Access to Keys, by Dr B. R. Gladman (FIPR) http://www.fipr.org/rip/RIPGAKBG.pdf

[7] para.71, ‘Licensing of TTPs for the Provision of Encryption Services’, DTI 1997.

[8] A narrow but literal reading of 49.2.b and 49.3.c would suggest that unless sufficient information is provided which “enable(s) possession of the key to be obtained”, they cannot fulfil the technical conditions of the statutory defence. In other words even if the key no longer exists (or is forgotten), the judge could direct a jury to convict because the key was not in the end obtained.