SCN: Brits

Steve steve at advocate.net
Fri Jun 9 17:07:04 PDT 2000


=======================

A Bill which is slipping through the House of Lords will allow MI5 
access to all our online communications, says John Naughton. It 
could mean we're all guilty until proven innocent. So why don't we 
care more?  

(London Observer)---When you wake on Thursday 5 October next, 
you will find yourself living in a different country. An ancient bulwark 
of English law - the principle that someone is presumed innocent 
until proven guilty - will have been overturned. And that is just for 
starters. From that date also the police and security services will 
enjoy sweeping powers to snoop on your email traffic and web use 
without let or hindrance from the Commissioner for Data Protection.  

Every UK internet service provider (ISP) will have to install a black 
box which monitors all the data-traffic passing through its 
computers, hard-wired to a special centre currently being installed in 
MI5's London headquarters. This new mass surveillance facility is 
called the Government Technical Assistance Centre (GTAC). Who 
said Jack Straw had no sense of humour?  

The Regulation of Investigatory Powers (RIP) Bill which is now 
before the Lords gives the Home Secretary powers of interception 
and surveillance which would be the envy of the most draconian 
regime. In addition to encroaching on civil liberties, the same Bill 
will also drive hordes of e-commerce companies from Britain to 
countries like Ireland where their encryption keys - extended pin 
numbers allowing users to decipher jumbled data - will be protected 
from government prying. An administration which complains 
continually about making Britain 'the most e-friendly country in the 
world' by 2002 is busily making sure that exactly the opposite 
happens.  

How has this extraordinary state of affairs come about? Is it another 
manifestation of the cock-up theory of history, or are there more 
sinister forces at work? The answer is a bit of both. For some time, it 
has been obvious to Ministers and civil servants that British law 
needed updating to cope with the internet. In an era when online 
trading becomes ubiquitous, for example, some way has to be found 
of making 'digital signatures' legally valid. Accordingly, a special 
Cabinet Office unit headed by Professor Jim Norton set to work to 
devise a new legislative framework for the emerging world of 
e-commerce and online communications. The main result of his labour 
was the Electronic Commerce Bill.  

As that Bill went through its Parliamentary hoops, it became clear 
that some parts of it - mainly the sections dealing with data 
encryption, interception and surveillance - were so deeply flawed 
that they threatened to sink the Bill. Given the Government's desire 
to make headway on the e-commerce front, the problematic sections 
were eventually jettisoned and the Electronic Commerce Bill 
became law in 1999.  

It was a smart decision, but it left unresolved the problem of what to 
do about the encryption stuff. The DTI, smarting from its bruising at 
the hands of the computer scientists who had comprehensively 
shredded the original encryption proposals, wanted nothing more to 
do with it. Accordingly the poisoned chalice passed to the Home 
Office, which knows little of business and even less about the 
internet, but is endlessly attentive to the needs of the police, the 
security services and the Byzantine imperatives of official secrecy. 
The RIP Bill is the fruit of that secretive bureaucratic milieu.  

The official rationale for the legislation is that it is required to bring 
UK law into conformance with the European Convention on Human 
Rights. In the end, this will have to be tested in the courts, but 
Straw's confidence is not shared by the Commons Trade & Industry 
Select Committee which last October recommended that the 
Government publish a detailed analysis to substantiate its 
confidence that the Bill does not contravene the Convention. This 
the Government has so far declined to do.  

The Bill has four main parts. The first deals with the interception of 
communications. The second covers 'surveillance and covert human 
intelligence sources'. The third tackles encryption and the fourth 
covers the 'scrutiny of investigatory powers and of the functions of 
the intelligence services'. Parts I to III propose massive extensions 
of the state's powers to spy on its citizens while the fourth suggests 
a regulatory regime which seems laughably inadequate to anyone 
familiar with internet technology. All sections of the Bill have been 
heavily criticised by external experts and a small number of 
committed MPs, but the legislation has passed through its 
Commons scrutiny with its central provisions intact.  

Part I gives the Home Secretary the power to issue a warrant 
requiring ISPs to intercept the communications of one or more of 
their subscribers. The problem is that the internet is not like the 
telephone system - where it is technically feasible to tap into a 
particular individual's communications link. In order to monitor a 
person's internet traffic, you have to tap into all the traffic running 
through his or her ISP. As a result, the expectation is that Part I of 
the Bill will be implemented using so-called 'passive monitoring': 
ISPs will be required to install a 'black box' which will monitor all 
their data traffic and pass it to the GTAC centre.  

The news that henceforth all UK internet traffic will find its way to 
MI5 does not seem to have yet reached MPs, most of whom don't 
understand the technology and assume that the Home Office must 
know what it is doing. Defenders of the Bill point out that MI5 can 
only legally read the content of communications for which specific 
warrants exist, which is true. But they fail to notice that the Bill 
affords no such protection to the pattern of one's internet 
connections.  

In other words, while MI5 may need a warrant actually to read your 
email, many other people will have essentially unregulated access 
to logs of the websites you access, the pages you download, the 
addresses of those with whom you exchange email, the discussion 
groups to which you belong and the chat rooms you frequent - in 
short, a comprehensive record of what you do online and with whom. 
It will be interesting to see how this squares with the European 
Convention's requirements about privacy.  

It is Part III of the Bill, however, which is most likely to contravene 
the Convention. Section 46 gives the Home Secretary the power to 
compel the surrender of keys used to encrypt communications data. 
Failure to comply carries a prison sentence of two years. If someone 
cannot comply because they have lost or forgotten the key then they 
have to prove that to the satisfaction of a court. In other words, the 
burden of proof is shifted from the prosecution to the defence - one 
is presumed guilty until proved innocent. And how do you prove that 
you have forgotten something?  

Even more oppressive is the Bill's creation of a secondary offence - 
revealing that you have been required to supply, or supplied, a 
decryption key - which carries an even stiffer penalty. Under the 
terms of the Bill, for example, the police could arrive at 4am and 
demand that you produce such a key. If you were unable to comply 
and were taken in for questioning, it would be a criminal offence 
punishable by five years' imprisonment to explain to your family 
why you were being dragged off.  

Civil liberties campaigners are predictably opposed to the RIP Bill. 
But it is also widely opposed by the business community. Even 
Professor Norton, the architect of the Government's e-commerce 
legislation, describes the proposals as 'a classic own goal' that will 
undermine the aim of making Britain a centre for e-commerce. 
Encryption is central to e-business, and many companies have 
contractual agreements with clients for whom they hold 
cryptographic keys. Under the RIP Bill they would be banned from 
revealing that they had surrendered a key and thereby compromised 
the client's security.  

'This is a clear case,' says Norton, 'of the futility of government 
treating internet policy as a national issue when what is needed is 
international agreement. A UK firm which handed over the key of a 
multinational client would be vulnerable to a compensation claim in 
an overseas court for compromising that client's global security. US 
businesses are not happy about that liability and will opt to work in 
countries like Ireland.'  

The most astonishing thing about Straw's pre-emptive strike on civil 
liberties and e-commerce is that, to date, there has been almost no 
public discussion of it. The Ministers driving his Bill through 
Parliament concede that the powers they seek are sweeping, but 
argue that they can be trusted to apply them reasonably and that in 
any case the powers are commensurate with the threat from online 
criminals, terrorists, paedophiles and pornographers. In the 
absence of proper safeguards, the first argument is absurd.  

As far as the second is concerned, nobody has yet produced any 
convincing empirical evidence that the supposed threats are more 
than the fantasies of security services and hysterical projections of 
some newspapers. The internet undoubtedly provides a conduit for 
criminal conversations and pornographic transactions. But then so 
does the telephone system and the Royal Mail, and yet nobody 
proposes tapping every phone in the land or scanning every letter. A 
terrifying erosion in our liberties is being planned, yet the threat is 
largely ignored.  

Could it be that this collective passivity is because, for most 
citizens, the liberties that are being eroded lie in the future rather 
than the present? Most people do not currently encrypt their email, 
even though an unencrypted email is as vulnerable to snooping as 
an ordinary postcard. But in five years' encryption will have become 
a necessity.  

Human nature being what it is, people will lose or forget their 
decryption keys - and some will find themselves attempting to 
convince a judge that they are not paedophiles feigning amnesia to 
qualify for a shorter sentence. Will they then remember Burke's 
warning that for evil to triumph it is necessary only for good men to 
do nothing? And will they wonder why they had not been more 
alarmed on the morning of 5 October 2000?  

Copyright 2000 Guardian Newspapers Limited




