Regulation of Investigatory Powers Act (2000) commentary
by James Hammerton
Everyone has the right to respect for his private and
family life, his home and his correspondence.
The RIPA allows the government to access a person's electronic communications in a very unrestricted manner, thus infringing in the privacy of their correspondance in a manner many would not tolerate regarding their postal communications. The act:
enables mass surveillance of communications in transit;
enables the government to demand ISPs fit equipment to facilitate surveillance;
enables the government to demand that someone hands over keys to protected information;
allows the government to monitor people's internet activities;
prevents the existence of interception warrants and any data collected with them from being revealed in court
The act's "interception warrants" can be served for purposes of "national security", "preventing or detecting serious crime" or "safeguarding the economic well-being of the UK". These (undefined) terms are so vague as to be applicable to just about anyone.
For example, the communications of businessmen negotiating deals with foreign companies could easily fall under "safeguarding of the economic well-being of the UK" within the plain English meaning of the term.
The definition of public telecommunications services is broad and could apply to internet services providers, phone companies, or even someone running a web site.
When an ISP is served with an interception warrant, it has to comply and it may not reveal this fact to anyone ever. Thus you wouldn't even know that the government was doing this to you.
See sections 1 to 5 (which define unlawful and authorised interceptions) and 6 to 11 (which define interception warrants and associated powers and duties). Take note of the definition of "public telecommunications service" in section 2, and the legal requirements on people served with an interception warrant in section 11.
The Home Secretary can serve interception
warrants to perform mass surveillance
The exceptions allowed here could be used to perform mass surveillance of internet traffic (or phone calls) and again allow such use on vague grounds that would allow the Home Secretary to use it in just about any circumstances.
See sections 8(4) to 8(6) which specify that an interception warrant should specify the communications data of an individual or a set of premises to be monitored, but then allows an exception for the above stated grounds.
Apart from the hassle this will cause to ISPs this could allow the government to require ISPs to install "back doors" into their systems for the purposes of monitoring. Furthermore there is no requirement that the design of such equipment be public, and given the tone of the act and the secretive nature of the government organisations likely to use this (GCHQ, MI5) it is likely such designs would remain secret.
The affected ISPs' security could be seriously compromised since it is possible not only that corrupt government officials could abuse such powers, but that such systems would be vulnerable to attacks from hackers who find out about the back doors.
The history of computer network security demonstrates that such back doors are serious vulnerabilities and that the best way to remain maximally secure is for one's security system to be publicly open to expert evaluation. This requirement serious undermines that and will damage the development of the trust and security required for e-commerce.
See sections 12 to 14 (on interception capability and costs).
The government can demand that decryption keys be handed over in order to access protected information,
where the person concerned has or has had the keys and does not have the information.
It is an offence not to hand over such a key on pain of 2 years imprisonment. You are deemed to have possessed the key if you possessed it at any time before the disclosure notice was served, unless you can show you did not have it after the time the notice was served and before the time you were required to disclose it. You are taken to show that you did not possess it at the relevant time if you can adduce sufficient evidence to raise an issue with respect to this matter and the contrary is not proved beyond reasonable doubt.
Note that if you ever had the key you will have to produce evidence you no longer have it, i.e. provide evidence for a negative. Also, if the notice requiring disclosure demands secrecy it is an offence to let anyone know that you've been asked to hand over the key(s) in question on pain of 5 years imprisonment.
The legal requirements here undermine the use of public key systems, such as PGP, to protect information that is communicated between people. Whilst it is possible to set things up to minimise this impact and even circumvent these powers, this simply imposes costs on ordinary users who wish to keep their communications secret for any reason (criminals can circumvent these powers anyway!), and also puts people who use PGP at risk of having to disclose their private keys (thus compromising the security of all the info sent to them) or going to prison for destroying, forgetting or losing a key.
See sections 49 to 56 which define the powers and offences related to this issue. See also Schedule 2.
The government can access internet
The problem with this is that it enables the electronic equivalent of putting someone on surveillance for any reason whatsoever. The listed reasons are all vague and if that doesn't cover it the Home Secretary can authorise it for his own reasons anyway. The state can thus gather information such as what websites you visit and when, who you email, who emails you, what newsgroups you read, all the phone numbers you call, what software you've downloaded, what documents you've downloaded, where and when you log on to a machine and from where you logged on, etc. Essentially any government department or any police officer can demand this information, as long as it is deemed to be required under the grounds listed above.
Sections 21 to 25 detail how communications data can be accessed and what is regarded as communications data.
It is illegal for surveillance data to be used in legal
The main objection here is that if someone has illegitimately been the subject of an interception warrant there is no legal way for them to know about it (except through investigation by a tribunal and very limited circumstances).
See section 17 of the act describes the exclusions discussed above. Sections 65-70 describe a tribunal that can investigate the use of interception warrants, however any complaints must be made within a year for this to occur.
© magnacartaplus.org 2000, 12 September
the address for this document is http://www.magnacartaplus.org/http://www.magnacartaplus.org/bills/rip/index.htm