link to briefings documents at

Regulation of Investigatory Powers Act (2000) – commentary


by James Hammerton

back to index page


Everyone has the right to respect for his private and family life, his home and his correspondence.
Article 8(1) of the European Convention on Human Rights.

This document summarises the incursions into civil liberties of the Regulation of Investigatory Powers Act (RIPA), which was passed in the UK in July 2000. This act can be found at the HMSO web-site.


  • Summary
  • Detailed discussion


The RIPA allows the government to access a person's electronic communications in a very unrestricted manner, thus infringing in the privacy of their correspondance in a manner many would not tolerate regarding their postal communications. The act:


return to index in 'Regulation of Investigatory Powers Act (2000) - a commentary' document on


Detailed discussion

The RIPA incurs into civil liberties in several ways:
    The government can demand that a public telecommunications service intercepts an individual's communications
    The act's "interception warrants" can be served for purposes of "national security", "preventing or detecting serious crime" or "safeguarding the economic well-being of the UK". These (undefined) terms are so vague as to be applicable to just about anyone.

    For example, the communications of businessmen negotiating deals with foreign companies could easily fall under "safeguarding of the economic well-being of the UK" within the plain English meaning of the term.

    The definition of public telecommunications services is broad and could apply to internet services providers, phone companies, or even someone running a web site.

    When an ISP is served with an interception warrant, it has to comply and it may not reveal this fact to anyone ever. Thus you wouldn't even know that the government was doing this to you.

    See sections 1 to 5 (which define unlawful and authorised interceptions) and 6 to 11 (which define interception warrants and associated powers and duties). Take note of the definition of "public telecommunications service" in section 2, and the legal requirements on people served with return to index in 'Regulation of Investigatory Powers Act (2000) - a commentary' document on an interception warrant in section 11.

    The Home Secretary can serve interception warrants to perform mass surveillance
    Whilst the interception warrants normally have to specify the communications of an individual or set of premises to intercept, under certain circumstances the home secretary can order that the "external communications" of a telecommunications service be intercepted (e.g. all the internet traffic flowing through a particular ISP's machines) if he deems it necessary for purposes of national security, preventing/detecting serious crime or safe guarding the UK's economic well being.

    The exceptions allowed here could be used to perform mass surveillance of internet traffic (or phone calls) and again allow such use on vague grounds that would allow the Home Secretary to use it in just about any circumstances.

    See sections 8(4) to 8(6) which specify that an interception warrant should specify the communications data of an individual or a set of premises to be monitored, but then allows an exception for the above stated grounds.

    The government can require ISPs to fit equipment that enables them to do perform surveillance
    The government will however contribute to the costs of doing so.

    Apart from the hassle this will cause to ISPs this could allow the government to require ISPs to install "back doors" into their systems for the purposes of monitoring. Furthermore there is no requirement that the design of such equipment be public, and given the tone of the act and the secretive nature of the government organisations likely to use this (GCHQ, MI5) it is likely such designs would remain secret.

    The affected ISPs' security could be seriously compromised since it is possible not only that corrupt government officials could abuse such powers, but that such systems would be vulnerable to attacks from hackers who find out about the back doors.

    The history of computer network security demonstrates that such back doors are serious vulnerabilities and that the best way to remain maximally secure is for one's security system to be publicly open to expert evaluation. This requirement serious undermines that and will damage the development of the trust and security required for e-commerce. return to index in 'Regulation of Investigatory Powers Act (2000) - a commentary' document on

    See sections 12 to 14 (on interception capability and costs).


    The government can demand that decryption keys be handed over in order to access protected information,
    where the person concerned has or has had the keys and does not have the information.

    It is an offence not to hand over such a key on pain of 2 years imprisonment. You are deemed to have possessed the key if you possessed it at any time before the disclosure notice was served, unless you can show you did not have it after the time the notice was served and before the time you were required to disclose it. You are taken to show that you did not possess it at the relevant time if you can adduce sufficient evidence to raise an issue with respect to this matter and the contrary is not proved beyond reasonable doubt.

    Note that if you ever had the key you will have to produce evidence you no longer have it, i.e. provide evidence for a negative. Also, if the notice requiring disclosure demands secrecy it is an offence to let anyone know that you've been asked to hand over the key(s) in question on pain of 5 years imprisonment.

    The legal requirements here undermine the use of public key systems, such as PGP, to protect information that is communicated between people. Whilst it is possible to set things up to minimise this impact and even circumvent these powers, this simply imposes costs on ordinary users who wish to keep their communications secret for any reason (criminals can circumvent these powers anyway!), and also puts people who use PGP at risk of having to disclose their private keys (thus compromising the security of all the info sent to them) or going to prison for destroying, forgetting or losing a key. return to index in 'Regulation of Investigatory Powers Act (2000) - a commentary' document on

    See sections 49 to 56 which define the powers and offences related to this issue. See also Schedule 2.


    The government can access internet traffic data
    for the purposes of national security, prevention/detection of crime, in the interests of the UK's economic well being, in the interests of public safety, for protecting public health, for tax assessment/collection, for preventing death/injury or damage to a person's health in the event of an emergency and for any reason the Secretary of State deems fit. Internet traffic data falls under the definition of "communications data" described in section 21.

    The problem with this is that it enables the electronic equivalent of putting someone on surveillance for any reason whatsoever. The listed reasons are all vague and if that doesn't cover it the Home Secretary can authorise it for his own reasons anyway. The state can thus gather information such as what websites you visit and when, who you email, who emails you, what newsgroups you read, all the phone numbers you call, what software you've downloaded, what documents you've downloaded, where and when you log on to a machine and from where you logged on, etc. Essentially any government department or any police officer can demand this information, as long as it is deemed to be required under the grounds listed above.

    Sections 21 to 25 detail how communications data can be accessed and what is regarded as communications data.

    It is illegal for surveillance data to be used in legal proceedings
    This means that were the government to illegitimately intercept your communications, the surveilled data cannot be used in a court of law, the existence of a surveillance data cannot be mentioned in a court of law, and that surveillance cannot be used to provide evidence to be used in a court of law.

    The main objection here is that if someone has illegitimately been the subject of an interception warrant there is no legal way for them to know about it (except through investigation by a tribunal and very limited circumstances).

    See section 17 of the act describes the exclusions discussed above. Sections 65-70 describe a tribunal that can investigate the use of interception return to index in 'Regulation of Investigatory Powers Act (2000) - a commentary' document on magnacartaplus.orgwarrants, however any complaints must be made within a year for this to occur.


James Hammerton



© 2000, 12 September

the address for this document is

1445 words
prints as 5 A4 pages (on my printer and set-up)

link to briefings documents at