[FYI] (Fwd) Observer 4/6/2000: "Your privacy ends here"
- To: debate@fitug.de
- Subject: [FYI] (Fwd) Observer 4/6/2000: "Your privacy ends here"
- From: "Axel H Horns" <horns@t-online.de>
- Date: Sun, 4 Jun 2000 11:22:40 +0100
- CC: krypto@thur.de
- Comment: This message comes from the debate mailing list.
- Organization: PA Axel H Horns
- Reply-to: horns@t-online.de
- Sender: owner-debate@fitug.de
------- Forwarded message follows -------
From: "Caspar Bowden" <cb@fipr.org>
To: "FIPR News Archive \(E-mail\)" <news_archive@fipr.org>,
"FIPR-AC \(E-mail\)" <fipr-ac@netlists.liberty.org.uk>,
"Ukcrypto \(E-mail\)" <ukcrypto@maillist.ox.ac.uk>
Subject: Observer 4/6/2000: "Your privacy ends here"
Date sent: Sun, 4 Jun 2000 00:56:41 +0100
Send reply to: ukcrypto@maillist.ox.ac.uk
http://www.observer.co.uk/focus/story/0,6903,328071,00.html
Your privacy ends here
A Bill which is slipping through the House of Lords will allow MI5
access to all our online communications, says John Naughton. It could
mean we're all guilty until proven innocent. So why don't we care
more?
Free speech on the net: special report
Sunday June 4, 2000
When you wake on Thursday 5 October next, you will find yourself
living in a different country. An ancient bulwark of English law -
the principle that someone is presumed innocent until proven guilty -
will have been overturned. And that is just for starters. From that
date also the police and security services will enjoy sweeping powers
to snoop on your email traffic and web use without let or hindrance
from the Commissioner for Data Protection. Every UK internet service
provider (ISP) will have to install a black box which monitors all
the data-traffic passing through its computers, hard-wired to a
special centre currently being installed in MI5's London
headquarters. This new mass surveillance facility is called the
Government Technical Assistance Centre (GTAC). Who said Jack Straw
had no sense of humour?
The Regulation of Investigatory Powers (RIP) Bill which is now before
the Lords gives the Home Secretary powers of interception and
surveillance which would be the envy of the most draconian regime. In
addition to encroaching on civil liberties, the same Bill will also
drive hordes of e-commerce companies from Britain to countries like
Ireland where their encryption keys - extended pin numbers allowing
users to decipher jumbled data - will be protected from government
prying. An administration which complains continually about making
Britain 'the most e-friendly country in the world' by 2002 is busily
making sure that exactly the opposite happens.
How has this extraordinary state of affairs come about? Is it another
manifestation of the cock-up theory of history, or are there more
sinister forces at work? The answer is a bit of both. For some time,
it has been obvious to Ministers and civil servants that British law
needed updating to cope with the internet. In an era when online
trading becomes ubiquitous, for example, some way has to be found of
making 'digital signatures' legally valid. Accordingly, a special
Cabinet Office unit headed by Professor Jim Norton set to work to
devise a new legislative framework for the emerging world of
e-commerce and online communications. The main result of his labour was
the Electronic Commerce Bill.
As that Bill went through its Parliamentary hoops, it became clear
that some parts of it - mainly the sections dealing with data
encryption, interception and surveillance - were so deeply flawed
that they threatened to sink the Bill. Given the Government's desire
to make headway on the e-commerce front, the problematic sections
were eventually jettisoned and the Electronic Commerce Bill became
law in 1999.
It was a smart decision, but it left unresolved the problem of what
to do about the encryption stuff. The DTI, smarting from its bruising
at the hands of the computer scientists who had comprehensively
shredded the original encryption proposals, wanted nothing more to do
with it. Accordingly the poisoned chalice passed to the Home Office,
which knows little of business and even less about the internet, but
is endlessly attentive to the needs of the police, the security
services and the Byzantine imperatives of official secrecy. The RIP
Bill is the fruit of that secretive bureaucratic milieu.
The official rationale for the legislation is that it is required to
bring UK law into conformance with the European Convention on Human
Rights. In the end, this will have to be tested in the courts, but
Straw's confidence is not shared by the Commons Trade & Industry
Select Committee which last October recommended that the Government
publish a detailed analysis to substantiate its confidence that the
Bill does not contravene the Convention. This the Government has so
far declined to do.
The Bill has four main parts. The first deals with the interception
of communications. The second covers 'surveillance and covert human
intelligence sources'. The third tackles encryption and the fourth
covers the 'scrutiny of investigatory powers and of the functions of
the intelligence services'. Parts I to III propose massive extensions
of the state's powers to spy on its citizens while the fourth
suggests a regulatory regime which seems laughably inadequate to
anyone familiar with internet technology. All sections of the Bill
have been heavily criticised by external experts and a small number
of committed MPs, but the legislation has passed through its Commons
scrutiny with its central provisions intact.
Part I gives the Home Secretary the power to issue a warrant
requiring ISPs to intercept the communications of one or more of
their subscribers. The problem is that the internet is not like the
telephone system - where it is technically feasible to tap into a
particular individual's communications link. In order to monitor a
person's internet traffic, you have to tap into all the traffic
running through his or her ISP. As a result, the expectation is that
Part I of the Bill will be implemented using so-called 'passive
monitoring': ISPs will be required to install a 'black box' which
will monitor all their data traffic and pass it to the GTAC centre.
The news that henceforth all UK internet traffic will find its way to
MI5 does not seem to have yet reached MPs, most of whom don't
understand the technology and assume that the Home Office must know
what it is doing. Defenders of the Bill point out that MI5 can only
legally read the content of communications for which specific
warrants exist, which is true. But they fail to notice that the Bill
affords no such protection to the pattern of one's internet
connections.
In other words, while MI5 may need a warrant actually to read your
email, many other people will have essentially unregulated access to
logs of the websites you access, the pages you download, the
addresses of those with whom you exchange email, the discussion
groups to which you belong and the chat rooms you frequent - in
short, a comprehensive record of what you do online and with whom. It
will be interesting to see how this squares with the European
Convention's requirements about privacy.
It is Part III of the Bill, however, which is most likely to
contravene the Convention. Section 46 gives the Home Secretary the
power to compel the surrender of keys used to encrypt communications
data. Failure to comply carries a prison sentence of two years. If
someone cannot comply because they have lost or forgotten the key
then they have to prove that to the satisfaction of a court. In other
words, the burden of proof is shifted from the prosecution to the
defence - one is presumed guilty until proved innocent. And how do
you prove that you have forgotten something?
Even more oppressive is the Bill's creation of a secondary offence -
revealing that you have been required to supply, or supplied, a
decryption key - which carries an even stiffer penalty. Under the
terms of the Bill, for example, the police could arrive at 4am and
demand that you produce such a key. If you were unable to comply and
were taken in for questioning, it would be a criminal offence
punishable by five years' imprisonment to explain to your family why
you were being dragged off.
Civil liberties campaigners are predictably opposed to the RIP Bill.
But it is also widely opposed by the business community. Even
Professor Norton, the architect of the Government's e-commerce
legislation, describes the proposals as 'a classic own goal' that
will undermine the aim of making Britain a centre for e-commerce.
Encryption is central to e-business, and many companies have
contractual agreements with clients for whom they hold cryptographic
keys. Under the RIP Bill they would be banned from revealing that
they had surrendered a key and thereby compromised the client's
security.
'This is a clear case,' says Norton, 'of the futility of government
treating internet policy as a national issue when what is needed is
international agreement. A UK firm which handed over the key of a
multinational client would be vulnerable to a compensation claim in
an overseas court for compromising that client's global security. US
businesses are not happy about that liability and will opt to work in
countries like Ireland.'
The most astonishing thing about Straw's pre-emptive strike on
civil liberties and e-commerce is that, to date, there has been
almost no public discussion of it. The Ministers driving his Bill
through Parliament concede that the powers they seek are sweeping,
but argue that they can be trusted to apply them reasonably and that
in any case the powers are commensurate with the threat from online
criminals, terrorists, paedophiles and pornographers. In the absence
of proper safeguards, the first argument is absurd.
As far as the second is concerned, nobody has yet produced any
convincing empirical evidence that the supposed threats are more than
the fantasies of security services and hysterical projections of some
newspapers. The internet undoubtedly provides a conduit for criminal
conversations and pornographic transactions. But then so does the
telephone system and the Royal Mail, and yet nobody proposes tapping
every phone in the land or scanning every letter. A terrifying
erosion in our liberties is being planned, yet the threat is largely
ignored.
Could it be that this collective passivity is because, for most
citizens, the liberties that are being eroded lie in the future
rather than the present? Most people do not currently encrypt their
email, even though an unencrypted email is as vulnerable to snooping
as an ordinary postcard. But in five years' encryption will have
become a necessity.
Human nature being what it is, people will lose or forget their
decryption keys - and some will find themselves attempting to
convince a judge that they are not paedophiles feigning amnesia to
qualify for a shorter sentence. Will they then remember Burke's
warning that for evil to triumph it is necessary only for good men to
do nothing? And will they wonder why they had not been more alarmed
on the morning of 5 October 2000?
Rest of the world
Most countries impose no restrictions on the use of encryption by
their citizens. The exceptions tend to be authoritarian regimes such
as those in Russia and China.
IRELAND: New e-commerce Bill makes it illegal for government to
access commercial cryptographic keys.
FRANCE: The government has recently announced a new policy of totally
relaxing controls on domestic use of encryption.
US: No domestic controls on use of cryptography, though Washington
looks enviously at the UK RIP bill.
GERMANY: Has long been the European leader in opposing restrictions
on citizens' use of encryption.
Over the coming weeks The Observer will print a series of articles
and opinion pieces on the proposed RIP Bill. If you wish to voice
your opinion online you can do so at www.observer.co.uk. To find out
more about the Bill see www.fipr.org/rip/
------- End of forwarded message -------