Security - RIP

If you thought the acronym RIP meant Rest In Peace then you have another think coming, because you will be doing anything but resting in peace once the new Regulation of Investigatory Powers (RIP) bill comes into effect later this year. And if you thought the phrase "innocent until proved guilty" was a given in the British justice system, then think again once the aforementioned bill is passed, at which point a whole raft of civil liberties that we have taken for granted until now could simply disappear, laid to rest, RIP.

Because once the RIP bill makes it onto the statute books, the basic idea is that all Internet communications that pass through the UK can be copied automatically and in full to the spooks at MI5. The idea is that government agencies, with a suitable warrant, of course, should be able to tap into any Internet communication travelling to or from any particular user. In fact, they will be able to access all your e-mails, follow your on-line purchases, and even check out which Web sites you are browsing in real time.

How is this to be achieved? Well, the onus seems to be falling on the ISPs at the moment to install some form of "black box" monitoring system within their network that would allow traffic passing across that network to be copied to a third party. Large companies may also be forced to install such devices and, predictably, neither they nor the ISPs are falling over themselves to support such measures, given that there will be significant costs involved, not to mention the privacy issues.

Home Office spokespersons are quick to point out that police powers to intercept communications under the new bill will actually be restricted more than they are at present and that these powers will only be used in defence of national security or on suspicion of serious crime, like narcotics smuggling or terrorism.
Nice words, but will those of us who know just how easy it is to tap into Internet communications at the best of times really sleep easy knowing that the spooks have a ready-made wire tap in every ISP in the country?

Still, not to worry, we can always encrypt all our data; that will put a spanner in their works, eh? Not really, since the powers relating to encryption are even more draconian than those relating to interception, and it is these powers that are likely to have the most profound effect on e-commerce in the UK. The new bill allows the Home Office and its representatives to demand that encryption keys be handed over to the authorities, with penalties for failure to comply including two years in jail.

Note that this applies even to those organisations holding keys for third parties. So if you are a key escrow agency or are simply holding a copy of a key for a business partner, you can be forced to give it up. And you are not allowed to tell the person who owns the key that you have been asked to hand it over, meaning that the person in question will continue to use the key even though it is no longer secure. If you do tip someone off, the penalty here can be up to five years in jail.

Nor is it any defence to say that you no longer possess the key. The burden of proof has now shifted to the victim (sorry, I mean alleged perpetrator, of course) to convince the authorities that the key is no longer, or indeed never was, in their possession. This smacks of "guilty until you can prove you are innocent", and flies in the face of everything we have come to hold dear about our wonderful democracy and its legal system.
It would appear, after the latest reading in the House of Lords, that this reverse burden of proof will be removed or toned down in the final bill, and the Home Office has been quick to point out that they are not trying to send people to jail for forgetting their passwords or losing keys. But if the legislation is there, there is always the scope for it to be misused, and the ramifications for businesses wanting to conduct commerce on the Internet could be serious.

Under one RIP provision, company directors would be held legally responsible for company data and the control of a business's encryption keys. Directors would be subject to fines or imprisonment if keys were lost.

How effective will these measures be against money launderers, child pornographers and drug traffickers? My guess is that the effect on such lowlifes will be minimal, to say the least. But the effect on legitimate users, and on business-to-business (B2B) communications in particular, could be far reaching and potentially very damaging.

The government's stated desire to make Britain (and I quote from the Department of Trade and Industry document entitled Promoting Electronic Commerce) "the best environment for electronic business by 2002" certainly cannot be helped by such legislation. The only way the government will achieve this is to abandon this crippled bill and start again from scratch, this time listening to industry experts who actually know what they are talking about. Otherwise, it could well be a case of UK e-commerce, RIP.