Who's Been Snooping In MY Inbox?
If you ever read the London Times, you'll know that there are a
few things currently taking a beating in the British press. Most recently
is Peter Mandelson, former Northern Ireland Secretary, for alleged
misconduct; most famously is millions of British cows who may or may not
be feeling very well; and in the high-tech sector, and most appropriate to
this column, there is the Regulation of Investigatory Powers (RIP) Bill, a
wide-ranging piece of legislation implemented to track criminal activity
on the Internet. The RIP Bill (whose acronym provides generous fodder for
the notoriously large-typed and alliterative British tabloid headlines)
was passed in July of last year and, apparently, has enjoyed a level of
popularity in the U.K. formerly reserved only for fish milkshakes.
The gist of the legislation, which was spun off as a separate bill from
the already-passed Electronic Communications Bill, is as follows. In order
to prosecute criminal activity conducted via the Internet, British law
enforcement agencies can demand interception of electronic communications
that pass under the lintels of U.K.-based Internet service providers and
businesses, allow surveillance of e-mail suspected to reveal criminal
activity, use informants, and decrypt coded e-mail. Some ISPs may be
required to install a "black box" that will allow for
interception of all Internet traffic through that ISP. All organizations
may be required to decrypt contentious information and provide the
government with full access to any and all electronic communication. (An
earlier version of the bill was modifieda first draft would have
required businesses to turn over their encryption processes lock, stock
and barrel, rather than the modified version, which requires them to
decode certain communications on a case-by-case basis.)
It's not quite as alarming as it sounds, despite the moderate level of
media-inspired hysteria it launched. Notice use of the words "can
demand access" and "may be required." The British
government has stressed the law has not been implemented so low-level
government agents can sit at their desks and monitor titillating e-mails
exchanged between friends about their weekends. However, it still poses
some interesting problems for U.K.-based businesses.
It's a hard issue to approach without sounding like a script for an
episode of The X-Files. ("You've SEEN the e-mails, Scully,
what do you THINK the Home Office is doing with them? Papering their bird
cages?") The British government's official line is that the RIP Bill
is just another arm of its right to tap the phone calls of suspected
criminals. The U.S. government, obviously, does this too, provided they
have a warrant to do so. (Helloooooo, FBI.) Supporters of the U.K. bill
point out that monitoring can only be undertaken with a warrant signed and
sealed personally by the Home Secretary, Mr. Jack Straw, or by someone who
sits very close to him. In other words, if a warrant gets signed to come
after your electronic communications, chances are you've been very, very
bad and deserve it. Any interception warrants must be authorized by an
independent Commissioner, who must be either a sitting judge or a former
judge. A great deal of the misunderstanding and junk-press-spawned
hysteria seems to have derived from the assumption that a warrant is not
needed. It is.
In a nutshell, unless you're buying plutonium from Azerbaijan via
e-mail, chances are pretty good the British government won't have its
fingers in your e-mail inbox, nor will the men in black show up on your
But you never can tell, can you?
Opponents of the law, which include organizations such as Amnesty
International, most U.K.-based Internet service providers and businesses
who deal in sensitive information (such as financial institutions), not to
mention the British public in general, have been vocal and emphatic. The
public objects to the invasion of privacy, the banks object to the
possibility of having to turn over private consumer data, and the Internet
service providers, who will likely take the lion's share of the burden,
are wondering about their future viability in the U.K. Many ISPs have
begun making not-so-idle comments about moving their operations off-shore
to avoid having to comply with the law. In most cases, the financial
responsibility to install "reasonable interception capabilities"
(when notified by the government to do so) will fall on the ISP.
But the biggest problem seems to be a lack of communication between the
ISPs and those policing the intercepts. An article in Wired News
reported that enforcement of the law by less-than-well trained local
police forces are inspiring a spate of stupid, time-wasting questions on
the part of the police to Internet service providers, who now find
themselves in the position of having to educate the police on the basics
of Internet 101. Ridiculous demands by law enforcement officers, from
asking ISPs to check their records to see if suspected criminals have
accounts with them, to demanding information on users of other ISPs, some
of them in other countries, have prompted many ISPs to throw up their
hands in disgust and make even louder grumbles about moving to friendlier
For those of us removed from the law by national borders, it provides
an interesting litmus test. (Although U.S.-based companies that do
business in the U.K. need to be aware that the law does apply to their
communications that flow into and out of the U.K.) Although the U.S.
government has assured us that the FBI's infamous Carnivore system is less
far-reaching than the U.K. law, no one has quite come clean about exactly
what Carnivore is, so it's hard to make a comparison. We have been told
that the "black box" approach of the RIP Bill is counter to the
Fourth Amendment of the Constitution prohibiting unlawful searches and
seizures, and that "Carnivore chews all the data on the network, but
it only actually eats the information authorized by a court order"
(hence its charming name), in the manner of an electronic wire tap, but
after that, it's anybody's guess. I can't come down too hard on the U.K.
law by comparison, for the process has supposedly been fully disclosed,
unlike with Carnivore. The old adage about the devil you know and the
devil you don't know springs to mind.
In the meantime, let's enjoy reading the Web postings of the conspiracy
theorists on both sides of the Atlantic, and look forward to the day that
either the RIP Bill or Carnivore become the topics of either a John Grisham
novel, a major Hollywood film extravaganza, or both.
The author, who reminds readers to avoid purchasing plutonium from
Azerbaijan over the Internet, may be contacted at firstname.lastname@example.org.