No escape from the spooks

Something has been forgotten as a result of all the fuss surrounding the Regulation of Investigatory Powers (RIP) Bill that was passed last month after a stormy parliamentary passage.

No matter what the law on intercepting communications such as email says, no-one is beyond the reach of the security services. That is to say, if bugging technology exists, it will be used.

This means there is only one way to keep something secure. As George Orwell put it in his novel 1984: "Nothing was your own except the few cubic centimetres inside your head."

"If [the security services] want to listen, they will do it anyway. They will only go through the legal process if they want to use it in court. Data gathered through illegal means can be compared with an informant who will not appear in court - it may provide vital leads, but is useless in securing a conviction," said a security expert who works with MI5.

But the Bill means that the UK security services have more legal scope to tap electronic communications than neighbouring countries. Ireland, for example, has no such legislation. The Netherlands does, but internet service providers (ISPs) are not required to enable an interception capability until 2001.

Under the Bill, the UK security services will install 'black boxes' - sealed monitoring devices that analyse traffic being directed through selected ISPs. They are thought to work in a similar way to network management software, which monitors and scans traffic. The black boxes will send data to a new Government Technical Assistance Centre, which will be based at MI5's Millbank offices in London.

Going offshore
As a result of all this, some UK organisations are preparing to send parts of their IT infrastructure offshore. Three ISPs, Claranet, Greennet and Poptel, said last month that they may move their equipment outside the UK to enable UK users to send email via another country.

"Ireland's attitude towards internet privacy is an enlightened one," said Shaun Fensom, Poptel's chairman.

But is it? Legally, the Republic has so far given its security services no powers to intercept internet traffic at all and says it has no plans to introduce such regulations. There are signs that this may change, however.

First, Ireland is likely to face international pressure from countries such as the UK if it does not introduce similar laws. Second, there are reports that the Irish government is actually quite keen on bugging the internet.

The Phoenix, the Irish equivalent of Private Eye, claims that the country recently joined Echelon, a network that spies on satellite data. This is run by the US and UK security services for the benefit of themselves, Canada, Australia and New Zealand.

Echelon was exposed in a report to the European Parliament by security expert Duncan Campbell and its very existence indicates how vulnerable companies are to having their data tapped by government agencies.

GCHQ, the Cheltenham-based organisation that operates the UK end of the system, is perfectly within its legal rights to intercept communications that may boost the country's economic interests, and its US equivalent, the National Security Agency (NSA), does the same.

But the Campbell report provided details of how the NSA used information acquired through Echelon to help US aerospace groups Boeing and McDonnell-Douglas beat European rival Airbus in landing a defence contract. Much to the fury of the French, it did this by allegedly finding evidence that Airbus bribed Saudi officials.

US politicians responded to French criticism by claiming that France runs a similar electronic spy network, nicknamed Frenchelon. Russia also maintains interception stations in Cuba and Vietnam, which are thought to be used increasingly for economic espionage.

In terms of legal interception powers, other countries are also rapidly catching up with the UK. For example, earlier this month, Japanese legislation was passed that legalised the tapping of email.

Furthermore, the Campbell report mentioned that an FBI-organised group of experts from 20 countries, known as the International Law Enforcement Telecommunications Seminar, had been set up and was pushing for black box-style bugging of ISPs around the world.

Coming clean
But when asked whether data was more likely to be tapped in the UK than elsewhere, Simon Owen, a director of ebusiness for consultants Arthur Andersen, said: "No. If people in other countries are up to no good, I'm sure they will investigate. The UK authorities have come clean, and said, 'This is what we are doing.'"

So the issue for UK IT managers is apparently not whether their company's data is safe from the state, because it patently isn't. The real task in hand is to try and make it as safe as possible from danger, while ensuring compliance with legislation.

Controversially, the RIP Act enables the security services to demand companies' encryption keys - data which will decode a scrambled email - if the unscrambled text is not made available to them. Few other countries allow this, although the Home Office claims that Singapore and Malaysia already do, and that the US, Belgium, the Netherlands and India intend to follow suit. "Key management should be on the agenda," said Owen.

Specifically, he believes that organisations should consider using session keys - separate encryption codes created for each occasion - rather than simply reusing one key over and over again. "If you have just one key, that could give access to a whole year of correspondence," he explained.

A final point to bear in mind is the importance of maintaining conventional security procedures as well. Philip Ryan, head of information security for consultants Peapod, said research data commonly goes missing when business people travel to Russia or China. "You can be sure, if you're of enough interest, your stuff will be gone through, your room will be bugged and your phone line will not be secure," he warned.

Problems are also caused by staff simply losing physical sources of data, as MI5 managed to do recently when one of its employees left a computer lying about in London.

So it seems that physical security can be a bigger worry than RIP. And RIP may not even be that much of a big deal.