RIP: the last analysis

by Steven Mathieson, uk.internet.com

01 Aug 2000

The Regulation of Investigatory Powers (RIP) Bill, which gives the security services the right to tap internet traffic, was passed in the House of Commons last week and has now received the Royal Assent.

At the same time, the country's ebusinesses started trying to decide what damage limitation exercises to introduce to cope with legislation that many think is disastrous.

One ISP, Poptel, said it is "pretty likely" to move part of its operations outside of the UK - probably by locating a mail server offshore to handle encrypted email.

"There is likely to be a time when some of our users, for perfectly legal reasons, will want this facility," said Shaun Fensom, the company's chairman.

Other organisations may well do the same. Goldman Sachs, one of the world's leading investment banks, told internet think-tank the Foundation for Information Policy Research (FIPR) that it is thinking about moving its encryption key system from its main non-US office in the UK to Switzerland.

Caspar Bowden, director of the FIPR, said: "I think people are rubbing their eyes. They can't quite believe the government is doing this, but they are."

Concerns centre on the administration's plans to install a 'black box' at some ISPs' sites that will be connected to MI5's London headquarters. On the say-so of a chief constable, the security service will be allowed to examine internet traffic from an individual or group that is thought to pose a security threat.

The security services are concerned by the increasing use of internet encryption software, which comes with virtually unbreakable keys that can be used on standard computer equipment. This enables individuals to communicate with near-perfect secrecy. (Although the point could be made that individuals were able to do this before electronics made remote surveillance possible, the security services don't quite see it this way.)

Key escrow
The UK government's first bash at crypto legislation was key escrow - an idea that the Conservatives later admitted was a mistake. This would have required encryption users to deposit keys to unlock their encrypted messages with a trusted third party.

The third party would keep the keys safe from prying eyes unless the security services asked for them, in which case it would hand them over. But the costs and legal implications of the scheme, which was dreamed up solely for the convenience of the security services, made the idea highly unpopular with the IT industry.

As a result, key escrow was dumped after a review by the incoming Labour government. The Department of Trade and Industry (DTI), which was handling IT at the time, saw its chance to pass crypto policy over to the Home Office and get rid of a sticky issue.

It seemed like a good idea at the time. But Dr Ross Anderson, of Cambridge University's Computer Sciences department and chairman of the FIPR, claimed: "The DTI made a serious error in allowing this to be taken over by the Home Office. It may have seen it as a poisoned chalice it was well rid of, but it will come back to haunt them."

Government ministries tend to lend the most sympathetic ear to those organisations over which they hold the most sway. As a result, the DTI bends over backwards when working with IT companies and the commercial sector in general. But this constituency is now up in arms at the legislation the Home Office has produced.

In contrast, the Home Office's main contacts are the police and security services. Charles Clarke, a spokesman whose media appearances tend to see him emphasising how important it is that the government is tough on crime, presided over the internet interception clauses that are now part of the RIP Bill.

In other words, the Home Office was less likely than the DTI to be sympathetic to the IT industry in its drafting of legislation - and it wasn't.

For example, the original Bill contained a clause that meant individuals could end up in prison if they lost the encryption key for an email requested by the security services. Rather than being innocent until proven guilty, such individuals would have to demonstrate their innocence on a balance of probabilities.

But this section was changed following protest from the IT industry, with support from the Conservative party, which means that, as with other UK law, an individual's guilt must now be proven. The government has also stressed it will only apply these powers after it has attempted and failed to obtain the plain text (unencrypted version) of a message.

And to ease the financial pain of ISPs, the government has pledged £20m towards covering the costs of installing the black boxes that will undertake the wire-tapping: the original plan was that ISPs would pay to be bugged, making a hike in the cost of web services likely.

Although FIPR's Anderson conceded, "I suppose there has been a slight improvement in a few details," he added that, in the FIPR's opinion, the UK will be at a disadvantage to the rest of Europe as a result of perceived extra costs and legal risks, because no other western country has legislation that allows governments access to keys.

"The UK will have no credibility overseas. Companies considering a UK base for ecommerce will base it elsewhere," he added.

Acting quickly
So why was the RIP Bill rushed through? One possibility is that it was necessary to provide the security services with a clear legal footing. Otherwise, the Human Rights Act, which takes effect on 2 October and incorporates the European Charter on Human Rights with all of its attendant privacy rights, would almost certainly have been used to mount a legal challenge to their activities.

But what happens now is unclear. No timescales have been provided for installing the black boxes, there are no clear guidelines as to how interception will work - expect to see legal battles here - and it is anyone's guess as to how many international companies will move their IT operations overseas as a result of the new legislation.

In a somewhat unfortunate turn of phrase, the Home Office's Clarke told the House of Commons that there will be a "propaganda" campaign to convince the world that the UK is still a good place to do ecommerce.

His choice of phrase illustrates the way that the freewheeling libertarian culture of the internet has collided with the tough-on-crime mentality of the Home Office and lost - although it is the nature of the internet that its users are able to move their operations around.

Poptel's plans to move its email server offshore are the result of demand from its customers, which include trade unions and campaigning organisations. Groups pushing to improve areas such as civil liberties do not necessarily want the security services - whose powers they might be campaigning against - to have access to their communications.

But Poptel once also hosted another well-known organisation that prided itself on being an ardent civil liberties campaigner, although it now seems to have changed its views along with its ISP. That organisation, of course, is the Labour Party.
