Legal labyrinth befuddles snoopers

The glut of legislation governing covert surveillance has made it a nightmare to work out what different law enforcement agencies can do, according to lawyers.

The Regulation of Investigatory Powers (RIP) Act 2000 was designed to extend snooping laws to cover new forms of communication.

But other laws, such the Data Protection Act 1998, the Human Rights Act 1998, and the Anti-terrorism, Crime & Security Act 2001, all feed into to this legislative soup.

The resultant situation is a "nightmare for those trying to make sense of it", said Jonathan Armstrong, an e-commerce specialist at law firm Eversheds.

The RIP Act provides a mechanism for law enforcement agencies to apply for internet or mobile phone taps. In order lawfully to carry out such surveillance, the agencies must apply to the Home Secretary for a warrant.

These are only issued for specific types of investigation, such as those concerning "serious crimes" or involving national security.

Unfortunately, the legislation does not define what a serious crime is, meaning that it will probably require test cases, according to Rupert Battcock, internet lawyer at Nabarro Nathanson.

The RIP Act also allows some other "senior officials" to issue warrants in emergency situations, but is less clear about who is regarded as "senior". It is these provisions that have alarmed some privacy watchdogs.

Ian Brown, director of the Foundation for Information Policy Research, warned that unprecedented powers were being "given to the police without any judicial oversight".

The legislation gives the police powers to require telephone companies and internet service providers (ISPs) to keep a vast amount of detail about individuals' communications.

This includes names and addresses of users, phone numbers called, source and destination of emails, the identity of websites visited and mobile phone location data.

The biggest players in government snooping are agencies such as MI5, MI6, Government Communications Headquarters, and the National Intelligence Criminal Service. Police forces are also able to request taps to assist in their investigations.

In 2001, the government announced that the National Technical Assistance Centre (NTAC) would be set up to assist the various law enforcement agencies in intercepting and decrypting multimedia communications.

To achieve a permanent intercept capability, NTAC needs ISPs to make alterations to their networks. But the suggestion that an outsider's equipment, in the form of a 'black box', would be installed on a provider's network has met with resistance.

"We cannot allow appliances on our networks when we don't know what they are doing," explained Tim Snape of the ISP Association.

Others are more relaxed. Roland Perry, director of public policy at the London Internet Exchange, pointed to the experience in Holland, where the introduction of surveillance equipment at ISPs was treated "much in the same way as restaurants view health and safety: a necessary requirement of running the business".

He added that discussions are still ongoing about the work required to make networks capable of carrying out the snooping.

If the process of such surveillance is unclear, the problems faced by others wishing to monitor electronic communications are worse.

Employers were initially barred from snooping on their employees under the RIP Act. To get round this, the Lawful Business Practice code allowed employers to snoop on their staff, provided they follow certain criteria.

This should have clarified the position for employers, but it did not account for data protection legislation, said Armstrong, and employers will not receive definitive guidance over what type of snooping is permissible until the Information Commissioner, Elizabeth France, has published a code of practice.

This code was to have been made available in early 2001 but, after numerous revisions and discussions, the final version is yet to be released.

The risk to employers of being seen as negligent in not undertaking some form of staff monitoring is too great for most employers, according to Armstrong.

The best policy is to be "open and up-front, and to seek informed consent" to the monitoring of emails and telephone calls, he concluded.

The Covert Human Intelligence Sources Code Of Practice can be found here.