Hackers and online fraudsters, web bugs and cookies. We are all well aware that someone somewhere might be watching what we are doing online, but how would we feel if we knew that the police, the security services or even our employer was routinely scanning our emails, monitoring our internet usage and listening in to our phone calls?

This is exactly the power given to these agencies by the Regulation of Investigatory Powers (RIP) Act.

Many people would react to this news by saying that, perhaps with the exception of online banking and trading, their internet usage and email would be of no interest to anyone else. And besides, we are used to being watched on CCTV as we walk around the High Street, and having our calls monitored when we buy insurance by phone, for example.

However, John Wadham of Liberty summed up the objections of most opponents of the Act when he said: "Whilst some of our communications are trivial and of no interest to anyone, all of us make some very private calls which are not the business of anyone else."

Rules of engagement

So what exactly does RIP say? The first part of the Act deals with the interception of landline and mobile phone calls, emails, pager messages and the monitoring of internet use (that is, noting which websites you visit).

The Act distinguishes between the content of emails, phone calls and so on, and the 'communications data' that surrounds them, such as the email address of the sender and receiver of an email, or a phone bill listing the numbers one caller has dialled.

There are strict rules on why content can be intercepted, including crime prevention and for reasons of national security. However, the reasons why communications data can be intercepted are hazy and wide-ranging, including such grounds as public safety and public health.

The communications data part of the Act is not yet law, and the government had, at the time of writing, only just introduced a draft code of practice which most opponents felt did not go far enough in mitigating their fears.

RIP stipulates that interception facilities will be installed at internet service providers (ISPs), although as we write no ISPs have yet installed this equipment and in reality the government will probably only insist on the larger ISPs installing it.

The equipment will channel data from the ISP to a new agency, the Internet Government Technical Assistance Centre, which will then be able to sift all this information for whatever it is looking for. Just what is done with this data is not clear, neither is what technologies will be used to filter the information.

The only comfort for the law-abiding person on the street is that such a huge amount of information will be going through this centre that only a tiny fraction of it could ever be read by human eyes.

Mass monitoring

Mass monitoring of communications is not entirely unheard of. It recently came to light that security services in the UK, the US, Canada, and New Zealand had all been running Echelon, a surveillance system which automatically intercepts phone calls, emails and faxes.

For opponents of RIP, one of the main problems is that such snooping is not only the preserve of the law enforcement and security forces, but it gives similar powers to employers to listen in on employee phone calls and read employee emails.

This legislation has in part been prompted by employers' fears that internet connections could be used for illegal practices, such as downloading child pornography, or simply for introducing viruses to a company's servers.

And, of course, many companies feel they are losing many working hours as their staff surf the web for their own private purposes. A recent survey by Webserve found that 70 per cent of pornography downloads and 60 per cent of online shopping happen in office hours.

Hannah Reed, of the employment rights office at the Trades Union Congress (TUC), maintained that employers have seized on the Act to crack down unduly. "Our view is that a lot of employers have held [RIP] as a free licence to monitor emails and telephone calls," she said.

She stressed that the TUC is very much opposed to this. "There is no free licence for employers to monitor employees on a random basis. Staff have basic rights to privacy which are protected under the Data Protection Act [DPA] and the Human Rights Act [HRA]," she warned.

Reed recognised that employers need to check that their internet systems are not being abused, but called for restraint in the monitoring of staff. "People need to find a work/life balance. They are working longer hours and there should be some means whereby they are able to make urgent phone calls and emails without these being monitored," she said.

She is also worried that facts that could lead to discrimination against employees, such as sexual orientation, could be garnered from intercepted phone calls or emails.

Yaman Akendeniz, of Cyber-Rights and Cyber-Liberties, sees this part of the legislation as one that could easily lead to legal action, given the contradictions between RIP, the DPA and the HRA. "I'm sure that sooner or later someone will be dismissed due to monitoring of their internet usage or email interception and then there might be a challenge in the courts," she said.

The second part of RIP lays out some ground rules concerning when surveillance by the police and security services can be carried out, and when it cannot.

However, most opponents argue that the Act is not sufficiently clear on what can be called intrusive surveillance and does not do enough to protect the privacy of ordinary people.

The third part is one of the most controversial and, as yet, it is not in force. This part concerns encryption and makes it an offence not to hand over encryption keys when requested to do so by law enforcement agencies.

The government argues that such measures will mean that paedophiles, for example, will be forced to decrypt any picture files, so the police have enough evidence to prosecute.

Opponents of the Bill have put forward the view that most paedophiles, and indeed almost any other criminal, would opt for a two-year sentence for refusing to decrypt their files rather than a much longer sentence for their actual crime.

At the same time, asking businesses and individuals to hand over potentially commercially sensitive and other personal files, such as financial details, is an infringement of civil liberties and could have far-reaching implications if that data was then leaked.

Ways around RIP

So are there ways around the RIP provisions? Yes, and most criminals will have already found them.

To keep your internet usage private, you might want to change ISP. If you are a customer of a large ISP you might prefer to use a smaller one, making sure that your new ISP does not simply use a larger ISP to run its services. You might also consider joining one that is registered abroad.

Poptel, ClaraNet and GreenNet have all voiced their intention of moving abroad if they are ever forced to install interception equipment.

Avoiding your email being intercepted is equally easy. You could use an email encryption service, or an anonymous re-mailer service which cloaks who has sent and who is to receive the email.

If you have a permanent connection, such as ADSL, you could even use direct email, avoiding having your email stored on your ISP's servers waiting for download. Consumer direct email packages will doubtless soon be widely available.

If your web connection uses IP version 6, all this becomes irrelevant. IPv6 uses encryption keys that are automatically created and then destroyed once the communication is complete.

Finally, if you do not want your encrypted files to be read, there are a range of precautions you can take. You can store them on removable disks and keep the disks well hidden, or you can upload files to a secure storage facility outside the UK. Alternatively, you could use an encryption method known as steganography which, roughly speaking, hides text files in graphic or audio file formats.

One further point. If you think that RIP turns the UK into a Big Brother state, forthcoming European Union legislation could make matters worse still. The UK government has recently signed the EU Cybercrime Treaty, which takes an altogether tougher stance.

It forces communications operators, such as ISPs and telecoms operators, to keep records of all phone calls, faxes, emails and web use for seven years. It gives security forces greater powers for carrying out surveillance than RIP, and allows far greater powers of interception, even for minor crimes.

What is RIP?

RIP was drafted with good intentions in mind: to allow the police and other law enforcement and security agencies greater powers to prevent and solve crime.

Criminals are increasingly reliant on new technologies such as the internet and mobile phones, so the Act gives powers to the police and other agencies to intercept such things as emails and mobile phone calls. Previous legislation on such matters was piecemeal and did not take into account these new technologies.

However, many opponents of the Act fear that it goes too far, allowing the police, and especially the security services, the right to snoop and pry into the private affairs of everyone, including law-abiding individuals.

In addition, the Act allows companies to monitor the emails, phone calls and internet use of their staff. Opponents see this as a contravention of the Data Protection Act and of the European Convention on Human Rights, which includes the right to respect for private and family life.

The main substance of the Act is in its first three parts. The first allows law enforcement agencies and the security services to intercept phone calls and emails, and to gain access to such things as itemised telephone bills.

The second lays down some ground rules on surveillance, trying, but many would argue not succeeding, in distinguishing between direct and intrusive surveillance and when each is justified. The third, widely condemned, part deals with encryption.

Although it is not yet in force it will make it an offence not to hand over an encryption key to an authorised person. Refusal or inability to do so will result in a two-year jail sentence.

Opponents argue that this will reward the criminals, who will take the lighter sentence rather than face longer sentences for their actual crimes, while at the same time it will punish the innocent for losing the encryption key or for trying to keep commercially sensitive or personal files private.