Something has been forgotten as a result of all the fuss surrounding the Regulation of Investigatory Powers (RIP) Bill that was passed last month after a stormy parliamentary passage.
No matter what the law on intercepting communications such as email says, no-one is beyond the reach of the security services. That is to say, if bugging technology exists, it will be used.
This means there is only one way to keep something secure. As George Orwell put it in his novel 1984: "Nothing was your own except the few cubic centimetres inside your head."
"If [the security services] want to listen, they will do it anyway. They will only go through the legal process if they want to use it in court. Data gathered through illegal means can be compared with an informant who will not appear in court - it may provide vital leads, but is useless in securing a conviction," said a security expert who works with MI5.
But the Bill means that the UK security services have more legal scope to tap electronic communications than neighbouring countries. Ireland, for example, has no such legislation. The Netherlands does, but internet service providers (ISPs) are not required to enable an interception capability until 2001.
Under the Bill, the UK security services will install 'black boxes' - sealed monitoring devices that analyse traffic being directed through selected ISPs. They are thought to work in a similar way to network management software, which monitors and scans traffic. The black boxes will send data to a new Government Technical Assistance Centre, which will be based at MI5's Millbank offices in London.
As a result of all this, some UK organisations are preparing to send parts of their IT infrastructure offshore. Three ISPs, Claranet, Greennet and Poptel, said last month that they may move their equipment outside the UK to enable UK users to send email via another country.
"Ireland's attitude towards internet privacy is an enlightened one," said Shaun Fensom, Poptel's chairman.
But is it? Legally, the Republic has so far given its security services no powers to intercept internet traffic at all and says it has no plans to introduce such regulations. There are signs that this may change, however.
First, Ireland is likely to face international pressure from countries such as the UK if it does not introduce similar laws. Second, there are reports that the Irish government is actually quite keen on bugging the internet.
The Phoenix, the Irish equivalent of Private Eye, claims that the country recently joined Echelon, a network that spies on satellite data. This is run by the US and UK security services for the benefit of themselves, Canada, Australia and New Zealand.
Echelon was exposed in a report to the European Parliament by security expert Duncan Campbell and its very existence indicates how vulnerable companies are to having their data tapped by government agencies.
GCHQ, the Cheltenham-based organisation that operates the UK end of the system, is perfectly within its legal rights to intercept communications that may boost the country's economic interests, and its US equivalent, the National Security Agency (NSA), does the same.
But the Campbell report provided details of how the NSA used information acquired through Echelon to help US aerospace groups Boeing and McDonnell-Douglas beat European rival Airbus in landing a defence contract. Much to the fury of the French, it did this by allegedly finding evidence that Airbus bribed Saudi officials.
US politicians responded to French criticism by claiming that France runs a similar electronic spy network, nicknamed Frenchelon. Russia also maintains interception stations in Cuba and Vietnam, which are thought to be used increasingly for economic espionage.
In terms of legal interception powers, other countries are also rapidly catching up with the UK. For example, earlier this month, Japanese legislation was passed that legalised the tapping of email.
Furthermore, the Campbell report mentioned that an FBI-organised group of experts from 20 countries, known as the International Law Enforcement Telecommunications Seminar, had been set up and was pushing for black box-style bugging of ISPs around the world.
But when asked whether data was more likely to be tapped in the UK than elsewhere, Simon Owen, a director of ebusiness for consultants Arthur Andersen, said: "No. If people in other countries are up to no good, I'm sure they will investigate. The UK authorities have come clean, and said, 'This is what we are doing.'"
So the issue for UK IT managers is apparently not whether their company's data is safe from the state, because it patently isn't. The real task in hand is to try and make it as safe as possible from danger, while ensuring compliance with legislation.
Controversially, the RIP Act enables the security services to demand companies' encryption keys - data which will decode a scrambled email - if the unscrambled text is not made available to them. Few other countries allow this, although the Home Office claims that Singapore and Malaysia already do, and that the US, Belgium, the Netherlands and India intend to follow suit. "Key management should be on the agenda," said Owen.
Specifically, he believes that organisations should consider using session keys - separate encryption codes created for each occasion - rather than simply reusing one key over and over again. "If you have just one key, that could give access to a whole year of correspondence," he explained.
A final point to bear in mind is the importance of maintaining conventional security procedures as well. Philip Ryan, head of information security for consultants Peapod, said research data commonly goes missing when business people travel to Russia or China. "You can be sure, if you're of enough interest, your stuff will be gone through, your room will be bugged and your phone line will not be secure," he warned.
Problems are also caused by staff simply losing physical sources of data, as MI5 managed to do recently when one of its employees left a computer lying about in London.
So it seems that physical security can be a bigger worry than RIP. And RIP may not even be that much of a big deal.
|Email security measures around the world|
|Australia Passed legislation last December allowing the Australian Security Intelligence Organisation (ASIO) to obtain warrants for hacking into any computer. This permits ASIO to alter, collect or even delete information held on a computer.|
|Ireland Has no specific powers to intercept email and an ecommerce bill published in April ruled out the requirement to force disclosure of encrypted data within that bill's powers. However, it will be under pressure to follow the UK and other major powers.|
|Netherlands Had given ISPs until April 2001 to install an interception capability. Each warrant must be approved by a judge and the interception must be divulged when the case comes to court. The Dutch have not yet decided who can access traffic data, but are demanding ISPs store this information until they do.|
|Japan Wiretapping law came into effect earlier this month, and includes email correspondence. Tapping was previously illegal. The law only allows interception for criminal investigations into drugs, guns and smuggling of immigrants, and requires a court warrant. It is controversial because police corruption is common and several opposition parties have already said they want to scrap the bill.|
|UK Requires permission from a chief constable or similarly ranked official for security services to read traffic data, and an interception warrant from the Home Secretary to read emails sent or received by an individual/organisation. Some ISPs will install black boxes, connected to MI5.|
|The US The security services have both the legal capability and the means to tap internet traffic. There are three levels of authorisation needed to access traffic. For example, a search warrant is required to obtain the contents of an email. Data is collected through Carnivore, a US version of the black boxes planned for UK ISPs. Carnivore is 'a special filtering tool' that sorts out the information from the data stream.|
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago