It started out as a dog’s breakfast. It has now completed its passage through the Commons and House of Lords, and got Royal Assent on 28 July. As tempting as it is to complete the metaphor, there are those who concede that the Bill has been notably improved, the Confederation of British Industry amongst them. However, Lord Cope, who became a dab hand at summing the Bill up during the various stages of its ignominious journey through Parliament, has done so once again as the Bill now returns briefly to the Commons before becoming law – “It is still not a good Bill. It has been done in too much haste.”
The Key Issue
The Act has a number of controversial aspects, none more inflammatory than the stipulation that law enforcement agencies may in certain circumstances require delivery up of encryption keys in order to decrypt protected information. Whatever the safeguards, and admittedly some have been introduced over the last month, this still makes the UK the only G8 country to allow state access to encryption keys. It has been pointed out vociferously, from as long ago as the ill-fated DTI proposals for trusted third parties under the previous government, that surrendering encryption keys to a third party could potentially undermine a company’s entire security system. Unfortunately, it now looks as though the threat of such an eventuality is just something that companies will have to learn to live with.
However, there have been concessions. Authorities will now only be entitled to the delivery up of decrypted text rather than the key itself, unless there are special circumstances to justify disclosure of the key. This is where the draft Codes of Practice published in July by the Home Office to accompany the Act come in. The Code of Practice on the investigation of electronic data protected by encryption states that special circumstances will vary from case to case but gives, “by way of illustration”, two examples. These are where:
trust is an issue – where there is doubt about the bona fides of a person or organisation being asked to comply with a disclosure requirement, for example where involvement in criminality is suspected; or
timeliness is an issue – if the holder of the key is unable to provide the plain text quickly enough (and the relevant authority can).
The Act requires that in all cases a judge giving a direction for delivery up of a key in the disclosure notice must be satisfied that “the direction is proportionate to what is sought to be achieved by prohibiting any compliance with the requirement in question otherwise than by the disclosure of the key itself”. Not surprisingly, the CBI has criticised the Code for lacking clarity, since untrustworthiness and problems with timing are both concepts which lack precision.
So what if the nightmare becomes reality and a company’s security is undermined? At the eleventh hour, the Lords introduced an amendment giving a person whose protected information or key has been disclosed a right to sue the relevant authority for any breach of its duty to protect the security of the key. The new Interception of Communications Commissioner, a senior judge, will now be charged with overseeing the disclosure notice process and the adequacy of the safeguard arrangements. The Commissioner will also be able to report to the Prime Minister whenever he sees fit rather than annually as originally intended.
The Cost
The second area of controversy surrounds the cost to the likes of ISPs of setting up monitoring equipment in order to comply with the requirement in Part I of the Act to maintain an “interception capability”.
First, some good news. The Home Office has conceded to the establishment of a Technical Advisory Board charged with overseeing any notice served on telecoms providers, including ISPs, to provide the necessary interception capability so that an authority’s power under an interception warrant can be exercised. Anyone to whom a notice is given may refer it to the Board to consider the technical requirements and the financial consequences. The Board will then make recommendations to the Secretary of State. It should be of some comfort that the membership of the Board will include those likely to represent effectively the interests of the recipients of interception warrants.
Now the bad news. It is widely accepted that the Home Office has greatly underestimated the costs faced by companies required to maintain an interception capability. The Home Office has put aside £20 million but where that figure comes from and what it will cover is far from clear. It is supposed to represent a “fair contribution” over a three year period, although there is still pressure to make that commitment open-ended. There has been widespread condemnation of the inadequacy of the government’s proposed contribution. The Federation for Electronic Industry has criticised the calculation as having no basis and being nowhere near enough money for ISPs. Similarly the ISPA has criticised the government for severely underestimating the costs of monitoring e-mail. Never mind the technical expense, who’s going to pay the legal costs when companies start scrambling to their lawyers for advice on challenging and complying with interception orders?
The Offences
Whether or not you agree with legislation that allows the interception and surveillance of electronic data, you have to concede that the way this Act goes about it is far from satisfactory. Failure to comply with a disclosure notice for the delivery up of an encryption key still looks like being an offence charged not on the basis of innocence until guilt is proven but on some middle ground. There is an assumption that someone who has been in the possession of a key continues to be in possession of the key at all subsequent times, unless it is shown that the key was not in his possession after the giving of the notice and before the time by which he was required to disclose it.
The vagaries of “tipping off” remain although perhaps more subtle. Should you ever be served with a disclosure notice containing a “secrecy requirement”, or for some reason get wind of one, you will remain bound to maintain the secrecy of its existence for the rest of your life. Thankfully the secrecy requirement is no longer a presumed consequence of becoming aware of a disclosure notice. What comfort that actually amounts to remains to be seen.
The relevant draft Code of Practice also now requires an authority seeking permission to serve a disclosure notice, so far as is practicable, to establish whether the recipient uses software that gives an automatic warning about key disclosure. If he or she does, the authority must ascertain whether it is reasonable in all the circumstances for the recipient to take steps to prevent this disclosure from happening. The draft Code also requires an authority to seek to establish, again so far as is practicable, the appropriate senior person within an organisation so that that person can be the recipient of the notice rather than some lowly employee. Ambition carries hidden dangers.
The end?
The Bill may be done and dusted, but don’t think that’s the end of the matter. The communications industry will be looking to exorcise as many demons from the proposed Codes of Practice as possible once the formal consultation process on the guidelines begins.
Rico Calleja is an Information Lawyer. He recently left Theodore Goddard to join McDermott, Will & Emery.