APPENDIX 82
Supplementary memorandum submitted by the Home Office
This memorandum is submitted by the Home Office
in response to the request from the Chair to the Joint Committee
on the draft Communications Bill to the Secretary of State for
the Home Department, requesting answers to questions relating
to the impact on telecommunications operators of legislation for
which the Home Office has policy responsibility, including the
Regulation of Investigatory Powers Act (RIPA) and the Anti-terrorism,
Crime and Security Act (ATCSA). In particular the Committee wished
to receive information about the regulatory requirements imposed
by these Acts on telecommunications operators and the extent,
if any, to which these requirements are co-ordinated with those
imposed by Oftel and, in the future, by OFCOM.
Attached at Annexes 1 and 2 are the Regulatory
Impact Assessments for Part I and Part III of RIPA, which were
laid before Parliament at the time of the passage of the Bill.
These have not changed significantly and money has been set aside
by the government to help industry meet the cost of the measures
in the Act.
Part I of RIPA provides powers (section 11)
to ensure that when a provider of public postal or telecommunications
services is asked to carry out a specific interception there is
a duty on them to take reasonably practicable steps to comply.
The Act also contains powers (section 12) to ensure that such
providers are capable of carrying out the lawful interception
of communications.
Interception of communications by UK law enforcement
agencies is lawful only when the Secretary of State is satisfied
that it is necessary on one of the limited grounds set out in
the Act and that its use is proportionate in what is sought to
be achieved, and authorises it personally by warrant.
Section 12 provides that the Secretary of State
may, by notice, require a Communications Service Provider (CSP)
to maintain an interception capability and meet obligations provided
for by an Order (Section 12(2)). The draft Regulation of Investigatory
Powers (Maintenance of Interception Capability) Order 2002 was
laid before Parliament on 22 May. The order requires affirmative
resolution and was debated in Standing Committee on 18 June and
was approved. A copy of the Order is attached at Annex 3.
The Schedule to the Order lists those obligations
which appear to the Secretary of State reasonable to impose on
CSPs for the purpose of securing that it is practicable for them
to meet requirements to provide assistance in relation to interception
warrants. For the purpose of the Order interception of communications
means the interception of a communication in the course of its
transmission by means of a postal service or telecommunications
system. The obligations in Part I of the Schedule will apply to
CSPs who provide, or propose to provide, a public postal service.
The obligations in Part II of the Schedule will apply, subject
to paragraph 2(3) of the Order, to CSPs who provide, or propose
to provide, a public telecommunications service.
The draft Order has been the subject of lengthy
public consultation (from December 2000 to August 2001) and extensive
dialogue between government and industry. A draft copy of the
Order has also been considered by the European Commission in accordance
with European Transparency Directive 98/34/EC.
It is the government's intention that a Notice
given to a CSP under Section 12 will, wherever possible, be the
product of prior dialogue and agreement between the government's
representatives and the CSP in question. However, should a CSP
consider that a Notice given to it is unreasonable, either in
terms of the steps it requires the CSP to take in order to meet
the obligations in the notice or in terms of the financial consequences
of these steps, the CSP may refer the Notice to the Technical
Advisory Board, which has been set up under Section 13 of RIPA.
The duties of the TAB are to consider the technical requirements
and the financial consequences of a Notice on the CSP to which
it is given. The TAB must report its findings to the Secretary
of State and to the CSP. The Secretary of State, after considering
the report of the TAB, may either withdraw the Notice or issue
a further Notice with or without modifications.
Oftel was consulted on a regular basis both
during the policy formulation and development which led to the
Act and during the passage of the Act through Parliament. The
Home Office continues to consult Oftel as and when necessary on
interception issues and intends to do the same with OFCOM.
Section 14(2) of RIPA places a duty on the Secretary
of State to ensure that arrangements are in force for securing
that CSPs receive a fair contribution to the costs incurred as
a consequence of both the imposition of obligations provided for
by a Section 12 Order and the invocation of interception warrants.
At present the government has arrangements in place with all those
CSPs currently providing interception and pays a substantial contribution
to the costs they incur.
The government intends to continue with the
existing agreements at least until the end of this financial year,
when it will seek to put in place a new regime which will more
closely identify those costs arising from warrant invocation and
those arising from the maintenance of an interception capability.
In developing a new costing regime, considerable assistance and
transparency will be needed from industry. To this end, officials
have begun to consult widely on this issue.
Part III of RIPA deals with the provision of
plain text documents and specifically with release of encryption
keys to the law enforcement agencies. The Regulatory Impact Assessment
(RIA) on this part of the Act was made in December of 1999 and
is attached. A Code of Practice is about to be published for public
consultation. It has been widely discussed since March of 2001
with CSPs and the Agencies. On the basis of those discussions
we remain of the view that the estimates in the RIA are still
well founded.
Issues of encryption have been the subject of discussion
between the Home Office, Oftel and the industry. The Performance
and Innovation Unit (PIU) Report on Encryption & Law Enforcement
of 1999 highlighted the need for a Government Industry Forum.
As a result of this recommendation a Forum now meets and includes
members from Oftel. It is intended that in due course this Forum
will include OFCOM.
The Government intends that the industry will
be recompensed for costs incurred in delivery of any keys required.
Part II of the Anti-terrorism, Crime and Security
Act (ATCSA) provides for the drawing up of a voluntary code of
practice between the Government and the telecoms industry. The
purpose of the code will be to establish what data will be retained
by the industry for the purpose of safeguarding national security
or the prevention or detection of crime or the prosecution of
offenders which may relate directly or indirectly to national
security, and for what period.
Discussions have been taking place with members
of the industry and the Agencies to try to establish mutually
acceptable solutions on these issues.
At present, CSPs are only authorised to retain
communications data for the period which is required by their
own business purposes. This means that data which is relevant
to national security or criminal investigations may be erased
or anonymised before the need for it can be identified. Technical
differences between telecommunications systems and commercial
pressures to minimise retention have also led to wide variations
in retention policies across industry.
New communications services such as "unlimited
calls", "pre-pay" and "always on" may
mean that traditional retention may not take place at all. All
this means an increasing risk that criminals may escape detection
and prosecution according to which network or package they use
for their communications.
It is important we carefully balance the needs
of law enforcement against the need to protect privacy and the
impact of any new rules on industry and the single market. The
consultation process will deliver the technical specification
that will accompany the voluntary code.
Chapter II Part I of RIPA is the medium by which
access to communications data is obtained. RIPA does not alter
the present situation; it outlines those Public Authorities that
may under the Act request access to such communications data.
It places a duty on the telecommunications operator,
who may be in possession of, or capable of obtaining, any communications
data, to comply with the requirements of the notice served by the
public authority. It also places a duty on the Secretary of State
to ensure that arrangements are in force, as he thinks appropriate,
for the making of appropriate contributions towards the cost incurred
by the telecommunications operators in complying with any notices
under the provisions of Chapter II Part I of RIPA.
Data retention will be discussed at the next
Government Industry Forum to take place on 28 June 2002. Oftel
will be represented at that Forum and it is hoped that OFCOM will
accept a similar position in the future.
Annex 1
Regulatory Impact Assessment
REGULATION OF INVESTIGATORY POWERS BILL: PART I.
LEGISLATIVE PROPOSALS FOR THE INTERCEPTION OF COMMUNICATIONS
1. TITLE
Provision of a reasonable interception capability,
and of reasonable assistance in giving effect to interception
warrants.
2. PURPOSE AND INTENDED EFFECT OF THE MEASURE
(i) Issue and Objective
Issue: The Interception of Communications Act
1985 (IOCA) was introduced in order to provide a comprehensive
framework for interception. It applies to the interception of
all communications on the United Kingdom's postal or public telecommunications
systems conveyed by the Post Office, British Telecom and any other
public telecommunications operator licensed under the Telecommunications
Act 1984. At the time the legislation was passed, this definition
encompassed all known methods of communicating by public networks
and attempted to provide for future developments.
The last 15 years have seen tremendous changes
taking place in the communications industries in the United Kingdom.
This has meant that the existing legislation, and in particular
its narrow scope, has rapidly become out of date.
Objective: The objective is for the Secretary
of State to be able to issue legally binding requirements on any
Communications Service Provider ("CSP", such as public
telecommunications operators, postal carriers, internet service
providers and international simple resale providers) for the maintenance
of a reasonable interception capability in respect of their publicly
available communications services. The Bill leaves open the question
of how the cost for this should be allocated. In addition, any
person or organisation named on the schedule to an interception
warrant, including CSPs, should be under a legal obligation to
provide reasonable assistance in order to give effect to the warrant.
The intention behind this objective is to maintain,
as far as possible, the effectiveness of the current Act on which
the law enforcement, security and intelligence agencies rely in
combating serious crime and threats to national security, by extending
its scope to all CSPs.
(ii) Risk Assessment
Without the new powers, there is a risk that
any criminally minded individual could use a service provided
by a CSP which is outside the scope of the current Act, thereby
making it considerably more difficult, if not impossible, for
law enforcement to intercept his communications. The risk is extremely
difficult to quantify but, as an illustration, and at the top
end of the scale, lawful interception of communications played
a part, often the crucial part, in operations by police
and HM Customs during 1996 and 1997 which led to:
the seizure of drugs with a street
value of over £600 million;
the seizure of over 450 firearms.
These successes would have been in jeopardy
had the criminals used networks which fall outside the scope of
the current Act's warranty regime, because there is no requirement
for the providers of such networks to have an interception capability.
3. OPTIONS
Three options have been identified:
Option 1: Rely on existing powers.
Option 2: Extend the scope to include all
CSPs, with an obligation to provide reasonable assistance but
with no obligation to provide a reasonable intercept capability.
Option 3: Extend the scope to include all
CSPs, with an obligation to provide both a reasonable intercept
capability with respect to their publicly available services and
reasonable assistance in giving effect to interception warrants.
Issues of Equity and Fairness
None of the identified options would seem likely
to discriminate against any particular element of society.
The proposed requirements in the Bill (Option
3) have been met by Public Telecommunications Operators and the
Post Office since IOCA came into force in 1985, but not by other
CSPs who were either not in existence or very small players in
1985 and who are therefore outside the legislation's scope. It
could be argued that imposing similar requirements on all CSPs
within the UK will contribute towards ensuring a fair and level
commercial playing field, placing no one section of the UK's communications
industry at a disadvantage when operating at home or internationally.
4. BENEFITS
Option 1: Rely on existing powers
The benefits in relying on existing powers would
lie in the unfettered way in which communications industries outside
the current scope, and in particular the Internet industry, could
develop their services. This option would offer no benefits to
law enforcement.
Option 2: Extend the scope, with no obligation to build in capability
This option would also be welcomed by those
providers currently outside the legislation's scope. And an extension
to the scope, requiring CSPs to provide assistance, would be of
some benefit to law enforcement. However, were such providers
to make no provision for interception on their networks, it could
prove difficult or even impossible for an interception warrant
to be given effect within the necessary time-scale, even with
the full assistance of the provider concerned. Such a capability
would have to be developed from scratch by the agency on whom
the warrant had been served, and the cost would be much higher
than if capability had been designed in from the start. This option
would also put those CSPs who have built an interception capability
into their systems at a competitive disadvantage.
Option 3: Extend the scope, with an obligation to build in capability
Obliging all CSPs to provide and maintain a
reasonable interception capability with regard to their publicly
available services best answers the intention outlined at Section
2 above, of maintaining the effectiveness of the current Act in
combating serious crime and threats to national security.
Quantifying and Valuing the Benefits
The key intention, combating serious crime
and threats to national security, is highly valued but notoriously
difficult to quantify. The relative merits of the three options
in quantitative terms, then, are not easy to pin down.
However, the figures at Section 2 above give
an indication of the potential drawbacks of Option 1. All these
successes would be in jeopardy.
Option 2 would help to mitigate these drawbacks,
but only to a very limited extent. Many of those CSPs currently
outside the scope of IOCA already provide assistance to law enforcement.
Option 3 should enable the successes outlined
at Section 2 to continue. Interception represents an extremely
high value for money method of investigation for law enforcement,
yielding accurate and up to date intelligence for relatively little
cost. To take the example of drugs, the following figures give
some indication of the technique's importance.
In 1998 the Government spent £1.4 billion
tackling the drugs problem[89],
including around £420 million on law enforcement activity
and £170 million on health services. In addition, 50-70 per
cent of the estimated £1.5 billion spent per annum on drugs
by users is raised through acquisitive crime. The cost to victims
of this crime, much of which involves shoplifting and burglary
from commercial premises, could be three to five times higher[90].
This gives a cost to victims of in the region of £3.5 billion.
In addition, money lost to the Exchequer in
lost revenues is estimated to be £220 million per annum for
alcohol smuggling and £1.7 billion for tobacco smuggling[91].
These figures yield a total cost to the country of £6.8 billion
per annum.
During a 12 month period during 1998-1999 Customs
seized 1.25 tonnes of Class A drugs, and made 93 arrests in connection
with those drugs, through interception. In fact, in 1998 52 per
cent of the total amount of heroin seized by Customs was a direct
result of interception; and the total value of drugs seized in
1998 as a result of interception was in excess of £185 million.
This comes to over 10 per cent of the total sum spent on drugs
per annum in the UK, an amount which could cost the country up
to £500 million each year. Meanwhile, in work against alcohol
and tobacco smuggling, recent Customs interception operations
have been sufficiently successful that the number of staff working
on interception against these targets has doubled.
Further details of the benefits of interception
are provided in a confidential annex to this document.
5. COMPLIANCE COSTS FOR BUSINESS, CHARITIES AND VOLUNTARY ORGANISATIONS
(i) Business Sectors Affected
The legislative proposals affect four key business
sectors: public telecommunications operators; international simple
voice resale providers; internet service providers; and postal
carriers. Given the rapid development of technology since IOCA
was enacted, it is expected that other groups will be affected
in the longer term as new innovations are introduced into the
communications marketplace.
Public telecommunications operators are licensed
under Sections 7 and 8 of the Telecommunications Act 1984, and
their systems designated as public telecommunication systems under
section 9. They include some cable companies and mobile operators.
In total they number around 40. They are subject to the current
Act, and already provide a reasonable interception capability.
International simple voice resale providers
(ISVRs) are licensed under Section 7 of the Telecommunications
Act, and buy bulk international line space from PTOs to resell
the calls. 233 were licensed by the DTI as of July 1999. In most
cases it is expected that such providers will not need to be involved
in the effecting of interception warrants; this will be done by
the PTO providing the network which the ISVR is using.
Internet service providers (ISPs) are also licensed
under Section 7 of the Telecommunications Act. The Internet Service
Providers Association lists around 80 members, although not all
of these are ISPs; and the London Internet Exchange lists 82.
In total there are now over 300 operating in the UK.
Postal carriers fall into two separate categories.
The first, operated by the Post Office, is already subject to
the Act and should see little change. The second comprises all
those mail carriers and couriers which offer publicly available
services. Where the destination or origin of mail or parcels is
overseas, or transportation involves carriage by air, carriers
are already subject to Customs and Aviation regulations.
(ii) Compliance Costs
Option 1 would not result in any additional
costs to business since there would be no changes to current practices.
Option 2 would represent a small additional cost to those CSPs
currently outside the Act, in terms of the manpower, training
and physical costs associated with providing reasonable assistance
to an intercepting agency.
Option 3 would require some CSPs to provide
an interception capability for the first time; for others it would
make no change to the status quo. Compliance costs would vary
on a case-by-case basis, and are extremely difficult to predict.
For example, equipment used for interception could also be used
for other purposes, such as the prevention of fraud on the network.
However, some key factors for each business sector are outlined
below:
Public Telecommunications Operators: It is not
expected that Option 3 would impose any significant additional
cost on this business sector. Precise costs for the capability
already provided are hard to calculate, because interception capability
was just one of a number of requirements specified to manufacturers
when switching and other equipment was purchased. However, a rough
estimate might suggest that the capital cost per year plus annual
running costs for equipment and staff could be up to 0.03 per
cent of turnover. Specific figures are subject to commercial sensitivities.
International Simple Voice Resale Providers:
Again, Option 3 should have a minimal impact on this business
sector.
Internet Service Providers: Option 3 would represent
a significant additional cost in some cases. At this stage precise
costs are hard to calculate: discussions with businesses are progressing,
but negotiations with regard to requirements and cost allocation
are at an early stage. The industry itself has stated that it
is currently too early to give a clear idea of the costs involved.
Internet access services are increasingly offered
to the public by companies other than traditional telecommunications
operators; for example, retail chains and broadcasting companies.
However, although the capability and assistance requirements will
fall on some of these providers, in practice these will be the
responsibility of those who operate the system on which the service
runs. As stated above, the Bill leaves open the question of cost
allocation. Any costs falling on industry are likely to have some
impact on these new providers.
Postal Carriers: Those carriers who responded
to the consultation exercise stated that they already have an
interception capability, and that any costs imposed by Option
3 would therefore be very small.
(iii) Total Compliance Costs
Total compliance costs in the short term are
not expected to exceed the measure of significance (£20 million)
used by the Regulatory Impact Unit of the Cabinet Office. More
details are commercially and operationally sensitive, and are
therefore included in a confidential annex to this document. However,
an indication of the scale of interception carried out in response
to warrants can be taken from the number of warrants issued each
year. The following statistics are presented in line with the
practice of the Interception Commissioner:
1993-1998 Warrants for Interception[92]
(FIGURES IN BOLD REPRESENT THOSE WARRANTS LEFT IN PLACE AT THE END OF THE YEAR.)
| Year | Home Secretary | | Secretary of State for Scotland | |
| 1992 | 874 | **337** | 92 | **27** |
| 1993 | 998 | **372** | 122 | **37** |
| 1994 | 947 | **359** | 100 | **37** |
| 1995 | 997 | **405** | 138 | **72** |
| 1996 | 1,142 | **477** | 228 | **63** |
| 1997 | 1,456 | **460** | 256 | **38** |
| 1998 | 2,031 | **487** | 268 | **54** |
6. RESULTS OF CONSULTATIONS
The Government's consultation document "The Interception
of Communications in the United Kingdom" was published on
22 June. It proposed that the scope of the existing legislation
be extended, and that CSPs be required to provide a reasonable
intercept capability with regard to those networks they operated
which were publicly available (ie Option 3).
In total 85 responses to the document were received, fairly
equally divided between government, industry and other interests.
There was a general recognition that the Interception of Communications
Act 1985 did need updating, but that in principle the interception
of communications was justifiable where it was done for clearly
defined purposes and with proper safeguards in place.
Nearly all respondents also conceded that the scope of the
legislation should be extended to cover all CSPs providing publicly
available services: this proposal was particularly welcomed by
the law enforcement community, and by those providers already
subject to IOCA. However, there was less agreement about how to
allocate the costs this extension in scope would involve. Those
responses where permission to publish was not withheld, and
a summary of all responses, are available from the Home Office
website at www.homeoffice.gov.uk/oicd/conslist2.htm.
7. SUMMARY AND RECOMMENDATIONS
Following Option 1 is not realistic. It is essential that
the scope of the interception legislation be extended, if existing
powers are not to be seriously degraded by the growth of new technology.
Option 2 would involve an extension in scope, which would
be of benefit insofar as intercepting agencies could require reasonable
assistance from the CSP concerned. However, were such providers
to make no provision for interception on their networks, it could
prove difficult or even impossible for an interception warrant
to be given effect within the necessary time-scale, even with
the full assistance of the provider concerned. Such a capability
would have to be developed from scratch by the agency on which
the warrant had been served. This option would also put those
CSPs who have built an interception capability into their systems
at a disadvantage.
Option 3, which proposes an extension in scope and corresponding
requirement on CSPs to provide a reasonable interception capability,
has therefore been identified as the most appropriate way forward.
This option will entail cost to some sectors of the communication
provider industry, substantial in some cases. But this must be
set against the wider costs to society that would accrue from
allowing the use of communications technologies effectively inaccessible
to law enforcement to undermine their ability to detect and prevent
serious crime and threats to national security. Option 3 is also
considered to be the most effective option for ensuring a level
commercial playing field for all CSPs in the UK.
Maintenance of an interception capability forms a requirement
for CSPs in countries where these providers are in commercial
competition with the UK, both in Europe and globally, including
such countries as France, Germany, the Netherlands, Sweden, Canada,
the USA and Australia.
8. ENFORCEMENT, SANCTIONS, MONITORING AND REVIEW
All warrants for interception are personally and expressly
authorised by the Secretary of State. Following devolution, the
function of authorising interception warrants in respect of serious
crime targets located in Scotland has been executively devolved
to Scottish Ministers. It is proposed to introduce an offence
of "tipping off" another person that a warrant has been
served, or telling them of its content. There will be statutory
defences. Further, the Bill will introduce a civil liability in
respect of a failure to comply with the requirement to provide
a reasonable intercept capability or reasonable assistance in
giving effect to an interception warrant.
Although it will be for the Secretary of State to decide
what constitutes a reasonable capability, he cannot do so unless
the Order identifying the requirement is laid before Parliament.
Before the Order is laid before Parliament, the Secretary of State
must have consulted relevant interests as to its contents. This
will help meet the policy intention that any requirements are
reasonable, proportionate and do not place CSPs at a disadvantage
compared with their competitors.
The use of warrants will be subject to specific safeguards
and oversight procedures. These include a Commissioner to review
the exercise of the Secretary of State's authorisation powers
and a Tribunal to deal with complaints. A statutory code of practice
is also proposed to govern the conduct of the agencies in applying
for and effecting warrants, and in handling the resulting product.
Annex 2
Regulatory Impact Assessment
REGULATION OF INVESTIGATORY POWERS BILL: PART III
1. TITLE
Investigation of Electronic Data Protected by Encryption
etc.
2. PURPOSE AND INTENDED EFFECT OF THE MEASURE
(i) Issue and Objective
Issue: The Government is committed to promoting electronic
commerce. But for e-commerce to reach its full potential, people
need confidence in the security of transactions. Cryptography,
the science of how codes work, can help instil that confidence.
The technology can be used to guarantee the integrity, authenticity
and confidentiality of electronic data. And it can be used to
help prevent some types of crime (eg fraud over the Internet).
There is a difficulty though in that the same technology can also
be put to criminal use.
For law enforcement, it is the confidentiality aspect that
is the important issue: the ability of criminals to protect
or "encrypt" the content of their stored data or communications.
Strong encryption packages are available whose codes cannot realistically
be broken by any means other than using the relevant decryption
key. Criminals are increasingly using this technology to frustrate
law enforcement investigations. There is currently no explicit
legal basis to allow law enforcement agencies to require the disclosure
of a decryption key. And the difficulties for law enforcement
will increase, as strong encryption becomes more readily available
and easier to use.
Government has a responsibility for ensuring that the United
Kingdom remains a secure environment in which e-commerce can flourish.
The issue then is how to facilitate the lawful use of cryptography
by business and others while making it as difficult as possible
for criminals to exploit the same technology for their own purposes.
Objective: The proposal is to establish a new statutory
power to enable properly authorised persons (such as members of
the law enforcement, security and intelligence agencies) to serve
written notices requiring the disclosure of the means necessary
to make encrypted material intelligible (eg a decryption key)
or the disclosure of the material itself in an intelligible form
(plain text). They may make this demand of whomever it reasonably
appears holds or can access a relevant key. The ability to serve
a written notice will only apply to lawfully obtained information
and will need to be authorised by, for example, the Secretary
of State, Scottish Ministers, or a judge depending on the powers
under which information has been, or is being, lawfully obtained.
It will be an offence to refuse to comply with the terms of a
written notice.
The objective is to help maintain, so far as possible, the
effectiveness of existing statutory powers on which the United
Kingdom's law enforcement, security and intelligence agencies
rely in combating serious crime and threats to national security.
(ii) Risk Assessment
Without the new powers, there is a risk that any criminally
minded individual could use encryption successfully to evade detection
and prosecution. Criminal use of encryption threatens to undermine
statutory law enforcement powers in two broad areas: search and
seizure and interception of communications.
The risk is extremely difficult to quantify but, as an illustration,
and at the top end of the scale, the successes outlined in the
Regulatory Impact Assessment for Part I of the Bill, achieved
as a result of lawful interception of communications, would have
been in jeopardy had the criminals encrypted their communications
and had the law enforcement agencies lacked the powers to ensure
their timely decryption. The prognosis is that law enforcement's
difficulties will increase as encryption becomes more pervasive
and as communications technologies converge. And the bottom line
is that society as a whole will suffer if criminals are able to
use new technologies, such as encryption, with complete impunity.
3. OPTIONS
Three options have been identified:
Option 1: Rely on existing powers.
Option 2: Grant further powers to demand access to keys
or plain text.
Option 3: Establish a system of licensing with mandatory
key escrow.
Issues of Equity and Fairness
None of the identified options would seem likely to discriminate
against any particular element of society.
The most significant equity issue is that which stems from
the very use of encryption. The balance to be struck is between
ensuring that individuals and businesses may freely use the technology
for legitimate purposes whilst limiting the possibilities for
using the same electronic processes for criminal purposes. In
short, is the potential burden created by the new power to demand
access to decryption keys or plain text justified by the need
to maintain public safety?
4. BENEFITS
(i) Option 1: Rely on existing powers
The benefits in relying on existing powers would lie in the
unfettered way in which the use of encryption could contribute
to the development of e-commerce. And whilst recognising that
encryption can help prevent certain types of crime, there are
no benefits for law enforcement in Option 1 in terms of detecting
and prosecuting criminal activity since existing powers are considered
to be deficient.
(ii) Option 2: Grant further powers to demand access
to keys or plain text
It is not considered that this option would significantly
fetter the spread of encryption or the development of e-commerce.
And it would benefit law enforcement by helping to maintain the
effectiveness of existing statutory powers on which the agencies
rely in seeking to ensure that the United Kingdom remains a safe
place for everyone to live and work (business included).
(iii) Option 3: Mandatory Key Escrow
This option would require all providers of encryption services
to bank copies of their client's keys with a third party. This
would benefit law enforcement since it would facilitate lawful
access to keys, usually without the knowledge of the suspect.
If key escrow was widely adopted and implemented, no other technique
would give anything like the same functionality in meeting the
needs of law enforcement. But industry has argued, and the Government
has accepted, that mandating the introduction of key escrow would
significantly impair the confidence of individuals and business
in the confidentiality of their electronic transactions. This
lack of confidence would hamper the development of e-commerce, a
stated objective of the Government. It would also mean a loss
of competitiveness for the United Kingdom economy.
5. QUANTIFYING AND VALUING THE BENEFITS
As set out in the Regulatory Impact Assessment for Part I,
the objective of combating serious crime is difficult to quantify.
The objective of promoting e-commerce presents similar difficulties.
The relevant merits of the three options in quantitative terms,
then, are not easy to pin down.
However, the figures for interception successes in Part I
give an indication of the potential drawbacks of Option 1. All
these successes would be in jeopardy.
Option 2 would help mitigate these drawbacks to some extent.
It seems unlikely that this option, involving properly authorised
access to keys/plain text, will significantly limit the development
of e-commerce.
Finally, the merits of making key escrow a mandatory condition
of being a licensed provider of cryptographic services (Option
3) were the subject of detailed consideration by a special task
force set up under the auspices of the Performance and Innovation
Unit (PIU) of the Cabinet Office which held discussions with industry
during February and March 1999. A PIU report on encryption and
law enforcement, drawing on the findings of the task force, was
published in May 1999[93].
It recommended that the Government should no longer pursue key
escrow as a policy option.
6. COMPLIANCE COSTS FOR BUSINESS, CHARITIES AND VOLUNTARY ORGANISATIONS
(i) Business Sectors Affected
Encryption software may be supplied and used in a number
of ways. For example, the technology might be supplied either
directly to an individual customer or indirectly via a company
network. It follows that any business involved in producing or
supplying encryption products or services or using such products;
or individuals using the technology could, conceivably, be affected
by the Government's proposals.
Costs would occur where an individual or a business was the
subject of an authorised written notice demanding access to keys
or plain text. It is very difficult to predict how frequently
this will happen. But the presumption is that in a relatively
short space of time, as the technology becomes more widespread
and easier to use, encryption will become the technology of choice
for criminals seeking to maintain the confidentiality of their
communications or data.
(ii) Compliance Costs
Option 1 would not result in any additional costs to business
since there would be no changes to current practices. Option 3
(key escrow) was proposed by the previous administration in March
1997 as part of a mandatory licensing regime and previously considered
as an element of this Government's approach (but under a voluntary
licensing scheme). Key escrow would involve costs associated with
the secure storage of keys but this was not the only factor in
the decision to abandon this option. Business argued that to impose
key escrow on them would hinder their business development without
significantly helping the law enforcement case. Both technical
and commercial reasons were identified which ultimately led to
the abandonment of the policy linking key escrow to licensing.
Under Option 2, law enforcement agencies would have the power
to serve written notices requiring that a relevant decryption
key is surrendered or that specified material is delivered up
in an intelligible form (plain text). The individual or organisation
served with the notice would therefore incur certain costs in
the process of complying with the terms of the notice. Keys or
plain text would be required to be delivered in a timely and secure
fashion. Compliance costs may vary on a case to case basis and
may differ depending on the technology being used. Providing actual
figures on compliance costs is difficult at this stage. The market
is in its infancy and it is impossible to predict the range and
type of services which will emerge.
The Government envisages that in most cases, the production
of plain text will be deemed acceptable in response to the service
of a notice, especially with respect to reputable businesses.
Compliance costs may, in such instances, be limited to the administrative
costs of processing that notice and handing over the plain text
of the data in question. These costs could range from a few hundred
to a few thousand pounds depending on the nature of the organisation
and the data in question. Costs may be greater where, in cases
of urgency for example, an organisation is required to provide
assistance outside the times it normally operates or where information
has to be sourced from another site (possibly outside the United
Kingdom). But in any case, the Government is proposing to meet
the marginal costs which eg a business might incur in complying
with the requirements of a notice (along the lines of the present
regime for interception warrants).
Where a notice specifies that a key be handed over, the individual/business
will need to take a view on whether their security has been compromised
and there is a need to change their or their clients' keys. The
Bill contains Statutory safeguards governing the retention and
use to which a key obtained under the new powers may be put. But
despite this, a business may decide that its security has been
compromised and may incur consequential costs in changing keys.
These will depend on the size and nature of the security system
concerned. They could be limited to fairly modest IT and administration
costs running from a few hundred to perhaps a few thousand pounds,
depending on the individual circumstances. The Government envisages
that this outcome is only likely to occur in a minority of cases.
(iii) Total Compliance Costs
Estimating total compliance costs is difficult because of
the variables involved in the calculation. It is difficult to
predict precisely how often the new law enforcement powers would
be used. But experience indicates that criminals are quick to
exploit new technologies in an attempt to evade detection. So
the presumption is that an increasing proportion of unintelligible
material will be encountered during law enforcement investigations
(such as those involving interception, numbers for which are outlined
in Part I) as strong encryption technologies become more readily
available and easier to use. Individual costs for complying with
notices are also difficult to predict (as indicated in (ii) above)
as are consequential costs incurred in changing keys. A rough
estimate could be achieved though by taking an average consequential
cost of say, £2,000 for changing a key. Even if this was
multiplied by, say, an illustrative figure for interception warrants
issued per year (2,031 for 1998), total compliance costs to business
relating to Part III of the RIP Bill are not expected to exceed
the measure of significance (£20 million) used by the Regulatory
Impact Unit of the Cabinet Office.
7. RESULTS OF CONSULTATIONS
The Government published a consultation document on 5 March
1999[94] proposing that
new powers to require disclosure of decryption keys or plain text
be introduced (ie Option 2). The DTI published a summary of responses
in July 1999[95]. Of
those responding, there was a general recognition that law enforcement
agencies should be given reasonable assistance (subject to proper
authorisation) to carry out investigations. Law enforcement agencies
responding to the document were unanimous that the actual or potential
use of encryption by criminals represents a serious threat
to them and to society. There was a welcome that new powers were
being proposed to counter this threat.
The PIU report on encryption and law enforcement, published
in May 1999, which drew on the work of the special task force
on encryption which held detailed discussions with industry about
the encryption issue, discounted linking key escrow to licensing
(Option 3) as a way forward. But the report specifically recommended
the introduction of new powers to assist law enforcement agencies
(ie Option 2).
A draft Electronic Communications Bill was published on 23
July 1999[96] for public
consultation. It contained draft Clauses providing for new powers
to allow lawful access to decryption keys or the plain text of
encrypted material under proper authority (ie Option 2). A summary
of responses was again published by the DTI in November 1999[97].
The Government has considered carefully the views of commentators
who expressed a number of concerns about the detailed legislative
proposals. And having reflected carefully on its position, the
Government decided that the proposed new law enforcement powers
should be removed from the DTI's Electronic Communications Bill
(which was subsequently introduced to Parliament on 18 November
1999) and included in the Regulation of Investigatory Powers (RIP)
Bill. The provisions which appear in the Bill include a number
of changes made in the light of the consultation exercise.
8. SUMMARY AND RECOMMENDATIONS
Following Option 1 is not realistic. It is essential that
statutory powers designed to protect public safety are not undermined
by new technologies. Encryption is already causing difficulties
for law enforcement agencies and these will undoubtedly increase.
As regards Option 3, the Government's consultation document published
in March consulted on the basis that key escrow would not be a
requirement of licensing. The Government accepted the recommendation
contained in the PIU report to abandon the policy of linking key
escrow to licensing. It has explicitly been ruled out as an option
in the DTI's Electronic Communications Bill currently before Parliament
(Clause 13).
Option 2, providing new powers to allow access to decryption
keys or plain text under proper authority, has therefore been
identified as the most appropriate way forward which goes some
way to meeting the needs of law enforcement while, at the same
time, not hindering the growth of e-commerce in the UK. This will
entail some costs to those served with written notices. But these
must be set against the wider costs to society (eg those involved
in tackling the drugs problem set out in the Regulatory Impact
Assessment for Part I) that would result from criminals being
able to use encryption technologies with impunity. It is considered
that the balance therefore lies in favour of pursuing Option 2.
And there are benefits which, in monetary terms, are not easily
defined. Take Internet paedophile activity as an example. Each
paedophilic image is an instance of child abuse. Given the propensity
for those involved in distributing such images over the Internet
to use encryption to conceal their activities, victims of abuse
will remain unidentified and their abusers free to commit further
crimes unless law enforcement has the ability to decrypt such
material.
9. ENFORCEMENT, SANCTIONS, MONITORING AND REVIEW
It will be necessary to obtain proper authority to invoke
the new powers requiring the disclosure of decryption keys or
plain text. The level of authority will vary depending on the
underlying statutory power. In many cases, this will mean that
use of the power will need to be authorised by, for example, the
Secretary of State, Scottish Ministers or a Judge.
It is proposed to introduce two new offences in relation
to the new powers: an offence of failure to comply with the terms
of a written notice and, in certain circumstances, an offence
of "tipping off" another person that a notice has been
served or the content of it. There will be statutory defences.
The use of these powers will be subject to specific safeguards
and oversight procedures to protect the security and privacy of
material obtained under a written notice. There will be a Commissioner
to review the exercise of the Secretary of State's new authorisation
powers and a Tribunal to deal with complaints. It is also proposed
that the Secretary of State consults on, and issues, a Statutory
Code of Practice governing the use of the new powers.
Annex 3
Draft order laid before Parliament under section 12(10)
of the Regulation of Investigatory Powers Act 2000 for approval
by resolution of each House of Parliament
DRAFT STATUTORY INSTRUMENTS
2002 No.
Investigatory Powers
The Regulation of Investigatory Powers (Maintenance of Interception
Capability) Order 2002
Made: 2002
Coming into force: 1st August 2002
Whereas the Secretary of State has consulted the persons
listed in section 12(9) and (11) of the Regulation of Investigatory
Powers Act 2000 ([98])
about this order;
And whereas a draft of this Order has been laid before
Parliament and approved by a resolution of each House;
Now, therefore, the Secretary of State, in exercise of the
powers conferred on him by section 12(1), (2) and (5) and section
78(5) of that Act, hereby makes the following Order:
Citation, commencement and interpretation
1. (1) This Order may be cited as the Regulation of
Investigatory Powers (Maintenance of Interception Capability)
Order 2002 and shall come into force on 1st August 2002.
(2) In this order "service provider" means
a person providing a public postal service or a public telecommunications
service, or proposing to do so.
Interception capability
2. (1) The Schedule to this Order sets out those
obligations which appear to the Secretary of State reasonable
to impose on service providers for the purpose of securing that
it is and remains practicable for requirements to provide assistance
in relation to interception warrants to be imposed and complied
with.
(2) Subject to paragraph (3) the obligations in
(a) Part I of the Schedule only apply to service providers
who provide, or propose to provide, a public postal service; and
(b) Part II of the Schedule only apply to service providers
who provide, or propose to provide, a public telecommunications
service.
(3) The obligations in Part II of the Schedule shall
not apply to service providers who
(a) do not intend to provide a public telecommunications service
to more than 10,000 persons in any one or more parts of the United
Kingdom and do not do so; or
(b) only provide, or propose to provide, a public telecommunications
service in relation to the provision of banking, insurance, investment
or other financial services.
INTERCEPTION CAPABILITY NOTICES
3. (1) The Secretary of State may give a service
provider a notice requiring him to take all such steps falling
within paragraph (2) as may be specified or described in the notice.
(2) Those steps are ones appearing to the Secretary of
State to be necessary for securing that the service provider has
the practical capability of meeting the obligations set out in
the Schedule to this Order.
REFERRAL OF NOTICES TO THE TECHNICAL ADVISORY BOARD
4. The period within which any person to whom a notice
has been given under article 3 may refer the notice to the Technical
Advisory Board is specified as being before the end of 28 days
from the date of the notice.
Home Office Parliamentary Under-Secretary of State 2002
SCHEDULE Article 2
OBLIGATIONS ON SERVICE PROVIDERS
Part I:
1. To ensure the interception and temporary retention
of postal items destined for addresses in the United Kingdom for
provision to the person on whose application the interception
warrant was issued.
2. To provide for the interception and retention of postal
items sent by identified persons where the carrier keeps records
of who sent which item in the course of their normal business.
3. To maintain a system of opening, copying and resealing
of any postal item carried for less than £1.
4. To comply with the obligations set out in paragraphs
1 to 3 above in such a manner that the chance of the interception
subject or other unauthorised persons becoming aware of any interception
is minimised.
Part II: Interception Capability for Public Telecommunication
Services
5. To provide a mechanism for implementing interceptions
within one working day of the service provider being informed
that the interception has been appropriately authorised.
6. To ensure the interception, in their entirety, of
all communications and related communications data authorised
by the interception warrant and to ensure their simultaneous (ie
in near real time) transmission to a hand-over point within the
service provider's network as agreed with the person on whose
application the interception warrant was issued.
7. To ensure that the intercepted communication and the
related communications data will be transmitted so that they can
be unambiguously correlated.
8. To ensure that the hand-over interface complies with
any requirements communicated by the Secretary of State to the
service provider, which, where practicable and appropriate, will
be in line with agreed industry standards (such as those of the
European Telecommunications Standards Institute).
9. To ensure filtering to provide only the traffic data
associated with the warranted telecommunications identifier, where
reasonable.
10. To ensure that the person on whose application the
interception warrant was issued is able to remove any electronic
protection applied by the service provider to the intercepted
communication and the related communications data.
11. To enable the simultaneous interception of the communications
of up to 1 in 10,000 of the persons to whom the service provider
provides the public telecommunications service, provided that
those persons number more than 10,000.
12. To ensure that the reliability of the interception
capability is at least equal to the reliability of the public
telecommunications service carrying the communication which is
being intercepted.
13. To ensure that the intercept capability may be audited
so that it is possible to confirm that the intercepted communications
and related communications data are from, or intended for the
interception subject, or originate from or are intended for transmission
to, the premises named in the interception warrant.
14. To comply with the obligations set out in paragraphs
5 to 13 above in such a manner that the chance of the interception
subject or other unauthorised persons becoming aware of any interception
is minimised.
EXPLANATORY NOTE
(This Note is not part of the Order)
Part I of the Regulation of Investigatory Powers Act 2000
("the 2000 Act") contains provisions about the interception
of communications transmitted by means of a public postal service
or a public telecommunications service. Interception is permitted
under the 2000 Act by certain public authorities who obtain an
interception warrant. This Order sets out the obligations which
it appears to the Secretary of State reasonable to impose on the
providers of public postal services or public telecommunications
services ("service providers") for the purpose of securing
that it is and remains practicable for requirements to provide
assistance in relation to interception warrants to be imposed
and complied with.
These obligations are set out in the Schedule to the Order.
The obligations in Part I of the Schedule relate only to persons
who provide, or propose to provide, a public postal service. The
obligations in Part II of the Schedule relate only to persons
who offer, provide, or propose to provide a public telecommunications
service to more than 10,000 persons in any one or more parts of
the United Kingdom, other than service providers who only provide
a public telecommunications service in relation to the provision
of banking, insurance, investment or other financial services.
Article 3 enables the Secretary of State to ensure compliance
with the obligations by providing that he may give a service provider
a notice requiring it to take the steps described in the notice.
The notice may only contain steps which appear to the Secretary
of State necessary for securing that that service provider has
the practical capability of meeting those obligations set out
in the Schedule which apply to that service provider.
Article 4 specifies the period within which a person served
with a notice may refer it to the Technical Advisory Board.
This Order was notified in draft to the European Commission
in accordance with Directive 98/34/EC, as amended by Directive
98/48/EC.
[89] PSA: "Action against Illegal Drugs".
[90] Research by South Bank University.
[91] Memorandum from HM Customs and Excise to the Treasury Select Committee
Sub-Committee.
[92] It should be noted that a proportion of the increase in warranty
activity is partly due to the larger number of services being
used by individual interception subjects, rather than being entirely
due to an increase in the number of interception targets per
se.
[93] Encryption and Law Enforcement-A Performance and Innovation
Unit Report-26 May 1999.
[94] Building Confidence in Electronic Commerce-URN 99/642.
[95] URN 99/891.
[96] Promoting Electronic Commerce-Cm 4417.
[97] URN 99/1218.
[98] 2000 c. 23.