Select Committee on European Union Minutes of Evidence


Letter by Charles Clarke MP, Minister of State, Home Office to Professor Jim Norton, Head of E-Business Policy, Institute of Directors

REGULATION OF INVESTIGATORY POWERS BILL

  Thank you for your letter of 8 June to Jack Straw and Stephen Byers about the Regulation of Investigatory Powers (RIP) Bill. I have also seen the IoD press release that accompanied this and noted your recent comments in the media. I am replying as the Minister with responsibility for the Bill.

  I am grateful for your recognition that there is a need to update, in a properly regulated way, law enforcement powers. I certainly share the IoD's desire to see effective policing of criminal activities in the business environment. You have raised a number of concerns about how the RIP Bill seeks to achieve this goal. I address each, in turn, below.

DEFINITIONS

  You raise a specific concern about references to information "likely to come into the possession of . . ." which appears in Part III of the Bill. Let me clarify the position on this. The futuristic element "or is likely to do so" in Clause 46(1) is needed for cases where there are reasonable grounds for anticipating that, for example, a suspected criminal is using encryption to protect material and reasonable grounds for believing that the location of the relevant key to that material is known. It is entirely conceivable that there will be cases where, for example, the police have reasonable grounds for believing that a suspect in a criminal investigation is using encryption before they apply to the court for a warrant to search his premises. So it is right that the police should be able to apply for authority to serve a decryption notice at the time they apply for a search warrant. The futuristic element in 46(1)(a) allows them to do this. I think that this is entirely sensible.

  You also mention "uncertainty" about who may seek access to encryption key material. The fundamental point is that the power to serve a decryption notice can only be authorised in cases involving lawfully obtained material which has been protected in some way. Clause 46(1) defines the various means by which such material may be obtained.

  Let me expand on this. It is conceivable that protected (eg encrypted) material may be encountered in a very wide range of circumstances. This could include, for example, material seized under a judicially authorised warrant; intercepted under a warrant personally authorised by the Secretary of State; or material obtained under an agency's statutory functions but where no warrant is required. The definitions in Clause 46(1)(a)-(e) account for all these eventualities. The policy objective is to maintain, as far as possible, the effectiveness of all statutory powers and functions.

  Use of the decryption power must be specifically authorised. Clause 46(7) has the effect of saying that the level of authorisation needed to serve a decryption notice in a particular instance will vary according to the power under which protected material has been or is likely to be, lawfully obtained. The details are set out in Schedule 1. Essentially, it is the case that the service of a decryption notice must be authorised by at least the same level as required for the exercise of the underlying power. So, for example, where a notice is served ancillary to an interception warrant personally authorised by the Secretary of State, it will be for the Secretary of State to authorise the service of that notice. In the case of authorities not specifically named in the Bill, but who nevertheless have statutory powers which may conceivably be affected by encryption, the authority to serve a decryption notice must be given by a Circuit Judge (by virtue of paragraph 4(3) and (4) of Schedule 1).

  On the question of where the boundary lies between communication data and content of communication, I acknowledge that the distinction, particularly in the context of the Internet, is not always easy to draw. Lord Bassam spoke about this point and the rationale behind the amendments to Clauses 2 and 20 in Committee on 12 June. And he explained that we are in discussion with industry to find both a practical and easily defined way of ensuring that content of communication cannot be treated as communication data. Putting a detailed technical definiton on the face of the Bill might not be the best solution—the danger being that it would rapidly become obsolete. But we are looking at this closely.

LIABILITY

  You ask about the impact of the encryption provisions on civil liability. Let me make two preliminary points. The first is that in most cases where legitimate businesses are concerned, the disclosure of plaintext rather than keys will be sufficient in responding to a decryption notice. I say more about this below. The text is no more than information to which the authority serving the notice already had lawful access. The second point is one I was keen to emphasise throughout the debates in Parliament on this Part of the Bill. There are proper safeguards in the Bill to ensure, in the unusual instance of a key being required as opposed to text, that the confidentiality of the key is respected. Clause 51(3) is particulary important in this respect.

  These two points mean that a decryption notice is most unlikely to put the recipient in breach of any duty of confidentiality. But I can confirm that the intention behind Part III is to impose a general obligation backed by criminal sanctions. The effect of the obligation on contactual relationships will of course be for the courts. But we would certainly anticipate that a contractual term would not be enforceable if it purported to treat obedience to a statutory obligation as something capable of putting a party in breach of contract.

  I must be even more circumspect about litigation in another jurisdiction, on a contract governed by a foreign law. I can, however, confirm that I said in Committee on this point. A person's duty of confidentiality to another, however it arises, will always be compromised to a greater or lesser extent by national rules requiring the disclosure of information. In this respect, Part III of this Bill does no more than the many disclosure requirements approved by Parliament over the years. Indeed, as I have said, the effect of a decryption notice on confidentiality should be minimal.

  You list a number of further points also raised by the British Chambers of Commerce. I have responded to the BCC on their specific concerns but, for the record, I address them again here.

 PLAINTEXT RATHER THAN KEYS

  You raise the issue of preferred access to the plaintext of protected material rather than a decryption key. I recognise that this is an important point. We have already made an amendment in this area which adds an extra test if keys are to be demanded. It might be helpful if I clarify the position since I know that the Bill has been misread by many.

  The way the Bill works is this. By virtue of Clauses 47(2) and (3), the disclosure of plain text, in responding to a section 46 notice, will always be sufficient unless the notice contains a specific direction that only a key is sufficient. And imposing such a direction is limited, by Clause 47(4), to occasions where it is believed that there are "special" circumstances of the case making this necessary and that imposing such a requirement is believed to be proportionate to what is sought to be achieved by doing so.

  As I have indicated during the passage of the Bill, we envisage that the disclosure of the plain text, rather than a key, will be sufficient in almost all cases responding to a decryption notice. This is certainly true of legitimate businesses who are not, themselves, suspected of involvement in any criminality. But even if keys are demanded, it is also important to recognise that businesses are free to disclose a session key (if one exists) rather than a private key in responding to a notice. The Bill allows them to do this. I highlighted this point in Committee. But all this said, we are considering, in the light of your and the BCC's concerns, whether there is room for making the position clearer in the Bill itself.

SECURITY OF KEYS

  You also raise the issue of security of keys and liability. We recognise the need to store securely all sensitive material, including any keys, obtained under the Bill. There are two limbs to this. Firstly, Clause 51 sets out strong statutory safeguards governing the retention, copying and destruction of material obtained under the new powers. Independent Commissioners will have a statutory responsibility to oversee the adequacy of the safeguards arrangements, and to report any inadequacies to the Prime Minister. Secondly, deploying the highest level of protection for keys and other sensitive information relating to key holders is a specific objective of the technical project to establish the new Technical Assistance Centre which will assist law enforcement over encryption.

  It is important to stress that the Bill does not give any protection to the Government if it uses interception or decryption wrongly. In fact, the Bill and the Human Rights Act together strengthen the individual's position against the state. Every interference with privacy rights must follow the law to the letter, and must be justifiable. If it is not, the individual or business concerned can sue.

GOVERNMENT AS "SHADOW DIRECTOR"

  The concern here is about the effect of serving decryption notices inside a corporate environment. I hope I can offer some reassurance.

  Notices will clearly have to be served at the most appropriate place within an organisation. If notices are served on an IT department for example, we fully envisage that Directors should also normally be informed. The Bill says that notices may allow such disclosure. There would, it seems to me, have to be pretty exceptional circumstances for this not to happen—perhaps, for example, where the Director himself is suspected of involvement in criminal activity. We have always thought that this is probably something to be covered in the Code of Practice, rather than on the face of the Bill. But we are giving further thought to this. And it is important to remember that the "tipping off" offence does not come into play in all cases. Imposing a secrecy requirement is limited, by virture of Clause 50(3), to occasions where it is reasonable to maintain, for example, the covert nature of an investigation.

CLAUSE 49 OFFENCE

  Let me clarify the situation as regards this offence. Clause 49(1) states that a person is guilty of an offence if he fails to comply with a requirement to disclose a key and he is a person who has, or has had, possession of the key to the protected data in question. Thus the burden, and it is a significant one, falls on the prosecution to prove possession of the key beyond reasonable doubt. There are statutory defences in 49(2) and (3) for those who have lost or forgotten keys; where keys have been destroyed: or where it was not practicable to disclose a key within the timescale asked. These need only to be established on the lower level of proof—the balance of probabilities. That is, an accused explains what has happened and it will be for the court to decide whether, on balance, he is telling the truth.

  How might someone demonstrate that, on balance, they no longer have a key? I think that businesses are in a good position in this regard. A business, for example, might show that it is prescribed company IT security policy to change keys after a particular length of time; that there are logs or records tracking the destruction or revocation of particular keys; and that new keys are now being used for all company business. This said, and as Lord Bassam indicated during Second Reading of the Bill in the House of Lords on 25 May, we welcome suggestions on how the offence in Clause 49 might be improved. We are considering ourselves ways of improving the construction of the offence to see whether, as with the rest of the Bill, we have got the balance right.

ISP COSTS

  You raise, finally, the issue of the requirement in Clause 12 of the Bill to maintain an interception capability. We know that questions of costs are critical for communications service providers (CSPs). There is a clear obligation in the Bill to consult with all those affected before any new requirements come into force. This process has already started with all sectors of the CSP industry.

  Maintenance of an interception capability forms a basic requirement for CSPs in countries who are in commercial competition with the UK, both in Europe and globally, including countries such as France, Germany, the Netherlands, Sweden, Canada, the USA and Australia. We feel that viewed in an international context, the proposed requirements in Part I of the Bill are not unreasonable nor will they place the UK's communication services at a commercial disadvantage. And in reaching a decision on what constitutes appropriate intercept requirements, we will take full account of internationally recognised standards such as the International User Requirements for the Lawful Interception of Communications and other interception standards (eg those produced by the European Telecommunications Standards Institute).

  As you will know, we commissioned an independent report from Smith Group Ltd on technical and cost issues associated with providing a reasonable intercept capability (a copy is available on the Home Office website). We did so to better inform the debate with, particularly, Internet Service Providers (ISPs) on these critical issues. Prior to this, figures were being bandied about that bore little resemblance to what the real costs would be. We now welcome the opportunity to engage with industry in a more informed way than has previously been the case.

  It is important to remember though that we are not simply talking about ISPs in relation to interception. Public Telecommunications Operators (PTOs) bear costs at present. So we must look at ensuring a level playing field. We do not currently require all PTOs to possess an intercept capability. Similarly we do not expect to ask all ISPs in the UK to have a standing intercept capability in the future.

  A copy of this letter goes to Jack Straw and Stephen Byers. I am also arranging for a copy to be placed on the RIP Bill page of the Home Office website.

19 June 2000


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2000