Letter by Charles Clarke MP, Minister
of State, Home Office to Professor Jim Norton, Head of E-Business
Policy, Institute of Directors
REGULATION OF INVESTIGATORY POWERS BILL
Thank you for your letter of 8 June to Jack
Straw and Stephen Byers about the Regulation of Investigatory
Powers (RIP) Bill. I have also seen the IoD press release that
accompanied this and noted your recent comments in the media.
I am replying as the Minister with responsibility for the Bill.
I am grateful for your recognition that there
is a need to update, in a properly regulated way, law enforcement
powers. I certainly share the IoD's desire to see effective policing
of criminal activities in the business environment. You have raised
a number of concerns about how the RIP Bill seeks to achieve this
goal. I address each, in turn, below.
You raise a specific concern about references
to information "likely to come into the possession of ..."
which appears in Part III of the Bill. Let me clarify
the position on this. The futuristic element "or is likely
to do so" in Clause 46(1) is needed for cases where there
are reasonable grounds for anticipating that, for example, a suspected
criminal is using encryption to protect material and reasonable
grounds for believing that the location of the relevant key to
that material is known. It is entirely conceivable that there
will be cases where, for example, the police have reasonable grounds
for believing that a suspect in a criminal investigation is using
encryption before they apply to the court for a warrant to search
his premises. So it is right that the police should be able to
apply for authority to serve a decryption notice at the time they
apply for a search warrant. The futuristic element in 46(1)(a)
allows them to do this. I think that this is entirely sensible.
You also mention "uncertainty" about
who may seek access to encryption key material. The fundamental
point is that the power to serve a decryption notice can only
be authorised in cases involving lawfully obtained material which
has been protected in some way. Clause 46(1) defines the various
means by which such material may be obtained.
Let me expand on this. It is conceivable that
protected (eg encrypted) material may be encountered in a very
wide range of circumstances. This could include, for example,
material seized under a judicially authorised warrant; intercepted
under a warrant personally authorised by the Secretary of State;
or material obtained under an agency's statutory functions but
where no warrant is required. The definitions in Clause 46(1)(a)-(e)
account for all these eventualities. The policy objective is to
maintain, as far as possible, the effectiveness of all statutory
powers and functions.
Use of the decryption power must be specifically
authorised. Clause 46(7) has the effect of saying that the level
of authorisation needed to serve a decryption notice in a particular
instance will vary according to the power under which protected
material has been or is likely to be, lawfully obtained. The details
are set out in Schedule 1. Essentially, it is the case that the
service of a decryption notice must be authorised by at least
the same level as required for the exercise of the underlying
power. So, for example, where a notice is served ancillary to
an interception warrant personally authorised by the Secretary
of State, it will be for the Secretary of State to authorise the
service of that notice. In the case of authorities not specifically
named in the Bill, but who nevertheless have statutory powers
which may conceivably be affected by encryption, the authority
to serve a decryption notice must be given by a Circuit Judge
(by virtue of paragraph 4(3) and (4) of Schedule 1).
On the question of where the boundary lies between
communication data and content of communication, I acknowledge
that the distinction, particularly in the context of the Internet,
is not always easy to draw. Lord Bassam spoke about this point
and the rationale behind the amendments to Clauses 2 and 20 in
Committee on 12 June. And he explained that we are in discussion
with industry to find both a practical and easily defined way
of ensuring that content of communication cannot be treated as
communication data. Putting a detailed technical definition on
the face of the Bill might not be the best solution, the
danger being that it would rapidly become obsolete. But we are
looking at this closely.
You ask about the impact of the encryption provisions
on civil liability. Let me make two preliminary points. The first
is that in most cases where legitimate businesses are concerned,
the disclosure of plaintext rather than keys will be sufficient
in responding to a decryption notice. I say more about this below.
The text is no more than information to which the authority serving
the notice already had lawful access. The second point is one
I was keen to emphasise throughout the debates in Parliament on
this Part of the Bill. There are proper safeguards in the Bill
to ensure, in the unusual instance of a key being required as
opposed to text, that the confidentiality of the key is respected.
Clause 51(3) is particularly important in this respect.
These two points mean that a decryption notice
is most unlikely to put the recipient in breach of any duty of
confidentiality. But I can confirm that the intention behind Part
III is to impose a general obligation backed by criminal sanctions.
The effect of the obligation on contractual relationships will
of course be for the courts. But we would certainly anticipate
that a contractual term would not be enforceable if it purported
to treat obedience to a statutory obligation as something capable
of putting a party in breach of contract.
I must be even more circumspect about litigation
in another jurisdiction, on a contract governed by a foreign law.
I can, however, confirm what I said in Committee on this point.
A person's duty of confidentiality to another, however it arises,
will always be compromised to a greater or lesser extent by national
rules requiring the disclosure of information. In this respect,
Part III of this Bill does no more than the many disclosure requirements
approved by Parliament over the years. Indeed, as I have said,
the effect of a decryption notice on confidentiality should be
You list a number of further points also raised
by the British Chambers of Commerce. I have responded to the BCC
on their specific concerns but, for the record, I address them
You raise the issue of preferred access to the
plaintext of protected material rather than a decryption key.
I recognise that this is an important point. We have already made
an amendment in this area which adds an extra test if keys are
to be demanded. It might be helpful if I clarify the position
since I know that the Bill has been misread by many.
The way the Bill works is this. By virtue of
Clauses 47(2) and (3), the disclosure of plain text, in responding
to a section 46 notice, will always be sufficient unless the notice
contains a specific direction that only a key is sufficient. And
imposing such a direction is limited, by Clause 47(4), to occasions
where it is believed that there are "special" circumstances
of the case making this necessary and that imposing such a requirement
is believed to be proportionate to what is sought to be achieved
by doing so.
As I have indicated during the passage of the
Bill, we envisage that the disclosure of the plain text, rather
than a key, will be sufficient in almost all cases responding
to a decryption notice. This is certainly true of legitimate businesses
who are not, themselves, suspected of involvement in any criminality.
But even if keys are demanded, it is also important to recognise
that businesses are free to disclose a session key (if one exists)
rather than a private key in responding to a notice. The Bill
allows them to do this. I highlighted this point in Committee.
But all this said, we are considering, in the light of your and
the BCC's concerns, whether there is room for making the position
clearer in the Bill itself.
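The distinction the letter draws between a session key and a private key, shown as an added example that is not part of the letter or of any Home Office material: a constructed hybrid-encryption envelope in Go (standard library only), in which the per-message session key opens exactly one envelope, whereas the long-term RSA private key would open every envelope ever sent to it. The type and function names are my own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a constructed hybrid-encrypted message: the body is sealed under a
// per-message session key, and only that key is wrapped under the recipient's
// long-term RSA public key. The private key is never needed to read the body.
type Envelope struct {
	WrappedKey, Nonce, Body []byte // RSA-OAEP-wrapped session key; GCM nonce; GCM ciphertext
}

// Seal encrypts msg for pub under a fresh random 256-bit session key.
func Seal(pub *rsa.PublicKey, msg []byte) (Envelope, error) {
	buf := make([]byte, 32+12) // session key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return Envelope{}, err
	}
	sessionKey, nonce := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return Envelope{}, err
	}
	block, _ := aes.NewCipher(sessionKey) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)        // AES block size is 16: cannot fail
	return Envelope{wrapped, nonce, gcm.Seal(nil, nonce, msg, nil)}, nil
}

// UnwrapSessionKey is the private-key holder's step: it recovers the session
// key for one envelope, which is all that is needed to read that envelope.
func UnwrapSessionKey(priv *rsa.PrivateKey, e Envelope) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
}

// OpenWithSessionKey reads an envelope from a disclosed session key alone;
// GCM authentication fails if the key belongs to a different envelope.
func OpenWithSessionKey(sessionKey []byte, e Envelope) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm.Open(nil, e.Nonce, e.Body, nil)
}
```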
You also raise the issue of security of keys
and liability. We recognise the need to store securely all sensitive
material, including any keys, obtained under the Bill. There are
two limbs to this. Firstly, Clause 51 sets out strong statutory
safeguards governing the retention, copying and destruction of
material obtained under the new powers. Independent Commissioners
will have a statutory responsibility to oversee the adequacy of
the safeguards arrangements, and to report any inadequacies to
the Prime Minister. Secondly, deploying the highest level of protection
for keys and other sensitive information relating to key holders
is a specific objective of the technical project to establish
the new Technical Assistance Centre which will assist law enforcement
It is important to stress that the Bill does
not give any protection to the Government if it uses interception
or decryption wrongly. In fact, the Bill and the Human Rights
Act together strengthen the individual's position against the
state. Every interference with privacy rights must follow the
law to the letter, and must be justifiable. If it is not, the
individual or business concerned can sue.
The concern here is about the effect of serving
decryption notices inside a corporate environment. I hope I can
offer some reassurance.
Notices will clearly have to be served at the
most appropriate place within an organisation. If notices are
served on an IT department for example, we fully envisage that
Directors should also normally be informed. The Bill says that
notices may allow such disclosure. There would, it seems to me,
have to be pretty exceptional circumstances for this not to happen, perhaps,
for example, where the Director himself is suspected of involvement
in criminal activity. We have always thought that this is probably
something to be covered in the Code of Practice, rather than on
the face of the Bill. But we are giving further thought to this.
And it is important to remember that the "tipping off"
offence does not come into play in all cases. Imposing a secrecy
requirement is limited, by virtue of Clause 50(3), to occasions
where it is reasonable to maintain, for example, the covert nature
of an investigation.
CLAUSE 49 OFFENCE
Let me clarify the situation as regards this
offence. Clause 49(1) states that a person is guilty of an offence
if he fails to comply with a requirement to disclose a key and
he is a person who has, or has had, possession of the key to the
protected data in question. Thus the burden, and it is a significant
one, falls on the prosecution to prove possession of the key beyond
reasonable doubt. There are statutory defences in 49(2) and (3)
for those who have lost or forgotten keys; where keys have been
destroyed; or where it was not practicable to disclose a key within
the timescale asked. These need only to be established on the
lower level of proof, the balance of probabilities. That
is, an accused explains what has happened and it will be for the
court to decide whether, on balance, he is telling the truth.
How might someone demonstrate that, on balance,
they no longer have a key? I think that businesses are in a good
position in this regard. A business, for example, might show that
it is prescribed company IT security policy to change keys after
a particular length of time; that there are logs or records tracking
the destruction or revocation of particular keys; and that new
keys are now being used for all company business. This said, and
as Lord Bassam indicated during Second Reading of the Bill in
the House of Lords on 25 May, we welcome suggestions on how the
offence in Clause 49 might be improved. We are considering ourselves
ways of improving the construction of the offence to see whether,
as with the rest of the Bill, we have got the balance right.
You raise, finally, the issue of the requirement
in Clause 12 of the Bill to maintain an interception capability.
We know that questions of costs are critical for communications
service providers (CSPs). There is a clear obligation in the Bill
to consult with all those affected before any new requirements
come into force. This process has already started with all sectors
of the CSP industry.
Maintenance of an interception capability forms
a basic requirement for CSPs in countries that are in commercial
competition with the UK, both in Europe and globally, including
countries such as France, Germany, the Netherlands, Sweden, Canada,
the USA and Australia. We feel that viewed in an international
context, the proposed requirements in Part I of the Bill are not
unreasonable, nor will they place the UK's communication services
at a commercial disadvantage. And in reaching a decision on what
constitutes appropriate intercept requirements, we will take full
account of internationally recognised standards such as the International
User Requirements for the Lawful Interception of Communications
and other interception standards (eg those produced by the European
Telecommunications Standards Institute).
As you will know, we commissioned an independent
report from Smith Group Ltd on technical and cost issues associated
with providing a reasonable intercept capability (a copy is available
on the Home Office website). We did so to better inform the debate
with, particularly, Internet Service Providers (ISPs) on these
critical issues. Prior to this, figures were being bandied about
that bore little resemblance to what the real costs would be.
We now welcome the opportunity to engage with industry in a more
informed way than has previously been the case.
It is important to remember though that we are
not simply talking about ISPs in relation to interception. Public
Telecommunications Operators (PTOs) bear costs at present. So
we must look at ensuring a level playing field. We do not currently
require all PTOs to possess an intercept capability. Similarly
we do not expect to ask all ISPs in the UK to have a standing
intercept capability in the future.
A copy of this letter goes to Jack Straw and
Stephen Byers. I am also arranging for a copy to be placed on
the RIP Bill page of the Home Office website.
19 June 2000