UK RIP Bill is killer blow to e-commerce

Once again the British government has proven that it still doesn't get the Net - or more precisely, the legal frameworks that…

Once again the British government has proven that it still doesn't get the Net - or more precisely, the legal frameworks that are required for a healthy e-business climate without threatening the right to privacy.

On February 10th, Britain's Home Office released its long-awaited Regulation of Investigatory Powers draft Bill (appropriately abbreviated to RIP, for a Bill that kills off the hopes of many e-commerce companies that this time, they might get things right). The Bill was promised in the Queen's speech last November, when she discussed the need to promote ecommerce in Britain.

Unfortunately, the British government has had consistent problems with e-commerce bills and has had to scrap several, leaving the UK without any legal infrastructure that deals specifically with digital-era issues.

Difficulties have arisen because British law enforcement keeps trying to introduce draconian levels of surveillance, including rights to intercept communications, that lawyers have argued will not stand up in European courts.

READ MORE

These elements also have proved deeply unpopular with Net users, privacy advocates and with businesses and business groups promoting e-commerce. The latter category of people probably has had the most influence in forcing the British government - Tory or Labour-led - to back down.

Business has also had significant influence in challenging laws related to surveillance and interception in the US, where politicians not particularly noted for their support of civil rights or privacy issues, have come out swinging against law enforcement in this area.

With the complex legal, ethical and moral issues it introduces, the Internet sometimes creates strange bedfellows.

The British government's last e-commerce bill, the Electronic Communications Bill, issued in July by the Department of Trade and Industry, had a whole slew of oppressive elements in its controversial Section III. While these toned down previous bills' attempts to introduce restrictions on the use of encryption (the mathematical encoding of documents), in particular, repeated efforts to make key escrow a part of British law, the Bill still prompted widespread protests and promises of a European Court challenge.

Under a key escrow regime users of encryption services would need to lodge decryption keys with third parties to allow decoding of their messages which could be made available to law enforcement agencies. The Federal Bureau of Investigation in the US is enamoured of key escrow, but again, the subject has engendered such voluminous protest and threats of legal challenge, that effectively it has been shelved.

Given the growing awareness of the public and politicians about the implications of key escrow, it's hard to imagine the US could introduce it now.

Britain seems to have accepted this fact as well. The issue has crashed e-commerce bills so many times that the government decided to dump Section III, thus casting out the offensive bits of the current e-commerce Bill, and creating a separate Bill to deal with surveillance. Thus the Queen's speech, and finally, RIP.

But the RIP Bill has confirmed fears that the British government was sneaking around key escrow by introducing only slightly less oppressive encryption controls, despite attempts to present surveillance with positive spin. (Legislation was necessary that would protect communications and ensure third-party access would be properly restricted, the government said last November.)

The Bill allows for the imprisonment of anyone who will not hand over a private key on demand, even if it cannot be proven that the person ever had the key or had lost it.

A "reverse burden of proof" is thus placed on the accused to establish his or her innocence before a trial has taken place. Critics believe this element of the Bill is a breach of the European Convention on Human Rights.

Many lawyers believe it will be impossible to prove that a person has or has not lost a key, and thus to compel someone to produce a key or an unencoded ("plain text") version of a document.

The RIP Bill also requires that Internet Service Providers build into their networks the capability of intercepting their own customers' communications, and regulates for the use of informers - people who will hand over e-mail communications or documents intended for them, but for which law enforcement will not be required to obtain a search warrant.

Mr Casper Bowden, the director of the British technology policy think-tank the Foundation for Information Policy Research, believes the RIP is effectively just "window-dressing" for the same intentions of the highly-criticised Section III proposals.

He has pointed out that the recent lifting of US government restrictions on the export of encryption products, means many thousands more will begin to encode their communications, increasing the likelihood of a court challenge to the RIP Bill.

Britain's trouble could of course be the Republic's gain. Mr Bowden himself complained after the publication of the July e-commerce bill that Britain's surveillance-happy approach to the Net, and consistent failure to create a positive environment for the use of encryption, would only cause companies to select the Republic rather than Britain as an e-commerce base.

The RIP Bill will not help Britain's international image one jot. The UK is now the only jurisdiction in the world that proposes to imprison people for failing to hand over their private keys. On the other hand, we are still waiting to see how the Government will handle the same issue. The Government's e-commerce Bill, due to be published before Easter, is unequivocal on private keys, says a spokesman: under no circumstances can law enforcement force a person to surrender a private key in any matter relating to e-commerce.

That's good news, but now the Department of Justice must tackle the same issues in criminal legislation. To its credit, the Government firmly grasped the private-key nettle within its e-commerce Bill, and wisely avoided the British approach of trying to apply blanket legislation in this highly fraught area. But we need clarification on how the Government intends to proceed with criminal law and digital issues.

Karlin Lillington is at: klillington@irish-times.ie. karlin@indigo.ie

Karlin Lillington

Karlin Lillington

Karlin Lillington, a contributor to The Irish Times, writes about technology