New law opens up private data to MI5

Users have attacked the UK government's draft legislation on bugging communications, claiming the proposal would give state security agencies unprecedented powers to access data.

Written by Steven Mathieson

Users attending the fifth Scrambling for Safety conference last week were in for a shock when they gathered in London to debate the UK government's draft legislation on bugging communications.

Ministers told them in no uncertain terms that if the Regulation of Investigatory Powers (RIP) Bill is passed, third-party service providers will be obliged to allow policemen and spooks such as MI5 access to their clients' communications.

And their clients will never know about it.

The Bill is currently going through the committee stage, in which draft legislation is studied clause by clause. Opponents of the Bill, many of whom were at the conference, claim it gives state agencies unprecedented powers to access data. MP Oliver Heald, Conservative party spokesman on the Bill, claims that only Zimbabwe has rules as tight.

The security nightmare for business was highlighted by Paul Jennings, of AT&T's network security division. Explaining that his clients include large investment banks, for which he is contractually obliged to maintain security, he asked barrister Tim Eicke, of Essex Court Chambers, what he should do if he is served with a notice under RIP. This can require the subject to provide access to IT systems or communications while keeping the bugging operation a secret.

Eicke told Jennings that if RIP becomes law in its present form, he would have to comply. "You will be compromising their security and you won't be able to tell them," he said. "This is one of the very real problems."

He added that if a contract has penalties when security is breached, third-party holders of data, such as services houses, should consider insurance, if they can get it.

Under fire

Charles Clarke, the Home Office minister responsible for the legislation, was given a rough ride by an audience which included corporate users, academics, civil servants and human rights campaigners. Jennings told Clarke: "I'm looking at billions of dollars of liability."

Clarke sought to reassure corporate users that the government is listening to their problems with the Bill, and admitted that businesses will stop storing data in the UK if the state has overly strong powers. "Unless the industry has confidence in the security we are setting up, the whole thing will not succeed," he said. "We believe the security issues can be resolved, and that the solution is collaborative in nature."

Clarke added that the government would be "foolhardy" to introduce a regime significantly at odds with that of other countries.

The key problem

Another potential problem for business users will arise from state agencies using RIP to sequester encryption keys to decrypt scrambled data, says Caspar Bowden, director of think tank The Foundation for Information Policy Research. Subjects of a notice can only refuse if they can prove they do not have, and never have had, the keys.

This will produce "key escrow by intimidation", Bowden warned, referring to the policy of forcing all encryption users to hand their keys to a trusted third party, who in turn would release keys to the authorities if the proper notice was given by security agencies.

Ministers abandoned mandatory key escrow last year after vociferous protests from the IT industry. But because companies will be liable for keys used by their staff, corporate lawyers may well insist on key escrow to protect company directors from criminal charges if they cannot later find a key.

Several speakers believe that the RIP Bill contravenes the European Convention on Human Rights, by making encryption users prove they do not have keys.

This constitutes a major reversal of the burden of proof used in most legal proceedings, under which prosecutors have to prove guilt. Here, defendants have to prove innocence.

Clarke said the Home Office's opinion is that there is no contravention. This could well be tested in the courts when RIP becomes law.
