RIP: a framework for 21st century law enforcement - or an unnecessary burden on British business?

The RIP Bill is currently wending its way through the UK parliament's labyrinthine processes - bad news if you think laws take too long to draw up, good news if you think something needs changing.

The Bill has had its second reading in parliament, and is currently at committee stage. It will then proceed to a report stage, and then on to a third reading. It will become law in October. (See http://www.homeoffice.gov.uk/oicd/ripbill.htm .)

In other words, it's not too late to voice your concerns. Indeed, the draft legislation has already received over 60 amendments.

In brief, the Bill is designed to regulate the covert surveillance and interception of communications by law enforcement and security agencies more closely than existing legislation. It will also update that legislation on the use of these powers by law enforcement agencies to cover "new technologies" which have been developed in recent years.

The main area of contention surrounds the 'burden of proof' issue. Civil liberties groups claim that the basic human right to be innocent until proven guilty is reversed under this Bill. Law enforcement agencies can demand the encryption keys to enable them to access scrambled data. If they believe you are or were in possession of such a key and are unable to provide this key, it is up to you to prove you never had it.

The government denies this. Home office minister Charles Clarke said in an open letter (http://www.homeoffice.gov.uk/oicd/openrip.htm ) on the subject: "Accusations that the Bill reverses the burden of proof are simply wrong... The burden, and it is a significant one, falls on the prosecution to prove, beyond reasonable doubt, that an accused person is, or has been, in possession of a key to unlock particular protected data. There are statutory defences for individuals who have lost or forgotten a key. These need only to be established on the lower level of proof - the balance of probabilities."

But the controversy doesn't end there. Critics are still waiting for clarification on what 'balance of probabilities' means. Clarke has yet to provide such clarification.

The actual logistics of monitoring electronic communications have also sparked debate. The only organisations in a position to intercept many encrypted messages are the ISPs - and the ISPs aren't happy that they might have to foot the bill for installing the necessary equipment. Clarke hinted to Silicon.com that he will relent on this issue. He told our reporter: "The Bill gives the Home Office the power to assist with the funding of [compliance], and the precise amount and nature and circumstances will depend on some detailed analyses that we're doing at the moment."

ISPs wait with baited breath. But they may not be the only organisations affected: the Bill also makes provision for the interception of data on private networks - something which will interest many a multinational. Furthermore, as Ovum analyst Duncan Chapple pointed out on a recent Silicon.com Behind the Headlines programme, the proposals could also throw a spanner in the works for courier firms which are providing secure electronic communications services to businesses.

Chapple said: "Lots of people handle encrypted documents where it wouldn't be appropriate for them to have the key. If I was an organisation like Federal Express people might pass me encrypted information to pass on to a third party. I'd lose the confidence of customers if I had to show that I was able to 'unencrypt' that information at any time."

Online banks are particularly concerned about this facet of RIP. It's been suggested that some businesses would leave the UK as a result. Again, Clarke counteracted that claim in his open letter: "The government has no intention of imposing unreasonable burdens on industry. Our aim is to make the UK the best and the safest place in the world to do ecommerce. We know that business too wants a secure environment in which to operate. The Bill will help us achieve that."

Perhaps even more significant is the allegation that the Bill contravenes human rights standards as laid out under the European Convention on Human Rights, including the presumption of innocence, protection of privacy and freedom from random surveillance. Back to Clarke's letter: "So does the Bill mean RIP for individual rights? No. I would encourage people to read what the Bill actually says - not what some commentators say it says. We have examined the issue of rights in its widest sense. This includes the rights of those who do not yet have Internet access, who may not know what asymmetric encryption is all about, but who nevertheless have the right to live in a society free from crime. The Bill is not about Big Brother."

These are just a handful of the contentious issues - the Bill has 73 clauses in it, and the debate is set to rage on. An Observer columnist called RIP "probably the worst piece of legislation ever laid before Parliament."

So what do you think? We want to hear your responses to the following questions. Email editorial@silicon.com and we will reveal the results on Friday.

1) When did you first hear about the RIP Bill?
2) Is legislation of this type necessary to protect the individual from criminal activity?
3) Do you think it is right that the burden of proof will be reversed as a result of this Bill?
4) Will it affect the way you do business?

For more details, see the Bill itself (http://www.publications.parliament.uk/pa/cm199900/cmbills/064/2000064.htm ) or click on the links below to see what its main critics have to say.

http://www.cyber-rights.org/reports/crcl-rip.htm
http://www.liberty-human-rights.org.uk/mlobby.html
http://www.fipr.org/
http://www.stand.org.uk