Snooping Bill gets security seal of disapproval

We've heard all the political hype surrounding the UK government's 'Snooping Bill', but how does it make the security professional feel? In the first of a regular series on security, Bob Walder, from security specialists and independent test lab NSS, lets rip...

If you thought the acronym RIP meant Rest In Peace then you have another thing coming. You'll be doing anything but resting in peace once the new Regulation of Investigatory Powers Bill comes into effect later this year. And if you thought the phrase "innocent until proven guilty" was a given in the British judicial system, then think again. Once the aforementioned Bill is passed a whole raft of civil liberties that we have taken for granted until now could simply disappear.

Because once the RIP Bill makes it onto the statute books the basic idea is that all internet communications that pass through the UK can be copied automatically, and sent in full, to the spooks at MI5. The idea is that government agencies - with a suitable warrant, of course - should be able to tap into any internet communication travelling to or from any particular user. In fact, they will be able to access all your emails, follow your online purchases, and even check out which websites you are browsing in real time.

How is this to be achieved? Well the onus seems to be falling on ISPs to install some form of black box monitoring system within their networks that will allow traffic passing across networks to be copied to a third party. Large companies may also be forced to install such devices and, predictably, neither they nor the ISPs are falling over themselves to support such measures given that there will be significant costs involved, in addition to the privacy issues.

The Home Office is quick to point out that police powers to intercept communications under the new Bill will actually be restricted more than at present and these powers will only be used in defence of national security or on suspicion of serious crime such as narcotics smuggling or terrorism. A nice sentiment, but will those of us who know just how easy it is to tap into internet communications at the best of times really sleep easy knowing that the spooks have a ready-made wire tap in every ISP in the country?

Still, not to worry, we can always encrypt all our data - that will put a spanner in their works, eh? Not really, since the powers relating to encryption are even more Draconian than those relating to interception and it is these powers that are likely to have the most profound effect on ecommerce in the UK.

The new Bill allows the Home Office and its representatives to demand encryption keys be handed over to the authorities, with penalties for failure to comply including two years in jail. Note that this applies even to those organisations holding keys for third parties. So if you are a key escrow agency or are simply holding a copy of a key for a business partner you can be forced to give it up. And you are not allowed to tell the person who owns the key that you have been asked to hand it over, meaning the person in question will continue to use the key even though it is no longer secure. If you do tip someone off, the penalty here can be up to five years in jail.

Nor is it any defence to say that you no longer possess the key. The burden of proof has now shifted to the victim (sorry, I mean alleged perpetrator) to convince the authorities the key is no longer, or indeed ever was, in their possession. This smacks of "guilty until you can prove you are innocent", and flies in the face of everything we have come to hold dear about our wonderful democracy and its legal system.

After the latest reading in the House of Lords, this reverse burden of proof has been toned down and the Home Office has been quick to point out that they are not trying to send people to jail for forgetting their passwords or losing keys. But if the legislation is there, there is always the scope for it to be misused, and the ramifications for businesses wanting to conduct commerce on the internet are serious. Under one RIP provision, company directors will be held legally responsible for company data and the control of their business's encryption keys. Directors would be subject to fines or imprisonment if keys were lost.

How effective these measures will be against money launderers, child pornographers and drug traffickers is anybody's guess. But my guess is that the effect on such lowlifes will be minimal, to say the least. However, the effect on legitimate business-to-business (B2B) communication in particular could be far-reaching and potentially very damaging.

The UK government's stated desire to make Britain - and I quote from the Department of Trade and Industry document entitled 'Promoting Electronic Commerce' - "the best environment for electronic business by 2002" certainly cannot be helped by such legislation. The only way the government will achieve this is to abandon this crippled Bill and start again from scratch - this time listening to industry experts who actually know what they are talking about. Otherwise, it could well be a case of UK ecommerce RIP.