U.K. e-mail law reaches U.S.

By Laura Rohde
September 1, 2000 1:01 pm PT

WITH THE PASSAGE last month of the Regulation of Investigatory Powers (RIP) Act 2000, the U.K. government officially granted itself broad powers to access e-mail and other encrypted Internet communications, and in its wake it has left organizations worldwide to come to grips with the implications of the surveillance law that will come into effect on Oct. 5.

"[RIP] will ensure that the U.K.'s law enforcement and security agencies have the powers they need to do their job effectively in a changed technological world," said Jack Straw, U.K. home secretary, in his official statement marking the passage of the bill. "We recognize that powers such as interception are intrusive. That is precisely why they should be very closely regulated."

Tony Benn, member of British Parliament in the Commons and former minister for technology in the 1970s, sees RIP differently.

"The concerns [of RIP] are various: the cost to business, the intolerable imposition on civil liberties, the fact that it gives the security services just completely uncontrollable powers, [and] the fact that it creates new offenses -- if you refuse to disclose your password you're liable to be put in prison for that," Benn says. "It is a terrifying bill and it's something Joe Stalin would have been proud to have if the technology was available at the time."

RIP is just one instance of governments around the world becoming increasingly involved in electronic surveillance. The U.S. government is currently arguing over Carnivore and in July, the Dutch government admitted that its security service, BVD, has been collecting e-mail messages sent abroad by companies.

U.S. companies with operations in the United Kingdom need to focus on RIP and the impact the law may have on their secure operations, including company e-mail and encryption keys.

What is RIP?

Among other provisions, RIP requires ISPs in the United Kingdom to track all data traffic passing through their computers and route it to the Government Technical Assistance Center (GTAC). The GTAC is being established in the London headquarters of the U.K. security service MI5, the equivalent to the FBI in the United States. ISPs in the United Kingdom have expressed concern that the cost of establishing the technology required by the RIP bill would be crippling.

Under another provision of RIP, if a company official is asked to surrender an encryption key to the government, that individual is barred by law from telling anyone -- including his or her employer or anyone else in the company, be it senior management or security staff -- that he or she has done so. Guidelines for this "tipping-off" offense, as it is known, could leave an international company completely unaware that what it assumes is secure company data may be under investigation by MI5. Those violating the tipping-off offense can face up to five years in prison.

Before its passage, amendments added to RIP by the Lords gave the government the discretion to allow companies to turn over printed text rather than encryption keys. Furthermore, as with telephone wiretaps, in most cases the home secretary must personally approve in writing all interception warrants as well as financial compensation for ISPs required to install monitoring equipment. But there are instances in which the home secretary can be bypassed: for example, if a company requests a warrant from a police superintendent.

As the law is laid out, individuals and companies must disclose any "protected information" required by the U.K. government that it finds to be: "(a) in the interests of national security; (b) for the purpose of preventing or detecting crime; or (c) in the interests of the economic well-being of the United Kingdom."

Although employees are protected against the consequences, such as lawsuits or termination, of passing encryption keys or encrypted data to the government, that protection does not extend outside the United Kingdom to other jurisdictions, such as in the case of a parent company based in the United States.

This may sound ominous, but Amsterdam, Netherlands-based Forrester Research analyst Claire Powell says U.S. companies with offices in the United Kingdom shouldn't worry about any privacy repercussions from RIP, such as the government intercepting sensitive corporate information and passing it on to U.K. companies.

"Frankly, I don't think the man or woman on the street will see much of a direct effect," Powell says. "The national security body in the United States [such as the FBI] is not too dissimilar [to MI5]. There has been an enormous amount of hype about the dangers of RIP, but it will be no more of an intrusion into your privacy than other existing laws such as telephone tapping."

Impact on e-business

The British Chamber of Commerce has estimated that implementing the bill will cost companies 46 billion pounds (U.S. $69.9 billion) over five years, and on June 16, the Lords received an open letter signed by 50 organizations asking that the bill be further amended or scrapped. The letter, which was signed by Esther Dyson, interim chairwoman of the Internet Corporation for Assigned Names and Numbers (ICANN); Consumers International; Amnesty International; and others, reads in part as follows: "We are deeply concerned that the bill will inhibit the development of the Internet and e-commerce."

But during the final RIP debate in the Commons, Home Office Minister Charles Clarke argued that the law will not harm e-commerce in the United Kingdom and that it suffers primarily from a perception problem, caused mainly by alarmist reports in the media.

"Given the comments made in the overseas media, we must explain clearly what the bill is and is not, and why we do not believe it poses a threat to e-commerce in Britain; on the contrary, it will help to achieve the government's aim of a strong and secure e-commerce economy, to which we are all committed," Clarke said to the Commons.

Clarke stressed that "propaganda is needed" to re-educate the public about the bill and asked the Commons to help promote "the interests of this country's businesses when the time comes."

Should U.S. companies worry?

For the most part, RIP has yet to make any impression on the collective consciousness of the U.S. corporate community operating in the United Kingdom. Officials at companies such as Novell, when solicited for comments about RIP, said they had not even heard of it.

"This is a political issue, and I don't want to start taking a position on English politics," says Dennis Raney, senior vice president and COO of Novell, who has not read the bill. "But with regard to the English market, we want to sell product [in the United Kingdom] regardless. ... Whatever happens, we'll have to figure out how to live within the letter of the law. But we're not going to pull out of England because of a law like [RIP], we've just got too many customers [there]."

Officials at other individual Fortune 1000 companies, such as Wal-Mart, Citigroup, and Boeing, all said they were unaware of the new legislation and requested more information on RIP. Once that was done and the officials were contacted again, they each declined to comment on the act or how they plan on dealing with the legislation in their U.K. bureaus.

"At the moment we are declining to comment on the RIP Act, though we are looking into the details of the legislation," Citigroup U.K. spokesman Stephen Goldman says. "It is quite a sensitive area, so just how much any company is going to talk about it [RIP] on the record is difficult to tell right now."

"There is going to be a considerable grinding of gears while technology managers try and come to grips with RIP, not to mention figuring out how they are going to explain the details of this law to their boards," says Caspar Bowden, director of the Foundation for Information Policy Research (FIPR), the London-based independent organization that studies the interaction between information technology and society.

U.S. companies operating in the United Kingdom might change some business practices.

Although in the past the United Kingdom has been favored by them as a jumping-off point for entering the European market, Marianne Kolding, a London-based analyst for IDC, points out that whereas most companies and individuals wouldn't have much to fear from the U.K. government on a day-to-day basis, U.S. companies worried about even the slightest possibility of a security breach due to RIP may choose to bypass the United Kingdom altogether by selling products and services but not establishing extensive U.K. business operations.

"Personally, I find RIP rather worrying, to be honest. There is really no one policing the police," Kolding says.

"RIP is very complex legislation but there are a range of options for companies outside of the U.K. looking to protect themselves," FIPR's Bowden says.

"Companies may put in place stricter policies about what an employee can and cannot write about in e-mail," Kolding says.

Furthermore, companies can expressly forbid their employees from responding to any "key requests" for information from the Home Office or MI5, for example by not returning phone calls from the government. A company also can reroute sensitive information around U.K. employees, a process that some companies already have begun, according to Bowden.

"Effectively, U.K. employees have become firewalled from the rest of the company. It is a quite drastic but effective measure," Bowden says.

According to Bowden, companies inside and outside of the United Kingdom always want to protect their best interests and in some cases they may feel that doing so necessitates leaving, a situation the United Kingdom will not be able to assess or rectify until after the damage has already been done.

"The government won't know if companies pull out of the U.K., as these companies aren't going to drop the Department of Trade and Industry a note saying 'goodbye and thanks for the fish,'" Bowden says.

The official text of the RIP Act 2000 can be found online at www.legislation.hmso.gov.uk/acts/acts2000/20000023.htm.

Laura Rohde is a London correspondent for the IDG News Service, an InfoWorld affiliate.