RIPping into our rights
With its Regulation of Investigatory Powers Act, Britain is fast becoming a test site for new forms of surveillance.
The UK government recently backed down from a proposed expansion of state snooping powers.
The government had proposed a draft order which would have extended the surveillance powers available under the Regulation of Investigatory Powers (RIP) Act 2000 (1). If passed, the order would have granted public bodies – including seven Whitehall departments and every local authority – new powers to demand communications data, and would have empowered them to seize private information from phone companies, internet service providers (ISPs) and postal operators, without having to obtain a court order (2).
Prime minister Tony Blair’s official spokesman claimed that ‘this data can only be sought if it is judged to be necessary in the interests of national security; for the purpose of preventing or detecting crime or preventing disorder; or in the interests of the economic wellbeing of the UK; if it is in the interests of public safety, or for the purpose of protecting public health; or for the purpose of assessing or collecting any tax, duty or levy payable to a government department; or for the purpose in an emergency of preventing death or injury, any damage to a person’s physical or mental health; or mitigating any injury or damage to a person’s physical or mental health’ (3).
So that’s all right then.
But overnight the government’s plans were dropped. UK home secretary David Blunkett said on 18 June, ‘we got it wrong and we need to address the fears people have’ (4). Does this backdown demonstrate a newfound respect for our liberties? Hardly.
One reason the government can afford to postpone its plans to expand the RIP Act is because the Act rewrote the rulebook, not only nationally but internationally, when it comes to undermining individual freedom.
In the early 1990s, the FBI sought approval from the US congress for an expansion of surveillance powers. In 1993, after these attempts had failed, the FBI established a coordinating group called the International Law Enforcement Telecommunications Seminar (ILETS), which included British representatives. ILETS aimed to facilitate the interception of communications at an international level, operating clandestinely – weaving its pro-surveillance policies into state legislatures under the cover of other institutions – until the lid was blown on its existence in the late 1990s (5).
When ILETS was formed, the principal UK legislation governing state surveillance – the Interception of Communications Act 1985 – only covered landlines and post. So the UK government tried to sneak new powers to monitor the internet into early drafts of the Electronic Communications Bill, drafted by the Department of Trade and Industry (6) in 1999. This proved controversial, and the surveillance powers were dropped from the Bill before it was passed into law (7). It then fell to the Home Office (8) to expand surveillance powers, with the first drafts of what would become the RIP Act.
In the early days of drafting the RIP Act, Labour ministers assured us that no bodies beyond the police, the security services and Customs and Excise would have the power to snoop on data (9). Charles Clarke, now the Labour party chairman, claimed that, while ‘some have suggested that as many as many as 28 different authorities will be authorised to access communications data’, in truth the RIP Act only ‘lists six authorities and police forces’ (10). In retrospect, these assurances look highly disingenuous.
Because it would criminalise certain aspects of data encryption – in an attempt to stop the use of encryption to conceal criminal acts – the RIP Act kicked off a bidding match for expanded state power between Britain’s political parties. Labour ministers argued that the RIP Act should stipulate two years’ imprisonment for not handing over encryption keys. Conservative ministers argued that, in order to prevent criminals from choosing not to hand over encryption keys as an easy alternative to being sentenced for a worse crime, the penalty for not handing over keys should be extended to 10 years (11).
The RIP Act as passed into law contains many incursions on our liberties – but these can be reduced to a basic two. The first is the power that the Act grants security services to monitor internet traffic, getting to know our internet surfing habits in the name of preventing crime. The Home Office explains, ominously, that the aim here is ‘to obtain a picture of’ a person’s ‘life, activities and associates’ (12).
How is such sweeping surveillance possible? The RIP Act allows ‘the imposition…on persons who…are providing…public telecommunications services…of such obligations as it appears…reasonable to impose for the purpose of securing that it is and remains practicable for requirements to provide assistance in relation to interception warrants to be imposed and complied with’ (13). In practice, this means requiring ISPs to install ‘black boxes’ that record internet traffic data.
The RIP Act sanctioned the creation of the Government Technical Assistance Centre, a mass surveillance facility in MI5’s London headquarters. Potentially all UK internet traffic data will eventually find its way to MI5 (14). The government has denied claims that such traffic monitoring is an invasion of privacy, arguing that surveillance extends only to generic information, rather than to the specific content of communications such as email. But this argument misrepresents today’s communications technology.
With older forms of communication, generic information, such as addresses on envelopes or telephone numbers, is separable from content, such as letters and telephone conversations. This is why we enjoy a degree of privacy from the post office and telephone companies. But on the internet, such distinctions break down. Simply by looking at traffic data, which contains the web addresses that individuals visit, the authorities can develop an intimate knowledge of internet users’ reading habits and even the terms we use when searching the internet.
The second of the RIP Act’s principal incursions on our liberties is the power that the Act grants the authorities, whenever data has been seized and ‘a key to…protected information is in the possession of any person’, to ‘impose a disclosure requirement in respect of the protected information’ (15). In short, the authorities can demand the keys to encrypted communications.
Encryption, although as yet far from ubiquitous, has increasingly become a standard part of electronic communications. Encryption can be understood as a technical means of compensating for the lack of privacy inherent in electronic communications, as compared with other communications. It allows people who communicate via the internet to enjoy the new technology’s advantages over older forms of communication, while also enjoying a degree of privacy that, with older forms of communication, was a given.
But the authorities resent the autonomy that the internet grants to internet users – to communicate easily, rapidly and internationally; to pursue any conceivable interest; to obtain and exchange words, images and sounds at the click of a mouse. The authorities would have internet communications be less private than other communications, as a kind of perverse levy on the benefits the internet provides to its users.
For those in government who don’t have expert knowledge of information technology (IT), the internet appears as an unknown quantity. The specifics of how the internet works are of less interest than the all-encompassing danger it supposedly poses to polite society and state authority. The expert opinion of IT buffs is called in selectively by government, when it helps to make the case for regulation and surveillance. But this same expert opinion is often ignored, when it might recommend placing limits on state power.
For this reason, the RIP Act is a technically inept piece of legislation. The technically competent among us will be able to evade some of the surveillance that the Act prescribes (16). The stated data monitoring aims of the Government Technical Assistance Centre are not technically feasible in their entirety (17). And when the Act passed through the House of Lords (18), peers openly joked about not understanding its technical content – leading John Naughton, author of A Brief History of the Future: The Origins of the Internet (19), to complain that ‘watching this body mess with our freedoms is like seeing a monkey casually dismantling a clock’ (20).
But it is a fallacy to assume that technically inept and unworkable legislation poses less of a threat to our liberties than better informed legislation. If anything, the opposite is true, as the frustrated authorities become more hungry for whatever private information they can obtain. Caspar Bowden, former director of the Foundation for Information Policy Research (21), points out that if ‘interception’ is ‘stymied by encryption’, then ‘the police will look to compensate through automated mass surveillance of online behaviour’ (22).
The most disturbing aspect of the RIP Act is that it acted as a harbinger of international developments in surveillance legislation. This fact went largely unrecognised until the terrorist attacks of 11 September, by which time the precedent for compromising privacy in the name of security had already been set.
Tim Berners-Lee, inventor of the worldwide web, attacked the RIP Act for giving governments ‘great power to abuse personal and commercial innovation’. He claimed that if similar legislation were proposed in the USA, where civil liberties have greater currency than in the UK, it would be thrown out ‘in a second’ (23). But similar legislation was proposed in the USA, and passed after 11 September, in the form of the Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act (24).
Prior to 11 September, Yaman Akdeniz, director of the pressure group Cyber Rights and Cyber Liberties (25), said of the RIP Act: ‘The IRA is no longer a problem. The Cold War is over. There are no real security threats. Just who are they targeting?’ (26) His mistake was to assume that the RIP Act was a response to a legitimate threat. In truth, it was legislation motivated more by a general sense of powerlessness, and awaiting a more specific justification. 11 September provided that justification.
Jack Straw claimed that the terrorist attacks had been allowed to occur ‘not because of any lapse by the intelligence or security services, but because people had a two-dimensional view of civil liberties’. He gloated that those who had opposed the RIP Act ‘will now recognise they were very naive in retrospect’ (27).
The UK was the only Western country where defence of liberty was sufficiently weak to allow the introduction of legislation like the RIP Act prior to 11 September. After 11 September, John Naughton correctly predicted that ‘the UK’s RIP Act will be replicated worldwide…a hard rain’s gonna fall’ (28). Sure enough, the US authorities instantly looked to the RIP Act as a model for their own anti-terrorist legislation.
Three factors have contributed to the recent international broadside against privacy: an international hunger for greater surveillance powers on the part of insecure authorities, as embodied by ILETS; the convenience of the illiberal UK as a testing ground for new forms of surveillance; and the international blank cheque provided by 11 September for forms of state power that would previously have met with more resistance.
The RIP Act is significant, because it is a fulcrum on which these three factors rest. Its very existence sets a precedent that diminishes any opportunity to mount a defence of privacy in the policy arena. This is why, while keeping a keen eye on policy developments, the privacy discussion must be had out as a public political debate.
Sandy Starr has consulted and written on internet regulation for the Organisation for Security and Cooperation in Europe, and for the European Commission research project RightsWatch. He is a contributor to Spreading the Word on the Internet: Sixteen Answers to Four Questions, Organisation for Security and Cooperation in Europe, 2003 (download this book (.pdf 576 KB)); From Quill to Cursor: Freedom of the Media in the Digital Era, Organisation for Security and Cooperation in Europe, 2003 (download this book (.pdf 399 KB)); and The Internet: Brave New World?, Hodder Murray, 2002 (buy this book from Amazon (UK) or Amazon (USA)).
Human rights RIP, by Sandy Starr
Playing the ID card, by Josie Appleton
Taking liberties all round, by Sandy Starr
(1) See the Regulation of Investigatory Powers (RIP) Act 2000
(2) See Government sweeps aside privacy rights, Stuart Miller, Guardian, 11 June 2002; UK pushes boundaries of citizen surveillance, Neil McIntosh, Guardian, 12 June 2002; No 10 defends wider electronic surveillance, Stuart Millar and Lucy Ward, Guardian, 12 June 2002; ‘Snoop’ plans raise privacy fears, BBC News, 12 June 2002
(3) No 10 defends plans to change access to records, Guardian, 11 June 2002
(4) ’Snoop’ climbdown by Blunkett, BBC News, 18 June 2002
(5) See ILETS and the ENFOPOL 98 affair, Duncan Campbell, Telepolis, 29 April 1999; EU and FBI launch global telecommunications surveillance system: ‘not a significant document’ – UK Home Secretary, Statewatch, February 1997
(6) See the Department of Trade and Industry website
(7) See DTI drops crime from e-bill, Jill Treanor, Guardian, 20 November 1999
(8) See the Home Office website
(9) See Government snoopers to have new ground rules, Jon Hibbs, Daily Telegraph, 28 December 1999
(10) Big browser is watching the web, Caspar Bowden and Charles Clarke, Observer, 25 June 2000
(11) See Tories demand tougher computer penalties, BBC News, 9 May 2000
(12) MI5 bugging exempt from privacy act, Richard Norton-Taylor, Guardian, 27 March 2000
(13) Regulation of Investigatory Powers (RIP) Act 2000, Part I, Chapter I, Section 12
(14) See Brits launch online spy network, Wired News, 2 May 2000; Spy centre to spread its web, BBC News, 1 May 2000; Questions over net snooping centre, BBC News, 6 June 2002; Government to build new email and surfing surveillance centre, Will Knight, ZD Net UK, 2 May 2000; Your privacy ends here, John Naughton, Observer, 4 June 2000
(15) Regulation of Investigatory Powers (RIP) Act 2000, Part III, Section 49
(16) See RIP bill no match for technology, Mark Tran, Guardian, 27 June 2000
(17) See New web spy system is not up to the job, say the experts, Nick Paton Walsh, Observer, 18 June 2000; Questions over net snooping centre, BBC News, 6 June 2002
(18) See the House of Lords website
(19) A Brief History of the Future: The Origins of the Internet, by John Naughton. Buy this book from Amazon (UK) or Amazon (USA)
(20) Take a tip m’lord – save cookie talk for teatime, John Naughton, Observer, 18 June 2000
(21) See the Foundation for Information Policy Research website
(22) Big browser is watching the web, Caspar Bowden and Charles Clarke, Observer, 25 June 2000
(23) Father of the web lashes snooping bill, Jamie Dowsrd, Observer, 11 June 2000
(24) See Online insecurity, by Sandy Starr
(25) See the Cyber Rights and Cyber Liberties (UK) website
(26) Climbdown on e-snooping Bill, Jamie Doward, Observer, 2 July 2000
(27) Net freedom fears ‘hurt terror fight’, BBC News, 28 September 2001
(28) Internet will be a prime target in war on terrorism, John Naughton, Observer, 16 September 2001
To enquire about republishing spiked’s content, a right to reply or to request a correction, please contact the managing editor, Viv Regan.