Analysis of The R.I.P. (Regulation of Investigatory Powers) Bill
By Hon. James Baring

The UK Security services have arguments in favour of being able to have access, if required and when authorised, to traffic on the Internet.

The principal argument is based on the existing provisions which entitle and enable them to intercept mail and telephonic communications under certain circumstances.

If these are considered necessary for the security services to carry out their job, it is argued that the same entitlement and enablement must apply to electronic text messaging over data networks because, if it did not, all communications that were designed to avoid surveillance and were prejudicial to the security of the state and the legal conduct of affairs could use such a method of communication.

That being the case, it would be a waste of time to even bother to intercept any communications at all. It would be further argued that such a state of affairs would encourage other nations which possess advanced technology to use it to conduct surveillance of their own on traffic generated within or passing through the UK data networks.

Since there is a perception of a growth in the sophistication and potential of the effects of terrorism and fraud using advanced technology, those whose job it is to defend the public against it will naturally demand the means to do the job they have been given.

It is a fact that, given the current structure of data networks and the capability of government communications establishments, interception of data can be achieved regardless of any act of parliament that may or may not be passed in the near future.

The argument then devolves onto the matter of ENCRYPTION, and of the identity of the sender and receiver of messages. If it is a fact that data can be intercepted, there are three properties of the traffic that are of significance:

1. The sender
2. The receiver(s)
3. The content

What has to be decided is:

1. Is anonymity acceptable on the part of the sender, poster or author (in the case that these are the same, or in the case that they are not)?

2. Anonymity of the receiver may be achieved if data is broadcast or posted only if anonymity of access is also possible. Should this be permitted? Bear in mind that the identity in each case is the identity assigned to a user. As with a telephone number, it may not be the registered user of hardware or software that is using it at a particular time. Password protection is only a limited guarantee unless enhanced by intelligent usage.

3. Should the content be allowed to be encrypted in such a way as to be effectively unreadable without the key, even by the most well equipped national security agency?

There are some quite serious arguments against the current state of affairs, which allows a high degree of anonymity to those adept in the technology. However, the major arguments are centred on the matter of encryption.

Government authorities have in the past proposed two possible solutions to satisfy the needs of security services:

1. The level of encryption should be limited to that which satisfies ordinary users but which security services equipped with the latest technology would be able to break. This has become a non-starter because it has proved impossible to define such a level or maintain it with the passage of time.

2. The encryption keys set by a user are also to be held by a trusted third party. This comes up against objections relating to the security of keys that are outside the direct control of the user, as well as the expense of such a system if the keys were to be changed regularly to overcome security problems even to a limited extent. Then there are the arguments about whether the third party has, or has not, to reveal to the user of the key if a judicial application has been made to release the key to the security services, either before or after the fact.

In addition to those opposing either type of limitation to encryption in the name of the right to privacy or the right to freedom, there are those who say that any restriction on the use of encryption or any routine that compromises its security will prevent those countries which are subject to it from developing their electronic commerce, which will then migrate to offshore electronic centres, having much of the world to choose from.

The resolution of these arguments must be based in some way on the following logic:

In the case of the threat to civil liberties and privacy, this must be weighed against estimates of the perceived threat and the consequences that might result from each possible decision. For example, if the most draconian laws are unlikely to achieve effective protection, they are a waste of time. If, on the other hand, a coherent security strategy could be considered as significantly altering the probability in the long term of the security of the great majority of people against very considerable threats to their physical or economic welfare, then civil liberty and privacy may have to give some ground. Debates in the Houses of Parliament and the media will, one hopes, shed some light.

In the case of the threat to e-commerce, this must be assessed in terms of the actual estimated impact on the various types of e-commerce. This will depend on the extent to which the use of encryption in e-commerce is subject to any surveillance or 'key escrow' which may be imposed, which may or may not be subject to the same requirements as when encryption is used for other purposes.

There are also, one presumes, permutations that have not so far been much discussed, such as a trade off between the agreed and verified establishment of identity and the allowable use of secure encryption of content and an enhanced level for those who accept this.