|low graphics version | feedback | help|
|You are in: Talking Point: Forum|
Tuesday, 20 June, 2000, 10:24 GMT 11:24 UK
Net surveillance: Your questions answered
Responsible policing or inappropriate prying - that is the increasingly acrimonious debate in the UK over whether the government should have the power to read your e-mail or track your surfing on the web.
Ministers argue that the internet is easily harnessed for crime and so the power to intercept electronic communications is essential.
But business organisations say snooping could destroy commercial confidentiality and drive e-commerce away. Civil liberties groups also object, saying the proposed powers are an invasion of privacy.
Government minister Charles Clarke answers your questions on net surveillance.
Tom Reeve, UK: How will the Government cope with the sheer volume of Net transactions, the millions of e-mails and website hits that occur every day? Won't the security services and police be overwhelmed by it all?
Charles Clarke: Such a volume would indeed be overwhelming were we interested in the kind of mass surveillance some of the Bill's critics accuse us of. But interception operations are, in fact, specifically targeted. For example, during 1998 (the last year for which figures are publicly available) the Home Secretary and the Scottish Secretary between them signed 2031 warrants. Of these, 487 warrants were in force at the end of that year.
Interception is only ever used in the most serious cases as a method of last resort; the Secretary of State who personally signs the warrant has to be satisfied that there is no other reasonable way of obtaining the required intelligence. This will continue to be the case under the RIP Bill.
Ian Hughes, UK: What safe guards are the government going to introduce to prevent misuse of these proposed new powers?
Charles Clarke: We take the question of safeguards very seriously. Proper statutory safeguards ensure that intrusive powers are not misused, whatever Government is in power. The RIP Bill contains such safeguards.
A number of important principles are involved here, so it may help if I run through them. The first is redress: anyone should have the right to complain about surveillance of themselves or their property, and to have their complaint properly and fairly considered. The Bill establishes an independent tribunal to hear complaints, headed by a judge. Where they find in favour of a complainant, they must inform them, and can direct that any warrant be quashed and compensation paid.
The second principle is oversight. The Bill sets out a number of independent Commissioners - serving or retired senior judges - supported by an office of staff. They have the power to demand any relevant documents or information from the Government, and make a report each year to the Prime Minister on how the powers and duties conferred by the Bill have been carried out.
The third principle is authorisation at an appropriate level. For the most intrusive powers, such as interception and intrusive surveillance, personal authorisation or approval is required from a Secretary of State (the Home Secretary, for example) or a judicial figure. Finally, out of the European Convention on Human Rights the principles of proportionality and necessity have developed. The Bill requires that the powers may only be used in a way proportionate to the aim they seek to achieve, and where their use is necessary in order to achieve that aim. Where a less intrusive and reasonable way of acquiring the same information is available, that method should be used instead.
Iain Robertson, UK: Will the proposed powers be used for specific investigations only, or for generalised low-level intelligence gathering?
Charles Clarke: The Bill is all about regulating investigatory powers, all of which have the potential to intrude into an individual's privacy. The powers being regulated range from those involving a comparatively small degree of intrusion to highly intrusive operations such as eavesdropping in a private house or interception of communications. The Bill lays down the purposes for which different techniques may be deployed, reserving the most intrusive for the highest level of crime or threat to national security. But there is a common theme which runs throughout the Bill in relation to the considerations which the person authorising the use of these powers must make, whether he or she is a police officer or the Secretary of State. They must firstly consider the necessity of the action being considered. It is not sufficient for the operation simply to fit the criteria of "serious crime" for example.
The action must also be necessary for that investigation. Secondly, the technique being used must be proportionate to the threat posed - in simple terms ensuring that sledgehammers are not used to crack nuts. And finally, each of the techniques demands a high level of specificity, whether in the description of the person being investigated or the material being sought.
These are not just requirements of this Bill, but also of the Human Rights Act. And the RIP powers are subject to oversight by independent scrutiny and, where the material is used evidentially, by the Courts.
John Kearney, UK: Why does the Government state publicly that it wishes to bring down the cost of access to the Internet for ordinary people, and then threaten to make ISPs pay for "black boxes" to be installed in their servers? This will clearly drive up running costs which will then be passed on to the customers.
Charles Clarke: I am glad this question has been raised since I am keen to address the misconceptions which are circulating about this issue. There is no mention of "black boxes" in the Bill, and the question of costs of providing an intercept capability is left open. One recent report on the cost implication of this legislation assumed that 120 ISPs would be subject to this requirement in the first instance. That number is a gross overestimate. As I have said in answering the previous questions, interception may only be used as a method of last resort in the most serious cases.
The Bill does contain the power to require individual Internet Service Providers to develop and maintain an interception capability, but only after a great deal of consultation on the precise terms of that capability. We have no intention of imposing unreasonable costs on anybody. We are discussing this now with the relevant industry players. To inform this debate, we commissioned an independent study on these important cost and technical issues. If you're interested, you can find the report on the RIP Bill page of the Home Office website at:
The second point, which we have always acknowledged, is that the interception regime can only function properly on the basis of a co-operative relationship between Government and industry. It would be in no-one's interests for us to impose such heavy costs on an ISP that, to take an extreme example, they were driven out of business and an interception target stopped using their service.
Colin Wright, UK: Why should I feel safe when the serial number and password which I use to access my bank account could be in the hands of an organisation whose staff leave their portable computers (full of such data) in taxis and wine bars.
Charles Clarke: We recognise the need to store securely all sensitive material, including keys for example, obtained under the RIP Bill. There are two limbs to this. Firstly, Clauses 14 and 51 of the Bill set out, for example, strong statutory safeguards restricting the use, copying and retention of material obtained under the new powers. Independent Commissioners will have a statutory responsibility to oversee the safeguards arrangements, and to report any inadequacies to the Prime Minister.
Secondly, deploying the highest level of protection for keys and other sensitive information relating to key holders is a specific objective of the technical project to establish the new Technical Assistance Centre which will assist law enforcement over encryption. I do not believe that your laptop analogy quite stacks up. The security that will be given to material such as any keys obtained under the Bill is akin to that given to intercept material now. And when was the last time you saw any of that leaking out?
Phil Saum, UK: Why does the minister feel there is justification to violate a fundamental human right, privacy, to an, as yet, unsubstantiated risk of criminal activity?
Charles Clarke: Criminals are quick to use the latest technologies in an effort to evade detection. We would be putting our heads in the sand if we thought otherwise. You talk about fundamental human rights. Protecting individuals' legitimate rights has been uppermost in our minds in developing the RIP Bill. This Government passed the Human Rights Act 1998 which incorporates into UK law the European Convention on Human Rights (ECHR). It comes into force in October this year. Article 8 of the ECHR provides a right to privacy. But it is not an absolute right.
The Convention permits interference with an individual's privacy but only where this is in accordance with the law and necessary in a democratic society as being in the interests of, for example, national security or for the prevention of crime. These are precisely the sort of strictures the RIP Bill puts in place. I recognise that some of the powers contained in the Bill - interception of communications for example - are particularly intrusive. That is precisely why they should, as the Bill proposes, be closely regulated. The Bill tackles a big issue - the balance between protecting individual rights and ensuring that effective powers are in place to catch criminals. I believe that we've struck the right balance.
Stuart Wyatt, UK (Currently in France): If -ALL- internet traffic is going to be filtered and monitored through MI5, how do you feel that your own personal correspondence from the Houses of Parliament will also be potentially read by an internal spy?
Charles Clarke: Firstly, as I said to Tom Reeve above, it is emphatically not the case that we intend, or that the Bill permits, interception of all Internet traffic. Interception operations now are specifically targeted. This will continue to be the case under the RIP Bill. It sets out extremely tight limits on what can be done.
How do I feel knowing that my own personal correspondence could be read? Well, as I point out above, given the number of warrants issued and the reasons for them, this is extremely unlikely. But to the extent that it could happen though, I am reassured by a number of factors. My communications could only be read if that was necessary for one of the three purposes the Bill allows. Again, they could only be read if there were no other reasonable and less intrusive way of obtaining the information. Any copy made of my communications would have to be destroyed as soon as it was no longer necessary. Its dissemination would be very tightly controlled and limited. It would only be seen by a small number of individuals. The task of using interception to fight serious crime and defend the vital interests of the country is not taken lightly. Where it is used, it produces results time after time. The Bill will help ensure that it continues to be just as valuable in the future.
Tom Brown, United States: Strong cryptography is a fact of life and anomysation easy to achieve. How can the government possibly hope to control what it doesn't have the resources to police?
Charles Clarke: The RIP Bill is not about controlling the use of cryptography. As you say, the fact is that strong encryption is freely available. Another fact which we have accepted, as have other governments (including your own) is that increasing criminal use of strong encryption means that law enforcement, whether it likes it or not, is going to take a hit. This is the unpalatable reality. The challenge for governments is to find ways of minimising, as far as possible, the extent of this hit.
We, and the US Government, recognise that there are no single or simple answers. That is why both countries have proposed similar packages of measures to help including new powers to assist law enforcement, money for dedicated technical resources and, importantly, a recognition of the need to forge a greater co-operative relationship with industry.
Tim Child, USA: As US executive why should put my millions of $'s of hardware into internet co-location sites in the UK and deal with the surveillance issues, when I can go to Dublin or Benelux and not have a government surveillance problem?
Charles Clarke: You should invest here because the UK is a good place to do business. And I think that you will be disappointed if you believe that the other countries you mention are not wrestling with the same question of how best to update law enforcement powers for a new technological age. The US is doing just that. So are the Benelux countries. Look at Holland and its Internet interception policy. The Dutch Telecommunications Act 1998 provided a legal framework for interception by Internet Service Providers, who have until April 2001 to install an interception capability. And I hope you're not taking all your comfort from the recent Irish e-commerce bill for your faith in Dublin's claimed attractiveness.
The common perception is that the Irish Bill rules out completely and forever law enforcement access to encryption keys. But, importantly, there is no indication that the relevant Irish provision applies to anything other than the narrow scope of the Bill itself. It is silent, as is the Irish Government, on the big question of wider law enforcement access to encrypted material. We have already grasped this nettle.
Andrew Herron, UK: Please explain how this draconian bill will in any way improve the UK's ability to become a leading centre for e-commerce?
Charles Clarke: Well, firstly I disagree with your assessment that RIP is "draconian". There are restrictions, safeguards and oversight mechanisms across all parts of the Bill to prevent the powers being misused. These are more tightly drawn than ever before. This Government's goal is to make the UK the best and safest place in the world to do e-commerce. The Electronic Communications Act, recently passed, together with the RIP Bill will help us achieve this aim. I know that business too wants a secure environment in which to operate. Like us, industry does not wish to see the burgeoning e-economy overrun with high tech criminals. This would be in no-one's interests. So we need to update law enforcement powers but in a way that does not over-burden business. Again, it is all about a balance.
Michael Beckwith, UK: I believe the police need a warrant by the local magistrates to search a house, will the police need a warrant to search through a person's private web space?
Charles Clarke: You are quite correct that in some circumstances, the police do need a search warrant to be authorised by a Magistrate before searching a house, although there are other circumstances where this is not necessary, for example a search of property which takes place after the controller of that property is arrested (s18 Police and Criminal Evidence Act 1984).
But to answer your question, where the data is already in existence and sitting on a server somewhere, the police would require a Production Order (authorised by a Crown Court judge) to obtain that file. Where the material would constitute content of communications, and the police wish to intercept it, they would require a warrant personally authorised by the Secretary of State. This could only be granted for the purposes set out in Clause 5(3) of the RIP Bill (i.e. prevention or detection of serious crime etc.). Only where the police are only interested in obtaining communications data - i.e. addressing information - would they be able to do this with internal police authorisation, and then only for one of the purposes set out in Clause 21(2) of the Bill.
Philip Rowlands, UK: Under this bill, an innocent person who forgets their password will have to prove this fact to the court to avoid conviction. Since direct evidence is impossible to produce, surely this unfairly reverses the burden of proof? Or does the Government assume that innocent people are never prosecuted?
Charles Clarke: The Bill does not reverse the burden of proof. This is an important point. There is an offence for non-compliance with a decryption notice in Clause 49 of the Bill. But the burden falls on the prosecution to prove, beyond reasonable doubt, that an individual has, or has had, a decryption key. I believe this to be a significant burden - and it's on the prosecution. To take your example Philip, I appreciate that forgetting a password is an entirely reasonable thing to do. There are statutory defences in the Bill to cover this. These need only to be proved on the lower level of proof - the balance of probabilities. The real question is whether it is reasonable or fair to ask this of someone. I believe that it is. If it came to a prosecution, an individual would, for example, be in a unique position to explain where they got their password or key from; how they normally used it; when they last used it and what they normally did when they forgot it - were they able to get a new one or was all their data always lost? These are the sorts of things that, once the authorities had proved their case, an individual might explain to a court. It would then be for the court to decide whether, on balance, they were telling the truth.
Richard Lamont, UK: How can the government claim that the RIP bill will be of significant benefit in the fight against crime, when it is highly probable that a criminal clever enough to keep one jump ahead of the existing law will also be clever enough to keep one jump ahead of the new law, for example by using ephemeral keys, stenography or offshore 'anonymizers'?
Charles Clarke: We had a similar query above. Yes, some clever criminals will always seek ways to circumvent whatever laws are in place. They will use technologies that are most readily available and easiest to use. Not all the answers to these difficulties are to be found in the pages of the RIP Bill. We have never claimed that they were. As I said to Tom Brown above, the prognosis is actually a gloomy one. But there are things that we can do to ensure, as best we can, that law enforcement powers are not undermined critically by rising criminal use of new technologies. The Bill forms a part - but a vital part - of the package of measures we are putting in place to help in this. It covers powers important in keeping society safe. The Bill will help to ensure that these remain effective as we begin the 21st century.
The BBC is not responsible for the content of external internet sites
Other Talking Point forums:
Links to other Forum stories
|^^ Back to top
News Front Page | World | UK | UK Politics | Business | Sci/Tech | Health | Education | Entertainment | Talking Point | In Depth | AudioVideo
To BBC Sport>> | To BBC Weather>>
© MMIII | News Sources | Privacy