RIP Crypto Bill - Report on Economic Impacts
j...@freedom.net
Date: Fri, 16 Jun 2000 11:29:24
Subject: RIP Crypto Bill - Report on Economic Impacts
New report on the costs of the UK crypto bill (June 12).
Executive Summary is appended below.
http://www.britishchambers.org.uk/newsandpolicy/downloads/lsereport.pdf
The executive summary of the report is available on
http://www.britishchambers.org.uk/newsandpolicy/ripbillsummary.htm
EXECUTIVE SUMMARY
General
1. There exists a clear need for a rigorous framework for the regulation of
law enforcement access to communications media, including the Internet.
Placing such regulation within the framework of the European Convention on
Human Rights is a welcome and necessary objective. Business requires
confidence that efficient and effective policing of criminal activities is
regulated by clear and well reasoned legislation.
2. The RIP Bill as it stands is entirely inadequate as a mechanism to
achieve efficient and reasonable interception and surveillance Its effect is
likely to be loss of confidence in e-commerce, unacceptable costs to
business and to the UK economy, confusion and uncertainty at numerous levels
of business activity, and an onerous imposition on the rights of
individuals.
3. The justification for the Bill has been established to a large extent on
anecdote and
rhetoric. While attempting to achieve a long term infrastructure for
interception and surveillance, the government has failed to produce a threat
model to form the foundation for a rational assessment of the need for many
of the provisions of RIP.
4. The effect of the Part I provisions of the Bill can justifiably be
described as mass surveillance of internet activities without judicial
warrant or adequate oversight. The Bill substantially increases the power of
public authorities without correspondingly increasing the scope for
oversight and accountability.
Business and economic implications
5. The construction of the definitions used in the Bill tends to be
excessively broad, leading to substantial doubt as to the level of exposure
to cost, risk and disruption for business. Of even greater concern, are the
implications that arise as various Agencies explore how this new framework
might be 'stretched' in the future. These imponderables cast uncertainty
over future investment decisions.
6. The Bill will create significant economic repercussions. It imperils the
government's intention of making Britain the most desirable place to trade
electronically. As it stands, RIP is likely to create a legal environment
which will inhibit investment, impede the evolution of e-commerce, impose
direct and indirect costs on business and the consumer, diminish overall
trust in e-commerce, disrupt business-to-business relationships, place UK
companies at a competitive disadvantage, and create a range of legal
uncertainties which will place a growing number of businesses in a
precarious position.
7. There is compelling evidence that the enactment of RIP will create a
trend amongst UK firms to establish a range of operations offshore, while
creating an environment hostile to the creation of, and investment in, new
business activities in the UK.
8. The government has substantially underestimated the cost of compliance by
ISPs. The most realistic estimate is of the order of £640 million over the
next five years.
9. The overall financial implication of RIP, in terms both of losses and
leakage from the UK economy, and of cost of implementation, may be in the
order of £46 billion in the first five years of operation.
10. The Bill will impose Government-mandated design and technical
requirements for communications systems which will have the effect of
"freezing" technological advancement thereby discouraging industry from
investing in otherwise promising products and services. Government-mandated
design and technical requirements would make consumers and industry
dependent upon the Government to revise the requirements frequently enough
to keep up with technological changes.
11. The practical operation of Section 46 presents a real threat to the
security of corporate signature keys, and must be regarded as a major
impediment to the establishment of public confidence in electronic commerce
in the United Kingdom.
Legal issues
12. There are substantial grounds for the view that the Bill contravenes and
compromises a number of legal rights and responsibilities. On the balance of
legal opinion, Part III contravenes the European Convention on Human Rights.
Elements of part I may breach the Data Protection Act, while the execution
of the Bill's provisions in both part I and III are likely to compromise a
range of conditions relating to duty of care.
13. The practical implications of RIP will depend to a great extent on the
provisions in secondary legislation, and the scope of the anticipated Code
of Practice. The fact that the government has failed to provide details of
either has placed UK business at a great disadvantage
in assessing the legislation.
14. The Bill poses a number of unresolved questions about the position of
the legislation with regard to both employment and company law. Amongst the
most prominent of these is a potential issue of the Government being deemed
to be acting as a 'shadow director'. This raises a number of obvious
questions with regard to the potential civil liability of the company if the
surrendered keys were used in such a way that an innocent third party
suffered loss.
15. It is unclear where the boundary is drawn between 'content' of messages
or transactions, (where warranted access is required) and 'communications
data' (where access would not appear to require a warrant. The amendments
tabled by Lord Bassam to Clause 2 and Clause 20 make this concern even
greater.
16. The Bill is unclear about which officials, at what level, in which
Departments may seek access to encryption key material and communications
data. Of greater importance is the lack of clarity in the Bill on the
question of warrant procedure and validation
17. There is considerable concern in the business community on the degree of
individual and corporate liability flowing from exposure in other
jurisdictions to actions potentially required in the UK to comply with the
RIP Bill. If full decryption (as opposed to the generally preferred option
of session) keys are demanded using a Section 46 notice with an associated
'tipping-off' order, individuals working for multi-national companies may be
placed in a perilous position. They may have compromised the international
transactional security of that organisation yet be directly barred from
informing senior management of that exposure. Such an individual may
possibly be protected under UK law for these actions but their exposure in
other jurisdictions - particularly that of a non-UK parent company - is
uncertain.
Other key issues
18. Both Part I and Part III of the Bill raise important questions both for
the functioning of media and for the status of legal professional privilege
19. The Part III issue of the reverse burden of proof regarding lost or
missing keys carries with it important considerations for civil rights.
These provisions also have important repercussions for business for the
management and retention of revoked keys.
20. An international survey of laws indicates that the provisions of RIP
have been rejected in numerous jurisdictions. The closest parallel is the
Russian SORM scheme, which pre-dates RIP, and which appears to have a common
genesis.
21. There exist a number of technical means of overcoming the intentions of
the legislation. The use of these mechanisms, which include new forms of
encryption and anonymising services, will circumvent the provisions of the
legislation. The pursuit of solutions will have the effect of driving up
costs of compliance and creating more onerous impositions on individual
rights.