A plan by the British government to monitor business e-mails and obtain data encryption keys could harm the United Kingdom’s chances of becoming an e-commerce leader, according to the British Chambers of Commerce (BCC).
The Regulation of Investigatory Powers bill (RIP), which was introduced in Parliament earlier this year, would give police the go-ahead to set up a monitoring center to intercept private e-mails and mobile phone communications. The bill also provides for government access to encryption keys.
UK Internet service providers (ISPs) have expressed their dissatisfaction with the plan, which would require them to foot the bill for installing a wideband connection to the police monitoring center.
On Monday, BCC Director General Chris Humphries sent a letter to Home Secretary Jack Straw outlining the competitive disadvantages of the RIP bill, which the BCC believes “will frustrate the government’s ambition of making the UK the best place to trade electronically by 2002.”
In the letter, Humphries acknowledged the need for law enforcement agencies to have access to electronic data, but asked that appropriate methods for providing access be incorporated into the law.
The BCC is concerned that passing the bill, which was designed to help police track and catch online crooks, will drive British businesses to offshore ISPs. There are also fears that the measure will keep investors from funding British e-commerce projects.
While acknowledging that the plans are “at a very early stage and are subject to consultation with the industry,” the BCC’s letter expressed concern that the government has underestimated the costs involved with setting up the monitoring center.
The government has put the price tag for the monitoring plan at just over $45 million (US$). However, the BCC feels that the costs for the software and hardware needed will far exceed that amount.
The BCC is also concerned about government access to encryption keys. According to Humphries, a demand to surrender a full decryption key — particularly in a corporate environment — is such a serious potential invasion of commercial privacy that it should be subject to a separate judicially authorized warrant, in addition to the original interception warrant.
In the letter Humphries said that allowing the government access to encryption keys “raises a number of obvious questions with regard to the potential civil liability of the company if the surrendered keys were used in such a way that an innocent third party suffered loss.”
To protect companies, the BCC would like to see provisions added to the bill that would call for safe storage of surrendered encryption keys. In addition, “law enforcement agencies should be made clearly liable in civil law for any loss resulting from their misuse or failure to secure a key,” Humphries said.
Employees as Snoops
According to the BCC, the bill could turn employees into snoops by forcing them to turn over sensitive data to police without notifying company directors.
Humphries said that the proposed law “raises the possibility that the government could be seen to be acting as a shadow director by controlling an employee over the directors of the company.”
The BCC is calling for an amendment to the bill that would require requests for encryption keys to be served on the directors of the company — instead of individual employees — except in “the most exceptional circumstances.”
The BCC also believes the bill should be amended to “give sufficient employment protection to the employee” on which the demand for the encryption key is served.