RIPA set to create conflicts of interest between employers and employees
Richard Clayton
richard at highwayman.com
Thu, 11 Apr 2002 18:45:24 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In article <hoZ7stI9Wct8EAWj@highwayman.com>, Richard Clayton
<richard@highwayman.com> writes
>The Regulation of Investigatory Powers Act (RIPA) has the potential to
>create conflicts of interest between employer and employee because of the
>way it provides government agencies with the right to demand from
>individual employees private keys to unlock encrypted information held
>in their employer's possession.
But the Lords amended the Bill so that if it is a shared key then you
have to start at the top! s49(5) s49(6)
>This is the warning contained in The RIPA Report published by law firm
>Nabarro Nathanson. It is advising companies which handle encrypted
>information, especially Internet Service Providers (ISPs),
ISPs don't handle much encrypted information that they can decode, and
are therefore far less affected than, say, a bank
> that they
>should act now in order to prevent such a conflict of interest arising.
>
>What happens if an investigating authority approaches the wrong
>individual in the company and requires them to produce private records
>relating to emails of other employees? asks Dai Davis of Nabarro
>Nathanson
this is of course a different issue - and relates to the collection of
communications data under s22. There it is clear that the "operator"
must be approached - so that would have to be the body corporate
>And what happens if the individual wishes to take legal
>advice? Technically, the individual is allowed to take external legal
>advice, but cannot ask his supervisor or colleagues to approve taking
>that advice.
erm why ?
is this some confusion with s54 (tipping off, as applied to keys, and
not s22) or just a general worry about perverting the course of justice?
>Under RIPA, where an in-house lawyer is consulted, it would
>appear that the in-house lawyer would be conflicted out from giving
>advice to the recipient of the notice served under RIPA, he warns.
surely this press release can't be written by a legal firm wanting to
sell more services ?
>Nabarro Nathanson is advising clients which handle encrypted information
>to undertake a six step RIPA plan which requires them to:
>
>* Review and audit encrypted information held by the company and
> identify under which jurisdictions the information is kept
who controlled the key might be a better thing to consider, since it's
the key and the control of the key which matters [[assuming of course
that you think it matters to hand over your private keys that you spend
the rest of your commercial life protecting at considerable cost]]
>* Develop a company policy with regards to how the company would process
> requests for private keys by government agencies invoking RIPA
>* Ensure the company has adequate practices and standard procedures in
> place to deal with RIPA and include these procedures in staff manuals
>* Review contracts of employment to see if they cope with the
> implications of RIPA and, if appropriate, amend them accordingly
>* Make employees aware of RIPA and of the procedures adopted by the
> company to deal with any government agency requesting information
> under the terms of RIPA
>* Put procedures in place in advance which will allow staff access to
> external legal advice.
all fine points - getting procedures in front of staff will reduce all
sorts of cockups, and will of course ensure that many of the issues have
been thought through calmly before plod starts knocking on the door...
>ISPs and companies wanting a copy of Nabarro Nathanson's RIPA Report can
>obtain one by calling 020 7524 6000 or by visiting the Publications
>section of the firm's website at www.nabarro.com.
the report is at:
http://www.nabarro.com/uploads/files/180.pdf
and contains very little interesting info that didn't make it into the
press release (to be honest, the vast majority of the text is in the
press release already and the main addition in the report is some pretty
coloured pie charts). However, these points are relevant for the 100
ISPs polled:
* only 39 per cent of managers in the ISPs polled said they were aware
of RIPA, whilst 61 per cent were unaware of the Act
* thirty three per cent of ISPs were considering moving functionality
abroad to avoid the cost and other problems of having to reveal
private keys under RIPA
* forty four per cent of ISPs felt the Government should provide
their company with a grant to cover the costs of RIPA.
I wonder if that means that 33% of ISPs are considering moving things
abroad, 6% are not and 61% haven't addressed the issue yet ? Though
apparently 5% of ISPs would like a grant for covering the costs of an
Act of Parliament that they've never heard of.
Wonderful things surveys!
- --
richard Richard Clayton
Are you a Friend of FIPR yet? http://www.fipr.org/friends.html
-----BEGIN PGP SIGNATURE-----
Version: PGPsdk version 1.7.1
iQA/AwUBPLXLtBfnRQV/feRLEQL9qgCgu17e14mQEcfht7nm19tjUo9FcygAn1uL
+QEuTvwXP2ukCT+BZ3TkUGGH
=vlNM
-----END PGP SIGNATURE-----