How can the Home Office update RIPA for the Internet age? Is it a good idea to centrally store our phone records, and their modern equivalents? Is it even possible?

I know that I'm coming late to this party that was originally started more than a month ago by the Times. There are good reasons for that - firstly, that it is a bit of a mug's game just reacting to unconfirmed press stories. Secondly, that I was too busy trying to find out what was really going on. For kicks, I decided to email Home Office enquiries for more information. This was what they said:

Public Enquiries (CD) on Tue, 27 May 2008 17:01:53 +0100

The message could not be delivered because the recipient's mailbox is full.

sdcp3cmm305.Poise.HomeOffice.Local 5.2.2

Not exactly helpful. I then emailed the team working on the draft bill, and their response was much more helpful. They understandably didn't provide details on what was proposed, but did outline what they were looking to achieve. The short version is that they want to update existing legal powers to cover new technology. Back in the day, everyone used this ancient device called the telephone, and telecommunications companies stored call detail records (CDR) that showed who the call was made to/from and at what time. This continues to be useful evidence in criminal proceedings. To quote (with permission) the Home Office spokesperson:

We have therefore announced that we will be bringing forward a draft Communications Data Bill which will outline how we intend to update the law, and the appropriate safeguards. Its purpose is to ensure we can retain a comparable level of capability in a changed technological environment, in order to investigate crime and protect the public. Losing the ability to use this data would have very serious consequences for law enforcement and intelligence gathering in the UK.

The spokesperson was also at pains to point out that current capability - that they are looking to update - does not include contents of communications, but merely the fact it took place and who it involved. What I understood by that was the storing of CDRs or their modern equivalents would be routine, as opposed to monitoring contents of communications which is exceptional.

The article from The Times merely reports that the Home Office have been asking questions, and implies that they are planning an uber-database, but the spokesperson said nothing is yet decided. The fact that they have a reaction from the ICO makes it look like something is afoot in that direction, but doesn't mean there is.

As intentions go, I think it is pretty reasonable. Law enforcement use of CDRs is not terribly controversial, but increasingly outdated. However, the practicalities are another matter. The Regulation of Investigatory Powers Act 2000 (RIPA) was controversial when it came in, and its use continues to attract criticism and even anger. It is hard to imagine that an extension of routine powers in this general area will be smooth and simple.

From a practical point of view, it depends on what kinds of things are included. Some possibilities spring to mind: skype and other voip calls, email traffic, web traffic, instant messaging...

Ugh. Just starting with voip calls, monitoring gets us into a bit of a pickle. The easy bit is if the call goes onto the PSTN (i.e. the normal phone network), as the company providing the gateway can easily keep authenticated CDRs as per the old model. However, the modern age makes things more fluid. The Internet allows people to choose their applications, so the moment something gets monitored they could switch to something else. For example, Internet communications packages may start using encryption by default to protect people from criminal interception...and protect against legal interception either accidentally or deliberately.

On a parallel track, I was fascinated by this article in the Guardian from Bruce Schneier, the security guru. Bruce's blog is a must-read for information security professionals, and he often ends up pointing out how pointless or ineffective government security measures are. In the article, Bruce has taken umbrage with customs officials in the US and UK routinely poking around in people's laptops - and even taking copies of data. He outlines how individuals can get around this - and even points to some free software to do it. Interestingly, under RIPA it is illegal to withhold your encryption key/password from law enforcement, but the software Bruce mentions has ways of getting around that by making it impossible to prove you are holding encrypted data. There is nothing illegal about using encryption, or not knowing the key, or forgetting it, although lying to law enforcement is not a good idea.

In short, encryption technology and systems like The Onion Router already provide legal ways to protect communications and data storage from anyone - criminal or law enforcement. The protection is not always perfect, or even terribly good, but it could be enough to render increased monitoring ineffective.

Of course, that may be irrelevant. The technical capability of the average criminal, or the situation around unplanned criminal acts (i.e. people who haven't watched Columbo or CSI) may mean that monitoring bog-standard open communications is actually quite useful. For organised criminals or experts, it will not be effective, but for everyone else - the vast majority gracing our court systems - it may work a treat.

At some point there will be a draft bill, or even a consultation to respond to, but in the meantime we can simply wait and see what the Home Office comes up with. Watch this space!