Net snooping bill 'fatally flawed'

15 Jun 2000


A technical loophole has been exposed that could render the government's Regulation of Investigatory Powers (RIP) Bill useless.

If the Bill, which is being hotly contested in the House of Lords, is made into law, the loophole means that basic network technology available to criminals and network managers could make it impossible to enforce.


Nicholas Bohm, a member of the Law Society's ecommerce working party, said that the government's £25m RIP data monitoring technology, which is strongly opposed by businesses, can be bypassed by setting up steganographic file systems and Diffie-Hellman key exchange networks, which have been around since 1976.

The Diffie-Hellman key exchange system uses random keys to encrypt data sent down a normal telephone line. Once transmission is complete, all keys are automatically destroyed.

The information must be sent over telephone lines rather than using internet connections, but it is inexpensive to install, virtually undetectable by police and legal to use.

"It is fair to say that network managers may not want to share all their company's data - not because they want to hide criminal activities but because they are in charge of data that is confidential," said Bohm.

Steganographic file systems layer messages behind messages and multiple passwords, and make it possible to store data without detection.

"RIP acts like a salesman for steganography and secure messaging techniques, such as Diffie-Hellman. Their deployment might not have happened if it had not been for the RIP Bill," said Bohm.

Caspar Bowden, research director for the Foundation for Information Policy, said: "Steganography is a valid way to avoid the Bill. Criminals will not hand over multiple passwords to the police, who will not know that the data is there."

Gregory Smith, Telecommunication Managers Association security group chairman, said: "The law doesn't take into account any technological realism. These systems make it unlikely that data would be intercepted."

A legitimate company using these systems would hand over keys to unlock secret messages stored on their computer systems. However, they can't give the police the Diffie-Hellman keys because they don't have them and so any voice line transmissions will remain secret.
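The property described above, that the keys exist only for the length of one transmission and cannot be produced afterwards, is sketched below as an added example that is not part of the original article. The group parameters and the `Party` and `run_session` names are assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed demonstration parameters (assumption): the prime 2**255 - 19, base 2.
# A real deployment would use a vetted group, e.g. the MODP groups of RFC 3526,
# and would authenticate the exchange; plain Diffie-Hellman does not.
P = 2**255 - 19
G = 2


class Party:
    """One end of the line; holds a private exponent for one session only."""

    def __init__(self):
        self._x = secrets.randbelow(P - 3) + 2   # fresh random exponent in [2, P-2]
        self.public = pow(G, self._x, P)         # the only value sent on the wire
        self._key = None

    def agree(self, peer_public):
        # Reject degenerate values that would force a predictable shared secret.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate peer value")
        shared = pow(peer_public, self._x, P)
        self._key = hashlib.sha256(shared.to_bytes(32, "big")).digest()
        return self._key

    def end_session(self):
        # Models "all keys are destroyed". Python cannot guarantee the memory
        # is wiped; this only drops the references.
        self._x = None
        self._key = None

    def disclosable(self):
        """What is left to hand over once the session has ended."""
        return {"private": self._x, "session_key": self._key}


def run_session():
    alice, bob = Party(), Party()
    wire = (alice.public, bob.public)            # everything an interceptor records
    k_a = alice.agree(bob.public)
    k_b = bob.agree(alice.public)
    alice.end_session()
    bob.end_session()
    return k_a, k_b, wire, alice.disclosable(), bob.disclosable()


if __name__ == "__main__":
    k_a, k_b, wire, left_a, left_b = run_session()
    print("keys matched during session:", k_a == k_b)
    print("left to disclose afterwards:", left_a, left_b)
```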

Adrian Noad, business development director at RAM Mobile Data, said: "A law should be just and enforceable - the RIP Bill is neither."

First published in Network News
