By Ruth Hoy, 21 January 2009 09:00
COMMENT
Increased scrutiny of the public's online activities could undermine the viability of the web, says lawyer Ruth Hoy.
The Home Office's recent announcement that it is working with the EU to grant police powers to hack into personal computers without a warrant threatens to rock the delicate balance between the need to tackle cybercrime and the right to personal privacy.
Clearly cybercrime is increasing, both in sophistication and prevalence, and for the vast majority of law-abiding people these proposals should have little impact on their lives. But does the end really justify the means and can this form of 'remote searching' ever be adequately monitored and implemented?
The EU's proposed extension of what it acknowledges to be "intrusive surveillance" means law enforcement officers will be authorised to covertly gain remote access and monitor a suspect's computer usage provided it is considered both "necessary" and "proportionate" with no judicial oversight or clearance.
Emails, internet searches and instant messaging discussions are just some of the personal data that the police could hack into if they deem it necessary during an active investigation. Should these powers be granted, the police would no longer be required to apply to a magistrate's court for a warrant; rather the approval would be sought from a police chief constable and hence subject to the discretion of a single individual.
Key issues:
♦ Protection vs prosecution: The balancing act between individual right to privacy and common need to prevent cybercrime
♦ Cross-border implications: Should access to information from UK PCs be shared beyond our borders and is there an adequate international legal framework in place to regulate that access?
♦ The commercial cost: Does increasing police access to the internet potentially decrease its commercial appeal?
While these proposals may at first sight seem radical, remote, warrant-free searches of computers are currently legal under parts of the Regulation of Investigatory Powers Act (Ripa). In fact the Association of Chief Police Officers (Acpo) estimates the UK police conducted nearly 200 remote hacking operations in 2007-2008. Similarly, no new legislation is likely to be ushered in with these extended surveillance powers, instead the proposals would be regulated and governed under the existing Ripa legislation.
What is perhaps most controversial, however, is the potential cross-border application of these powers. Part of the EU's plan is to increase data sharing and access between European police forces. This means, in theory at least, that law enforcers in Italy, for example, may have access to information seized from computers in the UK (most likely via Europol), and vice versa.
But this should come as no surprise - the war against cybercrime is not fought within neat national boundaries but is waged on a virtual and therefore international front. So domestic powers alone can only ever have limited effect. That said, providing foreign law enforcement officers with access to UK personal data could not only provoke public concern but also severely test the compatibility and consistency of cyber-regulation across Europe.
Opinion is inevitably divided. Some PC users will object to these powers and view them as tantamount to the police entering their property and going through their personal belongings without permission. Others will claim they have nothing to hide and welcome the extra protection against, for example, the threat of terrorism.
The reality is that most of us lead fairly public lives online, documenting our activities through social networks and providing plenty of information accessible via search engines. The level of privacy we believe we enjoy is actually quite limited and the digital footprint we are already making readily available is pretty sizeable. Of course, some users may reveal more than others but the key thing is: it's the user's choice.
Introducing involuntary infiltration could completely undermine the culture of self-regulation that pervades the internet and render the choice an individual makes about what is and isn't private obsolete. Giving police hacking powers may well reduce levels of cybercrime - but could it also fatally undermine user confidence in the internet and challenge the commercial appeal of everything from social networks to online shopping sites?
Debating the hypothetical merits or downsides of the proposals is only so useful, however. What the law threatens in theory could be very different from its application in practice. How these powers are to be used, or indeed abused, is the real litmus test of their legitimacy and feasibility.
Thus we need greater clarity as to how these new privileges will be regulated and by whom. Most importantly these practices then need to be fully explained to, and accepted by, the end user.
Without clear and transparent guidelines and recourse for any inappropriate use of these powers, it's not only our privacy that may be at risk, but the entire commercial viability of the web itself.
Ruth Hoy is a partner at DLA Piper's technology, media and commercial group.
Comments
There are 7 comments. Join the discussion
1. Mouhamad Naboulsi
In the U.S., We just got rid one bad president and his party because they thought it was ok to do what your EU is proposing.
Good luck in getting rid of all of your presidents and their backword vision.
2. Richard Davies
What about the issue of corrupt police and the fact that they could pass something based on their opinion and not necessarily the law?
Also, I have asked this several times and had no answer...where does an individual stand if they are subjected to a search by mistake? Police do knock down the wrong doors you know...would they admit this and what would the repercussions be?
3. misceng
For the police to obtain access means hacking into a computer just as the criminals do. This means that firewalls and antivirus must have flaws to be exploited by the police thus opening a great big door for cybercrime.
This means that a law to combat crime will make crime easier.
4. anonymous
PC users may need three computers. One stand-alone computer for private information, one connected to the internet and a third computer in an Internet cafe. A nuisance but the only way to maintain control over ones privacy.
And then there is the post.
5. Karen Challinor
The EU's proposed extension of what it acknowledges to be "intrusive surveillance" means law enforcement officers will be authorised to covertly gain remote access and monitor a suspect's computer usage provided it is considered both "necessary" and "proportionate" with no judicial oversight or clearance.
- "no judicial oversight or clearance" if they had evidence they could get a warrant, this allows searches based at best on suspicion or at worst on the say so of a possibly "bad apple" police officer who could then place incriminating evidence on the suspect machine, I'm not saying it will happen but can you prove it won't
remote, warrant-free searches of computers are currently legal under parts of the Regulation of Investigatory Powers Act (Ripa)
- thank you for reminding people that RIPA has already stripped people of their privacy, the current move is simply to allow international sharing of the gathered data, the genie is already out of the bottle, I would like it put back in
Some PC users will object to these powers
- ever seen "CCTV Cities" on television ?, take a long hard look at the ops room staff as they chortle and giggle at the antics of those they surveil, then look at your PC
Others will claim they have nothing to hide
- except of course incompetence, maliciousness, mistakes, corruption, changes in political ideology.... and of course if the police can hack in through your wifi then so can pretty much anyone else
6. Cassandra
Far too Far, who are the police trying to protect and from what? They can obtain a warrant if they have any evidence - and can also act to protect national security - so what other cyber crime needs this extension?
Porn, copywright infringement or phishing? I see no evidence of phishers being caught or targetted. Why collect more information if they lack the resorces to process it? Why avoid civil liberties and accountability, why remove civil reviews, checks and balances? Who decides how to spend the surveliance resource?
7. RM
Of course it does. However, this is merely another step in the systematic abuse of our right to privacy & removal of Civil Liberties which has taken place since 1997. I would therefore say to all readers, use your vote wisely.
An angle that hasn't been considered is that the police need public co-operation to stop crime. Personally, I am no longer willing to provide that co-operation. How many other similarly disenchanted people are there out there?