Although regulations under Chapter 1 are certainly an improvement on the IOCA11; it still has its failings. The main issue is the lack of judicial oversight. 12 The Home Office states that the use of judges would be inappropriate because of the need for an executive officer to deal with cases of national security and economic well-being. 13 However, Judges already possess powers to grant judicial warrants under the Official Secrets Act 1911, section 9, and the Official Secrets Act 1989, section 11.
The likelihood of abuse ever being uncovered is also severely reduced as interception is never revealed at any later time to the subject. The overwhelming number of reviews carried out by the Tribunal or Commissioner makes it highly unlikely that any errors will be highlighted, though this does not amount solely to a breach of the European Convention. 15 The terms used under section 5 also seem to be widely open to interpretation. This can be seen with the definition of "serious crime" which differs from the version in PACE.
There is also no legislative protection offered for privileged material, though the draft Code of Practice on Interception does provide some recognition, as well as for medical religious and journalistic materials. 17 RIPA does not address all relevant forms of interceptions, such as by foreign agencies either within the UK or targeted at the UK. 18 RIPA also fails to consolidate pre-existing codes of regulation of surveillance; it amends,19 but does not replace, the Wireless Telegraphy Act 1949 section 5, the Intelligence Services Act 1994, section 5, and the Police Act 1997, Part III.
There are also economic concerns when looking at the impact of RIPA. Compliance costs on UK Communications Service Providers and an attempt to preserve customer privacy against snooping by the Government Technical Assistance Centre may cause many companies to relocate beyond the reaches of RIPA. Chapter 2: Acquisition and disclosure of communications data RIPA gives clearer, more explicit powers that that given under section 29 of the Data Protection Act 1998.
20 This allows data users to make disclosures if necessary for the prevention or detection of crime or for the purpose of any criminal proceedings by the users of personal data contrary to the stated restraints on the registered forms of disclosure. Although RIPA addresses the growth and increasing demands of the private sector and in particular the telecommunications sector, RIPA potentially allows a large range of public agencies to access private information, using standards and procedures which are not as stringent as those laid out by the European Convention of Human Rights.
Part II of RIPA provides a broader statutory basis for surveillance and interception in order to ensure that the "in accordance with law" requirement of Art 8(2) was met for the use of three types of covert surveillance, namely, directed surveillance, intrusive surveillance and the use and conduct of covert human intelligence sources. Part II of the Act does provide an element of legal accountability in relation to the authorisation of many surveillance operations. However, the different authorisation standards applicable to intrusive and directed surveillance are difficult to justify and might not satisfy Convention standards.
Part II also allows for a considerable amount of detail to be determined through the use of delegated legislation that does little for the clarity of the law, which already allows broad discretion and very limited independent oversight. In Amman v. Switzerland21 the European Court re-iterated the need for clear and precise rules governing covert surveillance techniques. Whether Part II of the Act meets those standards is still open to discussion. Part III was seen as one of the more controversial aspect of the Act and was introduced despite the anxieties over possible human rights infringements.
It makes it a crime to refuse to decrypt almost any encrypted data requested by authorities as part of a criminal or terror investigation. Individuals who are believed to have the cryptographic keys necessary for such decryption will face up to 5 years in prison for failing to comply with police or military orders to hand over either the cryptographic keys, or the data in a decrypted form. It is in such instances where a minimal interpretation of the Convention has led to the statutory rubber stamp for somewhat illiberal state action22. The European Court of Human Rights stated that;
"Tapping and other forms of interception of telephone conversations constitute a serious interference with private life … It is essential to have clear, detailed rules on the subject, especially as the technology available for use is continually becoming more sophisticated. "23 The law has been criticized for the power its gives investigators, which is seen as dangerously broad. Authorities tracking the movement of terrorist funds could demand the encryption keys used by a financial institution, for instance, thereby laying bare that bank's files on everything from financial transactions to user data.
Therefore, it can be said that, Part III fails to ensure the employment of the best available methods for key protection. RIPA and the draft Code of Practice24 fail to give adequate guidance on the design, development, implementation and operation of the procedures, standards and technical mechanisms needed to provide protection for keys. It is felt that the consequences for disclosure of citizen data is minimal, highlighted by the fact that there are no criminal offences attached to disclosure.
The conclusions of the Trade and Industry Committee were that "the proposed code of practice may prove to be toothless" and "the impression is given by the legislation that infringements of the code of practice will go unpunished". 25 The law also allows authorities to compel individuals targeted in such investigation to keep silent about their role in decrypting data. This will be handled on a case-by-case basis; however, it's another worrisome facet of a law that has been widely criticized for years.