Legal Eye: Does Home Office online surveillance go too far?

Increased scrutiny of the public's online activities could undermine the viability of the web, says lawyer Ruth Hoy.

The Home Office's recent announcement that it is working with the EU to grant police powers to hack into personal computers without a warrant threatens to rock the delicate balance between the need to tackle cybercrime and the right to personal privacy.

Clearly cybercrime is increasing, both in sophistication and prevalence, and for the vast majority of law-abiding people these proposals should have little impact on their lives. But does the end really justify the means and can this form of 'remote searching' ever be adequately monitored and implemented?

The EU's proposed extension of what it acknowledges to be "intrusive surveillance" means law enforcement officers will be authorised to covertly gain remote access and monitor a suspect's computer usage provided it is considered both "necessary" and "proportionate" with no judicial oversight or clearance.

Emails, internet searches and instant messaging discussions are just some of the personal data that the police could hack into if they deem it necessary during an active investigation. Should these powers be granted, the police would no longer be required to apply to a magistrate's court for a warrant; rather the approval would be sought from a police chief constable and hence subject to the discretion of a single individual.

Key issues:

♦  Protection vs prosecution: The balancing act between individual right to privacy and common need to prevent cybercrime

♦  Cross-border implications: Should access to information from UK PCs be shared beyond our borders and is there an adequate international legal framework in place to regulate that access?

♦ The commercial cost: Does increasing police access to the internet potentially decrease its commercial appeal?

While these proposals may at first sight seem radical, remote, warrant-free searches of computers are currently legal under parts of the Regulation of Investigatory Powers Act (Ripa). In fact the Association of Chief Police Officers (Acpo) estimates the UK police conducted nearly 200 remote hacking operations in 2007-2008. Similarly, no new legislation is likely to be ushered in with these extended surveillance powers, instead the proposals would be regulated and governed under the existing Ripa legislation.

What is perhaps most controversial, however, is the potential cross-border application of these powers. Part of the EU's plan is to increase data sharing and access between European police forces. This means, in theory at least, that law enforcers in Italy, for example, may have access to information seized from computers in the UK (most likely via Europol), and vice versa.

But this should come as no surprise - the war against cybercrime is not fought within neat national boundaries but is waged on a virtual and therefore international front. So domestic powers alone can only ever have limited effect. That said, providing foreign law enforcement officers with access to UK personal data could not only provoke public concern but also severely test the compatibility and consistency of cyber-regulation across Europe.

Opinion is inevitably divided. Some PC users will object to these powers and view them as tantamount to the police entering their property and going through their personal belongings without permission. Others will claim they have nothing to hide and welcome the extra protection against, for example, the threat of terrorism.

The reality is that most of us lead fairly public lives online, documenting our activities through social networks and providing plenty of information accessible via search engines. The level of privacy we believe we enjoy is actually quite limited and the digital footprint we are already making readily available is pretty sizeable. Of course, some users may reveal more than others but the key thing is: it's the user's choice.

Introducing involuntary infiltration could completely undermine the culture of self-regulation that pervades the internet and render the choice an individual makes about what is and isn't private obsolete. Giving police hacking powers may well reduce levels of cybercrime - but could it also fatally undermine user confidence in the internet and challenge the commercial appeal of everything from social networks to online shopping sites?

Debating the hypothetical merits or downsides of the proposals is only so useful, however. What the law threatens in theory could be very different from its application in practice. How these powers are to be used, or indeed abused, is the real litmus test of their legitimacy and feasibility.

Thus we need greater clarity as to how these new privileges will be regulated and by whom. Most importantly these practices then need to be fully explained to, and accepted by, the end user.

Without clear and transparent guidelines and recourse for any inappropriate use of these powers, it's not only our privacy that may be at risk, but the entire commercial viability of the web itself.

Ruth Hoy is a partner at DLA Piper's technology, media and commercial group.