February 26, 2001, 5:22 PM
Having been so uncomplimentary about lawyers a few weeks back, I've decided that it's time I knew more about the law -- at least the law as it affects our IT department. So I've been doing a bit of research into the Byzantine mess of rules and regulations that surrounds our everyday work.
It's hard stuff. My respect for lawyers is growing, if they can put up with a career full of documents of this complexity. Mind you, they probably say the same about IT.
The Law in Two Acts
Apart from the issues of inappropriate e-mails and monitoring that I discussed last week, there are two legal worries at the back of my mind at the moment: the Regulation of Investigatory Powers Act (RIPA) and the Data Protection Act (DPA).
These laws are specific to the U.K., but security managers around the world face a patchwork of similar laws. For example, the RIPA debate is broadly similar to the Carnivore debate that's been going on in the U.S. Carnivore is the FBI's (apparently successful) attempt to enforce monitoring of e-mail traffic by installing "black box" devices at Internet service providers. RIPA takes a similar approach in the U.K. but goes quite a bit further.
At heart, RIPA is the British government's attempt to extend its powers of surveillance to cover the Internet. The previous law, the Interception of Communications Act, became law in 1985, when few foresaw the rise of mass e-mail and the Internet.