Big Browser need not be watching you

Specialised networking techniques, and the use of internet service providers based outside the UK, could render the controversial RIP Bill unenforceable, according to experts.

Written by Liesbeth Evers, Network News

The Regulation of Investigatory Powers (RIP) Bill, which will enable the police and security services to investigate telephone, email and server data, could cost UK companies more than £46bn, the British Chamber of Commerce (BCC) warned last week.

An independent report by the BCC, the London School of Economics and University College, London, found that implementing the Bill would cost internet service providers (ISPs) £640m alone, compared to the UK government's estimate of £34m.


Civil liberties groups say the Bill in its present form breaches privacy rights, and industry players have warned of a potential adverse effect on the economy, but it has been discovered that basic networking technology could render the Bill impossible to enforce.

Steganography and Diffie-Hellman
Basic network techniques, such as the steganographic file system and the Diffie-Hellman key exchange, make it virtually impossible to trace data transmission or storage, leaving the Bill open to abuse from the very criminals it is trying to catch.

Nicholas Bohm, Ecommerce Working Group member at the Law Society, said: "RIP acts like a salesman for steganography and secure messaging techniques. Their deployment might not have happened if it weren't for this bill."

The steganographic file system hides data behind multiple passwords so that it looks as if there are no files stored. If a password is entered, a number of files appear on screen. After a second password, more files appear, and so on.

"When pressed for codes, someone could give three passwords and say: 'That is it, you now know all my secrets,' and no-one can prove otherwise," said Bohm. "It makes it a powerful tool, especially for laptop users who have the plausible excuse that they use steganography to protect data on the road."

Caspar Bowden, director of the Foundation for Information Policy Research (FIPR), said: "Steganography is a way to avoid the RIP Bill."

While steganography hides stored data, Bohm said that the Diffie-Hellman key exchange could be used for hiding transmissions. The technique is popular with lawyers and banks for sending confidential data such as contracts or financial results.

Key exchange
The Diffie-Hellman key exchange was developed in 1976 and creates a random key, unknown to the users, to encrypt data while sending it over a secure connection. It then destroys this key when the transmission is complete.

"As the technique keeps the key a secret from its users, they can prove that they never had it, which safeguards them from RIP prosecution for data transmission," said Bohm. "The key needs a telephone transmission such as DSL, rather than the internet, because that is based on store-and-forward, which would still expose users to the RIP Bill. But with a simple black box on top of your phone and some software from, for instance, Starium, it is easy and inexpensive to safely send encrypted data."

"If Diffie-Hellman is combined with steganographic file storage, there is virtually no trace of either transmission or storage, which makes it extremely difficult to enforce the RIP Bill," he added.

Escalating costs
Gregory Smith, chairman of the security group at the Telecommunication Managers Association, said: "The Bill does not explain how businesses can deal with its impact. It [could] be very destructive to the economy. Many companies are already going abroad."

UK ISPs are set to play a vital role in enforcing the Bill. The Smith Group recommended to the Home Office that ISPs install a black box to select and intercept the information that passes through their servers and feed it to the government's new £25m data monitoring centre.

Martin Sutherland, author of the Smith Group report, said: "The black box is essential for the technical implementation of the RIP Bill."

Going abroad
Foreign ISPs do not have black boxes on their premises. A Home Office spokesman confirmed that the government could not demand "codes to encrypted messages stored on offshore servers".

Bohm said that using an overseas ISP may become part of the strategy for companies. "Intercepting data directly from the telecoms network is less convenient, and therefore unlikely to happen. With an offshore ISP, costs may be higher, but volume of traffic would make it a realistic scenario for commercial users," he said.

He also warned that the Bill makes the UK unattractive. "Companies outside the UK would be foolish to use a UK ISP. It would expose their international traffic to an interception of confidential messages that otherwise would not arise," he said.

Smith added that the Bill is too loose in its description of ISPs. "There is no definition, so if it passes as it is, the part about ISPs could just as well apply to network managers, while the Bill gives too little direction on how to comply," he said.
