'Person' as in Section 13
Ian Miller
Ian_Miller at scientia.com
Tue, 17 Aug 1999 17:40:33 +0100
[Sorry to revisit this one after such a long delay. I have been away.]
At 14:41 06/08/99 +0100, Nicholas Bohm wrote:
>At 02:16 PM 8/6/1999 +0100, Ian Miller wrote:
>>An individual is a company's senior system administrator (as it happens I
>>am; hence the interest) and they have access to company's master encryption
>>keys. However they only have access by dint of their position, not as a
>>private individual. Release of those keys to a third party is summary
>>dismissal offence. If the system administrator was personally served with
>>a warrant, would they be justified in refusing to comply on the grounds
>>that they, as a private person, have no lawful access to the key?
>
>Almost certainly not - if the individual can in practice disclose it, he
>has sufficient possession to be subject to a clause 10 notice/
Under what circumstances, is it legally true to say that someone 'can in
practice' do something? If company policy forbids something, someone may
be able to do it, but doing it may be criminal offence under the Computer
Misuse Act. If there are security precautions designed to prevent it being
done, it may be possible through a mixture of subterfuge and cracking
circumvent these. To what extent could the recipient of a warrant be
required to sabotage their employer's security precautions?
My layman's reading of section 13-(3) is that if the software holding the
key is designed to do the tipping-off automatically, allowing this to
happen is okay provided "that person could not reasonably have been
expected to take steps ... to prevent the disclosure" [13-(3)(b)]. I am
right (or how likely are the courts to agree) that believing it would be an
offence under the Computer Misuse Act make it unreasonable to 'take steps'.
Ian