'Person' as in Section 13

[Nicholas Bohm]

At 05:58 PM 8/17/1999 +0100, Michael Bacon wrote:

>Following up, can the legal eagles tell us in general, if to comply with one
>law requires one to break another, where does one stand?  (Other than in the
>dock on one charge or another.)

Difficult.  If the later law expressly requires breach of the earlier, it
amounts to an implied repeal of the earlier, and your're not therefore
breaking it.  But this is rare (and would be a serious failure of
parliamentary draftsmanship).

Where the later law imposes an obligation to do something, but the only
way, in a particular case, of complying involves a breach of the criminal
law, then probably the obligation does not require the breach to be committed.

>Michael (Streaky) Bacon
>  _____
>~(_____)>
>  "    "
>The opinions stated herein are my own and do not necessarily reflect
>those of my employer.
>==
>
>
>-----Original Message-----
>From: Ian Miller [mailto:Ian_Miller@scientia.com]
>Sent: Tuesday, August 17, 1999 9:41 AM
>To: ukcrypto@maillist.ox.ac.uk
>Subject: Re: 'Person' as in Section 13
>
>
>[Sorry to revisit this one after such a long delay.  I have been away.]
>
>At 14:41 06/08/99 +0100, Nicholas Bohm wrote:
>>At 02:16 PM 8/6/1999 +0100, Ian Miller wrote:
>>>An individual is a company's senior system administrator (as it happens I
>>>am; hence the interest) and they have access to company's master
>encryption
>>>keys.  However they only have access by dint of their position, not as a
>>>private individual.  Release of those keys to a third party is summary
>>>dismissal offence.  If the system administrator was personally served with
>>>a warrant, would they be justified in refusing to comply on the grounds
>>>that they, as a private person, have no lawful access to the key?
>>
>>Almost certainly not - if the individual can in practice disclose it, he
>>has sufficient possession to be subject to a clause 10 notice/
>
>Under what circumstances, is it legally true to say that someone 'can in
>practice' do something?  If company policy forbids something, someone may
>be able to do it, but doing it may be criminal offence under the Computer
>Misuse Act.  If there are security precautions designed to prevent it being
>done, it may be possible through a  mixture of subterfuge and cracking
>circumvent these.  To what extent could the recipient of a warrant be
>required to sabotage their employer's security precautions?

I don't think Part III repeals, or authorises breaches of, the Computer
Misuse Act.  Nor do I think it demands system sabotage (and in any case, to
convict would require a jury to believe you were lying when you said you
couldn't break the system, and it's hard to see the basis for that).

>My layman's reading of section 13-(3) is that if the software holding the
>key is designed to do the tipping-off automatically, allowing this to
>happen is okay provided "that person could not reasonably have been
>expected to take steps ... to prevent the disclosure" [13-(3)(b)].  I am
>right (or how likely are the courts to agree) that believing it would be an
>offence under the Computer Misuse Act make it unreasonable to 'take steps'.

A reasonable belief that preventing automatic disclosure would be an
offence ought to do the trick.

Regards,

Nicholas Bohm

Salkyns, Great Canfield,
Takeley, Bishop's Stortford CM22 6SX, UK

Phone		01279 871272	(+44 1279 871272)
Fax		01279 870215	(+44 1279 870215)
Mobile   	0860 636749  	(+44 860 636749)

PGP RSA 1024 bit public key ID: 0x08340015.  Fingerprint:
9E 15 FB 2A 54 96 24 37  98 A2 E0 D1 34 13 48 07
PGP DSS/DH 1024/3072 public key ID: 0x899DD7FF.  Fingerprint:
5248 1320 B42E 84FC 1E8B  A9E6 0912 AE66 899D D7FF