Silicon.com: Snooping Bill drives first ISP abroad

[Ross Anderson]

Ian:

> >More accurately (given the "highest monkey available" clause in the bill
> >amendments) if the order is served on a UK based managing director, is he
> >required to order a non-uk based technician to serve up the data?
> 
> Maybe; but the non-UK techie's contract could state "obey interception orders
> from any UK person and lose your job."

That's what Goldman Sachs do; we heard their story at the Cambridge
protocols workshop at Easter and it'll be out in the proceedings in a
few months.

The main board in New York has decreed that all key recovery for the
UK will be done in Zuerich and that the responsible staff there are
forbidden to recover keys on UK orders.

Side effect: in future any allegations of fraud in the UK will have
to be investigated by Swiss accountants. So RIP is already doing
tangible harm to Uk commercial interests - and it's not even on the
statute book yet

Richard:

> if you are in the UK and are able to intercept traffic in another
> country then - as I read the Bill -you are obliged to do so if served
> with a warrant in the UK. Since you may well be committing an offence
> in the other country, I think it would be a wise precaution to ensure
> that you do not have such abilities

This is what drove the above. Recovering keys protecting customer
financial data can very easily be a criminal offence in Swiss law. Big
companies don't like the kind of dilemma in which you go to jail if
you do X, and you go to jail if you do not-X.

> so that really only leaves spinning off the hosting as a separate
> non-uk company or subcontracting it to such a non-.uk company

Subcontract the key recovery service to the ACLU. Better still, use
encryption products that don't support key recovery. That way you can
prove you don't have access to the key, and never did.

Ross