Consultation on the Draft Code of Practice for the Investigation of Protected Electronic Information: Part III of the Regulation of Investigatory Powers Act 2000

Ian G Batten ukcrypto at chiark.greenend.org.uk
Wed, 7 Jun 2006 18:26:37 +0100


On 7 Jun 2006, at 14:50, Watkin Simon wrote:

> Dear colleagues,
>
>
> The Home Office has today (Wednesday 7 June) issued a public  
> consultation on the investigation of protected electronic data,  
> which invites comments on a draft code of practice relating to the  
> exercise of powers under Part III of the Regulation of  
> Investigatory Powers Act 2000 (RIPA) and on proposals for amending  
> section 53 of RIPA.  The closing date for the consultation is 30  
> August.
>
>
> The consultation paper is online at:
> http://www.homeoffice.gov.uk/documents/cons-2006-ripa-part3/


It's been a long day, and I'll take a copy to read while my children  
have their swimming lessons.  But at first scan...

Consultation Document:

17(iii) page 6.  ``the apparatus or device containing the protected  
information has come into possession of any person together with  
other apparatus or a device''.  That seems quite sloppy.  I presume  
it's meant to encompass the case of my having a USB stick full of  
unencrypted bad stuff in one pocket and a USB stick full of encrypted  
stuff in the other.  However, `any person' presumably covers a Home  
Office Forensic examiner: surely the case of Home Office Man having  
in his left hand an unencrypted USB stick of Bad Stuff seized in  
Penzance and in his right an encrypted USB stick seized in Lerwick  
can't be used to justify demanding the keys to the latter?  I think  
there needs to be an ``at the point of seizure'' or something in there  
(as you might guess, I wasn't a legal draughtsman in a former life).

Code

3.18 (page 21) needs to be tightened up.  It doesn't really explain  
session keys (for which pretty much the whole point is that the  
`user' doesn't have access to them) and by invoking `symmetric keys'  
it gets itself really confused.   Session keys are symmetric.   
Symmetric keys are not necessarily session keys (for example, my Bad  
Friends and I might agree to just exchange mail using a single fixed  
AES256 key).  The paragraph needs to capture the fact that session  
keys are (a) usually unknown to the user and (b) often ephemeral  
[ssl, ssh].  When they are not ephemeral (the bulk cipher key in a  
file encrypted with PGP) the user nonetheless has limited ability to  
produce them (one could hack GPG to produce them, but I don't think  
it's a standard feature).  The symmetric part is a distraction.

ian