Adducing sufficient evidence to raise an issue (was RE: Consultation on the Draft Code of Practice for the Investigation of Protected Electronic Information: Part III of the Regulation of Investigatory Powers Act 2000

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Thu, 08 Jun 2006 16:55:55 +0100


Caspar Bowden wrote:

> Introduction "This formal consultation provides an opportunity to tell
> the Government if there is anything more or anything different that
> should be included in the code before it is put to Parliament for
> approval."
> 
> 
> 
> "10.5 A person shall be taken to have shown they were not in possession
> of a key to protected information at a particular time if sufficient
> evidence of that fact is adduced to raise an issue with respect to their
> not having had possession of the key. The prosecutor has to prove the
> contrary beyond reasonable doubt."
> 
> 
> 
> This seems to be the only reference to the heart of the matter of the
> reversal of the burden of proof. As ukcrypto veterans will recall, this
> phraseology ("adducing sufficient evidence to raise an issue") was
> introduced in a government amendment under pressure in the Lords, so
> presumably the government must have some idea what this means. I would
> argue that (aside from other ECHR concerns) to meet a foreseeability test
> under HRA/ECHR the public needs to have a good idea what key
> management/destruction practices will suffice to allow this defence to
> be relied on. Of course, the government was pressed on this at the time,
> and the best they could come up with is that whatever key management
> procedures the individual used should be explained to the authorities,
> and the courts would decide whether this was credible.
> 
> 
> 
> After six years, we get a new consultation without any further
> clarification or elaboration of perhaps the most critical issue in the
> entire legislation.

Afaict, the "consultation" doesn't clarify any of the issues at all.

For instance, are signature keys used only to authenticate inter alia a
request for access to (protected) data demandable - can access keys be
demanded to data in eg a foreign server, ie data which is not now in the
possession of the Police but which is likely to come into their possession
if they have the access keys which may or may not be demanded, but is not
likely to come into their possession if the access keys are not available to
them - when can "flat" data be assumed to be protected data - can the
subject get confidential assistance in order to determine what data the
Police have in their possession, eg can he in confidence try all the keys he
has, some of which may be for data not in the Police's possession, to see
which ones open the data the Police have - who is the ultimate judge of
whether something is likely to come into the Police's possession (the Courts
I guess) - and so on, I can't be bothered to list them all now and I'd
probably miss a few anyway



Nor is the CoP anything I would call a Code of Practice, it's just RIPA
restated.


Incidentally this raises the issue of what a code of practice is supposed to
be - I had rather imagined it as a "you can do this, you can't do that, you
can do that but you shouldn't unless the sky is falling, you should always
do this even though you don't have to, this is what "proportionate" means,
don't issue an order if it's only about a few spliffs" kind of thing - but
perhaps that was overly naive.


(don't issue an order on an MP's secretary without asking the PM's office
first - that you can demand keys in the financial interests of the UK does
not mean you have a licence to demand keys as part of widespread industrial
espionage - und so weiter


-- 
Peter Fairbrother