FW: RIPA Part III
Peter Fairbrother
ukcrypto at chiark.greenend.org.uk
Tue, 13 Jun 2006 22:26:25 +0100
----------
From: Peter Fairbrother <zenadsl6186@zen.co.uk>
Date: Fri, 09 Jun 2006 11:29:13 +0100
To: Watkin Simon <Simon.Watkin@homeoffice.gsi.gov.uk>
Subject: Re: RIPA Part III
Hi Simon.
Thanks for the unexpected reply. Can I repost it elsewhere?
Some comments are below.
--
Peter
You wrote:
> In it you wrote:
>
>
>
> "Keys used only for signatures are excluded from being the subject of
> demands, but the question of whether a signature key used to authenticate a
> request for access to a database is excluded is by no means settled - I have
> been asking the Home Office for guidance on that point for several years
> now, without getting it resolved."
>
>
>
> A key used to authenticate a request for access is out.
>
> A key used to undertake access is in.
>
> "Now if a key is used to sign a request for access to a database, it is
> undoubtedly being used to establish the authenticity of the request - but is
> it also being used to access the database? I'm pretty sure a Judge could say
> yes, and in fact I think they probably would. That's a different use, and
> the key is then demandable."
>
>
>
> A key used to authenticate and access is in.
And now we come to the actual question - a key has been used to authenticate
requests for access. In so doing, has it been used to access?
I already knew the rest, and you didn't answer that one.
>
> "More, if the person upon whom a notice is served is unable to give a key,
> it is then his duty to give the police any information in their
> possession which "would facilitate the obtaining or discovery of the key or
> the putting of the protected information into an intelligible form". s50(9)
> Afaict the signature-key exclusion does not apply to this information. This
> is again unclear though."
>
>
>
> That a person cannot be required to disclose a key used only for
> authentication is absolute.
Good. It would be nice to see this stated in the CoP.
> "Even if it turns out that signature keys used to authenticate requests for
> data are exempt, which possibility I regard as naive foolishness, Judges do
> not like arguments like that which make whole swathes of law meaningless,
> they tend to think "Parliament must have meant something, it's my job to
> decide what", ... ... how many databases actually do it that way?"
>
>
>
> What would happen in practice is that the investigator would turn to the
> person doing the authenticating. So, if you had a bank the bank would be
> asked to assist the enquiry, not unlike - in the offline world - letting the
> officer in the front door holding the key to the safety deposit box which he
> had seized with a warrant.
And if the database is in a country which does not have GAK laws, what then?
Do they just give up trying?
> "It is a defence to show that you don't know the key. However there is an
> implicit assumption that you _do_ know the key, and the point is again
> unclear - extremely so in this case, many people are worried that the burden
> of proof is being reversed."
>
>
>
> The prosecutor has to prove beyond reasonable doubt that you had it or you
> had known it. Parliament has put a high hurdle in place for the prosecutor.
> The defendant only has to "raise an issue" and the prosecutor has to prove
> the contrary beyond reasonable doubt. It's a bit more than just "I don't
> know it" but not much more.
We'd like to know just how much more. We would like to see that spelled out
in the CoP.
> "Yes, it's possible, almost easy, for the criminal, and the terrorist, and
> the paedophile to avoid/evade the law - but it isn't so easy for the average
> windows luser. "
>
>
>
> You'd be surprised how average they are.
I doubt it. I used to teach an introduction to computing course, and
everybody I know seems to want me to fix their computers.
> "I am not interested in the criminal or terrorist or paedophile (weren't
> there four horsemen? I forget the fourth) - I am interested in protecting
> the innocent, the man-in-the-street, from this intrusion. "
>
>
>
> That's a bit like saying the police use these battering rams to break
> people's doors down so we must all have bank vault strength front doors. We
> must protect the innocent from that too.
>
> "More important, this is a step in the wrong direction, towards a tyranny of
> information, and should be resisted on that basis alone."
>
>
>
> Not used properly, only necessarily and only proportionately it isn't.
Considered as a step, it doesn't matter whether it is used in a necessary or
proportionate manner. It's still a step in the wrong direction.
It's a step towards "You have no privacy. We know all about you. All your
base are belong to us.".
And "step"? - it's a giant leap.
The basic flaw is in the idea that people should not be able to keep secrets
from their governments. When they cannot there is a tyranny of information.
> Do you think there are law-abiding people out there discussing how to commit
> the perfect murder, or the perfect robbery (and who will never commit murder
> or robbery) with as much passion as how to evade a section 49 notice (and
> who will never be given one)?
The fundamental difference is that murder and robbery are crimes, and we all
agree that they are crimes, and they hurt people, whereas many people think
evading a s 49 notice should not be a crime, and it doesn't hurt people. And
it isn't a crime anyway, but you know what I mean.