FW: RIPA Part III

Peter Fairbrother ukcrypto at chiark.greenend.org.uk
Tue, 13 Jun 2006 22:26:12 +0100


----------
From: Watkin Simon <Simon.Watkin@homeoffice.gsi.gov.uk>
Date: Fri, 9 Jun 2006 09:02:32 +0100
To: 'Peter Fairbrother' <zenadsl6186@zen.co.uk>
Subject: RIPA Part III

Peter,

 

I came across this:

http://groups.google.com/group/sci.crypt/browse_thread/thread/749728257c58e054/84ab1ae8461a7aa9#84ab1ae8461a7aa9

 

In it you wrote:

 

"Keys used only for signatures are excluded from being the subject of
demands, but the question of whether a signature key used to authenticate a
request for access to a database is excluded is by no means settled - I have
been asking the Home Office for guidance on that point for several years
now, without getting it resolved."

 

A key used to authenticate a request for access is out.

A key used to undertake access is in.

 

"Now if a key is used to sign a request for access to a database, it is
undoubtedly being used to establish the authenticity of the request - but is
it also being used to access the database? I'm pretty sure a Judge could say
yes, and in fact I think they probably would. That's a different use, and
the key is then demandable."

 

A key used to authenticate and access is in.

 

"More, if the person upon whom a notice is served is unable to give a key,
it is then his duty to give the police any information in their
possession which "would facilitate the obtaining or discovery of the key or
the putting of the protected information into an intelligible form".  s50(9)
Afaict the signature-key exclusion does not apply to this information. This
is again unclear though."

 

That a person cannot be required to disclose a key used only for
authentication is absolute.

 

"Even if it turns out that signature keys used to authenticate requests for
data are exempt, which possibility I regard as naive foolishness, Judges do
not like arguments like that which make whole swathes of law meaningless,
they tend to think "Parliament must have meant something, it's my job to
decide what", ...  ... how many databases actually do it that way?"

 

What would happen in practice is that the investigator would turn to the
person doing the authenticating.  So, if you had a bank the bank would be
asked to assist the enquiry, not unlike - in the offline world - letting the
officer in the front door holding the key to the safety deposit box which he
had seized with a warrant.

 

"It is a defence to show that you don't know the key. However there is an
implicit assumption that you _do_ know the key, and the point is again
unclear - extremely so in this case, many people are worried that the burden
of proof is being reversed."

 

The prosecutor has to prove beyond reasonable doubt that you had it or you
had known it.  Parliament has put a high hurdle in place for the prosecutor.
The defendant only has to "raise an issue" and the prosecutor has to prove
the contrary beyond reasonable doubt.  It's a bit more than just "I don't
know it" but not much more.

 

"Yes, it's possible, almost easy, for the criminal, and the terrorist, and
the paedophile to avoid/evade the law - but it isn't so easy for the average
windows luser."

 

You'd be surprised how average they are.

 

"I am not interested in the criminal or terrorist or paedophile (weren't
there four horsemen? I forget the fourth) - I am interested in protecting
the innocent, the man-in-the-street, from this intrusion."

 

That's a bit like saying the police use these battering rams to break
people's doors down so we must all have bank vault strength front doors.  We
must protect the innocent from that too.

 

"More important, this is a step in the wrong direction, towards a tyranny of
information, and should be resisted on that basis alone."

 

Not used properly, only necessarily and only proportionately it isn't.

 

Do you think there are law-abiding people out there discussing how to commit
the perfect murder, or the perfect robbery (and who will never commit murder
or robbery) with as much passion as how to evade a section 49 notice (and
who will never be given one)?

 

Simon 

 


