Consultation on change to RIP interception definition

Ian Batten igb at
Thu Nov 11 20:47:10 GMT 2010

On 11 Nov 2010, at 20:24, Mary Hawking wrote:

> Does the owner of the account have the legal authority to give consent on
> behalf of all users of that account,

No.   That was the line BT tried to take with Phorm, and there's not the beginning of a legal basis for it.    If CSPs want to try this, they should put wording into contracts with their customers to attempt to impose obligations between their customers and unspecified third parties who are not signatories to the contract, and see how far it gets them.


> and if so, are there any requirements
> for the users to be informed of the consent ant what that consent implies
> for the users?
> Mary Hawking
> -----Original Message-----
> From: Peter Tomlinson [mailto:pwt at] 
> Sent: 11 November 2010 10:02
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Consultation on change to RIP interception definition
> Andrew Cormack wrote:
>> Hmmm. It's tempting to reply to the HO's consultation question of "how
> will this affect CSPs?" by saying that it'll make 3(1) useless since, as
> discussed on the list last time around, the CSP will never know whether the
> "person" who indicated consent (however that's implemented) is still the
> "person" sitting at the keyboard. Not just the question of whether the
> "subscriber" has consented on behalf of all users of the account, but
> whether one user has handed the keyboard to another since clicking "I agree"
> :(
>> Actually I'm struggling to think how a 3(1) that was dependent on the
> *fact* of whether that person had consented (which I think would be the
> effect of deleting the "reasonable belief" clause: Francis?) could ever be
> safely relied on by anyone. So maybe the net effect of the proposed change
> will actually be to delete the whole of 3(1)???
> It seems to me that the assumption will be that the owner of the account 
> will have given consent on behalf of all users of the account (typically 
> of that keyboard). So consent ought to be given in some secure manner 
> (a) that is logged in a way that can be verified and, if the user 
> wishes, changed, and (b) that, if consent has been given, ensures that 
> an informative logo is always displayed in each browser window.
> Peter

More information about the ukcrypto mailing list