From marcus at connectotel.com Thu Sep 1 09:00:01 2011 From: marcus at connectotel.com (Marcus Williamson) Date: Thu, 01 Sep 2011 09:00:01 +0100 Subject: British intelligence agency called in to break BlackBerry encryption In-Reply-To: <9yacatLb6mXOFAu$@highwayman.com> References: <4E5B6782.6020009@zen.co.uk> <9yacatLb6mXOFAu$@highwayman.com> Message-ID: On Wed, 31 Aug 2011 18:25:47 +0100, you wrote: >Blackberry messages that go via a corporate server are encrypted >differently (the key is held by the corporate -- to the chagrin of India >and various Gulf states), but that wasn't the service that the kids on >the street were using. It's still not clear whether RIM gives access to the corporate server to security services of countries such as India and Saudi Arabia. Here's the RIM CEO blowing up when he was asked straight questions: http://news.bbc.co.uk/1/hi/programmes/click_online/9456798.stm From anish.mohammed at gmail.com Thu Sep 1 09:19:28 2011 From: anish.mohammed at gmail.com (Anish Mohammed) Date: Thu, 1 Sep 2011 09:19:28 +0100 Subject: British intelligence agency called in to break BlackBerry encryption In-Reply-To: References: <4E5B6782.6020009@zen.co.uk> <9yacatLb6mXOFAu$@highwayman.com> Message-ID: yep, i do remember watching the episode of click, the interview went fine till they question was asked. BTW it would be interesting to see what happens if someone were to use more layers of encryption, say skype, possibly over tor overlay ... where would the key hunt end... regards Anish On Thu, Sep 1, 2011 at 9:00 AM, Marcus Williamson wrote: > > On Wed, 31 Aug 2011 18:25:47 +0100, you wrote: > > >Blackberry messages that go via a corporate server are encrypted > >differently (the key is held by the corporate -- to the chagrin of India > >and various Gulf states), but that wasn't the service that the kids on > >the street were using. > > It's still not clear whether RIM gives access to the corporate server to > security > services of countries such as India and Saudi Arabia. Here's the RIM CEO > blowing > up when he was asked straight questions: > > http://news.bbc.co.uk/1/hi/programmes/click_online/9456798.stm > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From danny at spesh.com Thu Sep 1 10:16:42 2011 From: danny at spesh.com (Danny O'Brien) Date: Thu, 1 Sep 2011 02:16:42 -0700 Subject: British intelligence agency called in to break BlackBerry encryption In-Reply-To: References: <4E5B6782.6020009@zen.co.uk> <9yacatLb6mXOFAu$@highwayman.com> Message-ID: On Thu, Sep 1, 2011 at 1:00 AM, Marcus Williamson wrote: > > On Wed, 31 Aug 2011 18:25:47 +0100, you wrote: > > >Blackberry messages that go via a corporate server are encrypted > >differently (the key is held by the corporate -- to the chagrin of India > >and various Gulf states), but that wasn't the service that the kids on > >the street were using. > > It's still not clear whether RIM gives access to the corporate server to > security > services of countries such as India and Saudi Arabia. Here's the RIM CEO > blowing > up when he was asked straight questions: > > http://news.bbc.co.uk/1/hi/programmes/click_online/9456798.stm > > The protocol means that RIM doesn't have the keys for mail sent over enterprise RIM systems (unless it's the pin-to-pin messages, which as someone else mentioned, have the same key installed on every device. I think medium-paranoid companies can change the key globally -- but it's still on all of their extremely devices). Of course, RIM *could* build a back door into their software (or their devices) to bypass all of the enterprise protocol's carefully tended security. But one whiff of that and all the businesses and governments that were lary of using RIM in the first place because of their external management of the BlackBerry infrastructure would run screaming. Anyway, this is different from the consumer BB offering. d. -------------- next part -------------- An HTML attachment was scrubbed... URL: From tharg at gmx.net Fri Sep 2 11:03:13 2011 From: tharg at gmx.net (Caspar Bowden) Date: Fri, 2 Sep 2011 12:03:13 +0200 Subject: French news - Le Monde and traffic data Message-ID: <000301cc6957$87fe4140$97fac3c0$@gmx.net> (I wonder if our Newspaper of Record would get so indignant about an invasion of communications privacy covered up with bogus public interest pretexts ? oh, wait a minute .) http://www.microsofttranslator.com/BV.aspx?ref=zugo &from=&to=en&a=http%3A%2F%2Fwww.lemonde.fr%2Fsociete%2Farticle%2F2011%2F09%2 F01%2Faffaire-bettencourt-les-services-secrets-ont-viole-le-secret-des-sourc es_1566033_3224.html (original http://www.lemonde.fr/societe/article/2011/09/01/affaire-bettencourt-les-ser vices-secrets-ont-viole-le-secret-des-sources_1566033_3224.html) The request of the judge was performed in emergency because there was a risk of decline of evidence - the period of storage of individuals by telephone operators detailed Billings (fadettes) does not exceed one year. The Paris public prosecutor's Office, initially before a preliminary inquiry, had not seen fit toperform this request. Investigators quickly obtained two faxes, classified "confidential", directed by Counterintelligence to Orange. They are both signed by the Divisional Commissioner St?phane Tijardovic, of the DCRI. The first of them, dated July 19, 2010, claiming the detailed phone bills related to the mobile phone of G?rard Davet. The DCRI, led by Bernard Squarcini, a very close deemed officer of Nicolas Sarkozy, then wanted to obtain details of telephone communications passed by our collaborator between 12 and 16 July 2010. These requisitions were issued just after the revelation by Le Monde, dated 18-19 July, the content of the statements to the police of Patrice de Maistre, Liliane Bettencourtconfidence man. Manager of fortune are put in difficulty Eric Woerth, Minister of labour of Nicolas Sarkozy. The Elysee was moved from these "leaks" in the press. The DCRI has therefore, as early as July 19, the detailed phone bills of G?rard Davet containing the number of all its correspondents, the time of all its incoming and outgoing calls and their Geolocation. OUT ANY PROCEDURAL FRAMEWORK Is that in a second time that police make a second request to Orange, on 21 July, claiming the list of calls made by David Senate, Advisor technical of the former keeper of the seals Mich?le Alliot-Marie. The latter, on the basis of the first technical expertise, is suspected ofbeing the source of the World. Its fadettes are considered, from 12 to 19 July 2010. In the aftermath, it is removed from Office and ordered to leave the Chancery. Data now in the possession of j. therefore clearly contradict the argument that power has continued tosay with this case. They show that the authorities first acquired confidential information about a journalist before tobe of interest to its possible source. And not the reverse, as they have always argued. The research of the fadettes of Messrs. Davet and Senate is done outside any legal framework. In the revelation of the case, Fr?d?ric P?chenard, Director General of the national police (DGPN), had referred, in a press release on September 13, 2010, "a brief and timely technical verification" on the notebook of Mr. Senate. The DGPN was entrenched behind section 20 of the Act of 10 July 1991 on interceptions of security. However this section 20 applies only for "defence of national interests" and excludes any search for "communications provided to individuals" as the fadettes. Moreover, the DCRI acted out any procedural framework, having informed that on 2 September the Prosecutor's Office of Paris of his initiative. The world had revealed the case, in fall 2010, ensuring, at the end of a thorough investigation, that the Elysee had given the order to end leaks in the case of Bettencourt. The power had denied any technical investigation on the telephone of G?rard Davet, in violation of the secrecy of sources of January 4, 2010. "The DCRI is not the Stasi, told the National Assembly on 4 November the former Minister of the Interior, Brice Hortefeux." "The objective of the DCRI, do not follow the journalists." Nathalie Kosciusko-Morizet, then Secretary of State for the digital economy, spoke, with regard to the surveillance of journalists, "of an old French fantasy" by "the media". Bernard Squarcini, interviewed by the JDD, had denied tobe interested in journalists: "only journalists that interest me are those who fricotent with foreign services", he said. To the head of State, Nicolas Sarkozy, who interviewed on November 16, 2010 by journalists about the possibility that the police services could violate the secrecy of sources Act, responded: "No, I do not imagine, I think not " . The Minister of the Interior, Claude Gu?ant, confirmed, Thursday 1er September on France Info, as the Central Directorate of Interior intelligence (DCRI) had done well to "locations of telephone communications, which is quite different eavesdropping". (also http://www.microsofttranslator.com/BV.aspx?ref=zugo &from=&to=en&a=http%3A%2F%2Fwww.lemonde.fr%2Fsociete%2Farticle%2F2011%2F09%2 F01%2Faffolees-par-les-fuites-dans-l-enquete-bettencourt-les-autorites-se-so nt-affranchies-de-la-loi_1566229_3224.html) -------------- next part -------------- An HTML attachment was scrubbed... URL: From pwt at iosis.co.uk Fri Sep 2 10:31:22 2011 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Fri, 02 Sep 2011 10:31:22 +0100 Subject: Tony Sale, Colossus computer conservationist, dies In-Reply-To: <7ueq57d6af7t88rlmr8n8asvo1vemoboa9@4ax.com> References: <7ueq57d6af7t88rlmr8n8asvo1vemoboa9@4ax.com> Message-ID: <4E60A26A.6070206@iosis.co.uk> End of June I had to be in Milton Keynes for a morning meeting, so decided to travel the previous day, go to Bletchley Park, then stay overnight. This was only my second visit, the first one (courtesy of Bristol BCS section, who had hried a coach and invited me to fill a spare seat) being only a short time after the museum got started. Colossus should be running, I was told in reception, so I trekked up the hill. As I and a couple of other people were looking at the exhibits in the first room, an old man came walking quickly through. Only after he had passed did I realise that it was Tony, looking very much older than the pictures that I had seen. Walking round to Colossus, which was indeed running, I got talking to one of the volunteer guides and an American who had worked in one of the wartime listening stations on the east coast of Scotland. Then Tony appeared from behind Colossus and a very brief exchange ensued before he disappeared again - I sensed that he was closing down. Tony was but a boy when stored program computer architecture was first developed around the time that I was born. At the core of what we use now, the principles are still the same, albeit we have Von Neumann and Harvard architectures and RISC machines, and we simulate as we design (Charles Lindsey pioneered simulation in the latter half of the 1960s with the aid of a govt funded (ACTP) contract, and I wrote the first large scale gate-by-gate simulation model, which was a key stage in the development of the ICT/ICL 1904A/S/X range of mainframes). RIP Peter On 30/08/2011 20:37, Marcus Williamson wrote: > Tony Sale, Colossus computer conservationist, dies > > http://www.bbc.co.uk/news/technology-14720180 > > > . > From amidgley at gmail.com Sun Sep 11 11:49:12 2011 From: amidgley at gmail.com (Adrian Midgley) Date: Sun, 11 Sep 2011 11:49:12 +0100 Subject: Shopping centre uses mobile phone data to "monitor visitor levels" In-Reply-To: References:

<001901cc6176$4d464db0$e7d2e910$@net> <002001cc61a9$5d7f68a0$187e39e0$@net> Message-ID: On 23 August 2011 17:14, John Wilson wrote: > the DPA but it's pretty hard to run a business in the UK without > having to register. Which suggests it may be time to cease having registration as a seperate action and funded bureacracy to otehr things one has to do to run a business. -- Adrian Midgley?? http://www.defoam.net/ From lists at internetpolicyagency.com Mon Sep 12 10:41:06 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 12 Sep 2011 10:41:06 +0100 Subject: Intended recipient Message-ID: This man-in-the-mailbox attack brings a whole new perspective to the "who is the intended recipient" debate. Although there's a historical precedent - people sending faxes to a typo-phone number. Which of course leads to those long legal disclaimers which have been inherited on many corporate emails. Would the activity of these researchers (or malicious counterparts) be an interception in the UK; and as they've modified the public DNS to do this, is it an interception on a public network and therefore criminal? -- Roland Perry From james2 at jfirth.net Tue Sep 13 10:04:38 2011 From: james2 at jfirth.net (James Firth) Date: Tue, 13 Sep 2011 10:04:38 +0100 Subject: Intended recipient In-Reply-To: References: Message-ID: <002501cc71f4$2c3547f0$849fd7d0$@net> > Would the activity of these researchers (or malicious counterparts) be > an interception in the UK; and as they've modified the public DNS to do > this, is it an interception on a public network and therefore criminal? "Modified the public DNS", in that they lawfully purchased internet domains... They may have violated trademarks, or indeed be guilty of fraud (?impersonation?), but don't see how this can be interception. James Firth From lists at internetpolicyagency.com Tue Sep 13 11:02:58 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 13 Sep 2011 11:02:58 +0100 Subject: Intended recipient In-Reply-To: <002501cc71f4$2c3547f0$849fd7d0$@net> References: <002501cc71f4$2c3547f0$849fd7d0$@net> Message-ID: In article <002501cc71f4$2c3547f0$849fd7d0$@net>, James Firth writes >> Would the activity of these researchers (or malicious counterparts) be >> an interception in the UK; and as they've modified the public DNS to do >> this, is it an interception on a public network and therefore criminal? > >"Modified the public DNS", in that they lawfully purchased internet >domains... > >They may have violated trademarks, or indeed be guilty of fraud >(?impersonation?), but don't see how this can be interception. It's difficult, isn't it! Their stated aim was to intercept (small i) emails, of course. And attaching croc clips to wires on a telegraph pole probably isn't illegal *as such* - it's a form of interference with property or perhaps trespass, but I'm not familiar with what criminal law it immediately infringes, before you start listening to the conversations. -- Roland Perry From bdm at fenrir.org.uk Tue Sep 13 11:12:47 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Tue, 13 Sep 2011 11:12:47 +0100 Subject: Intended recipient In-Reply-To: References: <002501cc71f4$2c3547f0$849fd7d0$@net> Message-ID: <20110913111247.0000627a@surtees.fenrir.org.uk> On Tue, 13 Sep 2011 11:02:58 +0100 Roland Perry wrote: > In article <002501cc71f4$2c3547f0$849fd7d0$@net>, James Firth > writes > >> Would the activity of these researchers (or malicious > >> counterparts) be an interception in the UK; and as they've > >> modified the public DNS to do this, is it an interception on a > >> public network and therefore criminal? > > > >"Modified the public DNS", in that they lawfully purchased internet > >domains... > > > >They may have violated trademarks, or indeed be guilty of fraud > >(?impersonation?), but don't see how this can be interception. > > It's difficult, isn't it! Their stated aim was to intercept (small i) > emails, of course. Not as such, they are only "intercepting" email that otherwise would have been marked as a failed delivery because there was no MX record for the incorrect domain name. They could have done this without storing the message bodies, all they were interested in were the headers which their mail server legitimately processed. It should be sufficient to simply list the number of incorrectly addressed emails they received. -- Brian Morrison From lists at internetpolicyagency.com Tue Sep 13 12:14:18 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 13 Sep 2011 12:14:18 +0100 Subject: Intended recipient In-Reply-To: <20110913111247.0000627a@surtees.fenrir.org.uk> References: <002501cc71f4$2c3547f0$849fd7d0$@net> <20110913111247.0000627a@surtees.fenrir.org.uk> Message-ID: In article <20110913111247.0000627a at surtees.fenrir.org.uk>, Brian Morrison writes >>Their stated aim was to intercept (small i) >> emails, of course. > >Not as such, they are only "intercepting" email that otherwise would >have been marked as a failed delivery because there was no MX record >for the incorrect domain name. That's very pertinent to my original question - who is the intended recipient. If the sender has perpetrated a typo, who exactly (legally) did they intend to send it to? >They could have done this without storing the message bodies, all they >were interested in were the headers which their mail server >legitimately processed. They also looked at the bodies I think (strongly implied by Figure 1). But even if they were just "intercepting" the headers, that doesn't change any of my questions (it's only where people are legally looking at [only] traffic data that we have to be picky about the difference between headers and bodies). >It should be sufficient to simply list the number of incorrectly >addressed emails they received. That would be a different, and simpler, study than this appeared to be. If done in the UK would you be looking at a RIPA 3(3) exemption for that? My questions are probably about interpretation of 3(1). -- Roland Perry From zenadsl6186 at zen.co.uk Tue Sep 13 12:24:22 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 13 Sep 2011 12:24:22 +0100 Subject: Intended recipient In-Reply-To: References: Message-ID: <4E6F3D66.50603@zen.co.uk> Roland Perry wrote: > This man-in-the-mailbox attack brings a whole new perspective to the > "who is the intended recipient" debate. > > addresses-opens-20gb-data-leak> I'm pretty sure the intended recipient has to be the person the sender intends (in his mind) to send the email to, ie the fortune500 company, not the researchers. If the sender made a mistake and the researchers got the email by mistake, then they would be innocent - but that's not what happened, they got the emails intentionally. > > Although there's a historical precedent - people sending faxes to a > typo-phone number. Which of course leads to those long legal disclaimers > which have been inherited on many corporate emails. > > Would the activity of these researchers (or malicious counterparts) be > an interception in the UK; and as they've modified the public DNS to do > this, is it an interception on a public network and therefore criminal? It would be interception twice over if done in the UK, and it would be criminal. First, the change to DNS is a modification to the system 2(2)(a). Second, they are monitoring transmissions sent on a public network 2(2)(b). Both these actions make content available to a person other than the sender or the intended recipient, therefore they are interception as defined in Section 2(2). The actions are done with the purpose of making content available, so they satisfy the requirement for intentionality in S. 1(1) - and therefore they are criminal actions. Note that if you did this by mistake (eg if att.com had a division called spl, and you registered splatt.com without intending to see any ATT mail) it might [1] still be interception - but it wouldn't be a criminal offense as there was no intent. [1] depending on whether the Judge thinks the "as to" in S.2(2) implies an element of intent or not - a moot point -- Peter Fairbrother From james2 at jfirth.net Tue Sep 13 12:37:33 2011 From: james2 at jfirth.net (James Firth) Date: Tue, 13 Sep 2011 12:37:33 +0100 Subject: Intended recipient In-Reply-To: <4E6F3D66.50603@zen.co.uk> References: <4E6F3D66.50603@zen.co.uk> Message-ID: <005301cc7209$8841d670$98c58350$@net> Peter Fairbrother wrote: > I'm pretty sure the intended recipient has to be the person the sender > intends (in his mind) to send the email to, ie the fortune500 company, > not the researchers. > > If the sender made a mistake and the researchers got the email by > mistake, then they would be innocent - but that's not what happened, > they got the emails intentionally. > > > Note that if you did this by mistake (eg if att.com had a division > called spl, and you registered splatt.com without intending to see any > ATT mail) it might [1] still be interception - but it wouldn't be a > criminal offense as there was no intent. > > [1] depending on whether the Judge thinks the "as to" in S.2(2) implies > an element of intent or not - a moot point > Not wanting to give CPS or police an easy ride for letting BT off the hook re Phorm, this neatly highlights why RIPA might become even more illiberal if it enforced a stricter definition of liability. James Firth From bdm at fenrir.org.uk Tue Sep 13 13:41:28 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Tue, 13 Sep 2011 13:41:28 +0100 Subject: Intended recipient In-Reply-To: <4E6F3D66.50603@zen.co.uk> References: <4E6F3D66.50603@zen.co.uk> Message-ID: <20110913134128.00002878@surtees.fenrir.org.uk> On Tue, 13 Sep 2011 12:24:22 +0100 Peter Fairbrother wrote: > If the sender made a mistake and the researchers got the email by > mistake, then they would be innocent - but that's not what happened, > they got the emails intentionally. So if there were a long-established domain that had received mis-addressed emails and allowed access to them for research purposes that wouldn't be intentional? -- Brian Morrison From bdm at fenrir.org.uk Tue Sep 13 13:48:17 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Tue, 13 Sep 2011 13:48:17 +0100 Subject: Intended recipient In-Reply-To: References: <002501cc71f4$2c3547f0$849fd7d0$@net> <20110913111247.0000627a@surtees.fenrir.org.uk> Message-ID: <20110913134817.00004dc0@surtees.fenrir.org.uk> On Tue, 13 Sep 2011 12:14:18 +0100 Roland Perry wrote: > In article <20110913111247.0000627a at surtees.fenrir.org.uk>, Brian > Morrison writes > >>Their stated aim was to intercept (small i) > >> emails, of course. > > > >Not as such, they are only "intercepting" email that otherwise would > >have been marked as a failed delivery because there was no MX record > >for the incorrect domain name. > > That's very pertinent to my original question - who is the intended > recipient. If the sender has perpetrated a typo, who exactly (legally) > did they intend to send it to? Well I suppose that would be the address they wanted to type rather than the one they did type. But would it be any different if this were postal mail and a simple numerical error had led to delivery of say a post card to the wrong building? > > >They could have done this without storing the message bodies, all > >they were interested in were the headers which their mail server > >legitimately processed. > > They also looked at the bodies I think (strongly implied by Figure 1). > > ins.pdf> > > But even if they were just "intercepting" the headers, that doesn't > change any of my questions (it's only where people are legally looking > at [only] traffic data that we have to be picky about the difference > between headers and bodies). I was being picky because you could argue that by not looking at the bodies you had not looked at anything privileged, only the outside of the envelope in the case of a letter in the post. > > >It should be sufficient to simply list the number of incorrectly > >addressed emails they received. > > That would be a different, and simpler, study than this appeared to > be. If done in the UK would you be looking at a RIPA 3(3) exemption > for that? My questions are probably about interpretation of 3(1). I think the automatic collection by the server is fair enough, even if the domain name is deliberately weird it isn't as if other such weird domains don't exist. It's looking in the message bodies that crosses some sort of legal line, but you can see why a researcher (rather than some sort of crook) would do that for relatively innocent reasons. -- Brian Morrison From lists at internetpolicyagency.com Tue Sep 13 14:28:21 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 13 Sep 2011 14:28:21 +0100 Subject: Intended recipient In-Reply-To: <20110913134817.00004dc0@surtees.fenrir.org.uk> References: <002501cc71f4$2c3547f0$849fd7d0$@net> <20110913111247.0000627a@surtees.fenrir.org.uk> <20110913134817.00004dc0@surtees.fenrir.org.uk> Message-ID: In article <20110913134817.00004dc0 at surtees.fenrir.org.uk>, Brian Morrison writes >> That's very pertinent to my original question - who is the intended >> recipient. If the sender has perpetrated a typo, who exactly (legally) >> did they intend to send it to? > >Well I suppose that would be the address they wanted to type rather >than the one they did type. But would it be any different if this were >postal mail and a simple numerical error had led to delivery of say a >post card to the wrong building? It would only be analogous if you knew (for example) that lots of letters were sent to slightly the wrong address, and you arranged to assume that address yourself. For example I worked from 37a High St Brentwood for a while, and lots of things were addressed to Brentford (I blame the Nylons adverts). What if someone hypothetically in 37 High St Brentford thought it would be interesting to add a 37A to their letterbox and then read whatever dropped in? >> >They could have done this without storing the message bodies, all >> >they were interested in were the headers which their mail server >> >legitimately processed. >> >> They also looked at the bodies I think (strongly implied by Figure 1). >> >> > ins.pdf> >> >> But even if they were just "intercepting" the headers, that doesn't >> change any of my questions (it's only where people are legally looking >> at [only] traffic data that we have to be picky about the difference >> between headers and bodies). > >I was being picky because you could argue that by not looking at the >bodies you had not looked at anything privileged, only the outside of >the envelope in the case of a letter in the post. I don't think that's a defence if a member of the public is intercepting emails. >> >It should be sufficient to simply list the number of incorrectly >> >addressed emails they received. >> >> That would be a different, and simpler, study than this appeared to >> be. If done in the UK would you be looking at a RIPA 3(3) exemption >> for that? My questions are probably about interpretation of 3(1). > >I think the automatic collection by the server is fair enough, even if >the domain name is deliberately weird it isn't as if other such weird >domains don't exist. It's looking in the message bodies that crosses >some sort of legal line, Although throwing away mis-delivered items isn't perhaps interception, failing to bounce these emails may have given the senders a false sense of security that they'd been delivered. Or perhaps they did send a bounce message too? > but you can see why a researcher (rather >than some sort of crook) would do that for relatively innocent reasons. Research isn't an absolute defence either. -- Roland Perry From lists at internetpolicyagency.com Tue Sep 13 14:42:33 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 13 Sep 2011 14:42:33 +0100 Subject: Intended recipient In-Reply-To: <20110913134128.00002878@surtees.fenrir.org.uk> References: <4E6F3D66.50603@zen.co.uk> <20110913134128.00002878@surtees.fenrir.org.uk> Message-ID: In article <20110913134128.00002878 at surtees.fenrir.org.uk>, Brian Morrison writes >> If the sender made a mistake and the researchers got the email by >> mistake, then they would be innocent - but that's not what happened, >> they got the emails intentionally. > >So if there were a long-established domain that had received >mis-addressed emails and allowed access to them for research purposes >that wouldn't be intentional? Another tricky question (mainly about the 'intent'). But the researchers aren't committing any offence by reading them, if someone else made them available (as far as I know). -- Roland Perry From bdm at fenrir.org.uk Tue Sep 13 14:53:55 2011 From: bdm at fenrir.org.uk (Brian Morrison) Date: Tue, 13 Sep 2011 14:53:55 +0100 Subject: Intended recipient In-Reply-To: References: <002501cc71f4$2c3547f0$849fd7d0$@net> <20110913111247.0000627a@surtees.fenrir.org.uk> <20110913134817.00004dc0@surtees.fenrir.org.uk> Message-ID: <20110913145355.00006995@surtees.fenrir.org.uk> On Tue, 13 Sep 2011 14:28:21 +0100 Roland Perry wrote: > Although throwing away mis-delivered items isn't perhaps > interception, failing to bounce these emails may have given the > senders a false sense of security that they'd been delivered. Or > perhaps they did send a bounce message too? Well the problem is the mail system doesn't care about intent, it only cares about the addresses it sees. So from its point of view the emails *had* been delivered. Why would you send a bounce either, many domains accept mail to all addresses @ so they're not being bounced. -- Brian Morrison From lists at internetpolicyagency.com Tue Sep 13 15:10:48 2011 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 13 Sep 2011 15:10:48 +0100 Subject: Intended recipient In-Reply-To: <20110913145355.00006995@surtees.fenrir.org.uk> References: <002501cc71f4$2c3547f0$849fd7d0$@net> <20110913111247.0000627a@surtees.fenrir.org.uk> <20110913134817.00004dc0@surtees.fenrir.org.uk> <20110913145355.00006995@surtees.fenrir.org.uk> Message-ID: In article <20110913145355.00006995 at surtees.fenrir.org.uk>, Brian Morrison writes >> Although throwing away mis-delivered items isn't perhaps >> interception, failing to bounce these emails may have given the >> senders a false sense of security that they'd been delivered. Or >> perhaps they did send a bounce message too? > >Well the problem is the mail system doesn't care about intent, it only >cares about the addresses it sees. So from its point of view the emails >*had* been delivered. Why would you send a bounce either, many domains >accept mail to all addresses @ so they're not being bounced. The researchers might want to arrange for their server to send a bounce message in case any of the senders or recipients sued them for the consequences of any of the emails being undelivered. Which would have been more obvious to the sender had they bounced (in the absence of the researcher's registration for the typo-domains). -- Roland Perry From zenadsl6186 at zen.co.uk Wed Sep 14 04:42:32 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 14 Sep 2011 04:42:32 +0100 Subject: Intended recipient In-Reply-To: References: <002501cc71f4$2c3547f0$849fd7d0$@net> Message-ID: <4E7022A8.5010709@zen.co.uk> Roland Perry wrote: > In article <002501cc71f4$2c3547f0$849fd7d0$@net>, James Firth > writes >>> Would the activity of these researchers (or malicious counterparts) be >>> an interception in the UK; and as they've modified the public DNS to do >>> this, is it an interception on a public network and therefore criminal? >> >> "Modified the public DNS", in that they lawfully purchased internet >> domains... >> >> They may have violated trademarks, or indeed be guilty of fraud >> (?impersonation?), but don't see how this can be interception. > > It's difficult, isn't it! Their stated aim was to intercept (small i) > emails, of course. > > And attaching croc clips to wires on a telegraph pole probably isn't > illegal *as such* Oh yes it is. It's modification "as to" make content available. Listening to it is another, seperate, offence. A note on intent, done for another purpose, may be slightly relevant here. Intent in part 1 chapter 1 of RIPA comes in two or perhaps three kinds: who the intended recipient of a communication is; the intention of a person as to whether he meant to intercept, as in ss. 1(1); and potentially, an interceptor's intent as whether his actions would have the result of making content available to a person other than the sender or intended recipient, as in the phrase "as to" in ss. 2(2). The first kind, who the intended recipient is, is almost entirely clear. Intention exists only in the human mind, and in this case the only mind involved is that of the sender. It is what is in his mind which counts, and the intended recipient of a communication is the recipient he has in mind when he sends the communication. Someone reading the address of a misaddressed communication might believe that the intended recipient was someone other than the recipient the sender intended, but he would be mistaken - the actual intended recipient is always the person the sender intends to receive the message. The second kind of intent, which is required for a person's actions to be a crime, is less clear. ss.1(1) says "It shall be an offence for a person intentionally and without lawful authority to intercept..." But intention to do what? Intention to intercept? Intention to intercept without lawful authority? Something else? Does a genuine but mistaken belief that a person's actions have lawful authority, while knowing those actions to be interception, prevent those actions from being an offence? I am not clear on that point. Further, interception was defined in section 2, and later the definition may be refined by Judges, but seldom will a person decide his actions on exactly that definition. If a person genuinely believes his actions are not interception then they are not an offence under ss.1(1), as it is not his intention to intercept. Whether or not he "ought to" know his actions amount to interception. The third kind of intent, whether the actions are such ""as to" make some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication", ss. 2(2), is largely unclear. It is even unclear whether a person's intent is relevant. It is quite possible to interpret "as to" to have strictly the meaning that the outcome of the potential interceptor's actions is or would have been that content was made available, irrespective of what was in the potential interceptor's mind. Other interpretations might include: whether a reasonable person would expect the result of the actions to be the making available of content; whether the potential interceptor ought to have a reasonable expectation that his actions would lead to content being made available; whether he actually has such a reasonable expectation; or whether he actually believes his actions would or might lead to content being made available. -- Peter Fairbrother From clive at davros.org Wed Sep 14 12:23:21 2011 From: clive at davros.org (Clive D.W. Feather) Date: Wed, 14 Sep 2011 12:23:21 +0100 Subject: Intended recipient In-Reply-To: <4E7022A8.5010709@zen.co.uk> References: <002501cc71f4$2c3547f0$849fd7d0$@net> <4E7022A8.5010709@zen.co.uk> Message-ID: <20110914112321.GE84656@davros.org> Peter Fairbrother said: > The first kind, who the intended recipient is, is almost entirely clear. > Intention exists only in the human mind, and in this case the only mind > involved is that of the sender. It is what is in his mind which counts, > and the intended recipient of a communication is the recipient he has in > mind when he sends the communication. > > Someone reading the address of a misaddressed communication might > believe that the intended recipient was someone other than the recipient > the sender intended, but he would be mistaken - the actual intended > recipient is always the person the sender intends to receive the message. While they might be mistaken, is that mistakeness sufficient to negate mens rea? I suspect this would be a question of fact for the jury rather than a question of law. > The second kind of intent, which is required for a person's actions to > be a crime, is less clear. ss.1(1) says "It shall be an offence for a > person intentionally and without lawful authority to intercept..." > > But intention to do what? Intention to intercept? Intention to intercept > without lawful authority? The former. If it meant the latter it would say "intentionally to intercept without lawful authority". It's clear, at least to me, that this is parsed as: a person ((intentionally to intercept ...) and (without lawful authority to intercept ...)) > Does a genuine but mistaken > belief that a person's actions have lawful authority, while knowing > those actions to be interception, prevent those actions from being an > offence? I am not clear on that point. Surely that's exactly the point on which Cliff Stanford got convicted? He believed he had lawful authority, and he even had a QC's opinion to back him up. > Further, interception was defined in section 2, and later the definition > may be refined by Judges, but seldom will a person decide his actions on > exactly that definition. See above. > If a person genuinely believes his actions are > not interception then they are not an offence under ss.1(1), as it is > not his intention to intercept. However, a person is deemed to know the law. So the question is not what he thinks that "interception" means, but what it *actually* means. So if he is misinterpreting s.2, he's still committing an offence. If he's misinterpreting the *facts* as to whether his actions are (say) "modifying" (e.g. he didn't realize that the wire he attached the crocodile clips to was part of a public network) *then* he has a defence. > It is even unclear whether a person's intent is relevant. It is quite > possible to interpret "as to" to have strictly the meaning that the > outcome of the potential interceptor's actions is or would have been > that content was made available, irrespective of what was in the > potential interceptor's mind. I don't think a court would accept this was a strict liability offence, because there's none of the wording that would imply that. -- Clive D.W. Feather | If you lie to the compiler, Email: clive at davros.org | it will get its revenge. Web: http://www.davros.org | - Henry Spencer Mobile: +44 7973 377646 From zenadsl6186 at zen.co.uk Wed Sep 14 17:07:01 2011 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Wed, 14 Sep 2011 17:07:01 +0100 Subject: Intended recipient In-Reply-To: <20110914112321.GE84656@davros.org> References: <002501cc71f4$2c3547f0$849fd7d0$@net> <4E7022A8.5010709@zen.co.uk> <20110914112321.GE84656@davros.org> Message-ID: <4E70D125.80000@zen.co.uk> Clive D.W. Feather wrote: > >> The second kind of intent, which is required for a person's actions to >> be a crime, is less clear. ss.1(1) says "It shall be an offence for a >> person intentionally and without lawful authority to intercept..." >> >> But intention to do what? Intention to intercept? Intention to intercept >> without lawful authority? > > The former. If it meant the latter it would say "intentionally to intercept > without lawful authority". It's clear, at least to me, that this is parsed > as: > a person ((intentionally to intercept ...) and (without lawful > authority to intercept ...)) > >> Does a genuine but mistaken >> belief that a person's actions have lawful authority, while knowing >> those actions to be interception, prevent those actions from being an >> offence? I am not clear on that point. > > Surely that's exactly the point on which Cliff Stanford got convicted? He > believed he had lawful authority, and he even had a QC's opinion to back > him up. Good point, I had forgotten about Stanford. I think you must be right about that interpretation. >> Further, interception was defined in section 2, and later the definition >> may be refined by Judges, but seldom will a person decide his actions on >> exactly that definition. [...] >> If a person genuinely believes his actions are >> not interception then they are not an offence under ss.1(1), as it is >> not his intention to intercept. > > However, a person is deemed to know the law. So the question is not what > he thinks that "interception" means, but what it *actually* means. > > So if he is misinterpreting s.2, he's still committing an offence. If he's > misinterpreting the *facts* as to whether his actions are (say) "modifying" > (e.g. he didn't realize that the wire he attached the crocodile clips to > was part of a public network) *then* he has a defence. Might a Judge think his actions, which amount to interception even though he does not realise it, are intentional, and that alone is sufficient? I don't think so. I think there is a requirement for him to know his actions amount to interception for his interception to be intentional. It isn't about whether his actions are interception, but whether he thinks they are. And I don't see that the reason his thinking is mistaken matters at all to that point. But this also concerns a point of law - whether his good-faith mistake of law is exculpatory; I think it is, see s.8 Criminal Justice Act 1967, and under RIPA s.1(1) intent is a required element of the crime - which isn't really relevant here. >> It is even unclear whether a person's intent is relevant. It is quite >> possible to interpret "as to" to have strictly the meaning that the >> outcome of the potential interceptor's actions is or would have been >> that content was made available, irrespective of what was in the >> potential interceptor's mind. > > I don't think a court would accept this was a strict liability offence, > because there's none of the wording that would imply that. Agreed. That doesn't prevent a Judge taking that interpretation however - there is after all a requirement for intent in s.1(1), which would prevent strict liability. Actually it's quite a good interpretation, one I prefer - it makes things much simpler without breaking anything. A Judge might disagree. But perhaps you misunderstood me? - the paragraph is quoted in isolation. When I said "It is even unclear whether a person's intent is relevant" I meant that only in the context of the words "as is". It is of course relevant in other ways. -- Peter Fairbrother From marcus at connectotel.com Fri Sep 16 15:21:01 2011 From: marcus at connectotel.com (Marcus Williamson) Date: Fri, 16 Sep 2011 15:21:01 +0100 Subject: Comantra (telephone scammer) has its MS partner status revoked Message-ID: <2om677l3kdggae0qmiob4q3s37iahi32ln@4ax.com> Over the last year the UK media has run a number of stories about fake tech support companies making unsolicited calls to people in the UK, such as this one: http://www.guardian.co.uk/money/2011/jul/29/computer-phone-scam One of the worst offenders is Comantra, based in India. This company boasted Microsoft "Gold partner" status and always told me in e-mails and telephone calls, when I challenged them, that what it was doing was legal. This was despite the fact that they were calling vulnerable people at home, telling them that they had a computer problem, then charging them by credit/debit card to "fix" it. I first became aware of the issue when a friend of my father's received a call from this company. After trying for the last 6 months to get MS to recognise the seriousness of this issue, I've had a response from MS indicating that they have investigated the matter and Comantra has now lost its MS partner status, meaning that it can now no longer use its MS connection to give it respectability. The MS statement I received last Friday, which is rather light on detail, is: " We were made aware of a matter involving one of the members of the Microsoft Partner Network acting in a manner that caused us to raise concerns about this member's business practices. Following an investigation, the allegations were confirmed and we took action to terminate our relationship with the partner in question and revoke their Gold status. There are no circumstances under which we would ever allow partners or any other organisations to pose as Microsoft. We view matters such as these extremely seriously and take immediate action if such behaviour is brought to our attention and found to be the case. We continue to encourage customers to exercise caution from scams and follow the guidance found at http://www.microsoft.com/security/default.aspx " I received the statement via the MS PR agency, Bite Communications. Contact: Mat Gazeley E-mail: Mat.Gazeley at bitecommunications.com Tel: 020 8741 1123 So, this announcement from MS is one step closer to getting this kind of scam eliminated in the UK. Hope this is of interest. best wishes Marcus Williamson