https - hopefully not too stupid a question

Andrew Cormack Andrew.Cormack at ja.net
Mon Jun 18 13:26:33 BST 2012 



> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Francis Davey
> Sent: 18 June 2012 13:00
> To: UK Cryptography Policy Discussion Group
> Subject: Re: https - hopefully not too stupid a question
> 
> 2012/6/18 Andrew Cormack <Andrew.Cormack at ja.net>:
> >
> > Hmmm. For example if I wrote a webmail server where sending a mail
> involved a packet whose content looked like
> > "<message>This is an e-mail
> message</message><to>Andrew at ja.net</to><subject>test message</subject>"
> > Then you have to read every byte of that message (most of which are
> content) in order to find the traffic data buried within it.
> >
> 
> It is not "traffic data comprised in or attached to a communication
> (whether by the sender or otherwise) for the purposes of any postal
> service or telecommunication system by means of which it is being or
> may be transmitted" (RIPA s2(5)). That is, although it might give
> information about who is the intended addressee, it is not there for
> the purposes of the telecommunication system that is transmitting it.
> 
> Obviously if you set up an internal mail system that read email
> messages and extracted that sort of information from inside and then
> re-routed them, then s2(5) would exclude from the definition of
> "interception" on your network conduct on your network which looked
> inside the emails.
> 
> In other words, the 2(5) use of "traffic data" is relative to the
> system where interception might otherwise be taking place.
> 
> Remark;  The bill re-uses RIPA's definition of "interception".
> 
> > I'd been assuming that pulling traffic data out of the inside of a
> packet would be interception because it would inevitably "make
> available" the rest of the inside of packet, thus satisfying the
> requirement of "interception" in 2(2).
> >
> > But you're suggesting that 2(5)(b) might trump that, so that "making
> available" *is* OK, if it is necessary to *find* the traffic data. From
> a privacy point of view, that sounds depressingly plausible.
> >
> 
> Only if its traffic data for the purposes of 2(5)(a) which will only
> be the case if the telecommunications system is using that data. That
> is a bit circular I realise, but it means that it won't be permissible
> to try to obtain everything that is traffic data but only traffic data
> used by the system.
> 
> --
> Francis Davey

Francis
Thanks, that's very useful. IIUC my example is exactly the sort of thing the "black boxes" are going to be asked to do - Internet Access Providers being asked to dig out the comms data that will be used by those webmail etc. providers that won't voluntarily participate in data retention/disclosure. So it's commsdata for the purpose of the webmail provider but just bytes for the access provider.

Andrew

--
Andrew Cormack
Chief Regulatory Adviser, Janet
t: +44 1235 822302
b: http://webmedia.company.ja.net/edlabblogs/regulatory-developments/
Janet, the UK's research and education network
www.ja.net

More information about the ukcrypto mailing list