RIPA S.12(7) and other pressure points
igb at batten.eu.org
Wed Jun 11 12:40:34 BST 2014
Hey ho, we're on the RIPA train again.
RIPA section 12 lays down provision for the Home Secretary to direct CSPs to maintain an interception capability.
Section 12(7) provides that if a CSP refuses, the Home Secretary can go to a (civil) court and seek remedies.
To be concrete, imagine an email provider (Gmail, say) or ISP who proposes to run a service that
encourages or enables their customers to run end-to-end encryption, such that the ISP (etc) did
_not_ have any keys to respond to a RIPA S.49 notice. And let's assume for the purposes at hand that they
can prove they don't have keys in a relatively accessible and comprehensible way.
Some questions that have arisen from a debate with a colleague.
1. Imagine your clients are using end-to-end encryption, and you have somehow encouraged them. Do your S.12
responsibilities include any obligation to make it easier for an interception to obtain plaintext (or, alternatively,
to not make it any harder)?
2. This thanks to Julian Huppert when we asked him about this on Monday. Could S.94 of the Telecommunications
Act be engaged to try to convince the operator to modify their network? As amended, S.94(8) limits this to
"providers of public electronic communications networks". As Julian pointed out, "telecommunications networks" aren't
defined in the 1984 Act; further reading of the history of S.94(8) implies that the meaning from S.32 of the
Communications Act 2003 applies, which would cover pretty well any imaginable service offered at scale.
3. Has any CSP who has been approached with S.12 powers refused to comply (other than by shutting down
the service)? As the Technical Advisory Board has never met, one would tend to suspect that no such dispute
has ever taken place.
4. If someone did refuse, forced a meeting of the TAB, still refused, and ended up in court, how likely is it that
the government would (a) fight and (b) win an action under S.12(7)?
My core question is: if you decided to deploy a service which offered strong end-to-end encryption, it's likely it
would attract interest from agencies. If you were of a mind to follow in the footsteps of Richard Ingram in
Arkell v Pressdram and force the matter to a court, what would be the likely outcome?
[[ This is a hypothetical question, by the way: I have no such product, nor any such intention. ]]
My guesses are (1) No (2) on the face of it yes (3) I suspect not (4) who knows? My answer to the core
question is that the government would do almost anything to avoid the dispute getting into open court.