RIPA s 12(7)

Caspar Bowden (lists) lists at casparbowden.net
Thu Jun 12 18:39:17 BST 2014 

On 06/12/14 18:49, Peter Sommer wrote:
> One of the reasons I provided a link to the RIPA Pt 3 Code of Practice 
> is that it shows the steps involved and tests that must be applied 
> during any attempt to enforce a s49 Order.  If the CSP has merely 
> advised their customers to use encryption,  pointed them in a few 
> specific directions but has no further role in setting up the 
> encryption system then they can say that in this instance they are a 
> mere conduit.

Indeed

> It would be different if they were offering an encrypted webmail 
> service, though if the keys are generated by the client or by a third 
> party then plainly the CSP has nothing that would help the 
> authorities. For conviction under s 49 the authorities have to prove, 
> among other things, a reasonable belief that the key or the power to 
> decrypt, is in the possession of the person or entity being accused.

A "key" is broader than a key:

    "key", in relation to any electronic data, means any key, code,
    password, algorithm or other data the use of which (with or without
    other keys)---
    (a) allows access to the electronic data, or
    (b) *facilitates* the putting of the data into an intelligible form;

Moreover in the CoP

    6.16 Where a person is required by a section 49 notice to make a
    disclosure in respect of any protected information and that person:

        . has had possession of the key to the protected information but
        no longer has possession of it;
        . would have been required by the notice to disclose the key if
        it had continued to be in his possession, and
        . when given the notice, or within the time by which the notice
        must be complied with, is in possession of any information that
        would facilitate the obtaining or discovery of the key or the
        putting of the protected information into an intelligible form;

    the effect of the disclosure requirement is that he shall be
    required to disclose all such information to the person to whom he
    would have been required to disclose the protected information in an
    intelligible form or the key. In other words, to disclose anything
    they have that assists putting the protected information into an
    intelligible form.

that looks broad enough to ask for the source code to any client-side 
Webmail encrypting widget. Quite useful.

can't see how the service provider's arm can be twisted to supply 
doctored code (themselves), but MITM and possibly Quantum attacks (?)

CB


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20140612/6e55ab7f/attachment.html>

More information about the ukcrypto mailing list