RIPA s 12(7)
Caspar Bowden (lists)
lists at casparbowden.net
Thu Jun 12 18:39:17 BST 2014
On 06/12/14 18:49, Peter Sommer wrote:
> One of the reasons I provided a link to the RIPA Pt 3 Code of Practice
> is that it shows the steps involved and tests that must be applied
> during any attempt to enforce a s49 Order. If the CSP has merely
> advised their customers to use encryption, pointed them in a few
> specific directions but has no further role in setting up the
> encryption system then they can say that in this instance they are a
> mere conduit.
Indeed
> It would be different if they were offering an encrypted webmail
> service, though if the keys are generated by the client or by a third
> party then plainly the CSP has nothing that would help the
> authorities. For conviction under s 49 the authorities have to prove,
> among other things, a reasonable belief that the key or the power to
> decrypt, is in the possession of the person or entity being accused.
A "key" is broader than a key:
"key", in relation to any electronic data, means any key, code,
password, algorithm or other data the use of which (with or without
other keys)---
(a) allows access to the electronic data, or
(b) *facilitates* the putting of the data into an intelligible form;
Moreover in the CoP:

  6.16 Where a person is required by a section 49 notice to make a
  disclosure in respect of any protected information and that person:

    - has had possession of the key to the protected information but
      no longer has possession of it;
    - would have been required by the notice to disclose the key if
      it had continued to be in his possession, and
    - when given the notice, or within the time by which the notice
      must be complied with, is in possession of any information that
      would facilitate the obtaining or discovery of the key or the
      putting of the protected information into an intelligible form;

  the effect of the disclosure requirement is that he shall be
  required to disclose all such information to the person to whom he
  would have been required to disclose the protected information in an
  intelligible form or the key. In other words, to disclose anything
  they have that assists putting the protected information into an
  intelligible form.

That looks broad enough to ask for the source code to any client-side
Webmail encrypting widget. Quite useful.

Can't see how the service provider's arm can be twisted to supply
doctored code (themselves), but MITM and possibly Quantum attacks (?)

CB