RIPA s 12(7)

Ian Batten igb at
Thu Jun 12 15:44:43 BST 2014

On 12 Jun 2014, at 12:20, Caspar Bowden (lists) <lists at> wrote:

> On 06/12/14 08:43, Peter Sommer wrote:
>> ..
>> GMail or any of the non-UK webmail service providers could however embed encryption into their offerings but the UK government would not be able to force them to introduce an interception capability;  it would have to be done by agreement.
> ..but a s.49 RIP order can require CSP to produce plaintext (or key) to any past (or future) data. If the key isn't available (e.g there is client-side code) a recipient of a s.49 can be required to give all co-operation necessary to have a defence.
> Wonder opinions if this sufficient for UK to (coercively) "do a Hushmail" ? Or under Intel Services Act, or RIPA Pt.2 ?

That's the basic debate, I think.

That anyone who wants to offer an end-to-end crypto solution that doesn't involve customers compiling PGP themselves is
gambling that when the S.49 music stops, they can absolutely convince a judge that although they offered the service
and provided significant assistance in running it (keyservers, perhaps) they genuinely don't have the keys.  One position
is that S.12 could be used to frustrate the service in the first place: I think we've concluded that's not realistic.  But I think
the protection racket angle, "well, you could run that service, but you'd have to convince a judge that your fancy zero-knowledge
proof was genuine when you claim you can't decrypt stuff on your network, encrypted with your software, using keys that
you store" would be a fairly powerful deterrent to anyone but the most committed.

On the other hand, suppose the CSP in this case were Google, and they lost such an action: they claimed (accurately) that
they couldn't help with a S.49 notice, but the court didn't believe them.  What would happen next?  


More information about the ukcrypto mailing list