RIPA S.12(7) and other pressure points

[Peter Fairbrother]

On 11/06/14 12:40, Ian Batten wrote:
> Hey ho, we're on the RIPA train again.
>
> RIPA section 12 lays down provision for the home secretary to direct CSPs to maintain an interception capability.
>
> Section 12(7) provides that if a CSP refuses, the Home Secretary can go to a (civil) court and seek remedies.
>
> To be concrete, imagine an email provider (Gmail, say) or ISP who proposes to run a service that
>   encourages or enables their customers to run end-to-end encryption, such that the ISP (etc) did
> _not_ have any keys to respond to a a RIPA S.49 notice.  And let's assume for the purposes at hand that they
> can prove they don't have keys in a relatively accessible and comprehensible way.
>
> Some questions that have arisen from a debate with a colleague.
>
> 1.  Imagine your clients are using end-to-end encryption, and you have somehow encouraged them.  Do your S.12
> responsibilities include any obligation to make it easier for an interception to obtain plaintext (or, alternatively,
> to not make it any harder)?

The Regulation of Investigatory Powers (Maintenance of Interception 
Capability) Order 2002

Schedule: OBLIGATIONS ON SERVICE PROVIDERS

"10. To ensure that the person on whose application the interception 
warrant was issued is able to remove any electronic protection applied 
by the service provider to the intercepted communication and the related 
communications data."


As I read that, it only applies to encryption applied by the service 
provider, not to any encryption applied by the users.

I don't think the fact that the service provider has encouraged the 
users to use encryption makes any difference, the service provider has 
not applied the encryption himself.

As you point out, if you can prove you don't have any keys then you 
can't be served a RIPA s.49 notice (which can require you to assist in 
making comms intelligible in other ways than using a key - but if you 
don't have keys, they can't serve you a s.49 notice in the first place).




Under s. 12 the Secretary of State can only give notices requiring 
behaviour from service providers which is in accord with an existing 
order - and making it easier for an interception to obtain plaintext 
(or, alternatively, to not make it any harder) does not fall under the 
only order in existence, as above.

The Secretary of State could of course make a new order under RIPA s.12, 
which would have to go through Parliament. An order requiring assistance 
with encryption as you describe would probably just about technically 
pass muster, see eg s.12(11); but as yet such an order hasn't been made.

I doubt it would be politically acceptable however, for the moment at least.


> 2.  This thanks to Julian Huppert when we asked him about this on Monday.  Could S.94 of the Telecommunications
> Act be engaged to try to convince the operator to modify their network?

Modification of the network (assuming it was such "as to make some or 
all of the contents of the communication available, while being 
transmitted, to a person other than the sender or intended recipient of 
the communication") would be interception under RIPA.


It might well be lawful interception under:

RIPA ss.1(5) "(c) it is in exercise, in relation to any stored 
communication, of any statutory power that is exercised (apart from this 
section) for the purpose of obtaining information or of taking 
possession of any document or other property;"

see eg  (NTL Group Ltd) v Crown Court at Ipswich for a judicial 
redefinition of "stored communication".


However if it wasn't lawful under ss.1(5) as above, then afaict the 
Telecommunications Act 1984 does not make the modification, and thus the 
interception, lawful.

Section 94 of the Telecommunications Act 1984 does not authorise 
otherwise unlawful acts (except as in 94(3) as amended, not relevant here).

> As amended, S.94(8) limits this to
> "providers of public electronic communications networks".  As Julian pointed out, "telecommunications networks" aren't
> defined in the 1984 Act; further reading of the history of S.94(8) implies that the meaning from S.32 of the
> Communications Act 2003 applies, which would cover pretty well any imaginable service offered at scale.

Yes - though s.94 would not apply to eg people who (only) supply 
encryption software.


> 3.  Has any CSP who has been approached with S.12 powers refused to comply (other than by shutting down
> the service?)  As the Technical Advisory Board has never met, one would tend to suspect that no such dispute
> has ever taken place.
>
> 4.  If someone did refuse, forced a meeting of the TAB, still refused, and ended up in court, how likely is it that
> the government would (a) fight and (b) win an action under S.12(7)?
>
> My core question is: if you decided to deploy a service which offered strong end-to-end encryption, it's likely it
> would attract interest from agencies.  If you were of a mind to follow in the footsteps of Richard Ingram in
> Arkell v Pressdram and force the matter to a court, what would be the likely outcome?

You would probably be required to assist. somehow - even if the 
judgement wasn't exactly in line with the law, see eg  (NTL Group Ltd) v 
Crown Court at Ipswich. Judges often just make it up as they go along.

I repeat,

End-to-end encryption should really be end-to-end - it should be 
impossible for the service provider to able to provide any assistance in 
in obtaining plaintext.

>
> [[ This is a hypothetical question, by the way: I have no such product, nor any such intention. ]]
>
> My guesses are (1) No (2) on the face of it yes (3) I suspect not (4) who knows?

Yes.

> My answer to the core
> question is that the government would do almost anything to avoid the dispute getting into open court.

Yes. But we also have closed Courts these days ...


-- Peter F