RIPA S.12(7) and other pressure points
Peter Fairbrother
zenadsl6186 at zen.co.uk
Sat Jun 14 21:37:05 BST 2014
On 11/06/14 12:40, Ian Batten wrote:
> Hey ho, we're on the RIPA train again.
>
> RIPA section 12 lays down provision for the home secretary to direct CSPs to maintain an interception capability.
>
> Section 12(7) provides that if a CSP refuses, the Home Secretary can go to a (civil) court and seek remedies.
>
> To be concrete, imagine an email provider (Gmail, say) or ISP who proposes to run a service that
> encourages or enables their customers to run end-to-end encryption, such that the ISP (etc) did
> _not_ have any keys to respond to a RIPA S.49 notice. And let's assume for the purposes at hand that they
> can prove they don't have keys in a relatively accessible and comprehensible way.
>
> Some questions that have arisen from a debate with a colleague.
>
> 1. Imagine your clients are using end-to-end encryption, and you have somehow encouraged them. Do your S.12
> responsibilities include any obligation to make it easier for an interception to obtain plaintext (or, alternatively,
> to not make it any harder)?
The Regulation of Investigatory Powers (Maintenance of Interception
Capability) Order 2002
Schedule: OBLIGATIONS ON SERVICE PROVIDERS
"10. To ensure that the person on whose application the interception
warrant was issued is able to remove any electronic protection applied
by the service provider to the intercepted communication and the related
communications data."
As I read that, it only applies to encryption applied by the service
provider, not to any encryption applied by the users.
I don't think the fact that the service provider has encouraged the
users to use encryption makes any difference; the service provider has
not applied the encryption himself.
As you point out, if you can prove you don't have any keys then you
can't be served a RIPA s.49 notice (which can require you to assist in
making comms intelligible in other ways than using a key - but if you
don't have keys, they can't serve you a s.49 notice in the first place).
Under s. 12 the Secretary of State can only give notices requiring
behaviour from service providers which is in accord with an existing
order - and making it easier for an interception to obtain plaintext
(or, alternatively, to not make it any harder) does not fall under the
only order in existence, as above.
The Secretary of State could of course make a new order under RIPA s.12,
which would have to go through Parliament. An order requiring assistance
with encryption as you describe would probably just about technically
pass muster, see eg s.12(11); but as yet such an order hasn't been made.
I doubt it would be politically acceptable however, for the moment at least.
> 2. This thanks to Julian Huppert when we asked him about this on Monday. Could S.94 of the Telecommunications
> Act be engaged to try to convince the operator to modify their network?
Modification of the network (assuming it was such "as to make some or
all of the contents of the communication available, while being
transmitted, to a person other than the sender or intended recipient of
the communication") would be interception under RIPA.
It might well be lawful interception under:
RIPA ss.1(5) "(c) it is in exercise, in relation to any stored
communication, of any statutory power that is exercised (apart from this
section) for the purpose of obtaining information or of taking
possession of any document or other property;"
see eg (NTL Group Ltd) v Crown Court at Ipswich for a judicial
redefinition of "stored communication".
However if it wasn't lawful under ss.1(5) as above, then afaict the
Telecommunications Act 1984 does not make the modification, and thus the
interception, lawful.
Section 94 of the Telecommunications Act 1984 does not authorise
otherwise unlawful acts (except as in 94(3) as amended, not relevant here).
> As amended, S.94(8) limits this to
> "providers of public electronic communications networks". As Julian pointed out, "telecommunications networks" aren't
> defined in the 1984 Act; further reading of the history of S.94(8) implies that the meaning from S.32 of the
> Communications Act 2003 applies, which would cover pretty well any imaginable service offered at scale.
Yes - though s.94 would not apply to eg people who (only) supply
encryption software.
> 3. Has any CSP who has been approached with S.12 powers refused to comply (other than by shutting down
> the service?) As the Technical Advisory Board has never met, one would tend to suspect that no such dispute
> has ever taken place.
>
> 4. If someone did refuse, forced a meeting of the TAB, still refused, and ended up in court, how likely is it that
> the government would (a) fight and (b) win an action under S.12(7)?
>
> My core question is: if you decided to deploy a service which offered strong end-to-end encryption, it's likely it
> would attract interest from agencies. If you were of a mind to follow in the footsteps of Richard Ingram in
> Arkell v Pressdram and force the matter to a court, what would be the likely outcome?
You would probably be required to assist, somehow - even if the
judgement wasn't exactly in line with the law, see eg (NTL Group Ltd) v
Crown Court at Ipswich. Judges often just make it up as they go along.
I repeat,
End-to-end encryption should really be end-to-end - it should be
impossible for the service provider to be able to provide any assistance
in obtaining plaintext.
>
> [[ This is a hypothetical question, by the way: I have no such product, nor any such intention. ]]
>
> My guesses are (1) No (2) on the face of it yes (3) I suspect not (4) who knows?
Yes.
> My answer to the core
> question is that the government would do almost anything to avoid the dispute getting into open court.
Yes. But we also have closed Courts these days ...
-- Peter F