RIPA s 12(7)

Peter Fairbrother zenadsl6186 at
Sun Jun 15 23:26:30 BST 2014

On 12/06/14 12:20, Caspar Bowden (lists) wrote:
> On 06/12/14 08:43, Peter Sommer wrote:
>> ..
>> GMail or any of the non-UK webmail service providers could however
>> embed encryption into their offerings but the UK government would not
>> be able to force them to introduce an interception capability;  it
>> would have to be done by agreement.
> ..but a s.49 RIP order can require CSP to produce plaintext (or key) to
> any past (or future) data. If the key isn't available (e.g. there is
> client-side code) a recipient of a s.49 can be required to give all
> co-operation necessary to have a defence.

I'm beginning to wonder whether that last is actually true.

If you read RIPA s.50, there are many ways the subject of a s.49 notice 
can comply with that notice, most obviously by supplying any/all the 
keys you have - but as far as I can see, you cannot be required to make 
any other actions beyond supplying keys.

OK, with the s.50 definitions of "keys" and "in possession", which do 
not have anything at all to do with the English Language, they are just 
used as terms for some legal stuff here, that's not a big space in 
between - but if an action does not involve revealing a "key" in your 
"possession", afaict you cannot be forced to do it under a s.49 order.

Most specifically, you can't be forced to ask someone else for keys to 
which you only have conditional access.

I too used to think otherwise :(

> Wonder opinions if this sufficient for UK to (coercively) "do a
> Hushmail" ? Or under Intel Services Act, or RIPA Pt.2 ?

I'm not sure what you mean here.

-- Peter F
