Investigatory Powers Act - Government mandated backdoors

Peter Fairbrother zenadsl6186 at
Fri Dec 9 19:57:11 GMT 2016

On 05/12/16 07:54, Roland Perry wrote:
> In article <ecf10e6b-4863-a5bd-1beb-9c32615683dd at>, Peter
> Fairbrother <zenadsl6186 at> writes
>> Probably the most important example is Forward Secrecy in eg TLS
>> suites. In order to maintain the ability to produce the plain text,
>> relevant operators can effectively be required to modify their systems
>> to retain the keys used rather than discarding them.
> As with the A5/1 SM encryption it would be far easier to simply
> intercept the plain text *after* it has emerged from the TLS 'decoder'
> at the operator's premises.
>> Some may consider that a required backdoor, but as the relevant
>> operator keeps the keys, and they are not available to Plod etc
>> without a warrant, I don't know whether it really counts. Maybe 1/2 a
>> required backdoor.
> Remember, this is about intercepting transmissions happening *now*, not
> decrypting historic transmissions where for some reason they have been
> stored while still encrypted by the carrier's internal encryption scheme.

(an ISP would not usually use TLS, it's more for websites)

I was thinking more - Plod intercepts an IP (with a warrant) - gets 
ciphertext - asks a relevant operator, eg Googlemail, to decrypt.

RO says "no I can't, I used forward secrecy and both the keys and 
plaintext are gone".

HO says "you must maintain the capability" (under s. 254, with the 
relevant authorisation in Ss.254(1)(a) being a putative but not extant 
S.16(1)(a) warrant). See [2] below.

>> Of course there is a small problem for the SoS and/or Plod here - if
>> an effect of the modification to the system, eg removing the deletion
>> of keys, makes any of the content available to a person other than the
>> sender or recipient then it would be interception, and unlawful.
> Only if you don't have a relevant warrant to hand.

[2] aiui, the relevant authorisation in Ss.254(1)(a) in regard to which 
HO can issue a technical capability order is any relevant authorisation 
of the types in Ss.254(1)(a) which might reasonably come along in future.

There doesn't have to be, indeed there cannot reasonably be expected to 
be, any specific authorisation covering everything the order might 
involve at the actual time the order is served.

However as there is no actual authorisation in existence for everything 
the technical capability order might cover, if the behaviour the order 
requires involves interception then it would be unlawful.

I suppose HO or FO might, by some chicanery, have a bulk warrant to hand 
- but I don't think they could have a targeted warrant at the time they 
served the capability order, which covers much more than any targeted 
warrant could.

Roland, do you have any historical view on the meaning of 262 (11) 
‚ÄúTelecommunications service‚ÄĚ means any service that consists in the 
provision of access to, and of facilities for making use of, any 
telecommunication system [...]?

There seem to be two separate requirements, firstly the provision of 
access, and secondly the [provision of] facilities for making use of - 
but I cannot make any sense of that.



More information about the ukcrypto mailing list