Investigatory Powers Act - Government mandated backdoors
lists at internetpolicyagency.com
Mon Dec 19 11:17:18 GMT 2016
In article <e7d0ee3b-6153-172a-e7a9-15f6a1491eb4 at zen.co.uk>, Peter
Fairbrother <zenadsl6186 at zen.co.uk> writes
>On 05/12/16 07:54, Roland Perry wrote:
>> In article <ecf10e6b-4863-a5bd-1beb-9c32615683dd at zen.co.uk>, Peter
>> Fairbrother <zenadsl6186 at zen.co.uk> writes
>>> Probably the most important example is Forward Secrecy in eg TLS
>>> suites. In order to maintain the ability to produce the plain text,
>>> relevant operators can effectively be required to modify their systems
>>> to retain the keys used rather than discarding them.
>> As with the A5/1 SM encryption it would be far easier to simply
>> intercept the plain text *after* it has emerged from the TLS 'decoder'
>> at the operator's premises.
>>> Some may consider that a required backdoor, but as the relevant
>>> operator keeps the keys, and they are not available to Plod etc
>>> without a warrant, I don't know whether it really counts. Maybe 1/2 a
>>> required backdoor.
>> Remember, this is about intercepting transmissions happening *now*, not
>> decrypting historic transmissions where for some reason they have been
>> stored while still encrypted by the carrier's internal encryption scheme.
>(an ISP would not usually use TLS, it's more for websites)
>I was thinking more - Plod intercepts an IP (with a warrant) - gets
>ciphertext - asks a relevant operator, eg Googlemail, to decrypt.
>RO says "no I can't, I used forward secrecy and both the keys and
>plaintext are gone".
>HO says "you must maintain the capability" (under s. 254, with the
>relevant authorisation in Ss.254(1)(a) being a putative but not extant
>S.16(1)(a) warrant). See  below.
I'm not going to check the sections quoted with a fine toothed comb, but
in principle the Act can attempt to place such a duty on a carrier to
help provide the plaintext of *future* transmissions, if all the normal
conditions of practicality etc are met. The fun will start when
jurisdictional issues arise.
>>> Of course there is a small problem for the SoS and/or Plod here - if
>>> an effect of the modification to the system, eg removing the deletion
>>> of keys, makes any of the content available to a person other than the
>>> sender or recipient then it would be interception, and unlawful.
>> Only if you don't have a relevant warrant to hand.
> aiui, the relevant authorisation in Ss.254(1)(a) in regard to which
>HO can issue a technical capability order is any relevant authorisation
>of the types in Ss.254(1)(a) which might reasonably come along in
>There doesn't have to be, indeed there cannot reasonably be expected to
>be, any specific authorisation covering everything the order might
>involve at the actual time the order is served.
>However as there is no actual authorisation in existence for everything
>the technical capability order might cover, if the behaviour the order
>requires involves interception then it would be unlawful.
Interception requires making the material available to someone, simply
making one's equipment intercept-ready is not interception.
When a target uses the system, *and* there's a relevant warrant in
force, *then* handing over the product is a *legal* interception.
>I suppose HO or FO might, by some chicanery, have a bulk warrant to
>hand - but I don't think they could have a targeted warrant at the time
>they served the capability order, which covers much more than any
>targeted warrant could.
As the process of negotiating a successfully served capability order is
complex and involves appeals, it's unlikely to be helpful to start that
process *after* you have a specific targeted warrant in your hand.
Unless you are chasing someone like Bin Laden and expect to be on the
case for several years.
>Roland, do you have any historical view on the meaning of 262 (11)
>“Telecommunications service” means any service that consists in the
>provision of access to, and of facilities for making use of, any
>telecommunication system [...]?
>There seem to be two separate requirements, firstly the provision of
>access, and secondly the [provision of] facilities for making use of -
>but I cannot make any sense of that.
Perhaps the it you left out can assist us:
"(whether or not one provided by the person providing the service)"
and noting that a telecommunications system is:
" a system ... for the purpose of facilitating the transmission of
I think it becomes clear that we are talking about connectivity (transit
from the user to the destination server) and an invisible "hence" after
eg. A worked example: Vodafone provides a service which provides access
via GSM and backhaul to the PSTN and hence to BT's network which is
a system for contacting BT's phone subscribers.
More information about the ukcrypto