Investigatory Powers Act - Government mandated backdoors

Peter Fairbrother zenadsl6186 at zen.co.uk
Tue Dec 20 13:24:54 GMT 2016


On 19/12/16 11:17, Roland Perry wrote:
> In article <e7d0ee3b-6153-172a-e7a9-15f6a1491eb4 at zen.co.uk>, Peter
> Fairbrother <zenadsl6186 at zen.co.uk> writes
>[..]
>> I was thinking more - Plod intercepts an IP (with a warrant) - gets
>> ciphertext - asks a relevant operator, eg Googlemail, to decrypt.
>>
>> RO says "no I can't, I used forward secrecy and both the keys and
>> plaintext are gone".
>>
>> HO says "you must maintain the capability" (under s. 254, with the
>> relevant authorisation in Ss.254(1)(a) being a putative but not extant
>> S.16(1)(a) warrant). See [2] below.
>
> I'm not going to check the sections quoted with a fine toothed comb, but
> in principle the Act can attempt to place such a duty on a carrier to
> help provide the plaintext of *future* transmissions, if all the normal
> conditions of practicality etc are met.

We furiously agree.

> The fun will start when
> jurisdictional issues arise.

Jurisdictional issues? SoS's in sekkrit midnight duels? Judges passing 
the port to the right? Enquiring minds ..

>>>> Of course there is a small problem for the SoS and/or Plod here - if
>>>> an effect of the modification to the system, eg removing the deletion
>>>> of keys, makes any of the content available to a person other than the
>>>> sender or recipient then it would be interception, and unlawful.
>>>
>>> Only if you don't have a relevant warrant to hand.
>>
>> [2] aiui, the relevant authorisation in Ss.254(1)(a) in regard to
>> which HO can issue a technical capability order is any relevant
>> authorisation of the types in Ss.254(1)(a) which might reasonably come
>> along in future.
>>
>> There doesn't have to be, indeed there cannot reasonably be expected
>> to be, any specific authorisation covering everything the order might
>> involve at the actual time the order is served.
>>
>> However as there is no actual authorisation in existence for
>> everything the technical capability order might cover, if the
>> behaviour the order requires involves interception then it would be
>> unlawful.
>
> Interception requires making the material available to someone, simply
> making one's equipment intercept-ready is not interception.

Tricky. The wording includes "modifying equipment ... as to ... make 
available"

AFAICT, available means that a person could see it, or have it in his 
possession - not that he necessarily does.

So, as we have discussed before, placing a tap controlled by the CSP 
might not be interception, whereas placing a tap controlled by eg GCHQ 
would be interception, whether it was used or not, and could not 
lawfully be done under a maintenance order.

[Placing such a tap on a cable leaving the country might be lawful under 
a bulk access warrant, if the warrant was for "all traffic on the cable" 
- but I don't know whether that's allowed. Placing a tap controlled by 
the ISP would be more likely to be lawful.

Even an internal ISP tap might be considered interception; though I 
doubt many Courts would do anything serious about it, even if they agreed.]


> When a target uses the system, *and* there's a relevant warrant in
> force, *then* handing over the product is a *legal* interception.

My point is that an interception may also have already occurred, eg when 
the system was modified, before any material was handed over.

[...]

>> Roland, do you have any historical view on the meaning of 262 (11)
>> “Telecommunications service” means any service that consists in the
>> provision of access to, and of facilities for making use of, any
>> telecommunication system [...]?
>
> It's 261(11)
>
>> There seem to be two separate requirements, firstly the provision of
>> access, and secondly the [provision of] facilities for making use of -
>> but I cannot make any sense of that.
>
> Perhaps the bit you left out can assist us:
>
>  "(whether or not one provided by the person providing the service)"
>
> and noting that a telecommunications system is:
>
>  " a system ... for the purpose of facilitating the transmission of
>    communications"
>
> I think it becomes clear that we are talking about connectivity (transit
> from the user to the destination server) and an invisible "hence" after
> the "and".

I don't follow. Connectivity in the first part, "provision of access", 
maybe, though I don't see how that becomes clear; and something else in 
the second part, "provision of facilities for making use of", invisible 
hence [1] or no.

[1] afaics the invisible hence doesn't make any difference: to be a 
telecomms service operator you still have to do both parts.

>
> eg. A worked example: Vodafone provides a service which provides access
>     via GSM and backhaul to the PSTN and hence to BT's network which is
>     a system for contacting BT's phone subscribers.

Doesn't help my understanding any.


Trying to follow your reasoning, with a different example: BT "provide 
access" to the PSTN, a telecommunications system, in the form of copper 
connectivity.

BT also provide "facilities for making use of" that service in the form 
of billing, routing, directories etc.

Vodafone do much the same.



But Googlemail? Now here's a rub. If you are right then perhaps 
Googlemail do provide "facilities for making use of" the Googlemail 
system [which afaict is a telecomms system], but they do not provide 
access to it, ie connectivity.

And therefore Googlemail are not relevant operators, and not subject to 
a maintenance of capability order.

Maybe? Be nice if it was so.



-- Peter Fairbrother




