<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 11/06/2014 12:40, Ian Batten wrote:<br>
</div>
<blockquote
cite="mid:EC846839-8C56-4430-8F9D-B08FE977A6A3@batten.eu.org"
type="cite">
<pre wrap="">Hey ho, we're on the RIPA train again.
RIPA section 12 lays down provision for the home secretary to direct CSPs to maintain an interception capability.
Section 12(7) provides that if a CSP refuses, the Home Secretary can go to a (civil) court and seek remedies.
To be concrete, imagine an email provider (Gmail, say) or ISP who proposes to run a service that
encourages or enables their customers to run end-to-end encryption, such that the ISP (etc) did
_not_ have any keys to respond to a RIPA S.49 notice. And let's assume for the purposes at hand that they
can prove they don't have keys in a relatively accessible and comprehensible way.
Some questions that have arisen from a debate with a colleague.
1. Imagine your clients are using end-to-end encryption, and you have somehow encouraged them. Do your S.12
responsibilities include any obligation to make it easier for an interception to obtain plaintext (or, alternatively,
to not make it any harder)?</pre>
</blockquote>
<br>
I suggest not. Section 12 is about intercepting communications, not
about making them intelligible, to which latter purpose a whole lot
of quite different provisions are made.<br>
<br>
<blockquote
cite="mid:EC846839-8C56-4430-8F9D-B08FE977A6A3@batten.eu.org"
type="cite">
<pre wrap="">
2. This thanks to Julian Huppert when we asked him about this on Monday. Could S.94 of the Telecommunications
Act be engaged to try to convince the operator to modify their network? As amended, S.94(8) limits this to
"providers of public electronic communications networks". As Julian pointed out, "telecommunications networks" aren't
defined in the 1984 Act; further reading of the history of S.94(8) implies that the meaning from S.32 of the
Communications Act 2003 applies, which would cover pretty well any imaginable service offered at scale. </pre>
</blockquote>
<br>
Anything at all can be ordered, provided it is proportionate, and
that must include modifying the service. It is hard to see that
secretly frustrating the security features for all users could be
proportionate, but doing so for some might be. It would be a
judicial review that HMG would hate to fight, though.<br>
<br>
<blockquote
cite="mid:EC846839-8C56-4430-8F9D-B08FE977A6A3@batten.eu.org"
type="cite">
<pre wrap="">
3. Has any CSP who has been approached with S.12 powers refused to comply (other than by shutting down
the service)? As the Technical Advisory Board has never met, one would tend to suspect that no such dispute
has ever taken place.
4. If someone did refuse, forced a meeting of the TAB, still refused, and ended up in court, how likely is it that
the government would (a) fight and (b) win an action under S.12(7)?</pre>
</blockquote>
<br>
The Government would fight if they felt it mattered enough, which
seems inherently pretty unpredictable. Equally unpredictable is
whether they would win, since it depends what points were at issue.
If the argument was about making communications intelligible I think
they'd lose; but since that would be apparent in advance, they
wouldn't fight that one.
<blockquote
cite="mid:EC846839-8C56-4430-8F9D-B08FE977A6A3@batten.eu.org"
type="cite">
</blockquote>
Nicholas<br>
<div class="moz-signature">-- <br>
<style type="text/css">
A:link
{ text-decoration: none; color:#0000bb; }
A:visited
{ text-decoration: none; color:#990099; }
A:active
{ text-decoration: none; color:#bb0000; }
A:hover
{ text-decoration: underline; color:#bb0000; }
</style><span style="font-family: monospace;"><a
href="http://www.ernest.net/contact/index.htm">Contact
and PGP key here</a></span><br>
</div>
</body>
</html>