<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/12/14 18:49, Peter Sommer wrote:<br>
</div>
<blockquote cite="mid:5399DA15.2010101@pmsommer.com" type="cite">One
of the reasons I provided a link to the RIPA Pt 3 Code of Practice
is that it shows the steps involved and tests that must be applied
during any attempt to enforce a s49 Order. If the CSP has merely
advised their customers to use encryption, pointed them in a few
specific directions but has no further role in setting up the
encryption system then they can say that in this instance they are
a mere conduit. <br>
</blockquote>
<br>
Indeed<br>
<br>
<blockquote cite="mid:5399DA15.2010101@pmsommer.com" type="cite"> It
would be different if they were offering an encrypted webmail
service, though if the keys are generated by the client or by a
third party then plainly the CSP has nothing that would help the
authorities. For conviction under s 49 the authorities have to
prove, among other things, a reasonable belief that the key or the
power to decrypt, is in the possession of the person or entity
being accused.
<br>
</blockquote>
<br>
A "key" is broader than a key:<br>
<blockquote>“key”, in relation to any electronic data, means any
key, code, password, algorithm or other data the use of which
(with or without other keys)—<br>
(a) allows access to the electronic data, or <br>
(b) <b>facilitates</b> the putting of the data into an
intelligible form; <br>
</blockquote>
Moreover in the CoP<br>
<blockquote>6.16 Where a person is required by a section 49 notice
to make a disclosure in respect of any protected information and
that person:<br>
<blockquote>• has had possession of the key to the protected
information but no longer has possession of it;<br>
• would have been required by the notice to disclose the key if
it had continued to be in his possession, and<br>
• when given the notice, or within the time by which the notice
must be complied with, is in possession of any information that
would facilitate the obtaining or discovery of the key or the
putting of the protected information into an intelligible form;<br>
</blockquote>
the effect of the disclosure requirement is that he shall be
required to disclose all such information to the person to whom he
would have been required to disclose the protected information in
an intelligible form or the key. In other words, to disclose
anything they have that assists putting the protected information
into an intelligible form.<br>
</blockquote>
that looks broad enough to ask for the source code to any
client-side Webmail encrypting widget. Quite useful.<br>
<br>
can't see how the service provider's arm can be twisted to supply
doctored code (themselves), but MITM and possibly Quantum attacks
(?)<br>
<br>
CB<br>
<br>
<br>
</body>
</html>