RIPA s 12(7)

Peter Sommer peter at pmsommer.com
Thu Jun 12 07:43:29 BST 2014


Surely an important element is the form that the encouragement to use 
encrypted email took.

If all that the CSP is doing is reminding their users that email is 
insecure, that they should use encryption and pointing them to some 
sources of advice, it is difficult to see that the CSP has any 
responsibility for what is happening nor would it be feasible for them 
to introduce a capability to deal with "protected information" - 
after all, UK law enforcement resources in this area are all 
centralised and shared - at NTAC.

You may find it helpful to read the appropriate RIPA Code of Practice:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/97959/code-practice-electronic-info.pdf

GMail or any of the non-UK webmail service providers could however embed 
encryption into their offerings but the UK government would not be able 
to force them to introduce an interception capability; it would have to 
be done by agreement.

I agree with Nick (no, not that one)



Peter Sommer

On 11/06/2014 15:11, Nicholas Bohm wrote:
On 11/06/2014 12:40, Ian Batten wrote:
> Hey ho, we're on the RIPA train again.
>
> RIPA section 12 lays down provision for the home secretary to direct CSPs to maintain an interception capability.
>
> Section 12(7) provides that if a CSP refuses, the Home Secretary can go to a (civil) court and seek remedies.
>
> To be concrete, imagine an email provider (Gmail, say) or ISP who proposes to run a service that
> encourages or enables their customers to run end-to-end encryption, such that the ISP (etc) did
> _not_ have any keys to respond to a RIPA S.49 notice.  And let's assume for the purposes at hand that they
> can prove they don't have keys in a relatively accessible and comprehensible way.
>
> Some questions that have arisen from a debate with a colleague.
>
> 1.  Imagine your clients are using end-to-end encryption, and you have somehow encouraged them.  Do your S.12
> responsibilities include any obligation to make it easier for an interception to obtain plaintext (or, alternatively,
> to not make it any harder)?

I suggest not.  Section 12 is about intercepting communications, not 
about making them intelligible, to which latter purpose a whole lot of 
quite different provisions are made.

>   
> 2.  This thanks to Julian Huppert when we asked him about this on Monday.  Could S.94 of the Telecommunications
> Act be engaged to try to convince the operator to modify their network?  As amended, S.94(8) limits this to
> "providers of public electronic communications networks".  As Julian pointed out, "telecommunications networks" aren't
> defined in the 1984 Act; further reading of the history of S.94(8) implies that the meaning from S.32 of the
> Communications Act 2003 applies, which would cover pretty well any imaginable service offered at scale.

Anything at all can be ordered, provided it is proportionate, and that 
must include modifying the service.  It is hard to see that secretly 
frustrating the security features for all users could be proportionate, 
but doing so for some might be.  It would be a judicial review that HMG 
would hate to fight, though.

> 3.  Has any CSP who has been approached with S.12 powers refused to comply (other than by shutting down
> the service?)  As the Technical Advisory Board has never met, one would tend to suspect that no such dispute
> has ever taken place.
>
> 4.  If someone did refuse, forced a meeting of the TAB, still refused, and ended up in court, how likely is it that
> the government would (a) fight and (b) win an action under S.12(7)?

The Government would fight if they felt it mattered enough, which seems 
inherently pretty unpredictable.  Equally unpredictable is whether they 
would win, since it depends what points were at issue. If the argument 
was about making communications intelligible I think they'd lose; but 
since that would be apparent in advance, they wouldn't fight that one.
Nicholas





More information about the ukcrypto mailing list