The Home Office has published, with as little fanfare as possible (paper published on Tuesday, press release only on Friday), the threatened public consultation on RIPA Part III - after a delay of over 6 years !
Consultation paper, and Draft Statutory Code of Practice on Investigation of Protected Electronic Data (293 K )
(.pdf with non-standard fonts, presumably to make it harder to copy and paste any of the text)
The consultation closes on 30 August 2006.
Covert Investigation Policy Team
2 Marsham Street
London SW1P 4DF
No doubt we will look at this more deeply, and may, if we can summon up our depleted stock of civic duty, bother to re-iterate our previous criticisms of RIPA.
At first glance:
The section on the increased penalties of 5 years for non-disclosure of a Cryptographic Key or the plaintext, in "national security" investigations does nothing to clarify the recently changed law, which was amended by the Terrorism Act 2006.
What exactly is the definition of a "national security" investigation ? Where is the line drawn between say, a "normal" online credit card fraud, involving, say, SSL/TLS session encyption, and a similar fraud, where some of the money is heading for possible, if indirect, support of terrorist organisations ? Who declares that it is a "national security" investigation, and what profff is there that this power is not being abused in secret ?
Remember that RIPA Part III has bever been commenced, so nobody has any experience of whether the 2 year penalty made any difference or not.
The consultation paper is now telling people what the critics of RIPA were saying back in the year 2000, namely that if someone is facing 10 years in prison or more for possesion of child porn or terrorist related material, why would they ever disclose a key under penalty of 2 years prison ? Even the 5 year "national security" penalty seems to be uselss, given that the paealty for "possession of anything that might be useful to a terrorist" is up to 7 years under the Terrorism Act 2000, and under the Terrorism Act 2006, the vaguue, catch all "acts preparatory to terrorism" carries a life sentence.
The consultation paper then goes off into very dangerous ground such as suggesting that people could be convicted of say, having child porn images, merely on circumstantial evidence and suspicion, because they may have some encrypted material in their possession, i.,e. images which nobody can actually decipher and view.
Given the technical problems of proving whether any random chunk of disk space contains encrypted material or not, this could sort of legal power could easlily be abused to "frame" a suspect illegally, and they would have no way of disproving a false allegation.
There should be far more concrete examples of where the Home Office allege, in direct contradiction of the official reports of both the Interception of Communications Commissioner and of the intelligence Services Commisioner, that there is any large scale use of encyption, which cannot be broken by the National Technical Assistance Centre
The suspicion must be that this "consultation" is a result of the dubious justifications put forward during the controversial "90 days" pre-charge detention debate on the Terrorism Act 2006, this time being re-cycled for the chold porn betes noirs.
At first glance, the Code of Pratice, even after 6 years of alleged "consultation" and presumably "deep thought" by the Home Office still seems to be woefully inadequate.
Despite now imposing a horrendously complicated bureaucratic authorisation and recording procedure, the Home Office still have not bothered to think about DIgiatal Signatures to help authenticate Encryption Key Disclosure Notices - this could help release Encryption Keys held by Trusted Third Parties or large companies, much more quickly than otherwise.
There is no recognition of the fact that the vast majority of people will never see a properly formatted, serial numbered and duly signed Disclosure Notice, let alone be able to properly authenticate one, whilst under the threat of 5 years in prison for a "tipping off" offence.
Simply providing a telephone number for someone to phone to "authenticate" a Disclosure Notice is nowhere near good enough ! It will lead to data thieves and spies stealing confidential Encryption Keys and data and money, by using fake Disclosure Notices.
They do now admit to the existance of software designed to automatically detect the tampering with or revocation of cryyptographic keys.
They do now admit to the existance of split keys.
How either of these features of modern software is compatible with the ferocious penalties for "tipping off" seems to be just a lot of handwaving and wishful thinking.
The Code of Practice gives vague instructions that whover authorises the grabbing of Encryption Keys, especially multi-use ones, or ones from Financial Institutions, or trequires the additional imposition of a secrecy condition, needs to be aware of the collateral damage and business disruption that this will cause.
There is going to be some serious confusion with the way in which the document claims that a "session key" is the same as as a "symmetric key" - this might usually be the case, but not always. Similarly there are plenty of uses of "symmtric keys" which are not used as "session keys".
There seems to be no acknowledgement that most users of "session keys" will not usually be aware of them, or aware of which specific one their software happened to be using at a particular time.
There is no redress for any company that suffers such collateral damage or destruction of commercial confidentiality involving innocent customers' data etc.
It is unclear how the Code of Pratice instruction that any Disclosure Notice served on a Financial Institution which is regulated by the Financial Services Authority, must be notoified to the Chiairman of the FSA. There simply is no provsion for this in the Regulation of investigatory Powers Act, the Chairman of the FSA is not on the same legal footing as the RIPA Commissioners i.e. the Interception Commissionor or the Intelligence Services Commissionor or the Chief Surveillance Commissioner etc. and so it must be illegal under the stupid "tipping off" offences.
There are no criminal penalties for officious or incompetent officials requesting excessive amounts of data or making repeated, vexatious requests.
This consultation document gives no details of costs or of financial compensation.