tag:blogger.com,1999:blog-3993498847203183398.post508795283488425828..comments2024-03-19T09:14:24.926+00:00Comments on RevK<sup>®</sup>'s ramblings: Ban random numbersRevKhttp://www.blogger.com/profile/12369263214193333422noreply@blogger.comBlogger22125tag:blogger.com,1999:blog-3993498847203183398.post-67847067863919749702015-07-21T08:45:28.843+01:002015-07-21T08:45:28.843+01:00True enough. Hopefully something which will come u...True enough. Hopefully something which will come up in the context of the current reform, although, despite the focus at the moment on encryption, I would be surprised if s49 was a major issue - it was rather sidelined by the potential for decryption obligations to be imposed on providers under what would have been an order under the draft Communications Data Bill, and I suspect that the push will be for powers more akin to those, separate from s49.Anonymoushttps://www.blogger.com/profile/18427000118752159232noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-36131589405123104352015-07-21T08:12:49.805+01:002015-07-21T08:12:49.805+01:00Absolutely no need to apologise. I was just trying...Absolutely no need to apologise. I was just trying to say that there aren't tomes about this subject; our discussion on here is pretty much the most comprehensive scholarly discussion on the topic!DrAlbanhttps://www.blogger.com/profile/18200275249304885716noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-92149187057262796612015-07-21T07:19:53.469+01:002015-07-21T07:19:53.469+01:00Indeed, and if ever in the face of police I would ...Indeed, and if ever in the face of police I would be looking for some proper legal advice, don't worry!RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-66816583617848018132015-07-21T06:48:31.155+01:002015-07-21T06:48:31.155+01:00The "knowledgeable" point was aimed more...The "knowledgeable" point was aimed more at hoping that Adrian would not attempt to advise himself in the event of receiving a s49, but rather seek proper advice, rather than a attempted slight on you, and my apologies if that is how it came across!<br /><br />Agreed that s49 is a poorly put together power.Anonymoushttps://www.blogger.com/profile/18427000118752159232noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-52497472996264918912015-07-20T21:58:54.071+01:002015-07-20T21:58:54.071+01:00You're not going to get solicitors much more k...You're not going to get solicitors much more knowledgeable than me. And that's not because I've studied this area particularly intently, more that the notices aren't that frequent and there isn't much case law...<br /><br />"It is intended to be caught (arguable whether successfully or not) within s53(3)"<br /><br />It's clumsy, though. Who's to say what 'sufficient' evidence is? Is the oral evidence of the person who's forgotten the key, 'sufficient'? I would rather the legislation were clearer.<br /><br />Regarding your s49 countermeasures, Theresa May would say a terrorist would try to make it appear as though protected information wasn't actually protected information, so that wouldn't necessarily take you that far. But I think you appreciate that.<br /><br />"(FWIW, I'm not of the view that these kind of things get signed off casually — but I can't point to any external data point for this.)"<br /><br />Well s18 searches by inspectors certainly do. Extensions to 24 hours in custody by superintendents do to a lesser extent. Whilst I hate these notices on principle, it irks me even more that it's a policeman making the decision to issue them and not a judge. You simply can't trust the police.DrAlbanhttps://www.blogger.com/profile/18200275249304885716noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-6874291684566284582015-07-14T19:56:55.960+01:002015-07-14T19:56:55.960+01:00Oh, I completely get where you are coming from her...Oh, I completely get where you are coming from here. I don't think - but could be wrong - that IOCCO audits s49 notices, so even that degree of oversight is absent. And I would agree that oversight is essential in a self- authorising framework.Anonymoushttps://www.blogger.com/profile/18427000118752159232noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-78541683244232623842015-07-14T19:37:51.463+01:002015-07-14T19:37:51.463+01:00I understand you may have reason to believe oy jud...I understand you may have reason to believe oy judt hope that those empowered to sign a S49 notice do so with due diligence.<br /><br /> But what consequences would they face if they didn't?<br /><br />I can't think of time a chief inspector has been forced to resign... Which suggests they have a lot of latitude for being over casual.<br /><br />Apologies if it sounds like I've an axe to grind, that not my intent - I just wish to highlight what appears to me to be a failure mode of the type of legalisation.Rogerhttps://www.blogger.com/profile/16832778902341816748noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-34702431546871523512015-07-14T16:38:09.279+01:002015-07-14T16:38:09.279+01:00I would hope that, at the point Adrian gets handed...I would hope that, at the point Adrian gets handed a s49, notwithstanding his undoubted skills and interest in dealing with legal issues, he contacts a solicitor knowledgeable in this area!<br /><br />> Forgetting a password would definitely provide a 'reasonable excuse' but, since s53 doesn't include that caveat<br /><br />It is intended to be caught (arguable whether successfully or not) within s53(3):<br /><br />a person shall be taken to have shown that he was not in possession of a key to protected information at a particular time if–<br />(a) sufficient evidence of that fact is adduced to raise an issue with respect to it; and<br />(b) the contrary is not proved beyond a reasonable doubt.<br /><br />Advice I have given in the past around preparing to deal with a potential s49 notice in the case of data which could be mistaken for protected information but which is, in fact, not protected information, was to create a clear, documented recorded of the process of creation of the data, and hyperlink to it in the footer / end of the email in which the data were sent, such that anyone viewing the email content would be able to click through and read it, and thus immediately have a statement of purported fact, which would need to be disproved. Definitely not foolproof, but potentially going some way towards mitigating risk here.<br /><br />I'm not aware of any case law on this particular point about random data sending, though (although an animal rights activism case springs to mind in terms of forgetting passwords).<br /><br />(FWIW, I'm not of the view that these kind of things get signed off casually — but I can't point to any external data point for this.)Anonymoushttps://www.blogger.com/profile/18427000118752159232noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-64582477458855157372015-07-13T23:18:06.842+01:002015-07-13T23:18:06.842+01:001.) Someone calls the police and says that you'...1.) Someone calls the police and says that you've been committing an indictable offence (theft, fraud, sending a picture of the fallen Madonna with the big boobies in the post [s85 Postal Services Act 2000]).<br /><br />2.) The police don't bother getting a search warrant and instead arrest you and then get an inspector to authorise a s18 PACE search. They then search your house and take your laptop.<br /><br />3.) You've been sending your mate, Barry, some random data (you have a true random number generator based on a Geiger counter and he wants regular samples) via email. You keep telling the police this in interview, but you've annoyed them by not confessing immediately.<br /><br />4.) PC Pickles then says to a superintendent that you're a fraudster and that he needs to give you a s49 RIPA notice. The superintendent rubber stamps it after considering if you have the key to the encrypted data, if it's necessary to prevent crime, that it's proportionate and that it's not reasonably practicable to get it any other way. N.B. the act seems to assume that PC Pickles will be infallible in his detection of protected information, and doesn't even include a proviso that he have reasonable grounds to believe that the information is protected information.<br /><br />5.) You're then handed a s49 notice. If you knowingly fail to comply, you commit an offence under s53 of RIPA.<br /><br />As a side note, offences include caveats such as 'without reasonable excuse'. Forgetting a password would definitely provide a 'reasonable excuse' but, since s53 doesn't include that caveat, it remains to be see if forgetting a password would be a 'knowing failure'.<br /><br />You're then prosecuted like in any other case. In my opinion, the prosecution would have to show, beyond all reasonable doubt, that:<br /><br />i.) The information on which the notice is based is indeed protected information and not just random information;<br /><br />ii.) That you had the ability to decode it/provide the key for decoding to the police; and<br /><br />iii.) That you failed to do so upon receipt of a valid s49 notice.DrAlbanhttps://www.blogger.com/profile/18200275249304885716noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-25382855851237895732015-07-13T22:29:47.237+01:002015-07-13T22:29:47.237+01:00I'll admit; I chuckled at your suggestion of b...I'll admit; I chuckled at your suggestion of banning children.DrAlbanhttps://www.blogger.com/profile/18200275249304885716noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-54254739443670224122015-07-13T11:35:27.956+01:002015-07-13T11:35:27.956+01:00Just ban all communication. It's the only way ...Just ban all communication. It's the only way to be 100% sure people are not sending coded message. <br />Also ban children, just to be sure nothing bad happen to them. <br />Alternatively just redefine "communication" and "encryption", it seems to have worked with "poverty". Brexit factshttps://www.blogger.com/profile/09499046210014193575noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-4480629692663508342015-07-11T23:28:32.255+01:002015-07-11T23:28:32.255+01:00As I see it, there is one big flaw with your blogs...As I see it, there is one big flaw with your blogs about the proposed encryption ban and that is the following.<br /><br />- Most of the people reading (and commenting) on your posts understand and agree [albeit perhaps to varying levels] with you about the absurdity behind trying to ban it.<br /><br />--<br /><br />Thus, the only task we're left with is the job of trying to argue amongst ourselves as to exactly what level of { craziness / impracticality / poorly thought-through / knee-jerkiness [sp?] ) the concept is in the first place.<br /><br />---<br /><br />Now if only someone could find a way of teaching politicians about common-sense and simple logic... <br /><br />How about the following for starters ...<br /><br />1. Email [random politician] an encrypted copy of your blog<br />2. Make sure that you actually do keep the key (in case you are asked for it)<br />3. In order for "them [the powers that be]" to be certain that you are not issuing any coded threats to the government, they would need to decode the message and examine the contents<br /><br />(Ah, just spotted a flaw in my idea .. You might not be allowed to create a random number to work out which politician to send it to)Steven Wilmothttps://www.blogger.com/profile/00771671711326044189noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-18586709905174480552015-07-11T16:31:55.680+01:002015-07-11T16:31:55.680+01:00You make a very good point about intercept - I cou...You make a very good point about intercept - I could be quite innocent, but if I send to or receive from someone that is under suspicion, I could find my communications with them intercepted and be expected to decrypt it. If I make an app to send random data, I should make sure its "intended recipient" is Theresa May.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-66179874062862813232015-07-11T15:45:55.155+01:002015-07-11T15:45:55.155+01:00Indeed, bans will only impact legitimate use by th...Indeed, bans will only impact legitimate use by the 64 million people in the UK that are not terrorists. The criminals will be able to use encryption in many ways without detection.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-77704468478955896692015-07-11T15:30:58.039+01:002015-07-11T15:30:58.039+01:00As a thought experiment shift the thinking away fr...As a thought experiment shift the thinking away from public key crypto and towards an xor-based one time pad.<br /><br />I send you some random data... Or is it just random data? Perhaps it's a key (a pad)? Or a cyphertext for a pad that you already have? Or maybe I'll just send you a pad for it later.<br /><br />Only when both parts are generated does any "intent" become clear and if I am compelled to produce "the missing half" then I can then provide something that generates whatever other plaintext I like.<br /><br />There are cypher systems that extend this approach via public key crypto to provide plausible deniability by allowing me to produce any one of several possible keys under compulsion that create a legitimate looking decryption - just not the plaintext that was originally intended.Anonymoushttps://www.blogger.com/profile/03699617656518666561noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-14542146186176393432015-07-11T15:16:55.603+01:002015-07-11T15:16:55.603+01:00Part III, not Part II. A bad time for a typo. My a...Part III, not Part II. A bad time for a typo. My apologies.Anonymoushttps://www.blogger.com/profile/18427000118752159232noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-68790692470411528152015-07-11T15:10:28.045+01:002015-07-11T15:10:28.045+01:00There seems to be a bit of confusion here as to ex...There seems to be a bit of confusion here as to exactly what the legislation says, and clarifying this might be useful before getting into the second stage of interpreting it.<br /><br />Adrian does not mention it specifically here but, for clarity, it seems to be Part II of RIPA 2000, which deals with the right to require the decryption of, or provision of keys to enable the requesting authority to decrypt, "protected information".<br /><br />The bit relevant to the defence is s53, in particular s53(2)-(4): http://www.legislation.gov.uk/ukpga/2000/23/section/53<br /><br /><br />(A small side point but, in terms of your second point, about the "legitimate intercept", it is not necessarily true that you must be suspected of something for an encrypted email of yours to be intercepted: you may be communicating with someone who is an intercept target, such that any email you send to that person are intercepted. Probably a silly point, but worth flagging perhaps.)Anonymoushttps://www.blogger.com/profile/18427000118752159232noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-10377454884416077532015-07-11T13:50:48.466+01:002015-07-11T13:50:48.466+01:00What if I purchased a hard drive that was encrypte...What if I purchased a hard drive that was encrypted and I haven't wiped yet. I do not know the key. It can't provide it.<br /><br />"failure to provide" cannot possibly be the wording, it has to be "withholding".Andrew Murphyhttps://www.blogger.com/profile/05559103554821540335noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-78845470956888562212015-07-11T12:49:06.098+01:002015-07-11T12:49:06.098+01:00Tricky - I am sure you (or rather a computer in yo...Tricky - I am sure you (or rather a computer in your possession and control) had the keys for your last Facebook access, but being a transient DH pair, they were deleted automatically. What if asked to provide that key now to decode an intercept of that access?RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-60943021262942558542015-07-11T12:47:00.696+01:002015-07-11T12:47:00.696+01:00Nope. If there ever was a key not providing it is ...Nope. If there ever was a key not providing it is a breach of the law. The only defense being if there was never a keyboggitshttps://www.blogger.com/profile/14019016939005063064noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-57021943812452073862015-07-11T12:42:17.846+01:002015-07-11T12:42:17.846+01:00Yeh, but I can forget and later remember - it was ...Yeh, but I can forget and later remember - it was a crazy law when it was made, and is just as crazy now.RevKhttps://www.blogger.com/profile/12369263214193333422noreply@blogger.comtag:blogger.com,1999:blog-3993498847203183398.post-57279965773010462262015-07-11T12:41:02.072+01:002015-07-11T12:41:02.072+01:00I think they have to prove beyond a reasonable dou...I think they have to prove beyond a reasonable doubt that you know the key to the encryption for you to be prosecuted.<br /><br />As fair as I am aware "I forgot the key" is a totally valid defence... as long as you give no evidence to the contrary... such as later giving them the key Andrew Murphyhttps://www.blogger.com/profile/05559103554821540335noreply@blogger.com