Remarks on the Draft Code of Practice for

INVESTIGATION OF ELECTRONIC DATA PROTECTED

BY ENCRYPTION ETC

Prepared by Dr C. H. Lindsey.
(chl@clw.cs.man.ac.uk)

I would expect that many of the matters addressed in these remarks will already have been taken into consideration. Nevertheless, others may not, and it is therefore hoped that these notes may be of assistance to those drafting the Code of Practice applicable to Part III of the Act.

FOREWORD

This speaks of "integrity", "authentication" and "confidentiality", and then goes on to say

The difficulty is that the very same technologies, which are good for business and individual privacy, also present new opportunities for criminals.

which gives the mistaken impression that all three present "new opportunities for criminals", whereas it fact it is only the latter.

1 GENERAL

1.1 This code of practice provides guidance for public authorities on use of the powers concerning the investigation of electronic data protected by encryption provided for under Part III of the Regulation of Investigatory Powers Act 2000 ("the 2000 Act").

But it does more than that. The Act routinely makes a distinction (e.g. in S50(1)(a)) between "obtaining access" to the protected information and "putting it into intelligible form". The former applies where unencrypted data is protected from access by a password (whether applicable to a specific file, or to the whole computer containing the file); the latter applies where genuinely encrypted data needs to be decrypted in order to make it intelligible. The Draft Code currently speaks entirely to the 2nd case; it needs to be written to cover them both equally, especially as the procedures to be adopted in dealing with them may well differ. (Of course, it may sometimes happen that data is both password-protected and encrypted, in which case there will presumably be two keys needed.)

1.3 A copy of this code should be readily available ... . It should also be available where people are detained in custody.

That seems to imply a copy in every Police Station, which would be an overkill. Surely it would suffice for one to be available before a person in custody was interrogated concerning relevant matters. One presumes that these investigations will generally be conducted by officers specialising in this area, and such officers will not be found in every Police Station.

1.5 Part III of the 2000 Act establishes a power to require any person served with an appropriate notice to disclose protected (e.g. encrypted) information in an intelligible form ("plain text").

It is customary to spell "plaintext" as one word.

This is a typical example where the Draft Code ignores the equally important provisions for gaining access to (unencrypted) information. That information is already in intelligible form. The problem is that you cannot get at it.

There are extra requirements where a decryption key rather than plain text is desired. The 2000 Act sets out statutory safeguards for the protection of all information obtained under the Part III power.

Actually this is not so. Due to a lacuna in the Act it is possible to demand a key without satisfying these extra requirements. It is suggested that this Code should nevertheless insist on those requirements in all such cases. Moreover, the Draft Code is lacking in its coverage of some of the statutory safeguards, notably in the case where plaintext rather than keys has been obtained.

Definitions of terms

It would be most helpful at this point to include definitions of various technical terms used in the Code, since the Code may have to be used and acted upon by Officers not currently familiar with the technicalities. I suggest the following:

"protected information" means any electronic data which, without the aid of some "key" (or keys)

(c) is in a form which is not immediately intelligible or legible, but which can be rendered so with the aid of appropriate software or apparatus (for example, the data is in the format of some proprietary word-processing system, or has been compressed using some known algorithm, or can be converted into recognisable sounds or images with the aid of the proper equipment).

"encryption" means the conversion of data into a protected form such that it is not feasible, by examination of the protected form and without the availability of the proper "key", to restore it to its original condition, where such conversion is made with intent to deny knowledge of the data to persons not in possession of the key.
"decryption" is the inverse process to encryption.
"plaintext" means the data in the form it was before encryption, or after decryption.
"ciphertext" means the data in its encrypted form.
"key", in relation to any electronic data, means any physical key, or any code, password, algorithm or other data the use of which (with or without other keys)

a "session key" is one specially created for the purpose of protecting a single (or at most a small limited number of) item(s) of data (for example, a single file or a single communication).
a "multi-use key" is one used to protect many items of data (including, for example, all the communications sent to a given person, only some of which may be the subject of Section 49 notices under the 2000 Act).

any

"symmetric key" means a key which can be used both to encrypt (or otherwise protect) data, and then to decrypt (or provide access to) it again (in typical usage, session keys are symmetric and passwords used to protect files are symmetric).
"asymmetric key pair" means a matching pair of keys, where one key is used to encrypt data, but only the other one is capable of decrypting it (the typical usage is for the decrypting key to be a secret known only to the recipient of the communications, but for the encrypting key to be publicly known so that anybody can encrypt messages for that recipient). One may speak of data being encrypted "with" the encryption key, or being encrypted "to" the decryption key. It is a common (but not invariable) practice for multi-use keys to be asymmetric.
"electronic signature" means anything in electronic form incorporated into or logically associated with any data by the signatory (or other source of the data) whose purpose is to facilitate the establishment of its authenticity, or integrity, or both. Note, in particular, that the data itself is unaffected by the signature, so that it may be read as easily as if the signature had not been present (this is the essential test of whether a key is being used for encryption or signature purposes).

I also use the term

"noticee" means the recipient of a Section 49 notice.

since it saves much verbiage in these remarks. I do not necessarily intend that it should be used in the Code, though that idea might nevertheless appeal to the drafters.

2 POWER TO REQUIRE DISCLOSURE

2.3 ... By way of illustration, this includes information which has been, or is likely to be:

...

or has, or is likely to, come lawfully into the possession of a public authority but not by use of their statutory functions.

It would be useful to give an example of non-statutory acquisition of protected information, such as where the information is voluntarily disclosed to the authorities by a member of the public, a "whistleblower", for example.

2.4 ... In such cases, it must be likely that encryption is being used to protect information.

Or that it is protected by a password.

2.5 Permission to serve a disclosure notice may not be given where any protected information has been obtained unlawfully by a public authority.

Change "where any" to "in respect of".

3 PERMISSION LEVELS

3.1 This section explains the level of permission needed to serve a section 47 notice.

Except that it omits many of the finer details, and this could lead to incorrect procedures being followed in the more obscure cases. Schedule 2 of the Act is extremely complicated, and is better explained diagrammatically in the form of a flowchart, such as that to by found at <http://www.cs.man.ac.uk/~chl/schedule1.html>. Please feel free to make any use you see fit of that chart (though its wording is not necessarily suited to the style of the Code, and would need a certain amount of Bowdlerization); but check it carefully first, because I suspect it contains at least one bug.

3.3 ... And, with certain exceptions, the general practice will be that permission to serve a notice should be given by the same person who authorised the use of the underlying power (where applicable).

Yes, that is a good overall picture, but there are exceptions. Consider, for example, the following:

Hazard is an officer of the Health and Safety Executive. He has a statutory right to inspect the records pertaining to some piece of machinery, but these records turn out to be protected (by password/encryption/whatever) so he needs permission to serve a Section 49 notice. He could always go to a Judge, but is there a simpler way? Looking at Schedule 2, clearly paragraphs 2 and 3 do not apply (he is relying on S49(1)(d)). Paragraph 4(1)(b) seems to apply. Paragraph 4(2) does not apply, because he is not a member of the police, or customs and excise, or Her Majesty's forces. Turn to paragraph 4(3). He does not have the appropriate permission unless he can satisfy paragraph 4(4), but if he can satisfy that paragraph, then he apparently has permission without further ado. He easily satisfies paragraph 4(4)(a) (or if not, then one of the other sub-paragraphs of 4(4). Therefore he can give himself permission without going to a Judge, of to a person of rank equivalent to Superintendent, or to anybody else. Is that really correct?

3.5 Firstly, by virtue of paragraph 1 of Schedule 2 to the 2000 Act, public authorities may always seek permission to serve a disclosure notice from: ... a Circuit judge ...

It would be worth pointing out that it is always in order to go to a judge, even though the option of going to the Secretary of State, or other appropriate warrant issuer, is also available.

3.8 Paragraph 2 to the 2000 Act describes other cases in which public authorities may obtain judicial permission to serve a disclosure notice.

In fact, this only applies to the police, and customs and excise.

Paragraphs 3.5-3.15 cover most of Schedule 2, but I see no mention of the cases to be covered by paragraph 4(4) of Schedule 2 (the case that Hazard slipped through above).

4 PROCESS OF GIVING PERMISSION

justification for why it is believed that imposing a disclosure requirement is necessary whether:

...
in the interests of the economic well-being of the United Kingdom; or

There are further limitations than that, contained if various other Acts and precedents. There were referred to by Ministers when the matter was raised in Parliament; specifically, it was said that "the interests of the economic well-being of the United Kingdom" in no way related to anything which could be considered as industrial espionage, but were intended to refer to acts of foreign powers, terrorists, etc. which threatened our economic well-being. These limitations should be codified at this point. Would the activities of the striking miners have come within this provision?

a consideration of the proportionality implications of imposing a disclosure requirement;

This needs considerable amplification, including an analysis of the disruption caused to the business of the noticee.

4.8 The requirements are that the person proposing to give a section 47 notice believes, on reasonable grounds, that:

the person on whom the notice is to be served has possession of a key to the relevant protected information;

That needs some amplification to cover the case where it may be necessary to bring together several part-keys before the protected information can be accessed or decrypted. The Code needs to state that normal practice should be to serve Section 49 notices on the holders of all those part-keys (or at least on a sufficient number of them) so that they can act in concert to deliver the plaintext, rather than being forced to disclose actual keys as implied by S50(3)(b).

The Minister mad an explicit promise that this matter would be covered. From Hansard on July 19th, Col 1052:

I hope that those arrangements would normally apply. But as I explained on Report, we cannot allow the recipient of a notice as of right to tell someone else about the Section 49 notice, whether to seek assistance or for some other reason. That is because the notice may contain a secrecy requirement. On the other hand, where there are no operational reasons for preventing that sort of disclosure, I agree that it should be allowed.

This afternoon I give an undertaking that we will expressly make that point in the code of practice."

likely to be of value in carrying out the statutory powers or duties of the public authority making the application;

The words "likely to be of value in" should now, of course, read "necessary for".

what is sought to be achieved by imposing a disclosure requirement is proportionate;

This needs amplification as before.

it is not reasonably practicable for the public authority concerned to obtain the plain text of the relevant protected information ...

"to access, or obtain the plaintext of, ..."

5 FORM OF NOTICES

5.2 The 2000 Act makes a number of stipulations about the form of a disclosure notice. By virtue of section 47(4) of the 2000 Act, all notices given by public authorities must: ...
b) describe the protected material to which the notice relates;

This needs considerable amplification. Exactly what is said depends on whether it is access to the data or decryption of the data that is at issue, and then on the particular method of protection or encryption that is (or is believed to be) being used. The code must make provision for additional, or more explicit, description to be provided if the noticee claims he has not been given sufficient information to comply. In particular, the following points must be covered:

The material must be narrowly described. If a particular, identifiable, file is required, the notice must not ask for access to the whole computer (even though that may turn out to be the only way the recipient can oblige). If the officer is in possession of a single encrypted message, he must identify it precisely (by time, date, sender, etc.) rather than asking for all messages received round about that time.
In the case where the key (or one of the applicable keys) can be identified from the protected information, the identity of the key must be given.
If all the necessary description cannot be included in the notice (for example, because it refers to messages "likely to be received", or the notice accompanies a warrant to seize the computer, or to seize identified information from it) arrangements to provide the full description at a later stage must be included.
In the usual case where the protected information is already (or is likely to become) in the possession of the noticee, there is little more to be said. However, if it is known, or if it turns out, that the noticee no longer has (or never had) the protected information in his possession, then arrangements should be made to provide him with access to it, or with a copy of it.
If it is considered inappropriate to provide the protected information to him for some reason, then he must be given sufficient information with which to identify all of the keys which might enable it to be decrypted (since the Act gives him an absolute right to use, or disclose, any of those keys at his choice). In particular, this means that if the protected information includes a session key encrypted with a multi-use key, then he must be given at least a copy of the encrypted session key, or whatever else is necessary for him to obtain the session key according to the particular encryption method used.
Whilst the Section 49 notice must itself always be given in writing, it should be regarded as acceptable and normal for further descriptive details that may be needed, or copies of the protected information where relevant, to be delivered electronically.

These points relate directly to promises made by the Minister. In Hansard (Col 1038) we find:

"I think that I understand the concern behind the first part of the amendment tabled by the noble Lord, Lord Lucas. He may be worried that persons could be forced to hand over a master key rather than, say, a session key because the authority serving the notice provided insufficient information. Clearly, a notice must contain enough detail to enable the person served with it to know exactly what is being asked of him or her. That is also in the authorities' best interests.
We are addressing that in the code of practice. We have already set out a first stab at what a disclosure notice might look like in the initial draft code that we published last week. As your Lordships will have seen, we suggest, for example, that the notice makes it clear that where the disclosure of keys is required, or where someone does not have the relevant plain text in their possession, they have the flexibility to disclose any key of their choosing that carries out the necessary decryption. To do that, they will clearly need to know to what information the notice relates. That is properly a matter best left for the code of practice."

And further on in Col 1039:

"When the noble Lord, Lord Phillips of Sudbury, moved a similar amendment on Report, he wondered whether someone served with a disclosure notice who was not in possession of the relevant protected information at that time could be penalised unjustly under the Part III powers. I think that he described it as the "Willie and Steve" scenario. The short answer is "No". We recognise that the recipient of a disclosure notice will not always have the relevant protected information in their possession. In the scenario painted so ably by the noble Lord, Lord Phillips, it is entirely possible that someone may have received a message, decrypted it and destroyed it. They cannot be penalised for that. By virtue of Clause 50, they may disclose a key. If the circumstances are right, it may be possible for them to be given the protected information.
As I said on Report, we do not believe it right to include a blanket provision that a person serving a notice must in all cases provide the recipient of a notice with all the relevant protected information that they do not possess. That would be the effect of the amendment. In some cases that will be appropriate, but in others it will not. The issue is best dealt with in the code of practice. As I said on Report, we shall take away the comments of your Lordships and other interested parties and try to reflect them in fleshing out the details of the code on this point."

I shall return to the exceptional circumstances in which it might be appropriate not to give the protected information to the noticee when I come to discuss Section 8 of the Code.

f) specify the time by which the notice is to be complied with;

The wording of the Act now requires that time to be "reasonable in all the circumstances". The Code therefore needs to give some guidance on this matter. I would suggest that an elapsed time of 24 hours should be the norm, measured from the time at which the noticee has been provided with all the information referred to above. That time may then be varied up or down if exceptional circumstances so require. Exceptional urgency in the need for the plaintext might be good grounds for a shorter (perhaps considerably shorter) time, but issues of proportionality would then arise. Particular difficulties encountered by the noticee in retrieving his copy of the key, or in accessing suitable equipment to derive the plaintext, or in making arrangements with other keyholders where several keys are needed in order to decrypt the data should be grounds for a longer period. It should be incumbent upon the officer issuing the notice to be aware of the circumstances in which the noticee will be operating, and to be prepared to listen to representations made by the noticee and if necessary to amend the notice accordingly.

g) describe what disclosure is required (i.e. the plain text of protected information or a key) or how that requirement is to be fulfilled (to whom is the required information to be disclosed).

It should also, at this point, summarise the safeguards established by the Act and by this Code regarding the safe storage of the disclosed material, and the limitations as to the purposes for which it may be used.

5.3 Where a relevant public authority has obtained a direction that a key rather than plain text - is required to be disclosed, the notice should make it clear, in accordance with section 48 of the 2000 Act, that the choice of which key to disclose (if there is more than one which can access the protected information or put it into an intelligible form), rests with the person on whom the notice is being served. For further information see Section 8 of this code (keys).

The wording used at this point should explicitly mention sessions keys and the likely benefit to the noticee of disclosing same, in those cases where the encryption system used so allows. Again, the explicit safeguards established by the Act and by this Code for the storage of disclosed keys should be summarised.

5.6 The Act also permits certain disclosures to be made where these are authorised by the person serving the notice or by the terms of the notice itself. For further information about this, see Section 6 of this code on Service on notices.

The notice should contain an explicit invitation to the noticee to seek permission if he feels that further people need to be told (for example, on the grounds that he needs their cooperation in order to comply).

6 SERVICE OF NOTICES

6.4 It is important, in these circumstances, to consider carefully who should receive a notice. The starting position, subject to any operational considerations, should be to choose the person best able to comply.

The Act goes into some detail as to who the notice should be served on in the case of a corporate body or a firm. It is necessary to identify some appropriate "senior officer", and the Code needs to set out some standard practices to be followed in this regard. Issues to be addressed include:

If the company operates on several sites, is it the most senior officer at the relevant site?
If the company is part of a conglomerate, is it a senior person of the company that is to be served, or is it a senior person of the parent company?
If the company is a multinational one, is the notice served on the most senior person in the UK, or on the most senior person worldwide?

6.7 The person giving the notice should, as far as practicable and necessary, take steps to explain to the recipient of the notice its contents and what is required to be done in pursuance of it. In particular, the person serving the notice should be prepared to explain:

...
any requirement to disclose a key (if appropriate) with clarification that the choice of which key to disclose is up to the recipient of the notice;

This should include explicit mention of sessions keys, as indicated earlier.

And finally, this section of the Code should include procedures to be followed when amending a notice (for example to add a requirement to disclose a key where previously only plaintext had been asked for). There should also be procedures to be followed when withdrawing a notice (with particular reference to when the underlying warrant is withdrawn).

7 EFFECT OF SERVING A NOTICE

This section should include some explanation of the procedures to be followed where it is known (or it turns out that) there are several keys held by several keyholders required to decrypt the data. Normal practice should be that they should be permitted to act together so as to disclose the plaintext, as discussed above.

8 KEYS

8.3 The Act imposes extra tests for demanding keys, over and above those for requiring the disclosure of plain text. Keys may only be required to be disclosed when the extra statutory requirements set out in section 49(2) of the Act, described in the following paragraph, have been fulfilled.

Since that was written, there are now extra requirements in the Act. Specifically, there are extra requirements in the case of multi-use keys, and there is requirement to inform the Surveillance Commissioner (though why it is the Surveillance Commissioner and not the Interception Commissioner is entirely unclear). In particular, the Minister agreed that notification to the Commissioner should take place as soon as possible (and normally well within the statutory 7 days). See Hansard for July 19th Col 1053:

"Having said that, we shall ensure that the code of practice should encourage best practice in terms of immediate notification, or something similar."

8.5 Circumstances will vary from case to case. But by way of illustration, consideration may be given to seeking permission to require the disclosure of a key where:

No, that is not good enough. Ministers have given explicit promises on several occasions that the circumstances in which this power would be used would be set our explicitly in the Code of Practice. To give examples "by way of illustration" comes nowhere near fulfilling those promises. Businesses who are concerned about this power (as many are) need to be able to arrange their affairs so that compromise of their valuable multi-use keys can be avoided, and for this there need to be hard and fast rules. Only two grounds for using this power have ever been mentioned, and Lord Bassam has said (Col 1057):

"Earlier the noble Lord, Lord Lucas, referred to the matters of trust and timeliness. I readily confirm that those are precisely the values which we seek. We see no reason why anything else should be the case."

In actual fact, there are currently four situations in which a key (perhaps even a multi-use key) could be forced out of an unwilling noticee:

trust is an issue - where there is doubt about the bona fides of the person or organisation being asked to comply with a disclosure requirement e.g. the person or organisation concerned is suspected of involvement in criminality; (it should be noted, however, that with all the commonly used encryption systems, disclosure of a session key would provide absolute proof of the correctness, or otherwise, of the plaintext).

timeliness is an issue - if a person or organisation has the key to protected information but cannot, for whatever reason, carry out the necessary decryption and provide the relevant plain text quickly enough in time critical situations (and where the relevant authority can),

However, the Code should require that this power is not invoked unless it is known for certain that the noticee could not provide plaintext within the required tight timescale (it is not the officer's function to second-guess what facilities the noticee might be able to put in place). Moreover, since the noticee has an absolute right to choose to disclose a session key, and since the time taken to extract the session key from the protected information is essentially the same as the time taken to extract the plaintext, it is hard to see any circumstance in which this power would be used in practice.

The noticee no longer has (or never had) the protected information, and the officer declines to let him have a copy. He is thereby forced to disclose a key instead (S50(3)(b)). Two circumstances were mentioned where declining the copy might be justified:

(b) The noticee was himself suspected of criminality; it is even harder to imagine how or why this could apply - it requires a scenario wherein the suspect is entitled to see the information (as in case (a)) but has not seen it yet nor is likely to (but why ever not?) and the authorities, who do not yet know what it contains, believe his criminal purposes would be furthered if he did see it.

Several keys, in the possession of several keyholders, are required to decrypt the data, but there are grounds for including a secrecy clause in the notice to prevent "tipping off" one of them (hence S50(3)(b) comes into play).

Again, the Code must spell out very precise rules at this point regarding the manner in which this power is exercised.

It is to be noted that cases 3 and 4 above are covered directly by S50(3), and therefore fail to come under the safeguards provided by S51 (this situation is known as "Lord Lucas's lacuna"). Nevertheless, in order to fulfil the promises made by Ministers on many occasions that keys would only be demanded in rare and special circumstances, with special safeguards, the Code of Practice should require those safeguards to be applied equally in all four cases. I.e. declining to provide the protected information, or placing a tipping off constraint on a keyholder should require it to be shown that the purposes of the notice would be defeated without those extra constraints, and that they were proportionate having regard, in particular, to other data protected by any multi-key, and the effects on the noticee's business. Moreover, the appropriate Commissioner should be informed.

8.8 By virtue of section 48 of the Act, where a direction has been given to require that a key be disclosed, the recipient of the notice may choose which key or keys to disclose (if there is more than one which can carry out the required decryption).

Again, there should be explicit mention of session keys at this point.

8.10 But where there are reasonable grounds to believe that a key has been used for electronic signature and, additionally, confidentiality purposes, that key may be required to be disclosed under the terms of the 2000 Act.

But how far back can "has been used" go? 15 years? There is nothing in the Act to prevent that, but it would clearly be inappropriate in view of the common usage of dual-purpose keys in systems deployed before the Act (such usage can now be expected to diminish, and it is no longer regarded as good practice, but that is no comfort to those who already use such keys).

On the other hand, it would be difficult to specify that such keys should not have been used for both purposes during the currency of the investigations which gave rise to the notice. In resisting an amendment to that effect, the Minister pointed out that the investigations might have been in progress for as much as six months. In view of this, I therefore propose that the Code should stipulate that keys regularly used for electronic signatures should not be demanded in Section 49 notices unless they had also been used also for confidentiality purposes during the preceding 12 months. That should give plenty of leeway, and it would give a clear indication to those who already have such keys as to the steps they should take to avoid the potential problem.

9 SECRECY REQUIREMENT AND "TIPPING OFF"

9.2 Section 52 of the 2000 Act creates an offence where the recipient of a disclosure notice which explicitly contains a secrecy requirement, or a person who becomes aware of it, "tips off" or discloses to another that a notice has been served, or reveals its contents or the things done in pursuance of it. The provision is designed to preserve but only where necessary - the covert nature of an investigation and to deter deliberate and intentional behaviour designed to frustrate statutory procedures and assist others to evade detection. There is a similar offence for unauthorised disclosures in Part I of the 2000 Act (section 18).

The words "deliberate and intentional behaviour" are crucial there. They need amplification by stating that neither public revocation of a key (provided no reason is given) and lack of behaviour (e.g. by failing to deny that a notice has been served) do not amount to such "deliberate and intentional behaviour". To add this explicitly to the Code would be in line with several Home Office pronouncements to this effect.

If, for some reason, the noticee is to be required to take special or unusual measures to keep the existence and contents of the notice secret, and if such measures will involve him in additional expense, then the notice must stipulate those measures in detail, and he should be reimbursed for the costs incurred.

9.5 Disclosure notices served by public authorities other than those specifically named in the preceding paragraph may not include a secrecy requirement.

For the removal of all doubt, it would be useful to give examples of the excluded bodies here.

9.7 ... . This is because interception is necessarily secret, as the provisions of Part I of the 2000 Act confirm. But in a case where a computer containing protected material is seized during a search warranted under the Police and Criminal Evidence Act 1984, a secrecy requirement may not be justified since the search will have been overt.

"would not be justified" would convey the intended meaning better.

9.8 As described in Sections 5 and 6 of this code, the fact that a disclosure notice contains a secrecy requirement should be made clear to the recipient of that notice.

Moreover, the noticee should be explicitly invited to request permission to tell additional people (perhaps including reference to 9.17 and 9.18 of the Code).

9.14 Section 52(6) of the 2000 Act provides a statutory defence to ensure that persons may approach a legal professional for advice about the effect of the Part III provisions, and that advice may in turn be given, without either party being guilty of "tipping off". There is a further statutory defence in section 52(7) where a disclosure was made by a lawyer in connection with legal proceedings.

Mention should also be made that it is always lawful to tell the appropriate Commissioner.

10 RECEIPT OF INFORMATION

10.1 This section concerns the practice for receiving the information required to be disclosed under a section 47 notice.

However, the section is written almost entirely with reference to the handing over of keys. It needs considerably rewriting to ensure that it covers, equally well, the handing over of plaintext (which will be the common case, anyway).

Moreover, it speaks of handling certain information as SECRET without recognising that there are two entirely separate reasons for using that classification:

To protect the valuable property of the noticee, particularly his multi-use key whose compromise could ruin his entire business (recall that the noticee will most often be an innocent party so far as the investigation is concerned). The Home Office gave an undertaking, even before the Bill was considered by Parliament, that seized keys would be treated to the level of SECRET for this reason alone (since the authorities have no way of knowing the value of the key to the noticee, they must always proceed on the assumption that its value is arbitrarily large). Moreover, the importance of protecting the noticee's valuable property is also now explicitly recognised in the Act.
To hide from public view the investigatory techniques that are being used, particularly in the case where communications have been intercepted under warrant.

It would seem that those who drafted this code had purpose number 2 in mind rather more than purpose number 1, resulting in various anomalies; notably that the level of protection given under purpose 1 seems to vary according to whether purpose 2 applies as well, which is patently ridiculous. The noticee wants his keys protected to the highest standard whether or not the authorities also have their own secrecy needs. It will take rather a substantial rewrite to correct this state of affairs.

10.3 In circumstances in which a disclosure requirement for a key is necessary in support of a statutory power to intercept communications, then that key will be handled as SECRET⁶ information from its handover to the person giving the notice or its transmission to any processing facility and during processing and storage within any processing facility. Once the handover has taken place, it shall be the duty of the person serving the notice or the official in charge of any processing facility to ensure physical or electronic transmission appropriate to SECRET material.

This is the first example of the anomaly. Keeping the key SECRET is only one among many things that the authorities might like to be kept SECRET (such as the fact that the key has been seized at all). But to the noticee, it is of primary concern.

On the other hand, considering the noticee's position only, the Code has made a huge and unnecessary overkill. Granted that a multi-use key, which could decrypt a substantial part of the communications delivered to a company by all sorts of people unconnected with the investigation, is an exceedingly valuable commodity from the point of view of that company (and hence worthy of protection to the demands of SECRET) it should be realised that such keys will rarely (indeed probably never) be handed over in practice. What will be handed over will be session keys and, since these protect only a single communication, their value is much less.

Therefore, much trouble and expense would be saved within GTAC if the Code were to specify that only multi-use keys needed to be handled as SECRET, and that session keys could be handled according to a lower level of confidentiality. Indeed, since session keys and plaintext are more or less interchangeable; session keys should be protected to exactly the same level as plaintext, whatever level that might turn out to be.

Moreover, the footnote

⁶ Defined as: "The compromise of this information or material would be likely: to raise international tension; to damage seriously relations with friendly governments; to threaten life directly, or seriously prejudice public order, or individual security or liberty; to cause serious damage to the operational effectiveness of security of UK or allied forces or the continuing effectiveness of highly valuable security or intelligence operations; to cause substantial material damage to national finances or economic and commercial interests."

gives entirely the wrong impression since it relates entirely to purpose 2. The compromise of valuable company multi-use keys is unlikely to raise international tension or to damage relations with friendly governments. The reason why they need to be treated as SECRET arises from purpose 1 and it would be better to make that explicit, either in this footnote ot elsewhere.

On the other hand, the Code distinguishes some apparently "lesser" cases where the key is disclosed in support of some statutory power other than warranted interception (10.5), so that purpose 2 does not apply. This leads to the reverse case of the anomaly, allowing keys disclosed in the lesser cases not to be protected so carefully, which is absurd.

11 SAFEGUARDS

11.1 This section concerns the arrangements for safeguarding information obtained under Part III of the 2000 Act. The statutory requirements are set out in section 53 to the Act.

Again, this section places undue emphasis on safeguards with respect to keys, and again it needs to be rewritten to make it clear how seized plaintext (and the equivalent session keys) are to be handled.

11.2 All keys to protected information obtained under a disclosure notice must be handled in accordance with approved safeguards. These may vary for different agencies and/or different classes of disclosure but must accord with the general principles set out in this code.

Again, this seems much weaker that is proposed in 10.3 and exhibits the same anomaly. And why should protection afforded to a key depend on the "agency". Is it not the case that only GTAC may receive and hold seized keys (at least multi-use keys - session keys do not matter so much).

11.5 If discrete parts of the protected information itself can be identified as subject to privilege or special procedure material, that information should be deleted. However this may not take place if such an action carries the risk of damaging the remainder of the information or the evidential status of such information.

It would be useful to point out, in particular, that this might apply where there was an electronic signature covering the whole of the material.

11.6 The number of persons to whom any key, the detail of any key or the fact of possession of a key is disclosed, and the extent of disclosure, must be limited to the minimum that is necessary to allow protected information to be made intelligible. This obligation applies equally to disclosure to additional persons within an agency, to disclosure outside the agency and to any data processing facility.

There is absolutely no reason why anyone outside of GTAC (or indeed more than a very small group of persons within GTAC) should ever need to be provided with the seized key (I speak here primarily of multi-use keys). Rather, other agencies who have legitimate need for the plaintext should apply to GTAC to have it decrypted within GTAC (or, equivalently, to have a session key obtained) and then only the plaintext (or session key) should be delivered to those agencies. It is always safer to take the data to the key than to bring the key to the data, and the Code should make it absolutely clear that this is the procedure to be followed.

11.8 In the case of keys required to make intelligible protected information other than incept material, neither the key, the detail of any key nor the fact of possession of a key may be disclosed to any person unless that person's duties are such that he/she needs to know the information to process the protected information or to conduct a criminal prosecution.

Again, the absence of purpose 2 is being used to weaken compliance with the needs of purpose 1. There should be absolutely no difference in the way in which keys are handled in the two cases.

11.10 The number of copies made of any key or the detail of any key must be limited to the minimum that is necessary to allow protected information to be made intelligible. A record must be maintained of any copy made. Where protected information is put in an intelligible form using a disclosed key, and that intelligible information is used in criminal proceedings copies of the key will be required for evidential or disclosure purposes.

Note that intercepted material will never be needed for evidential purposes. In the case of other material, it will be sufficient (with all commonly used encryption systems) for the expert witness who is to testify to be provided with the protected information and the session key. Thus no cause to move copies of any multi-use key outside of GTAC should ever arise.

11.13 In the circumstances in which a disclosure requirement for a key is necessary in relation to protected information other than intercept material, it shall be the duty of the person serving the notice to protect the material from unauthorised disclosure. While a key disclosed for such purposes will normally be unclassified, the person serving the notice may require that any key handed over shall be handled at a higher level of security if this is necessary in the particular circumstances of the case.

Again, this exhibits the same anomaly. The person serving the notice is not in a position to make this judgement because he will not be aware of all the circumstances that will be known to the noticee (and, generally speaking, he has no authority to pry into the noticee's business in order to find out).

12 OVERSIGHT

12.9 The 2000 Act adds to the remit of the Chief Surveillance Commissioner established under the Police Act 1997 the following functions as regards Part III of the Act (so far as these are not the responsibility of the Commissioners listed above): ...

the adequacy of the safeguards arrangements for protecting keys so far as these are not the responsibility of one of the other Commissioners.

I am not aware of any circumstance where one of the other Commissioners would not have responsibility for this. If there is such an example, it should be mentioned here.

Moreover, there is now a further situation where the Surveillance Commissioner has responsibilities under PART III, namely he is to be informed whenever a demand for actual keys is included in a notice. I am still curious to know why the Surveillance Commissioner was singled out for this role, when the Interception Commissioner would have been the obvious choice (and, moreover, the one more likely to have acquired some expertise in this area).

Appendices 1 and 2

These need bringing into line with the various suggestion I have made elsewhere in this document.