The difficulty is that the very same technologies, which are good for business and individual privacy, also present new opportunities for criminals.

This wording gives the mistaken impression that all three present "new opportunities for criminals", whereas in fact it is only the latter.
1.1 This code of practice provides guidance for public authorities on use of the powers concerning the investigation of electronic data protected by encryption provided for under Part III of the Regulation of Investigatory Powers Act 2000 ("the 2000 Act").

But it does more than that. The Act routinely makes a distinction (e.g. in S50(1)(a)) between "obtaining access" to the protected information and "putting it into intelligible form". The former applies where unencrypted data is protected from access by a password (whether applicable to a specific file, or to the whole computer containing the file); the latter applies where genuinely encrypted data needs to be decrypted in order to make it intelligible. The Draft Code currently speaks entirely to the second case; it needs to be written to cover them both equally, especially as the procedures to be adopted in dealing with them may well differ. (Of course, it may sometimes happen that data is both password-protected and encrypted, in which case there will presumably be two keys needed.)
1.3 A copy of this code should be readily available ... . It should also be available where people are detained in custody.

That seems to imply a copy in every Police Station, which would be overkill. Surely it would suffice for one to be available before a person in custody was interrogated concerning relevant matters. One presumes that these investigations will generally be conducted by officers specialising in this area, and such officers will not be found in every Police Station.
1.5 Part III of the 2000 Act establishes a power to require any person served with an appropriate notice to disclose protected (e.g. encrypted) information in an intelligible form ("plain text").

It is customary to spell "plaintext" as one word.
This is a typical example where the Draft Code ignores the equally important provisions for gaining access to (unencrypted) information. That information is already in intelligible form. The problem is that you cannot get at it.
There are extra requirements where a decryption key rather than plain text is desired. The 2000 Act sets out statutory safeguards for the protection of all information obtained under the Part III power.

Actually this is not so. Due to a lacuna in the Act it is possible to demand a key without satisfying these extra requirements. It is suggested that this Code should nevertheless insist on those requirements in all such cases. Moreover, the Draft Code is lacking in its coverage of some of the statutory safeguards, notably in the case where plaintext rather than keys has been obtained.
2.3 ... By way of illustration, this includes information which has been, or is likely to be:
- ...
- or has, or is likely to, come lawfully into the possession of a public authority but not by use of their statutory functions.

It would be useful to give an example of non-statutory acquisition of protected information, such as where the information is voluntarily disclosed to the authorities by a member of the public, a "whistleblower", for example.
2.4 ... In such cases, it must be likely that encryption is being used to protect information.

Or that it is protected by a password.
2.5 Permission to serve a disclosure notice may not be given where any protected information has been obtained unlawfully by a public authority.

Change "where any" to "in respect of".
3.1 This section explains the level of permission needed to serve a section 47 notice.

Except that it omits many of the finer details, and this could lead to incorrect procedures being followed in the more obscure cases. Schedule 2 of the Act is extremely complicated, and is better explained diagrammatically in the form of a flowchart, such as that to be found at <http://www.cs.man.ac.uk/~chl/schedule1.html>. Please feel free to make any use you see fit of that chart (though its wording is not necessarily suited to the style of the Code, and would need a certain amount of Bowdlerization); but check it carefully first, because I suspect it contains at least one bug.
3.3 ... And, with certain exceptions, the general practice will be that permission to serve a notice should be given by the same person who authorised the use of the underlying power (where applicable).

Yes, that is a good overall picture, but there are exceptions. Consider, for example, the following:
Hazard is an officer of the Health and Safety Executive. He has a statutory right to inspect the records pertaining to some piece of machinery, but these records turn out to be protected (by password/encryption/whatever) so he needs permission to serve a Section 49 notice. He could always go to a Judge, but is there a simpler way? Looking at Schedule 2, clearly paragraphs 2 and 3 do not apply (he is relying on S49(1)(d)). Paragraph 4(1)(b) seems to apply. Paragraph 4(2) does not apply, because he is not a member of the police, or customs and excise, or Her Majesty's forces. Turn to paragraph 4(3). He does not have the appropriate permission unless he can satisfy paragraph 4(4), but if he can satisfy that paragraph, then he apparently has permission without further ado. He easily satisfies paragraph 4(4)(a) (or if not, then one of the other sub-paragraphs of 4(4)). Therefore he can give himself permission without going to a Judge, or to a person of rank equivalent to Superintendent, or to anybody else. Is that really correct?
3.5 Firstly, by virtue of paragraph 1 of Schedule 2 to the 2000 Act, public authorities may always seek permission to serve a disclosure notice from: ... a Circuit judge ...

It would be worth pointing out that it is always in order to go to a judge, even though the option of going to the Secretary of State, or other appropriate warrant issuer, is also available.
3.8 Paragraph 2 to the 2000 Act describes other cases in which public authorities may obtain judicial permission to serve a disclosure notice.

In fact, this only applies to the police, and customs and excise.
Paragraphs 3.5-3.15 cover most of Schedule 2, but I see no mention of the cases to be covered by paragraph 4(4) of Schedule 2 (the case that Hazard slipped through above).
4.8 The requirements are that the person proposing to give a section 47 notice believes, on reasonable grounds, that:
- the person on whom the notice is to be served has possession of a key to the relevant protected information;

That needs some amplification to cover the case where it may be necessary to bring together several part-keys before the protected information can be accessed or decrypted. The Code needs to state that normal practice should be to serve Section 49 notices on the holders of all those part-keys (or at least on a sufficient number of them) so that they can act in concert to deliver the plaintext, rather than being forced to disclose actual keys as implied by S50(3)(b).
The Minister made an explicit promise that this matter would be covered. From Hansard on July 19th, Col 1052:
"I hope that those arrangements would normally apply. But as I explained on Report, we cannot allow the recipient of a notice as of right to tell someone else about the Section 49 notice, whether to seek assistance or for some other reason. That is because the notice may contain a secrecy requirement. On the other hand, where there are no operational reasons for preventing that sort of disclosure, I agree that it should be allowed. This afternoon I give an undertaking that we will expressly make that point in the code of practice."
5.2 The 2000 Act makes a number of stipulations about the form of a disclosure notice. By virtue of section 47(4) of the 2000 Act, all notices given by public authorities must: ...

This needs considerable amplification. Exactly what is said depends on whether it is access to the data or decryption of the data that is at issue, and then on the particular method of protection or encryption that is (or is believed to be) being used. The Code must make provision for additional, or more explicit, description to be provided if the noticee claims he has not been given sufficient information to comply. In particular, the following points must be covered:

b) describe the protected material to which the notice relates;
"I think that I understand the concern behind the first part of the amendment tabled by the noble Lord, Lord Lucas. He may be worried that persons could be forced to hand over a master key rather than, say, a session key because the authority serving the notice provided insufficient information. Clearly, a notice must contain enough detail to enable the person served with it to know exactly what is being asked of him or her. That is also in the authorities' best interests."

And further on in Col 1039:

"We are addressing that in the code of practice. We have already set out a first stab at what a disclosure notice might look like in the initial draft code that we published last week. As your Lordships will have seen, we suggest, for example, that the notice makes it clear that where the disclosure of keys is required, or where someone does not have the relevant plain text in their possession, they have the flexibility to disclose any key of their choosing that carries out the necessary decryption. To do that, they will clearly need to know to what information the notice relates. That is properly a matter best left for the code of practice."
"When the noble Lord, Lord Phillips of Sudbury, moved a similar amendment on Report, he wondered whether someone served with a disclosure notice who was not in possession of the relevant protected information at that time could be penalised unjustly under the Part III powers. I think that he described it as the "Willie and Steve" scenario. The short answer is "No". We recognise that the recipient of a disclosure notice will not always have the relevant protected information in their possession. In the scenario painted so ably by the noble Lord, Lord Phillips, it is entirely possible that someone may have received a message, decrypted it and destroyed it. They cannot be penalised for that. By virtue of Clause 50, they may disclose a key. If the circumstances are right, it may be possible for them to be given the protected information.

I shall return to the exceptional circumstances in which it might be appropriate not to give the protected information to the noticee when I come to discuss Section 8 of the Code.

As I said on Report, we do not believe it right to include a blanket provision that a person serving a notice must in all cases provide the recipient of a notice with all the relevant protected information that they do not possess. That would be the effect of the amendment. In some cases that will be appropriate, but in others it will not. The issue is best dealt with in the code of practice. As I said on Report, we shall take away the comments of your Lordships and other interested parties and try to reflect them in fleshing out the details of the code on this point."
f) specify the time by which the notice is to be complied with;

The wording of the Act now requires that time to be "reasonable in all the circumstances". The Code therefore needs to give some guidance on this matter. I would suggest that an elapsed time of 24 hours should be the norm, measured from the time at which the noticee has been provided with all the information referred to above. That time may then be varied up or down if exceptional circumstances so require. Exceptional urgency in the need for the plaintext might be good grounds for a shorter (perhaps considerably shorter) time, but issues of proportionality would then arise. Particular difficulties encountered by the noticee in retrieving his copy of the key, or in accessing suitable equipment to derive the plaintext, or in making arrangements with other keyholders where several keys are needed in order to decrypt the data should be grounds for a longer period. It should be incumbent upon the officer issuing the notice to be aware of the circumstances in which the noticee will be operating, and to be prepared to listen to representations made by the noticee and if necessary to amend the notice accordingly.
g) describe what disclosure is required (i.e. the plain text of protected information or a key) or how that requirement is to be fulfilled (to whom is the required information to be disclosed).

It should also, at this point, summarise the safeguards established by the Act and by this Code regarding the safe storage of the disclosed material, and the limitations as to the purposes for which it may be used.
5.3 Where a relevant public authority has obtained a direction that a key - rather than plain text - is required to be disclosed, the notice should make it clear, in accordance with section 48 of the 2000 Act, that the choice of which key to disclose (if there is more than one which can access the protected information or put it into an intelligible form), rests with the person on whom the notice is being served. For further information see Section 8 of this code (keys).

The wording used at this point should explicitly mention session keys and the likely benefit to the noticee of disclosing same, in those cases where the encryption system used so allows. Again, the explicit safeguards established by the Act and by this Code for the storage of disclosed keys should be summarised.
5.6 The Act also permits certain disclosures to be made where these are authorised by the person serving the notice or by the terms of the notice itself. For further information about this, see Section 6 of this code on Service on notices.

The notice should contain an explicit invitation to the noticee to seek permission if he feels that further people need to be told (for example, on the grounds that he needs their cooperation in order to comply).
6.4 It is important, in these circumstances, to consider carefully who should receive a notice. The starting position, subject to any operational considerations, should be to choose the person best able to comply.

The Act goes into some detail as to who the notice should be served on in the case of a corporate body or a firm. It is necessary to identify some appropriate "senior officer", and the Code needs to set out some standard practices to be followed in this regard. Issues to be addressed include:
And finally, this section of the Code should include procedures to be followed when amending a notice (for example to add a requirement to disclose a key where previously only plaintext had been asked for). There should also be procedures to be followed when withdrawing a notice (with particular reference to when the underlying warrant is withdrawn).
8.3 The Act imposes extra tests for demanding keys, over and above those for requiring the disclosure of plain text. Keys may only be required to be disclosed when the extra statutory requirements set out in section 49(2) of the Act, described in the following paragraph, have been fulfilled.

Since that was written, there are now extra requirements in the Act. Specifically, there are extra requirements in the case of multi-use keys, and there is a requirement to inform the Surveillance Commissioner (though why it is the Surveillance Commissioner and not the Interception Commissioner is entirely unclear). In particular, the Minister agreed that notification to the Commissioner should take place as soon as possible (and normally well within the statutory 7 days). See Hansard for July 19th Col 1053:
"Having said that, we shall ensure that the code of practice should encourage best practice in terms of immediate notification, or something similar."
8.5 Circumstances will vary from case to case. But by way of illustration, consideration may be given to seeking permission to require the disclosure of a key where:

No, that is not good enough. Ministers have given explicit promises on several occasions that the circumstances in which this power would be used would be set out explicitly in the Code of Practice. To give examples "by way of illustration" comes nowhere near fulfilling those promises. Businesses who are concerned about this power (as many are) need to be able to arrange their affairs so that compromise of their valuable multi-use keys can be avoided, and for this there need to be hard and fast rules. Only two grounds for using this power have ever been mentioned, and Lord Bassam has said (Col 1057):
"Earlier the noble Lord, Lord Lucas, referred to the matters of trust and timeliness. I readily confirm that those are precisely the values which we seek. We see no reason why anything else should be the case."

In actual fact, there are currently four situations in which a key (perhaps even a multi-use key) could be forced out of an unwilling noticee:
However, the Code should require that this power is not invoked unless it is known for certain that the noticee could not provide plaintext within the required tight timescale (it is not the officer's function to second-guess what facilities the noticee might be able to put in place). Moreover, since the noticee has an absolute right to choose to disclose a session key, and since the time taken to extract the session key from the protected information is essentially the same as the time taken to extract the plaintext, it is hard to see any circumstance in which this power would be used in practice.
(b) The noticee was himself suspected of criminality; it is even harder to imagine how or why this could apply - it requires a scenario wherein the suspect is entitled to see the information (as in case (a)) but has not seen it yet nor is likely to (but why ever not?) and the authorities, who do not yet know what it contains, believe his criminal purposes would be furthered if he did see it.
Again, the Code must spell out very precise rules at this point regarding the manner in which this power is exercised.
8.8 By virtue of section 48 of the Act, where a direction has been given to require that a key be disclosed, the recipient of the notice may choose which key or keys to disclose (if there is more than one which can carry out the required decryption).

Again, there should be explicit mention of session keys at this point.
8.10 But where there are reasonable grounds to believe that a key has been used for electronic signature and, additionally, confidentiality purposes, that key may be required to be disclosed under the terms of the 2000 Act.

But how far back can "has been used" go? 15 years? There is nothing in the Act to prevent that, but it would clearly be inappropriate in view of the common usage of dual-purpose keys in systems deployed before the Act (such usage can now be expected to diminish, and it is no longer regarded as good practice, but that is no comfort to those who already use such keys).
On the other hand, it would be difficult to specify that such keys should not have been used for both purposes during the currency of the investigations which gave rise to the notice. In resisting an amendment to that effect, the Minister pointed out that the investigations might have been in progress for as much as six months. In view of this, I therefore propose that the Code should stipulate that keys regularly used for electronic signatures should not be demanded in Section 49 notices unless they had also been used for confidentiality purposes during the preceding 12 months. That should give plenty of leeway, and it would give a clear indication to those who already have such keys as to the steps they should take to avoid the potential problem.
9.2 Section 52 of the 2000 Act creates an offence where the recipient of a disclosure notice which explicitly contains a secrecy requirement, or a person who becomes aware of it, "tips off" or discloses to another that a notice has been served, or reveals its contents or the things done in pursuance of it. The provision is designed to preserve - but only where necessary - the covert nature of an investigation and to deter deliberate and intentional behaviour designed to frustrate statutory procedures and assist others to evade detection. There is a similar offence for unauthorised disclosures in Part I of the 2000 Act (section 18).

The words "deliberate and intentional behaviour" are crucial there. They need amplification by stating that neither public revocation of a key (provided no reason is given) nor mere inaction (e.g. failing to deny that a notice has been served) amounts to such "deliberate and intentional behaviour". To add this explicitly to the Code would be in line with several Home Office pronouncements to this effect.
If, for some reason, the noticee is to be required to take special or unusual measures to keep the existence and contents of the notice secret, and if such measures will involve him in additional expense, then the notice must stipulate those measures in detail, and he should be reimbursed for the costs incurred.
9.5 Disclosure notices served by public authorities other than those specifically named in the preceding paragraph may not include a secrecy requirement.

For the removal of all doubt, it would be useful to give examples of the excluded bodies here.
9.7 ... . This is because interception is necessarily secret, as the provisions of Part I of the 2000 Act confirm. But in a case where a computer containing protected material is seized during a search warranted under the Police and Criminal Evidence Act 1984, a secrecy requirement may not be justified since the search will have been overt.

"would not be justified" would convey the intended meaning better.
9.8 As described in Sections 5 and 6 of this code, the fact that a disclosure notice contains a secrecy requirement should be made clear to the recipient of that notice.

Moreover, the noticee should be explicitly invited to request permission to tell additional people (perhaps including reference to 9.17 and 9.18 of the Code).
9.14 Section 52(6) of the 2000 Act provides a statutory defence to ensure that persons may approach a legal professional for advice about the effect of the Part III provisions, and that advice may in turn be given, without either party being guilty of "tipping off". There is a further statutory defence in section 52(7) where a disclosure was made by a lawyer in connection with legal proceedings.

Mention should also be made that it is always lawful to tell the appropriate Commissioner.
10.1 This section concerns the practice for receiving the information required to be disclosed under a section 47 notice.

However, the section is written almost entirely with reference to the handing over of keys. It needs considerable rewriting to ensure that it covers, equally well, the handing over of plaintext (which will be the common case, anyway).
Moreover, it speaks of handling certain information as SECRET without recognising that there are two entirely separate reasons for using that classification:
10.3 In circumstances in which a disclosure requirement for a key is necessary in support of a statutory power to intercept communications, then that key will be handled as SECRET [6] information from its handover to the person giving the notice or its transmission to any processing facility and during processing and storage within any processing facility. Once the handover has taken place, it shall be the duty of the person serving the notice or the official in charge of any processing facility to ensure physical or electronic transmission appropriate to SECRET material.

This is the first example of the anomaly. Keeping the key SECRET is only one among many things that the authorities might like to be kept SECRET (such as the fact that the key has been seized at all). But to the noticee, it is of primary concern.
On the other hand, considering the noticee's position only, the Code has made a huge and unnecessary overkill. Granted that a multi-use key, which could decrypt a substantial part of the communications delivered to a company by all sorts of people unconnected with the investigation, is an exceedingly valuable commodity from the point of view of that company (and hence worthy of protection to the demands of SECRET) it should be realised that such keys will rarely (indeed probably never) be handed over in practice. What will be handed over will be session keys and, since these protect only a single communication, their value is much less.
Therefore, much trouble and expense would be saved within GTAC if the Code were to specify that only multi-use keys needed to be handled as SECRET, and that session keys could be handled according to a lower level of confidentiality. Indeed, since session keys and plaintext are more or less interchangeable, session keys should be protected to exactly the same level as plaintext, whatever level that might turn out to be.
Moreover, the footnote:

[6] Defined as: "The compromise of this information or material would be likely: to raise international tension; to damage seriously relations with friendly governments; to threaten life directly, or seriously prejudice public order, or individual security or liberty; to cause serious damage to the operational effectiveness of security of UK or allied forces or the continuing effectiveness of highly valuable security or intelligence operations; to cause substantial material damage to national finances or economic and commercial interests."

gives entirely the wrong impression since it relates entirely to purpose 2. The compromise of valuable company multi-use keys is unlikely to raise international tension or to damage relations with friendly governments. The reason why they need to be treated as SECRET arises from purpose 1 and it would be better to make that explicit, either in this footnote or elsewhere.
On the other hand, the Code distinguishes some apparently "lesser" cases where the key is disclosed in support of some statutory power other than warranted interception (10.5), so that purpose 2 does not apply. This leads to the reverse case of the anomaly, allowing keys disclosed in the lesser cases not to be protected so carefully, which is absurd.
11.1 This section concerns the arrangements for safeguarding information obtained under Part III of the 2000 Act. The statutory requirements are set out in section 53 to the Act.

Again, this section places undue emphasis on safeguards with respect to keys, and again it needs to be rewritten to make it clear how seized plaintext (and the equivalent session keys) are to be handled.
11.2 All keys to protected information obtained under a disclosure notice must be handled in accordance with approved safeguards. These may vary for different agencies and/or different classes of disclosure but must accord with the general principles set out in this code.

Again, this seems much weaker than what is proposed in 10.3 and exhibits the same anomaly. And why should the protection afforded to a key depend on the "agency"? Is it not the case that only GTAC may receive and hold seized keys (at least multi-use keys - session keys do not matter so much)?
11.5 If discrete parts of the protected information itself can be identified as subject to privilege or special procedure material, that information should be deleted. However this may not take place if such an action carries the risk of damaging the remainder of the information or the evidential status of such information.

It would be useful to point out, in particular, that this might apply where there was an electronic signature covering the whole of the material.
11.6 The number of persons to whom any key, the detail of any key or the fact of possession of a key is disclosed, and the extent of disclosure, must be limited to the minimum that is necessary to allow protected information to be made intelligible. This obligation applies equally to disclosure to additional persons within an agency, to disclosure outside the agency and to any data processing facility.

There is absolutely no reason why anyone outside of GTAC (or indeed more than a very small group of persons within GTAC) should ever need to be provided with the seized key (I speak here primarily of multi-use keys). Rather, other agencies who have legitimate need for the plaintext should apply to GTAC to have it decrypted within GTAC (or, equivalently, to have a session key obtained) and then only the plaintext (or session key) should be delivered to those agencies. It is always safer to take the data to the key than to bring the key to the data, and the Code should make it absolutely clear that this is the procedure to be followed.
11.8 In the case of keys required to make intelligible protected information other than intercept material, neither the key, the detail of any key nor the fact of possession of a key may be disclosed to any person unless that person's duties are such that he/she needs to know the information to process the protected information or to conduct a criminal prosecution.

Again, the absence of purpose 2 is being used to weaken compliance with the needs of purpose 1. There should be absolutely no difference in the way in which keys are handled in the two cases.
11.10 The number of copies made of any key or the detail of any key must be limited to the minimum that is necessary to allow protected information to be made intelligible. A record must be maintained of any copy made. Where protected information is put in an intelligible form using a disclosed key, and that intelligible information is used in criminal proceedings copies of the key will be required for evidential or disclosure purposes.

Note that intercepted material will never be needed for evidential purposes. In the case of other material, it will be sufficient (with all commonly used encryption systems) for the expert witness who is to testify to be provided with the protected information and the session key. Thus no cause to move copies of any multi-use key outside of GTAC should ever arise.
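The argument made under 10.3 and repeated here under 11.10, that a disclosed session key is as good as the plaintext for one message and unlocks nothing else while a multi-use key unlocks all of a firm's traffic, rests on the hybrid structure used by email encryption systems: each message is encrypted under a fresh session key, which is itself wrapped under the recipient's long-term key. The Python model below is an added illustration, not part of this response or of the Code; its stream cipher and key wrap are toy constructions built from HMAC-SHA256 (stand-ins for real ciphers, not for production use), and a symmetric long-term key stands in for the recipient's private key.

```python
# Toy model (constructed for illustration, not a real cryptosystem) of the
# session-key argument: a long-term "multi-use" key unwraps a fresh per-message
# session key; the session key alone decrypts exactly one message.
import hashlib
import hmac
import secrets
from typing import Optional

BLOCK = 32  # SHA-256 output size, used as the keystream block size


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream block i = HMAC-SHA256(key, nonce || i).
    XORing with it encrypts and decrypts alike.  Stand-in for AES."""
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + BLOCK], block))
    return bytes(out)


def _tag(key: bytes, *parts: bytes) -> bytes:
    """Integrity tag so that a wrong key is detected rather than yielding garbage."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def encrypt_to_recipient(long_term_key: bytes, plaintext: bytes) -> dict:
    """Sender side: a fresh session key per message, wrapped under the recipient's
    long-term key (a symmetric key here stands in for the recipient's private key;
    the wrap-the-session-key structure is the same in real hybrid schemes)."""
    session_key = secrets.token_bytes(32)
    body_nonce = secrets.token_bytes(16)
    wrap_nonce = secrets.token_bytes(16)
    body = _keystream_xor(session_key, body_nonce, plaintext)
    wrapped = _keystream_xor(long_term_key, wrap_nonce, session_key)
    return {
        "wrapped_key": wrap_nonce + wrapped + _tag(long_term_key, wrap_nonce, wrapped),
        "body": body_nonce + body + _tag(session_key, body_nonce, body),
    }


def unwrap_session_key(long_term_key: bytes, message: dict) -> Optional[bytes]:
    """What the noticee does with the long-term key: recover this message's
    session key.  Returns None if the key does not fit the message."""
    blob = message["wrapped_key"]
    nonce, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _tag(long_term_key, nonce, wrapped)):
        return None
    return _keystream_xor(long_term_key, nonce, wrapped)


def decrypt_with_session_key(session_key: bytes, message: dict) -> Optional[bytes]:
    """What the holder of a disclosed session key (e.g. an expert witness) can do:
    read this one message.  Returns None for any other message."""
    blob = message["body"]
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(session_key, nonce, body)):
        return None
    return _keystream_xor(session_key, nonce, body)


def disclosure_scope(messages: list, disclosed: bytes, kind: str) -> int:
    """Count how many of `messages` become readable from one disclosed key:
    kind="session" for a per-message key, kind="multi-use" for the long-term key."""
    readable = 0
    for msg in messages:
        if kind == "multi-use":
            sk = unwrap_session_key(disclosed, msg)
            ok = sk is not None and decrypt_with_session_key(sk, msg) is not None
        else:
            ok = decrypt_with_session_key(disclosed, msg) is not None
        readable += ok
    return readable


if __name__ == "__main__":
    # Constructed sample: a firm's long-term key protecting three unrelated messages.
    company_key = secrets.token_bytes(32)
    traffic = [encrypt_to_recipient(company_key, m)
               for m in (b"contract A", b"invoice B", b"payroll C")]
    sk = unwrap_session_key(company_key, traffic[1])
    print(decrypt_with_session_key(sk, traffic[1]))             # the one message
    print(disclosure_scope(traffic, sk, "session"))             # 1
    print(disclosure_scope(traffic, company_key, "multi-use"))  # 3
```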
11.13 In the circumstances in which a disclosure requirement for a key is necessary in relation to protected information other than intercept material, it shall be the duty of the person serving the notice to protect the material from unauthorised disclosure. While a key disclosed for such purposes will normally be unclassified, the person serving the notice may require that any key handed over shall be handled at a higher level of security if this is necessary in the particular circumstances of the case.

Again, this exhibits the same anomaly. The person serving the notice is not in a position to make this judgement because he will not be aware of all the circumstances that will be known to the noticee (and, generally speaking, he has no authority to pry into the noticee's business in order to find out).
12.9 The 2000 Act adds to the remit of the Chief Surveillance Commissioner established under the Police Act 1997 the following functions as regards Part III of the Act (so far as these are not the responsibility of the Commissioners listed above): ...
- the adequacy of the safeguards arrangements for protecting keys so far as these are not the responsibility of one of the other Commissioners.

I am not aware of any circumstance where one of the other Commissioners would not have responsibility for this. If there is such an example, it should be mentioned here.
Moreover, there is now a further situation where the Surveillance Commissioner has responsibilities under Part III, namely he is to be informed whenever a demand for actual keys is included in a notice. I am still curious to know why the Surveillance Commissioner was singled out for this role, when the Interception Commissioner would have been the obvious choice (and, moreover, the one more likely to have acquired some expertise in this area).