[liberationtech] PrivateSky Takedown
Caspar Bowden (lists)
lists at casparbowden.net
Fri Dec 13 08:30:08 PST 2013
> ...Posted by Brian Spector...
> Secondly, a very important point wasn't printed. GCHQ couldn't, by
> law, request a blanket back door on the system.
Untrue. A "property warrant" under the Intelligence Services Act 1994
<http://www.legislation.gov.uk/ukpga/1994/13/section/5> can require
installation of a backdoor.
> There are a very rigid
> set of controls that mean only specific individuals can come under
> surveillance.
Untrue. A RIPA S.49 decryption order can be applied to a RIPA s.8
"certificated warrant" (which is used for GCHQ trawling of international
comms e.g. TEMPORA - bit like a FISA 702 but without the constraints by
US nationality/residency).
Even if a S.49 order is applied to a RIPA s.5 warrant targeted at a
particular person's comms internal to UK (think Title III), it can
require a key for past or FUTURE
<http://www.legislation.gov.uk/ukpga/2000/23/section/49> ("is likely to
do so") data, so whilst in theory a session key could suffice
<http://www.legislation.gov.uk/ukpga/2000/23/section/50> (50(5)) for
the former, obviously the latter would require a private (asymmetric) key, and
BTW could also require a stream of PFS transient keys to be logged and
handed over thereafter.
> The legal request for such surveillance has a due
> process that must be stridently followed.
I think he means stringently. Actually there is no "due process" that
would be recognizable in US legal terms. There is a possible appeal to a
Technical Advisory Board (which at least up until a few years ago had
never convened to hear such a case), but only on grounds of technical
impracticality.
> At no time did I or anyone
> at CertiVox talk about CertiVox in relation to any RIPA warrant, only
> the generic process by which these warrants are served.
RIPA S.49 decryption orders can carry an indefinitely long secrecy
requirement (see here <http://www.fipr.org/rip/CoPsampleGAKnotice.htm> ;
numbering is anomalous because it's a draft)
Rather looks as if CertiVox is trying to dig out of the hole they might
have breached secrecy in previous reports, and trying to backpedal.
@CasparBowden
(author of www.fipr.org/rip/ - not updated since 2001)