« Time to comply with a notice paras 4.20 to 4.23 | Main | Explaining the notice paras 4.27 to 4.29 »

Authenticity of section 49 notices paras 4.24 to 4.26

Authenticity of section 49 notices

4.24 It is essential that any person who is given a notice is able to confirm its authenticity should they need to do so. In practice the giving of a notice will be a stage in the progress of an investigation or operation and the person given the notice will usually have been involved earlier in that process, either as a consequence of their arrest or having been identified as being in possession of a key to the relevant information.

4.25 In addition to the statutory requirements[13] all written notices must include a unique reference number, must identify the public authority and must provide the address of an office and a published contact telephone number using which the recipient of a notice may check its authenticity.

      • [13] See paragraph 4.12

4.26 Public authorities must provide a means for authenticating any notice they give at whatever time the notice is given. In addition, the person giving the notice should, when doing so, carry sufficient identification to confirm their office, rank or position and, if requested to do so, should produce that identification to the person being given the notice.

Comments

Examples of the format of these notices must be made publically available on an official UK Government website, in order to reduce the scope for fake notices being used by criminals to steal sensitive Keys or Data from organisations which will have never seen one of these "Section 49" notices before.

a published contact telephone number using which the recipient of a notice may check its authenticity.

Given the potential multi-billion pound financial value of some of these Keys or Data, this is a totally inadequate and insecure method of "authentication".

A fake "Section 49" notice will have a fake or temporarily diverted telphone number where an attacker will happily "confirm" the apparent "authenticity" of such a notice.

Why is there no Single Point of Contact system for Key Disclosure Notices, like there is for Electronic Intercepts and for Communications Traffic Data ?

Why does this Code of Practice not mandate the use of Digital Signatures on all Section 49 notices ?

This could well help speed up the release of Key material in urgent, time critical cases, especially outside of normal office hours, allowing copies of the Notices to be sent via email, rather than via postal deliivery etc.

4.26 Public authorities must provide a means for authenticating any notice they give at whatever time the notice is given.

There is no justification for each "public authority" to be allowed to set up its own, incompatible system for doing this.

The same arguments apply as those which led to the setting up of the Single Point of Contact procedures for dealing other RIPA warrants. certificates and notices i.e. need to have trained people familiar with the law and data security procedures
to handle what will be for most organisations, very rare circumstances , the need to reduce to a minimum repeated requests for the same information by several branches of Government or Law Enforcement, and the reporting and financial accounting requirements.

Post a comment