RIPA Part III consultation blog

Remember that the older versions of one the most popular free encryption software program, Pretty Good Privacy (PGP), used to use exactly the same key for both Secrecy/ Encryption and for Digital Signatures

All versions of PGP use the same Pass Phrase to protect access to the Private Keys

Revealing the Pass Phrase to provide access to the Keyring for one purpose e.g. Secrecy/Encryption, automatically compromises the same or separate Keys for Non-Repudiation / Digital Signatures usage.

How can anyone possibly prove that a Public/Private Key Pair used for a Digital Signatures, has not also been used for Secrecy / Encryption ?

Therefore Paragraph 3.16 needs to be spelled out in much more detail, with examples, ideally including the proper legal handling of a single PGP key out of a Keyring containing several of them.

The "definition" in paragraph 3.15 of an "electronic signature" is not the same as that which is already enacted in law via the Electronic Communications Act 2000 Section 7 Electronic signatures and related certificates.

Surely the definition laid down in a full Act of Parliament takes legal precedence over this Code of Practice ?

There are literally multi-billion pound implications for e-commerce, electronic share dealing, credit card and internet banking contracts etc. if this definition of an "electronic signature" is changed willynilly by this Code of Practice.

Any doubt or confusion on such a fundamental topic will result in serious economic damage to the United Kingdom economy.

Has the Home Office actually consulted with the Department for Trade and Industry and Her Majesty's Treasury on this point ?

It will be very interesting to see any Regulatory Impact Assessment of this proposed change in the legal definition of an "electronic signature".

I am confused. I thought the regulations were pretty much in stone at this point with regard to electronic signature capturing. After all the US and the EU both addressed the matter years ago. The US with the ESIGN and UETA laws, and the EU with Reg 2002.

Does this current question on terminology have any real impact on just pure electronic signature capturing? For example we use PrivaSign.com (https://privasign.com) for all of our EU transactions, and we have not had any problems, do you see any issues with services like this? Our attorneys say everything is fine, but I thought you might have an opinion. Also I know Adobe has a service for capturing electronic signatures on Adobe files now, but I am not sure if it has any validation parameters, and I am further not sure if a system as broad as that one could ever validate and cross check any information. The thought is to have a convenience tool here and not a complex and difficult system.

Lance

@ Lance - our opinion, for what it is worth:

We are waiting to find out if the Department for Trade and industry have been consulted over this paragraph or not.

This section of the RIPA Part III Code of Conduct, if it is presented to Parliament without any amendments as a result of public feedback to this formal Public Consultation, will have the status of a Statutory Code of Conduct, and will be cited in any future legal cases involving "electronic signatures" or "Digital Signatures" etc.

The Home Office's wording in paragraph 3.15 is not a bad definition of a digtal or electronic signature, but it it is not the same as the one in the definition in the Electronic Communications Act 2002:

PART II FACILITATION OF ELECTRONIC COMMERCE, DATA STORAGE, ETC.

Electronic signatures and related certificates.

7. - (1) In any legal proceedings-

• (a) an electronic signature incorporated into or logically associated with a particular electronic communication or particular electronic data, and

• (b) the certification by any person of such a signature,

shall each be admissible in evidence in relation to any question as to the authenticity of the communication or data or as to the integrity of the communication or data.

(2) For the purposes of this section an electronic signature is so much of anything in electronic form as-

• (a) is incorporated into or otherwise logically associated with any electronic communication or electronic data; and

• (b) purports to be so incorporated or associated for the purpose of being used in establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

(3) For the purposes of this section an electronic signature incorporated into or associated with a particular electronic communication or particular electronic data is certified by any person if that person (whether before or after the making of the communication) has made a statement confirming that-

• (a) the signature,

• (b) a means of producing, communicating or verifying the signature, or
• (c) a procedure applied to the signature,
  is (either alone or in combination with other factors) a valid means of establishing the authenticity of the communication or data, the integrity of the communication or data, or both.

Note the lack of any equivalent of

"by providing a link between the signatory or other source and the communication or data"

Can you see the potential for legal confusion ?

In a web based e-commerce service like PrivaSign, there are several "signing" keys involved in the whole transaction. The actual "electronic signature capture" aspect of a service like this or the Adobe one, or the UPS parcel delivery "write your signture on this touch sensitive portable computer screen" etc. is covered by the Electronic Communications Act 2002, but not by the Regulation of Investigatory Powers Act 2000 Part III.

However there are also some Secure Sockets layer / Transport Layer Security (https://) "session" keys, used both during the customer logon, and to protect the online Credit Card or PayPal payments for the service.

If a PrivaSign (or other e-commerce) customer becomes the focus of a UK criminal or intelligence agency investigation, which has been (legally) intercepting the the SSL/TLS encrypted sessions to and from the webserver, then the
private keys associated with the Digital Certificate installed on the "secure" internet web servers could be subjected to a section 49 Disclosure Notice and the "tipping off" offences which could prevent the other innocent customers from being told that the levels of assumed Confidentiality, and Non-Repudiation they were expecting, have been destroyed through legal investigation "collateral damage".

Obviously PrivaSign are not based in the UK, but any UK offices of international companies could easily be served with such Disclosure Notices, and who knows what sort of legal investigation "collateral damage" could be caused by a request via a Legal Mutual Assistance treaty request, or the forthcoming European Evidence Warrant ?

The thought is to have a convenience tool here and not a complex and difficult system.

Anything to do with RIPA Part III will be involve extra administrative, legal and bureaucratic burdens and costs, even if your company is never served with a Disclosure Notice, you have will need to have people trained, and systems in place to deal with such a request, especially the onerous "tipping off" offence secrecy requirements, which, since it does not cost the requesting law enforcement or intelligence agency bureaucrats anything to invoke them, will no doubt be used far more often than really needed "just in case".

This section of the Code of Practice also has relevance for SWIFT, and probably for other financial networks like VISAnet etc.

"NYT: SWIFT international financial data handed over to US intelligence agencies"

reveals that the US Government has sneaked around normal financial data privacy laws and been given access confidential data, initially on a wholesale basis, to data from the
the Belgium based Society for Worldwide Interbank Financial Telecommunication (SWIFT) financial network which serves over 7,800 international banks, and handles the majority of the world's international bank money transfers in over 200 countries.

SWIFT does not appear to be regulated by the Financial Services Authority, even though it deals with vastly more money and private data than any single UK Financial Institution does, apparently some 6 trillion US dollars every day.

If the UK Government takes the same attitude as the US one, that it is a "messaging service, not a bank or financial institution."
then what is there to prevent a bungled law enforcement or intelligence agency investigation from demanding , via a section 49 Disclosure Notice the secret Encryption Keys and imposing the the "tipping off" secrecy provisions, which would put it at risk of criminal or terrorist attack, and a massive loss of trust and confidence.

The potential for corruption or coercion of bureaucrats and officials who have routine access to this sort of power is enormous, and must be very carefully monitored and controlled, given the immense economic damage to the United Kingdom that they could do, by, for example compromising the security of the London node of the SWIFT network, or by disrupting its operations even for a few seconds, during "evidence gathering".

On the definition of electronic signatures discussed above. There are already two definitions of an "electronic signature" in law. Both the ECA (2000 c.7, s.7(2)) and RIPA (2000 c.23, s.56(1)) offer their own definitions of an electronic signature. The definition in the Code of Practice seems to follow that in RIPA.

@ rag - true enough, but the potential conflict between the two definitions has been masked by the fact that RIPA Part III has still not yet been brought in force,

Section 56 Interpretation of Part III

"electronic signature" means anything in electronic form which- (a) is incorporated into, or otherwise logically associated with, any electronic communication or other electronic data;

(b) is generated by the signatory or other source of the communication or data; and

(c) is used for the purpose of facilitating, by means of a link between the signatory or other source and the communication or data, the establishment of the authenticity of the communication or data, the establishment of its integrity, or both;

The ECA definition is law, and is in force, is not repealed or amended by RIPA Part III, and has been cited in legal cases regarding the validity of electronic signaures.

However if this Code of Practice is passed by Parliament, as a Statutory Code of Pratice, then it also has to be taken into account in any legal case arising.

The Code of Practice should therfore make a specific reference to exactly which legal definition applies.

The Code of Practice should add legal and procedural clarity and not more confusion.

The Department for Trade and Industry are now aware of this Public Consultation:

http://www.spy.org.uk/foia/2006/07/reply_from_the_dti_re_ripa_part_3_consultation.html

However we met with Home Office officials on 30th July 2006 to discuss a range of issues arising from the consultation and the possible impact on business practices. We discussed the relevance of the Code of Practice for signing keys but at this stage do not believe that a reference in the Code of Practice will in any way change the legal definition of electronic signatures.

It is unlikely that the Department will make a formal contribution to the consultation process.

HM Treasury seem to be blithely unaware of this RIPA consultation.

http://www.spy.org.uk/foia/2006/07/reply_from_hm_treasury_no_ripa.html

Following a search of our records I can confirm that we do not hold information on discussions, consultations or meetings with the Home Office Covert Investigation Policy Team on the issue of electronic signatures and paragraph 3.15. We also do not hold any information relating to the Treasury view on this matter, or whether the Treasury will be making a submission to the Home Office public consultation. On the last point, it is not normal practice for departments to submit to other departments’ consultation exercises.