
Special circumstances requiring disclosure of a key paras 6.3 to 6.8

Special circumstances requiring disclosure of a key

6.3 The Act imposes extra conditions upon requiring disclosure of a key, in addition to those for requiring the disclosure of protected information in an intelligible form.

6.4 No person able to do so shall give a direction that a disclosure requirement can be met only by disclosure of a key unless that person believes:

  • that there are special circumstances of the case which mean that the purposes for which the disclosure notice is necessary would be defeated, in whole or in part, if a key was not required to be disclosed; and
  • that the requirement for disclosure of a key is proportionate to what is sought to be achieved by preventing compliance with the disclosure requirement other than by disclosure of a key.

6.5 Matters to be considered in determining such proportionality include the extent and nature of any protected information (other than that to which the disclosure requirement relates) which is protected by the same key and any adverse effect that a disclosure requirement might have on a business carried on by the person on whom the requirement is imposed.

6.6 This means that the person giving a direction that a key is required to be disclosed must consider the actual or potential collateral intrusion that will or may arise from disclosure of the key and its application to any protected information that has come into the possession of any person or is likely to do so or might do so.

6.7 Although the special circumstances for giving direction to require the disclosure of a key will vary with each case, as will the proportionality of doing so, such a requirement may be appropriate where:

  • trust is an issue - where there is doubt about the integrity of the person or organisation being asked to comply with a disclosure requirement, for example the person or organisation concerned is suspected of involvement in criminality or of protecting another person or persons involved in criminality;
  • credibility is an issue - where a prior disclosure of protected information in an intelligible form, whether undertaken voluntarily or in supposed compliance with a notice, is demonstrably incomplete;
  • timeliness is an issue - if a person or organisation has the key to protected information but cannot, for whatever reason and having been given the opportunity to do so, provide the information in an intelligible form in a time critical situation[15];

        [15] See paragraph 4.23

  • the content of the intelligible information is an issue - where the person required to make the disclosure might find the intelligible form of the material offensive, obscene or otherwise distressing or it is important in the interests of justice that they do not view or be reminded of the material;
  • the key itself has evidential value - where there is reasonable belief that the key may provide evidence linking a person or persons to an offence or offences, for example where a person seeks to deny responsibility for protected information in their possession but a password or pass-phrase for the key is personal to the person being served the notice or is indicative of the material it protects;
  • practicality is an issue - where the key is divided into split-keys and it is not practicable or possible for the holders of the split-keys, or sufficient number of them, to act together to provide access to protected information or to disclose it in an intelligible form it may be necessary to require disclosure of one or more split-keys.

6.8 Particular care must be taken when considering the imposition of a requirement to disclose a key upon a provider of financial services in view of the crucial role that protected information has in the financial services sector. No such requirement should be imposed upon any company or firm regulated by the Financial Services Authority without prior notification to the Chairman of the Authority. The period of notification will be reasonable in all the circumstances of any instance.

Comments

6.8 Particular care must be taken when considering the imposition of a requirement to disclose a key upon a provider of financial services in view of the crucial role that protected information has in the financial services sector. No such requirement should be imposed upon any company or firm regulated by the Financial Services Authority without prior notification to the Chairman of the Authority. The period of notification will be reasonable in all the circumstances of any instance.

How is this legal?

The Chairman of the Financial Services Authority, currently Sir Callum McCarthy, may well be an excellent chap, however, he is not a retired High Court Judge serving as one of the RIPA Commissioners appointed by the Prime Minister, and with sufficient Security Clearance to be able to deal with terrorism or national security cases, is he?

Is the Chairman of the FSA expected to detail every instance of such a Key Disclosure Notice request in the annual report of the Financial Services Authority, or not?

The extreme doubts and scepticism expressed by the financial sector about RIPA Part III are well merited, but this obvious sop to their concerns is surely nowhere near enough to allay their fears of being driven out of business because of the massive loss of trust and confidence that the forced disclosure of their core business Cryptographic keys could entail.

What action can the Chairman of the FSA actually take if, say, some Policeman investigating credit card fraud which may or may not involve terrorist finance, demands the master Keys from VISA or MASTERCARD or the Keys which protect all of an internet Bank's SSL/TLS encrypted web server sessions?

All that he can do is complain to other people e.g. in the Treasury, thereby further increasing the number of people who are "tipped off" about the investigation, something which could well be illegal under the "tipping off" provisions of RIPA Part III, section 54.

Even the existing RIPA Commissioners

(11) In this section "relevant Commissioner" means the Interception of Communications Commissioner, the Intelligence Services Commissioner or any Surveillance Commissioner or Assistant Surveillance Commissioner.

although exempt from the "tipping off" offence, and, in various combinations, must be notified about a Section 49 key Disclosure Notice, which they will no doubt record and check the details of, they do not have any powers to veto the issuance of such a notice or to add or remove the "tipping off" secrecy provisions.

That is all left to the judgement of the official who is authorising the Key Disclosure.

The RIPA Commissioners do not even have any say in whether or not the investigation is to be regarded as a "national security investigation" or not. They may obviously have their own views on this, but they were not given any extra powers, when the Terrorism Act 2006 amended RIPA to increase the penalties for non-disclosure of a Key or of Protected Data, in such circumstances.

Terrorism Act 2006 Section 15 Maximum penalty for contravening notice relating to encrypted information

15 Maximum penalty for contravening notice relating to encrypted information

(1) In section 53 of the Regulation of Investigatory Powers Act 2000 (c. 23) (offence of contravening disclosure requirement)-

(a) in paragraph (a) of subsection (5), for "two years" substitute "the appropriate maximum term"; and

(b) after that subsection insert the subsections set out in subsection (2).
(2) The inserted subsections are-
"(5A) In subsection (5) ‘the appropriate maximum term’ means-

(a) in a national security case, five years; and

(b) in any other case, two years.
(5B) In subsection (5A) ‘a national security case’ means a case in which the grounds specified in the notice to which the offence relates as the grounds for imposing a disclosure requirement were or included a belief that the imposition of the requirement was necessary in the interests of national security."

(3) This section does not apply to offences committed before the commencement of this section.

See also para 11.1 to 11.4 Oversight