Re: [Hampshire] [OT]Hand over your crypto key or else

Author: Vic
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] [OT]Hand over your crypto key or else
> No I have not missed the point.

Yes you have. You are expecting the law to be reasonable. RIPA is not.

> If the key is unavailable because it has
> been
> deleted and the key is 100 random characters long then the authorities
> cannot
> expect you to produce something that is impossible to give them.


Yes they can.

Read the act - it's at http://www.opsi.gov.uk/Acts/acts2000/20000023.htm .
Specifically, look at section 49; that makes no mention of whether or not
it is reasonable for you to possess the key, merely whether or not the
"person with the appropriate permission under Schedule 2 believes, on
reasonable grounds ... that a key to the protected information is in the
possession of any person". It does not require that person to come up with
any evidence; it only requires him to believe that you have a key. Now
look at the paper-thin evidence that's been used in certain other "War on
Terror" atrocities. This is already being misused - see
http://news.bbc.co.uk/1/hi/technology/7102180.stm . In this case, the
defendant claims she hasn't even got anything encrypted; that doesn't
matter. She has still been served with a disclosure order under section
49, and failure to comply with that is punishable by 2 years in clink.

> It is up to you to show the judge and a jury how a password was produced.


No it isn't. It is up to you to defend yourself by showing how you
complied with the section 49 notice. Anything other than that means you
have to argue why the law does not apply to you; that's always a difficult
defence, and it's even harder in the current climate where much of the
population believes someone is a terrorist just because the Police have
said they believe him to be so.

> It
> is up to you to show a judge and jury that the passwords that your program
> uses are impossible to remember. If the password produced demonstrates to a
> jury that it is something impossible to remember then you are halfway
> there.


No you aren't. You are in flagrant breach of section 3 of RIPA. A canny
prosecution bod might even argue that you have taken deliberate steps to
attempt to avoid having to comply with RIPA - a law which was brought in
to protect the public from Terrorism (a good barrister can talk in
capitals).

> The law deals with intent.


It doesn't - it deals with actions. Intent can occasionally be used as
mitigation. Nevertheless, the offence is "failure to comply with a
disclosure notice issued under section 49 of RIPA"; it's quite clear from
the argument that you're taking (hiding your keys by technical methods)
that you're trying not to comply. That pretty much sews it up, don't you
think?

> The law is designed to deal with passwords or pass phrases that can be
> remembered.


No it isn't. Read the Act. Perhaps it should have been worded as you
describe; probably, it shouldn't have been worded at all. But it was
passed as it is, not as we'd like it to be. And it doesn't care whether
your decryption keys are memorable or not; it merely requires you to hand
them over on demand.

> Passwords that are impossible to remember have to be subject to a different
> law.


That simply isn't true.

> The law must prove a criminal offence.


Failure to comply with a Section 49 disclosure notice is a criminal
offence. All they need to prove is that you were served the notice, and
you didn't comply with it.

> False
> imprisonment is a subject of human rights violations. You are entitled to
> have your own computer forensic expert to show that what is present is
> random data and not an encrypted file.


And how are you going to do that? You're attempting to prove a negative.
Decrypting it would prove that it is encrypted data, but failing to
decrypt it only proves that you don't have the wherewithal to do so. That
is a very long way indeed from "reasonable doubt"; it's more likely that
you've used good encryption and haven't handed over the key.

> Similarly the law have their expert who has to prove that what you have is
> an encrypted file and not a random data file. Intent is again the key.


Only in your mind, John. In reality, failure to disclose is the whole of
the offence.

> If you have the computer programs which can demonstrate what you say


But you cannot do that. It is not possible to prove something doesn't
exist simply by failing to observe it a few times.

> The law says that it must be beyond reasonable doubt.


An offence under RIPA is easily proved beyond reasonable doubt. Was the
defendant served with a disclosure notice? Did the defendant comply with
that notice?

> The law does not require you to keep all the files you have ever
> produced.


It requires you to produce decryption keys on demand for anything an
authorised person *believes* might be an encrypted file that might be
interesting to them for the purposes of National security, preventing or
detecting crime, or in the interests of the economic well-being of the
United Kingdom. I've deliberately emphasised the word "believes" - because
that is all that is necessary for a disclosure notice. They don't even
need evidence that a file contains encrypted data.

> I cannot afford to ask for a barrister's opinion on this. Is there anyone
> in the LUG who is a barrister and can elaborate further on this topic?


The CPS has the odd barrister on their books. They have already issued a
Disclosure Notice against someone who claims not to use encryption. CPS
barristers clearly disagree with your interpretation of the law.

Vic.
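The exchange above turns on whether a forensic examiner can tell "random data" from "an encrypted file". The following is an added example, not code from this thread or from either poster, showing why the distinction cannot be made by inspection: the output of a decent cipher and a genuinely random byte string score identically on the byte-level statistics an examiner would run (Shannon entropy, chi-square against a uniform distribution), while ordinary plaintext stands out immediately. It assumes a toy stream cipher (SHA-256 in counter mode, XORed with the plaintext) as a stand-in for a real cipher so that it runs on the Python standard library alone; the sample data and key are constructed for the example.

```python
import hashlib
import math
import random
from collections import Counter

N = 64 * 1024  # sample size in bytes for each constructed "file"


def shannon_entropy(data: bytes) -> float:
    """Empirical entropy in bits per byte; 8.0 is the ceiling for byte data."""
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def chi_square(data: bytes) -> float:
    """Chi-square of byte frequencies against a uniform distribution.

    255 degrees of freedom, so a uniform source scores roughly 255 +/- 23;
    structured data (text, executables) scores orders of magnitude higher.
    """
    counts = Counter(data)
    expected = len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def keystream_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stream cipher used only so this example needs no third-party library.

    Assumption for the example: SHA-256(key || counter) as a keystream, XORed
    with the plaintext. Any real cipher (AES-CTR, ChaCha20) produces output
    with the same statistical profile.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def build_samples(n: int = N) -> dict:
    """Three constructed files: random bytes, repetitive text, and that text encrypted."""
    rng = random.Random(42)  # deterministic so the numbers are reproducible
    random_file = bytes(rng.getrandbits(8) for _ in range(n))
    sentence = b"Hampshire LUG discussion about section 49 disclosure notices. "
    plaintext = (sentence * (n // len(sentence) + 1))[:n]
    key = hashlib.sha256(b"constructed example key").digest()
    return {
        "random": random_file,
        "plaintext": plaintext,
        "ciphertext": keystream_encrypt(key, plaintext),
    }


def analyse(samples: dict) -> dict:
    """Return {name: (entropy_bits_per_byte, chi_square)} for each sample."""
    return {name: (shannon_entropy(d), chi_square(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (h, chi2) in analyse(build_samples()).items():
        print(f"{name:10s} entropy={h:.3f} bits/byte  chi-square={chi2:.0f}")
```

The random file and the ciphertext both land at about 8.0 bits per byte with a chi-square near 255, and nothing in the statistics separates them; only successful decryption would. That is exactly Vic's point: an expert can show that a blob is consistent with being random, but cannot show that it is not ciphertext, and the section 49 regime does not require the prosecution to show otherwise.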