Analysis of Part III of the (draft) Electronics Communications Act 1999

Tipping off

The "tipping off" offence has had a rough ride. Its apparent requirement to make you lie about the security of your encryption has come in for specific criticism. The generality of the offence has led to a number of thought experiments as to what it would actually mean in practice and to various ways that one might protect ones security without transgressing the law.

Meantime, some of the more general questions remain unanswered. Would failing to provide ISP service to a child pornographer be "tipping off" ? If so, why isn't this an explicit offence ?

Of course, in some countries "tipping off" is a requirement since the security forces have to inform the intercepted, after the event, that they have been overheard.

Why a "tipping off" offence might be needed
Amateurs may be helping the police and they must be encouraged to "play the game".

How a Section 10 order will feel in practice
David Swarbrick explains what a secrecy notice will feel like, and Brian Gladman reminds us that these notices will be served on those whom the people under investigation communicate with - not on the suspected criminals themselves. Marital Relations
Ian Batten asks if you should lie to your husband or wife.

Can you tip off if you have no keys ?
Yes! The offence is divulging the details of the notice, and you may have been completely unable to help.

How can one check the validity of a Section 10 notice?
If you ring up the local nick to ask if a warrant card belongs to their officer and if the Section 10 notice is valid then surely you are "tipping off" the sergeant at the desk.

Can I still use my computer ?
How far do you have to go in not letting anyone know your key has been compromised ?

Do you have to hand over equipment in response to a Section 10 notice ?
What if key is locked in a physical device ? What if that device is keyed to your iris pattern ?

The legality of revoking keys ?
Can you revoke your keys after you have disclosed them under a Section 10 notice ?

What disclaimers will work ?
Can you put a disclaimer on your key or its revocation to show that it has not been disclosed under a Section 10 notice ?

Why a "tipping off" offence might be needed

Quentin Campbell
At present the Home Office authorises taps on phones and the opening of Post Office mail. In both cases the work is normally done by specially vetted employees of the organisations carrying the traffic. In all cases the people involved will have gone though some form of indoctrination and have signed the Official Secrets Act.

"Tipping off" in these circumstances is unlikely and is in any case dealt with by offences and penalties set out in the various sections of the OSA.

The Home Office has to call on a different category of "helper" when it serves a section 10 notice under the proposed EC Bill. These people will neither be vetted nor have signed the OSA. They will have little understanding of, or concern for, or may be actively hostile to, the need for secrecy in such operations.

This may explain why section 14 of the EC Bill prescribes a maximum 5 years imprisonment for "tipping-off" which seems to be considerably longer than that for similar offences in the OSA (as I understand it as a non-lawyer).

One way of looking at the EC Bill is that sections 13 and 14 have to stand in place of the sorts of indoctrinations, restraints and habits of secrecy under which I assume Smiley's People operate.

When seen in that context is Section 13 so unreasonable?

This raises the following intriguing question: If someone who has signed the Official Secrets Act is served with a section 10 notice (which had a requirement to keep it secret) and is subsequently arrested for allegedly "tipping off", which criminal offence takes precedence - the one committed under the OSA or the section 13 offence of the EC Bill?

David Swarbrick
You have the context almost right, but the only bit you omit is that the recipients are likely to be in quite large numbers, and innocent of any suspicion.

You also omit the poisonous effect of receiving such notices on family and employment relationships. It seeks to make liars of us all and to destroy any relationship of trust. How can I ever know that an employee has not betrayed my firms private key.

Note also that there is no provision for recompense unless the notice was issued on behalf of the secretary of state. It specifically envisages people having to persist with their lies through all civil and criminal proceedings, and offers them no compensation in return.

It is, quite simply, evil.

Quentin Campbell
Section 13(8) seems to mean that the person "tipped off", even if he did not make further use of that knowledge, can face proceedings himself under that section.

The loving wife (who has been served with a Section 10 Notice "requiring [her] to keep secret the giving of the notice") MUST lie to her husband in order to protect him and he family. Otherwise what happens to the kids if they are both carted off to prison for 5 years?

If my understanding of this is correct I would expect soon to see the Tories mocking the government over this Bill's undermining of its attempts to promote "family values".

Pete Chown
Actually this could be a big problem as well I guess. Suppose it was alleged that you had written a document on the basis that it was signed with your key. The only disclosure of your key had been as mandated by a notice under the e-commerce bill. It is easy to imagine a situation where you would have a choice between breaking the requirements of the notice and lying in court.

Quentin Campbell
I feel that I might be particularly vulnerable (see below) in this regard and so have been trying to understand why I have been put in this position. I agree with your analysis when looked at from _my_ perspective.

If I may I would like to add my own concerns to those you express above. In the situation that I describe below I suspect that I am not alone.

This site generates very large volumes of e-mail (13,000+ e-mail users). We have significant numbers of overseas students who, if only because they are Registered Aliens, are of automatic interest to the HO Immigration Dept and Police Special Branch. Some of these students may also be of special interest to other LEAs as well for all I know.

I have no basis for knowing what the actual level of use of encryption is in e-mail here. However indirect evidence suggests that its use is still very limited. This may change and there are no restrictions on its deployment by our users.

I have acted, when requested to do so by the University, as a link with the Police, BT Investigations Branch, etc, during criminal investigations involving users or equipment here.

As a result of these past contacts I sometimes have informal approaches made directly to me from LEA sources. I invariably refer these people to the Registrar of the University. I refuse any assistance unless instructed to provide it by the Registrar.

The EC Bill is likely to change this.

I could be served a section 10 notice directly in order to provide a user's encryption key or other data. If this notice has a requirement to keep its contents secret then section 13 prevents me from referring the notice to the Registrar in order to protect myself [this University makes it a disciplinary offence, punishable by dismissal, for an employee to access computer records without authorisation].

Even if I was willing to act on the section 10 notice I may not be able to meet the requirements of the notice at all or at least without resorting to assistance from colleagues. At worst I still get caught be section 12; at best I will have to lie about what I am doing and why to my colleagues and my employer. It is an unpleasant and worrying prospect.

Ian Batten
Is it actually permitted to have laws that force people to perjure themselves on pain of penalty? For example, if someone is asked a direct question in court or parliament, the answer to which requires them to contravene the official secrets act, is the fact of being asked in court a defence when prosecuted under the OSA, or is the fact of being under the OSA a defence against a charge of perjury or contempt of court?

Another interesting little side-line, and one which one can imagine being a problem, is how a section 13 notice would interact with a fraud investigation where witnesses can be compelled to answer questions (in other words, where ``I will not answer that'' is of itself actionable).

This was the sort of enquiry which gave rise to problems in various SFO cases in the mid-90s.

And how would it play against a question asked by a parliamentary select committee, which so far as I understand it can offer absolute privilege?

David Swarbrick
See the references in the Bill and notes to IOCA s 9. Under that section:-

Exclusion of evidence

9.- (1) In any proceedings before any court or tribunal no evidence shall be adduced and no question in cross-examination shall be asked which (in either case) tends to suggest-

(a) that offence under section 1 above has been or is to be committed by any of the persons mentioned in subsection (2) below; or

(b) that a warrant has been or is to be issued to any of those persons.


A pretty little circle has been described.

You are served with a notice. It is not authorised by the Secretary of State directly so you may not take any matter before the tribunal (and cannot get compensation under this Act). The notes say you fall back upon the general law, but s9 is now intended to be applied to this Act, and therefore _any_ losses suffered other than under the authority of an SS warrant are claimable provided only that you may not actually say that a notice was served etc.

How a Section 10 order will feel in practice

David Swarbrick
"Hand over your private key. No, you haven't done anything wrong, but if you ever, at any time in the future, tell anyone, parents, teachers, friends, you are liable to imprisonment for five years. You will lie to anyone and everyone, whoever it is, and as often as necessary, to protect this lie. You will lie to your parents, your priest, and your pals. You will put at risk every relationship of trust you have ever had, or will have. You will continue to leave us in a situation where we can read anything anyone sends to you. You must do nothing to warn them."

The answer will come from Nigel's friends at the Home Office 'We will never do that' If not, then why take the right?

I must apologise for my earlier post. I spelt Staasi wrong.

Brian Gladman
David is right, this is not about ISPs, this is about about our rights as uk citizens to be free from oppression by the State when acting within the law. It is in the nature of public key cryptography that decryption orders may have to be served on entirely innocent and completely honest and law abiding citizens.

Citizens have a collective right to expect that individuals among us will co-operate with us as a group to find and deal with others who act against our interests. But in return we have a duty to those we call on for such co-operation to ensure that we require only what is absolutely necessary of them and that we do this in such a way that any detrmimental impact on them is at an unavoidable minimum.

IMHO seeking the decryption of given encrypted texts, in strictly defined circumstances and with clear legal safeguards, meets this mandate. But to require the revelation of decryption keys goes far too far and is a gross infringement of civil rights that have taken centuries to establish.

This is an action that will, on occasions, seriously imperil the safety, security and privacy of entirely honest and law abiding citizens who, through no fault of their own, have the misfortune to find themselves subject to decryption orders. And to go even further and make honest, law-abiding citizens into potential criminals when all they have done is to use cryptography to protect themselves is the hallmark of the sort of oppressive (communist or fascist) regime that I never thought I would see in the uk.

It is very clear that while the Government has given up on key-escrow, it has not given up on the warped thinking that lies behind it and is now seeking the same unjustified access to decryption keys in another way.

Marital relations

Ian Batten
Simple scenario. Husband and Wife communicate by encrypted email while one is away on business, because they are both using laptops connected via untrusted ISPs. During the trip, a s.10 decryption is served on one of them in the course of an on-going investigation. As a law-abiding citizen with `nothing to hide', s/he immediately complies, handing over their PGP private key in unencrypted form. Their spouse, in casual conversation, says, ``I don't really understand this PGP stuff: it means no-one else can read our mail, right? I want to tell you what I dreamt about you last night''.

Does the recipient of the s.10 notice (a) lie to their spouse in order to stay within the law --- obviously, for ministers, lying to their spouse is a way of life given the amount of adultery, but for the rest of us it's a bit more serious. Or (b) tell the truth to their spouse, making themselves a criminal for `tipping off'.

Nice choice, eh? Especially since, as I understand it, spouses cannot be compelled to give evidence against each other.

Can you tip off if you have no keys ?

Andrew Meredith
I worked as a motorcycle courier for a while after leaving college and very seldom knew what was in the packages I carried. Sometimes they were obviously magnetic tape reels of some sort.

I was told at the time that I should be very careful about packages that I suspected of being "Dodgy", as they were my responsibility between the originators signature and the destinaton signature. I heard of several cases of couriers being had up for drugs offences because of this.

Can I assume that the same would apply to encrypted data tapes if this Bill becomes law? The courier would of course be completely unable to supply keys.

Does the "Tipping Off" offence still work if the subject fails to supply keys? In which case, if the LEAs served notice on a courier and he failed to supply keys and subsequently told his office about the events, he would have committed an offence .. yes?

How can one check the validity of a Section 10 notice?

David Wadsworth
A problem which nobody has raised yet, is how do you authenticate the warrant and warrant holder? There are a considerable number of cases nowadays of 'social engineering' where people impersonate those in authority in order to commit crimes. In these days of colour copying machines and graphics programs, the production of a forged warrant, and convincing police or security 'credentials' would present a minor problem. Any irregularities might be glossed over by referring to the security services, or suspicion of 'money laundering'. A simple call to your local police station or any one else you might trust, might make you liable for the 'tipping off' offence. Suppose the message decoded held the combination to a diamond merchants safe? Under the proposed legislation, you could not warn him that his property was now at risk. If the contents of the safe were subsequently stolen then presumably the new law would insist you lie to the investigators of the robbery, provided the warrant was genuine.

Can I still use my computer ?

Quentin Campbell
Can this draft Bill compel me to continue to use a computer once I have been served with a Notice? I might say " I am going to stop using my computer for fear of tipping-off my correspondents".

Could any inference be drawn if I reverted to using FAX, P.O. mail, telephones, presenting myself in person, etc, in place of my "normal" mode of using encrypted e-mail? No court could hold that these were abnormal or unusual behaviours!

What if my correspondents were to regularly ask me in their messages every Friday evening: "are you the subject of an Interception Notice?".

I am an honest person and would not wish to tell a lie. If I am not the subject of an order I could answer honestly "No".

If I was the subject of an order it appears that I am compelled by law to lie and say "No". But what if I answer honestly and tell the enquirer: "under the terms of a Section 10 notice I am not allowed to say"?

This last response would appear to be "tipping off" unless I used it every time I was asked whether I was the subject of an Interception Notice". This is rather like the response of Ministers to questions about "security matters" in the Commons. However in normal circumstances I have absolutely no obligation or reason to use that form of words.

Is the new Bill going to compel us all to start acting like Ministers in the Commons? I am sure Jack Straw and colleagues would say: "what is wrong with that?".

Nicholas Bohm
I think you are compelled to say "I cannot tell you the reason, and cannot tell you the reason why I cannot tell you the reason." I do not see how that can be tipping off, since it discloses nothing.

One has the impression that the authors of this machinery have not thought through its workings.

David Swarbrick
No, you have told him that there exists some reason which obliges you not to disclose it. Beforehand they do not know there is a reason. After you have spoken they know two new things 1) that there is a reason, and 2) that you cannot reveal that reason.

It is a straight hint, and liable to leave you locked up.

Do you have to hand over equipment in response to a Section 10 notice ?

Pete Chown
Here is another question. Suppose I create a key on a tamperproof device such as a Javacard. The program I use to create the key will never reveal it, even to me; all it will do is decrypt data when I ask it to.

If I am served with a notice to hand over the key, do I have to hand over the physical card? And of course if I do so, I will subsequently be unable to read any messages which people send me. Even without me saying anything, this will show my correspondents that it is necessary to change keys (although it will not show that a compromise has taken place).

Nicholas Bohm
No; sections 10 and 11 are limited to "disclosure" of the key. If you cannot comply and are not allowed to provide plaintext instead, then you are guilty of an offence. The approach to sentencing will be interesting. Keep us posted, please.

If the card is lawfully seized under a search warrant and a section 10 notice is served in respect of the "key" to the card as being an indirect key to protected information, that might work. Awkward if the key is your iris pattern: try not to blink, and you've disclosed it.

The legality of revoking keys

Malcolm Hutty
The compliance statement says "Where the production of plaintext is deemed acceptable, compliance cost may be limited to the administrative costs of processing the notice and delivering up the required data. But where a notice specifies that a key be handed over, the individual/business served with a written notice may decide that their security has been compromised and may incur considerable costs in implementing new security systems or changing the keys of other trading partners, customers or associates."

Surely if I have a public key which is compromised, and distribute a new public key to every associate of mine except one, I can expect PC Plod to clap me in irons for tipping off. We can expect that arguments about where the line is drawn between the generality of section 13 ("tipping off") and the steps envisaged in the above paragraph will be the subject of fevered negotiation between industry and police/prosecution officials at best, expensive and erratic case law at worst.

Since there is nothing in the legislation that significantly restricts what may be made secret under the section 10 notice, we can however all expect to be instructed to continue to use systems we consider compromised on pain of 5 years imprisonment.

I believe that the practical effect of section 13 will be to force the deployment of systems like IPSEC which defeat the intention of section 10 by ensuring that there is no persistent key to disclose.

Nigel [Hickson], even from your point of view this is a perverse outcome. May we look forward to a government-sponsored amendment to restrict section 13 to cases where there is a criminal conspiracy as described in subsection 13(6)?

Of course, reversing section 13 to *require* disclosure at the conclusion of an investigation is needed. But cynics would not have been surprised at the lack of this basic concession to HRA in a spook-sponsored Part.

Nicholas Bohm
I do not think section 13 makes it an offence to revoke a key or to issue a revocation certificates and a new public key to all and sundry. This conclusion seems consistent with view on which the Regulatory Impact Assessment is based.

No doubt it would be an offence to explain that this was the result of a compromise compelled by the service of a decryption notice (if that notice made itself into a secret). There will be awkward cases where a refusal to explain the reasons for a revocation leads to an inference being drawn that it results from a secret notice; but unless the legislation expressly imposes an obligation to tell a lie. I think it very unlikely that any such obligation would be implied.

This seems to make the service of a notice in respect of information "likely to come" into someone's possession unlikely to be useful, since by the time it does, it will have become less likely that it will be encrypted to the key handed over under the notice (if that is promptly revoked).

Brian Gladman
If I revoke my key because it has been compromised, I consider it part of my duty of care to my colleagues with whom I interact securely, to explain the circumstances of revocation so that they can assess any risks to their security posed by the compromise of my key. If I do not explain the circumstances of compromise they are in no position to make any such assessments.

So without explicitely stating that my key had been compromised as a result of the service of a decryption order, can I lawfully explain a whole series of compromises that might matter to them but which they need not worry about because they have not happened? If I do so it would be reasonable for them to conclude that the compromise had been the result of a decryption order. It hence seems to me that I would probably be taking a big risk in doing this.

But if I cannot provide this information one serious security consequence of this bill will be to introduce new security vulnerabilities by preventing effective assessments of the consequences of key compromise.

I must say that I find it amazing that, after all the educational effort that many have made, the government has still not done the simple and obvious thing of just requiring access to the decrypted information. It simply has no case for having the keys unless it has motives that go beyond those it claims.

Maybe someone in government can explain to me why the government needs the keys rather than the decrypted information? In other words, why are the two clauses in this part of the bill not the other way round - "give us this specified information in intelligible form or, if you prefer, give us the decryption key".

Nicholas Bohm
I think they still hanker after covert real-time access: they want your key so that thereafter they can read your associate's emails to you as they come in. Not likely to be effective if you revoke the key and publish the revocation certificate widely, including to your associate.

Malcolm Hutty
Would you reassess in the hypothetical case where the section 10 notice explicitly states "This notice concerns material intercepted and continuing to be intercepted under the Interception of Communications Act. You are not to do anything that may indicate to anyone that we are intercepting this material; specifically, you may not revoke the key"?

That's exactly my point; anyone who is surveillance conscious would certainly be suspicious of the unscheduled and unexplained revocation of a long-term confidentiality key.

Nicholas Bohm
Section 13 does not enable such a statement to have effect; it can do no more than require the keeping secret of the giving of the notice, its contents, and the handing over of the key or plaintext.

Malcolm Hutty
If creating this suspicion is not intended to be enough to amount to tipping off within the meaning of the Bill, then this ought to be made explicit; the converse is also true.

Nicholas Bohm
I agree; the limited (if obscure) privilege conferred on some key recovery software by section 13(3)(a) is objectionable on the same ground.

What disclaimers will work ?

Nicholas Bohm
I think you are compelled to say "I cannot tell you the reason, and cannot tell you the reason why I cannot tell you the reason." I do not see how that can be tipping off, since it discloses nothing.

These keys have not been the subject of any decryption notice under the Electronic Communications Act [2000]. If I cease to make this claim, section 13 of that Act may make it an offence for me to explain why.

Brian Morrison If someone said that to me, it would be absolutely clear that nefarious forces were at work. The lack of disclosure of information does not prevent me from inferring my own opinion of what that lack indicates.

Perhaps one could place a widely known rider on the revocation of one's key(s). "Should I revoke a key without explanation, correspondents may infer that I have done so due to a perceived need upon which I cannot comment". If that isn't enough for anyone, they deserve to have their mail read!

Nicholas Bohm
Hence no doubt the instant popularity of the answer so tellingly used in "House of Cards", "You may think that; I couldn't possibly comment."

All this assumes a knowledgeable enquiry about why a key has been revoked. The relevant knowledge is still only spreading slowly.

Denis Russell
Maybe we've stumbled into Gödel's Incompleteness Theorem as applied to legal systems:

"In any legal system that is complex enough that some laws refer to the law-making process itself, there will be some laws that are quite clearly self-contradictory, but cannot be proven to be so."

Back to the analysis of part III

Return to the Draft E-Commerce 1999 Bill Review front page.