On Twitter: @JamesFirth and @s_r_o_c (post feed)

Got a tip? tip@sroc.eu



Monday, 2 April 2012

Government internet snoop plans in a small a nutshell as I can manage


Communications Capabilities Development: Mass Internet Interception and Surveillance Programme

Yesterday's announcement on the Government's new internet snoop plan (a re-hash of something Labour twice tried to introduce under the title 'Interception Modernisation Programme') comes as no surprise to me, since I broke the story last year on 10th December.

To explain what the government is trying to do you need to know 3 things:
  1. Information about electronic communications are by UK law separated into 2 categories. Traffic data and content.  Traffic data is defined in the Regulation of Investigatory Powers act as information such as who you're communicating with, for how long, etc, plus location data. The content of communications is what you're writing or saying. 
  2. Government, police and even local authorities (although a magistrate will soon have to approve for local authorities) can access 'traffic data' records from your telephone or internet service provider without a warrant. Requests are signed-off by a mid-ranking officer in the force or department making the request.
  3. Access to content is harder and requires an interception warrant ultimately approved by the Secretary of State, police Chief Constable or a few other designated senior authorisation officers.  All authorisations are overseen by the Interception of Communications Commissioner
In a nutshell, the Communications Capabilities Development Programme as described to me will have the effect of downgrading content into traffic data, thereby allowing the government, police, security services and local authorities to milk far more private information from our internet activities without need for a burdensome interception warrant.

'They' want to know who we're talking to, when and how often, to keep us all safe. 

The problem for the UK government is that we're all talking to people using a wide range of platforms which include e.g. overseas email services, non-UK gaming platforms, social media, whatever.  Unless these companies cooperate, the UK government can't get what it sees as traffic data from them.

Traffic data is a legacy concept not for the internet age

Confusion comes about because traffic data is a legacy concept not fit for the internet. When telephone networks were computerised in the 70s and 80s suddenly a lot more data was available to law enforcement.  

This data was captured for genuine purposes (billing) and it seemed reasonable that the police could access these records. Whether or not they should be obliged to seek a warrant from a court to access this data was a hot debate when the Regulation of Investigatory Powers Act was drafted in the 90's and very early 00's.

The internet messed up the neat distinction between traffic data and content.  To my ISP the traffic data is simply my computer talking to Yahoo! servers. To Yahoo! the traffic data is whom I'm sending my email to.  Similarly for direct messages on Twitter, Facebook or any other messaging service.

Moreover my ISP has no genuine reason to store this information since it is not billing me per visit.

Because law enforcement had relatively easy access to such data from telephone networks for a relatively short time - around 25 years from the mid 1980's to now, when many people rarely use phones to make a voice call - it wants this capability back.

Turning content into traffic data

The proposal is essentially to install a new network of 'little black boxes' (on top of the existing network used for what is known as 'directed surveillance').  These boxes will scan all internet activity to look for what government lawyers believe can be disclosed as traffic data.

These boxes will use an algorithm to perform the intrusive surveillance, but only output what the government claims is the less-intrusive part.

But as our use of communications technology has evolved, even traffic data is now incredibly intrusive. We interact many hundreds of times more each day, but say less; and the traffic data says so much more about our personal likes and dislikes: the websites we visit, where we shop, which films we view.  It's time to rethink the legal distinction, not invent technology to get around the existing legal safeguards.

I'm also hearing very worrying noises from Conservative party sources. Once installed, these boxes could be re-purposed - given an appropriate act of parliament - to implement secret blocking orders against overseas websites.

My source claims these blocking provisions could be enacted late on in the development of the Communications Bill around 2014.  Such moves will be seen as more palatable if the cost of installing the technology was already borne by earlier legislation.

As for the surveillance aspect there's already a spanner in the works as, since this plan was formulated 5 years ago many websites such as Facebook, Twitter and Gmail allow access via secure HTTPS communications.

The government used to have in theory had the capability to monitor HTTPS (clarify: by exploiting  procedural weaknesses in the SSL certification chain), although not without potentially alerting a tech-savvy operator. Moves by Google and Mozilla to rethink who we trust to issue SSL certificates will thwart this particular man-in-the-middle attack vector but that doesn't mean there aren't others.

My biggest worries are that this approach to scan and interpret the content of our communications will be open to abuse, will yield results for only minor offences and mid-level criminals, will place an emphasis on capabilities-based policing when what the internet sorely needs is a community or consensual-based approach to policing (as any good neighbourhood cop knows), will lead to a costly arms race as new services launch that attempt to evade monitoring, and will create a security back-door for our entire communications network that ultimately will reduce not improve our cyber security.

Part 2: we must not allow the government to back-door our entire communications infrastructure.

@JamesFirth

3 comments:

  1. The government have had these plans for a long, long time now, and you can't blame the current administration entirely for their strange eagerness to pursue this insane proposal - they only voiced opposition to the plans so as to draw voters away from Labour while Labour held the reins of power; a move in a political game of chess, nothing more. Since we've discovered that both parties basically eat at the same trough, it's become clear that the Ministers had no real plans to shelve this project at all, did they?

    We all now need to get tech savvy here, upgrading our internet connections, anonymising our access to the web and avoiding posting sensitive data to Google and Facebook. Also, if you have access to a service which provides secure emails outside of the ISP services and the public email accounts such as Hotmail, Yahoo Mail, Gmail etc., sign up for those accounts.

    All legitimate users of the internet, myself included, have a right to privacy and to enjoy conversations free from snooping by a judgmental, paranoid, terrified government that knows it has pushed too far and that expects a backlash any day now.

    ReplyDelete
  2. Unfortunately the people who still manage to trust the government and police will say that if you have nothing to hide why hide it. The answer is plain and simple to most normal people - who you send xmas cards to, what you twitter about Strictly Come Dancing, the colour of your boxers, or opinions about train timetables, to take a few example,s are all private and should only be available to who you choose even though they are of no real consequence.
    The up-side is that the government and police will end up with data overload and won't be able to see the wood for the trees and as Alex, the previous poster said, security will inevitably deteriorate.
    Britain is getting overloaded with snooping; from excessive CCTV to street mounted car registration, and even face recognition, cameras.
    It's time the government, police and local authorities understood that they are our servants and what we do 'upstairs' whilst they are 'downstairs' is none of their business.

    ReplyDelete
  3. With whom have the Home Office officials responsible for/involved in this bill exchanged communications, at what times and in what numbers?

    No _content_ involved there, but I suspect they would claim that this information must be kept secret, as part of the war against %_BADTHING.

    ReplyDelete

Comments will be accepted so long as they're on-topic, do not include gratuitous language and do not include personal attacks or libellous assertions.

Comments are the views of the commentator and not necessarily the view of the blog owner.

Comments on newer posts are not normally pre-moderated and the blog owner cannot be held responsible for comments made by 3rd parties.

Requests for comment removal will be considered via the Contact section (above) or email to editorial@slightlyrightofcentre.com.