Tuesday, 27 January 2015

SnoopersCharter is already out of date

Watching the debate yesterday did raise a few interesting points. One is that it is taking a long time to get in to place something to fill a supposed "gap" in logging of communications data (hence the proposed amendment to re-introduce the Data Communications Bill). Another is that a key problem with the snoopers charter is that it tries to be far too broad in order to allow for new technology without having to keep making new laws. This means far too much ends up in scope.

However, being in technology, I (and many others) can see that even with such wide scope it is already out of date!

It relies on some basic concepts which are changing, and have changed in some cases :-

That there is a communications provider, and one that is in the UK

The bill takes steps to impose conditions on communications providers. It would be impractical to try and impose these on every end user, and would also defeat the point if those end users are the very people you are trying to monitor.

The problem is that there are increasingly not a communications provider at all. In most cases there is, at a low level (copper wires, radio waves) a provider, but they are not providing the communications that you want to monitor. It is a bit like modems - the only communications data for any Internet access back then would be that you called your ISP for X minutes. Well, the Internet is the medium by which we communicate now, and you can use layers and layers. A communication (a message) may be sent as part of the content of something done on a web site, so all you log is that someone accessed the web site, and not that using that web site they sent a message to someone else. In that case the web site operator is a communications provider of a sort, but may not be in the UK. Things like TOR complicate the matter even more - its is a "network" with no providers.

But there are things where there is no communications provider even at the low level - mesh networks. With so many people owning wifi equipment it becomes possible to create networks that work via your neighbours wifi and create a whole Internet with no actual "provider" involved.

So making laws that impact communications providers only really works whilst they exist at the level you wish to monitor.

That there is a sender and a recipient

This is a pretty fundamental assumption in the legislation, and already is not always the case. A tweet is public, and whilst people may follow some people, they can just see tweets anyway and search for them anyway. If I post a tweet, who is the recipient? Do we try to work out who it was aimed at in some way, or just say it was sent to 1000 people (my followers). What if it is then retweeted to a million people - who sent the "message" and who was it to?

That the communication is a message

Again, this is ingrained in the legislation - but a communication could perhaps be clicking "like" on a FaceBook post. Again, who is that communicating to, and what is the message?

That you can separate envelope from content

This is also fundamental as the government quite rightly feel that snooping on everyone's content (opening everyone's letters) would not be acceptable.

The problem is that it is no longer easy or even possible to tell the content from the addressing information. What is the "content" of clicking "like"? What if I tweet and include the string @xkcd in that "message"? Is that "content", being within my tweet, or is it the address, being that it would be shown to Randall if he ever logged in to twitter.

There is legislation saying, for example, that no part of the content of an email shall be logged, but they want logging of the addressing. So if I included in the content of the email my email address does that then stop that address being logged, as it is also a part of the content?

Even talking of "weblogs" they are specifically talking of URL up to first slash (which is entertaining as that is "http:/") but they basically mean logging the hostname part. That is fine until you realise that lots of web sites are in fact Facebook.com/somecompany, or someproxy.com/realwebsite, so you are not in fact logging the "site" being visited. Future changes to https may ensure that even the hostname cannot be logged.

So, I suggest that even now, the snooper's charter is already out of date for its stated purpose (as well as being technically impossible and immoral)

Update: The four horsemen (I mean Lords) are trying again http://www.bbc.co.uk/news/uk-politics-31062757


  1. Https doesn't really stop the hostname being blocked anymore as most browsers use SNI. This involves them sending the host as part of the TLS handshake so that the server can send the correct certificate back (in the case where one server hosts multiple SSL sites)

    1. Are you sure? I thought that was done after DH negotiation which you could only MITM and hence read if you then broke the subsequent session. I may be wrong.

    2. No, SNI is definitely sent in the clear. In fact there's a discussion on the IETF TLS WG mailing list about whether it would be feasible to encrypt SNI for TLS 1.3.

      If you doubt this, open Wireshark and try connecting to any website via HTTPS.

  2. Given the lack of technical knowledge, as I'm sure many of us who followed the debate in the Lords noticed, I wonder if there's an opportunity here to help educate our political representatives.

    I wonder if we (as an industry - or even a concerned group within that industry) could perhaps produce a bullet point list, in easily digestible English, that we could offer to legislators to help them understand the issues involved.

    It won't stop them enacting legislation, but if it makes them even a few percentage points better informed when they're debating this stuff, it's gotta be worth a try.

  3. Matthew is correct. SNI happens during the initial stages of the TLS/SSL handshake as it is used by the server to select the correct keys and certificate to use for the connection when a Web server is running multiple virtual sites in different domains (so a wildcard cert can't be used).

    In TLS, DH is used to provide perfect forward secrecy for the symmetric encryption key. It still requires the server to first select and transmit a certificate to the client. Either the certified public key itself is the server's DH key (static DH) or the server generates an ephemeral DH key dynamically which is then signed using the server's private RSA key (and therefore verified by the client using the certified public key obtained from the certificate the server supplied).

    Also the certificate itself, which will usually have the server hostname as a subject or SAN is sent to the client in the clear, so this is another way to infer the hostname.

    In either case, for HTTPS there's no guarantee that the URI that ends up being requested via HTTP over the TLS connection uses the same hostname.

    This is basically how application-aware firewalls (eg Palo Alto) can identify and log every application that is being used without doing MITM decryption. There is enough info in the clear text part of the TLS handshake (SNI and certificate).

  4. Reading through what they want service providers to store, I don't think they have a clue about what they want.

    They talk about several specific cases, and I can get my head around them:

    IP address A logs in and posts a message. IP address B, C, D. (You can log in from multiple places and read a message) read it. Along with date and time etc.

    Now since a lot of facebook messages are public, or semi-public, you obviously need to record every IP address that read it, as you don't know who the actual intended recipient was. One method bad people may employ is to have a dummy account that is nobody's, then they communicate via this persons profile, rather than direct to each other.

    You probably need to store who observed a like on a photo or post. In fact, looking at a photo is a communication. There could be all kinds of information recorded into it.

    Twitter would work very similarly. Snapchat and whatsapp I've never used, but I imagine its similar to twitter.

    Where I think things really come unstuck is what about the services that are smaller in user base? IRC for example. Is this covered under the regulations? One would assume it is.

    What about the OpenTTD server I operate for friends (I don't really, but I could...)? I believe there is a chat system in there, so I presumably would need to record that, but you could write out messages in road or tracks etc.

    In fact, Minecraft is infinitely more popular, and something similar would be possible there. Are the game server operators supposed to record the IP addresses and dates of when someone makes a change to the game at location (X,Y,Z) and then the IP address of everyone who visits that location in the game world?

    Then there is the entirely more plausible scenario of someone creating 'Terrorist Chat' which is a P2P fully encrypted service, so there is no central server where this information can be logged. This wouldn't be a very difficult system to create, but how are the government going to eavesdrop on that?

    Communication is such a nebulous term. Logging the information (I think) they want is just not simple. Sure, legislation could target the facebooks, and twitters, define exactly what for each of these services needs to be logged and ignore the smaller services. Problem being the bad guys will just move to the smaller services.

    I see so many problems with them trying to get what I think they want without even tackling the issue of people masking their IP address, or trying to establish who behind a home CPE NAT actually made the communication.

    I see something getting introduced at some point. They will keep trying and trying until they get something through to give them the 'information' they need. The problem is the bad guys will immediately change how they communicate to avoid the logging.

    They are in dire need of actual matter experts to consult, and help them out with legislation. I'm sure there is lots of other legislation where I don't have as much knowledge in the subject area that gets passed, and is also completely useless. Is it time for a reform on how the politics in this country are ran?