Wednesday, 4 November 2015

Draft Investigatory Powers Bill

Snoop on everyone just in case!

The draft bill has been introduced today and it is quite big, and will take some time to address all of the concerns. Do see Neil's comments as well. Here are just a couple of the concerns so far...

ISPs to generate new data and retain it!

At present it is possible for an ISP to be subject of an order requiring retention of certain data which it processes. This is data the ISP has, and it simply means the ISP has to keep it for 12 months. Thankfully AAISP has never been subject to such an order.

The new scheme seems to require an ISP to actually generate new data, "Internet Connection Records", which means logs of the IP addresses and connections. This is a huge step: as an ISP we do not have that data, or the equipment to generate or retain it.

That data is also potentially very sensitive communications data - including details of every web site or service you ever access. Yes, the specific page on www.ashleymadison.com will not be logged, but the site you accessed would be.
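To make the "site but not page" distinction concrete, here is an added example (not from the original post, and not anything A&A runs) that reduces constructed sample traffic to site-level records: the request path and query string are discarded, but the host is kept, and where neither a Host header nor TLS SNI is available only the destination IP survives. The record layout, field names, hostnames and addresses are all assumptions; the bill defines no wire format for an ICR.

```python
"""Added example (not from the original post): what an Internet Connection
Record (ICR) would and would not hold, using constructed sample traffic.
The record layout, field names and hostnames here are assumptions; the
bill does not define a wire format for ICRs."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class FlowEvent:
    """One observed connection from a customer line (constructed sample)."""
    ts: str                             # ISO 8601 timestamp
    customer: str                       # account / line identifier
    dst_ip: str
    dst_port: int
    http_request: Optional[str] = None  # request line + headers, plaintext HTTP only
    tls_sni: Optional[str] = None       # server name from TLS ClientHello, if any


@dataclass(frozen=True)
class ICR:
    """Site-level record: which service was contacted, never which page."""
    ts: str
    customer: str
    dst_ip: str
    dst_port: int
    service: str   # hostname where recoverable, otherwise the bare IP


def host_from_http(request: str) -> Optional[str]:
    """Return the Host header of a plaintext HTTP request, ignoring the
    request path and query string entirely."""
    for line in request.split("\r\n")[1:]:       # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "host":
            continue
        value = value.strip()
        if value.startswith("["):                 # IPv6 literal, e.g. [2001:db8::1]:8080
            return value[1:].partition("]")[0].lower() or None
        return value.split(":")[0].lower() or None
    return None


def to_icr(ev: FlowEvent) -> ICR:
    """Reduce a flow event to a site-level ICR.  With no Host header and no
    SNI (non-HTTP traffic, or TLS without SNI) only the IP survives, which on
    shared hosting identifies a machine rather than a site."""
    service = ev.dst_ip
    if ev.http_request:
        service = host_from_http(ev.http_request) or ev.dst_ip
    elif ev.tls_sni:
        service = ev.tls_sni.lower()
    return ICR(ev.ts, ev.customer, ev.dst_ip, ev.dst_port, service)


def build_icrs(events: List[FlowEvent]) -> List[ICR]:
    return [to_icr(ev) for ev in events]


def services_visited(icrs: List[ICR], customer: str) -> List[str]:
    """Distinct services one customer contacted: the 'list of web sites'
    that the post describes as valuable to criminals and marketeers."""
    return sorted({r.service for r in icrs if r.customer == customer})


# Constructed sample traffic for one line (hostnames and IPs are placeholders).
SAMPLE_EVENTS = [
    FlowEvent("2015-11-04T10:00:00Z", "line-0001", "203.0.113.10", 80,
              http_request="GET /forum/thread/4471?page=2 HTTP/1.1\r\n"
                           "Host: www.example-forum.com\r\n"
                           "User-Agent: example\r\n\r\n"),
    FlowEvent("2015-11-04T10:01:30Z", "line-0001", "198.51.100.7", 443,
              tls_sni="Support-Group.example"),
    FlowEvent("2015-11-04T10:02:15Z", "line-0001", "2001:db8::1", 22),
]

if __name__ == "__main__":
    for rec in build_icrs(SAMPLE_EVENTS):
        print(rec)
    print(services_visited(build_icrs(SAMPLE_EVENTS), "line-0001"))
```

Two things the paragraph alone does not show fall out of running it: even with every path stripped, `services_visited` still yields a per-customer list of sites that is sensitive on its own, and the third event (no Host header, no SNI) leaves only an IP address, so on a shared host the record cannot say which of the sites on that machine was contacted.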

Again, the scheme is based on an order to an ISP to retain data, so it may not extend to all small ISPs. The bill also provides options to challenge any such order (73), including challenging it on the likely cost and other effect of the notice on the operator (72). At A&A we are proud to state that we have no government snooping equipment, nor anything to collect and retain this sort of bulk data in our network. We have even made it a contract term that we will give 12 months' notice if we start doing this. Such an impact on our business must be considered as part of any order, as well as the proportionality and benefits of such an order.

Of course the bill makes it a duty not to disclose the order, so it would be interesting to ask what they want me to do when asked if we are subject to such an order. If you ask now I say no, we are not subject to an order. What is a concern is that, because the orders are secret, nobody knows what is actually being logged anyway!

Yes, they are talking about all sorts of safeguards on who can access this stored data and which data they can access, but that does not stop the fact that there is snooping in the first place.

There is a new definition of "content" of communication (which is not to be logged). It relates to the meaning of the communication itself. This could allow for deep packet inspection to unwrap L2TP, PPP and so on in back-haul carriers and so allow this monitoring to be done in BT or TalkTalk. One wonders if end users will be able to send DPA subject access requests to BT to get a copy of all such retained data.

But let us be clear - this is mass surveillance on everyone and holding that sensitive data in private companies (ISPs). With the recent Talk Talk issues, you can see that this is a concern. The data, even if just a list of web sites you have visited, is valuable to criminals and even marketeers! It will encourage much more sophisticated attacks, even infiltrating staff at companies, to get the data that the law will make ISPs retain.

And, of course, there is a cost to retaining all of this data. It is not a small amount.

iMessages safe?

The bill does not outlaw encryption or end-to-end encryption; it just leaves things as they are now, where a communications provider asked to intercept is expected, where possible, to provide data in an unencrypted form. Apple, outside the UK, do not have to take any notice of such a law, but if they wanted to they could change the keys on iMessage for an individual so that they can intercept. No idea if they would do so.

However, there are end-to-end encrypted messaging apps which do not make use of a communications provider's systems other than to pass the encrypted data, and such systems will clearly be both legal and safe. So if you respect your privacy (or are a criminal) you simply use such systems and the new law will not be an issue for you.

Will it get through?

The data retention directive was kicked out because it required logging of non-criminals' data, so we can only hope this will fail too, but who knows. Talk to your MP!!!


Update: Best tweet I have seen on this:

19 comments:

  1. Given that a lot of web sites exist on the same machine as others, for instance a.www-server.co.uk, there is going to be a lot of useless data for the spooks to sift through, and if, say AAISP happen to be hosting a site for Terrorists-r-us.co.uk, anyone visiting any site hosted there is a potential suspect.

    I'm also wondering what happens when IPv6 addresses are fed into the government's systems; they haven't exactly gone out of their way to embrace the present.

    Also, do they want the data at individual host level, or just target network? Some sites are served by multiple hosts in a network. Note to Theresa May: today I have accessed many systems in 0:0:0:0:0:ffff::/96 which contains quite a lot of known terrorist sites.


    (Notes that terrorists-r-us.co.uk is unregistered, but fully expects it to be hosted by aaisp shortly ;-)

    1. They could order logs of DNS lookups too I think, or extracting the host name from the packet. The actual orders can almost ask for anything, and they are secret!

    2. Indeed, DNS could easily be a target, and is probably easily snoopable upon in the BT network even without the ISP's cooperation.

      Any plans to deploy DNScrypt ( details https://www.opendns.com/about/innovations/dnscrypt/ ) or similar?

  2. Have you seen the aptly-numbered Section 101 yet? It's in the section about hacking... (I'm sorry "targeted equipment interference")

    If I'm reading it right (and I may well not be) it seems to suggest a legal duty on communications providers to help the government hack people.

    If so, I wonder if it might end up being the death-knell for the UK tech industry. No-one would ever trust anything made here again.

  3. What is regarded as a CSP? Anyone providing any internet traffic, being an ISP or transit provider? So would my communication be logged by my ISP, its transit traffic provider, and then, if the host is located in the UK, again by the host's pipe provider?
    This would massively duplicate records (and be mostly useless for users behind CGNAT) but would impact plans to VPN everything to a host in a different country if at any point my traffic comes back into the UK.

    1. Sect 193 is so wide in what a "communication" and a "telecommunication service" are that it sounds like roughly any entity in the UK is potentially a "communication service provider".

      Wondering how much the government is ready to fork out for records keeping?
      I can see myself providing communication to my children's WiFi AP and charging the government.

      But that would put me in a strange legal position: as a parent I should be able to check my children's internet habits, but as a "communication service provider" do I have the right to snoop on my user data? Will I have to send a SAR to myself? Will the government cover the cost of such a SAR?

    2. I would be more worried if I was a pub/hotel/cafe offering a free wifi service - typically it is a case for reading the wireless network key off a sign, or asking for it. The upstream ISP will have records, but the site itself will not be able to determine which of the many thousands of people made particular DNS lookups / accessed particular websites as these hotspots are typically a standard home router.

  4. I'm not going to read the actual bill, just the guide (too much legalese for me), but there is one section (at least) which contradicts itself:

    "45. An ICR is not a person’s full internet browsing history. It is a record of the services that they have connected to, which can provide vital investigative leads. It would not reveal every web page that they visit or anything that they do on that web page."

    But then later on...

    "Why do we need them?
    46. ICRs are vital to law enforcement investigations in number of ways. For example:
    ....

    To establish whether a known suspect has been involved in online criminality, for example sharing indecent images of children, accessing terrorist material or fraud"

    That isn't possible from the "ICRs"... is it?

    The bit a little bit later on that section that mentions there being around 800 paedophiles they can't do anything about because they don't have the powers to investigate winds me up, especially as earlier on they cited the Ian Watkins case using existing powers to convict him, and others involved. If you know about 800 people why can't they use targeted methods to get their data? I would be behind that!

  5. The guide is actually incredibly unclear and in places contradicts itself and the bill.

    The proposed bill is the interesting reading here, really.

    1. This was meant to be a reply to Dave above.

  6. Would this apply to AAISP customers based outside the UK?

    1. We don't do connectivity outside UK

  7. Have you made any estimates to see how much storage 12 months' worth of every customer's connection logs would mean?

  8. Could you and the other ISPs effectively kill this by setting the charge for doing the logging and storage so high that it's unaffordable?

    1. Well, you don't have to contrive that really. For an ISP that forces a proxy (as some mobiles may do), it is retaining some existing logs - big job, but not silly. For ISPs that shift packets, like us, it would be a nightmare of DPI to extract Host: fields in http or something and really quite complex and expensive.

  9. If I use an encrypted VPN tunnel that I encrypt in my house and that exits in a foreign country, surely there is no way for any of this to affect me? The ISP or BT can't decrypt my private end to end VPN encryption.

    1. Correct, and anyone smart enough to be a "serious" criminal will pay a tech to make that so for them too.

    2. Not much to pay.... Open a free tier Amazon Web Service account, terminate your favorite VPN tunnel on a tiny instance located outside of UK.
      But I wouldn't be surprised if, when they look at your ICRs and see IPSEC (or another VPN), they might "ask" your ISP to route that traffic via GCHQ for storage (at least); that's probably part of the "facilitate interference" bit of the bill.
      But that once again only concerns honest citizens that care about their privacy.
      Steganography being the way to go if you want to pass information discreetly (but that's a notion that either Theresa May can't grasp or, more likely, is sure the vast majority of the public won't know).
