Thursday, 12 November 2015

What privacy can we promise you?

Someone has asked me today to be careful what I promise customers, and he is right to be cautious, so I thought I would explain what we can and cannot do as an ISP.

For a start, private communications will always be possible. There are ways to send messages that nobody else can read - such systems exist, and can even be done using pen and paper.

But what if even that is made illegal, and nobody can even send encrypted data - well, there are systems called steganography, where the "noise" in something like an image or video is used to carry an encrypted message, and there is no way to prove that a message is there at all. There are even "plausible deniability" systems where you can hand over a key that produces the innocent message that was encoded, and again there is no way to prove that another message was hidden alongside it.

So, in short, normal people, and criminals, and terrorists, will always be able to communicate privately. That is a fact of life and mathematics. This also makes all of this surveillance crap a bit pointless.

But what about the Draft IP Bill? At this stage it is a tad hard to say for sure - as the exact details of what the "Internet Connection Records" will be are unclear. Here I am talking about the mass surveillance by ISPs part of the bill - there are also mass surveillance by GCHQ, etc, and targeted surveillance. However, at this stage encryption is not actually banned.

Up to now the logs could be from email servers, telephony, text, but not a lot else. Now they could be more - including logs from web sites, and maybe even logs from DNS servers. What is not clear is if an ISP would be required to deep packet inspect data as it passes and make logs of activity where there is no server involved in the ISP. We hope not, not least because that is hard and expensive.

However, the good news is encryption is not banned as such - what is clear is that you have to be doing the encryption yourself! If you rely on any third party to do it, perhaps even Apple, then the bill (as it stands now) could expect the third party to break or undo the encryption they are offering. There are apps for some phones, and of course a whole load of packages for PCs of all sorts based on PGP, which allow end-to-end encryption that you do control yourself. Bear in mind that the bill would allow hacking of your computer though, so make sure you have good firewalls and trust nobody, as anyone could be conscripted to get your data and do so secretly. My guess is that the safest O/S for this will be Linux, as there is no provider that can be ordered to put in back doors or break it "legitimately", and as such the hacks would have to be via vulnerabilities.

But back to what we can do as an ISP.

Let's be clear here - we do expect people to abide by the law - but also, it is none of our business what you do with your Internet connection. We are not your mum, or the police, and though we are not trying to actively impede them in any way, we just want to get on and do our job and that is all. We value your privacy and see no reason to compromise that unless someone comes along with a proper targeted warrant backed by a proper judicial process.

Obviously, with a suitable order, we can disclose subscriber details for an IP address, but we always stress that this does not identify a person or user, or even that the source of any IP traffic is in the premises and not spoofed, relayed, Tor, or the result of a virus, just in case the police officer in question is not aware of that! Indeed, a request for "user" details is always rejected saying we have no details of "users" - they have to resubmit asking for "subscriber" details to make this point really clear.

As for RIPA requests we have had? We have had a couple to find subscriber details of an IP, one of which was plainly a waste of everyone's time and not in any way criminal and just showed how stupid the whole process was. We have had a few for phone numbers to identify subscriber, but pretty much all of these are spoofed CLI so one of our numbers but not in use, or numbers that are not even ours, or numbers used by another telco from our blocks. It seems our customers are pretty good at not being targets of RIPA requests, and we'd like to keep it that way.

You can tell we are not keen on the mass surveillance aspects. So we want to find ways of avoiding them.

The biggest thing is that we have never been subject to a retention order, so no legal requirement to retain anything routinely for all customers. We also don't have any government "black boxes" to allow covert monitoring of anything in our network. Thankfully we are too small.

We do provide itemised phone bills, and those hang around - we are not sure of a tidy way to not keep them, as they are needed in any billing dispute. One thought was to send digitally signed call records on the bill, and then delete them - that way, if there is a dispute, you have to provide the call records, but we can validate that they are genuinely from us and unchanged. That may be a way forward for call records.
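As an added illustration of the signed-call-record idea above (example code, not A&A's own; the one-call-per-line record format and the use of Ed25519 keys are assumptions): the ISP signs the itemised records before e-mailing them, deletes its copy, and can later confirm that a bill a customer produces is unchanged.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// SignedBill is what the ISP would e-mail to the customer: the itemised
// call records plus a detached signature over exactly those bytes.
// Record format (assumed, one call per line): start,number,duration,cost
type SignedBill struct {
	Records   string
	Signature string // base64 Ed25519 signature over Records
}

// IssueBill signs the records with the ISP's private key. Once the bill
// is sent the ISP can delete the records and keep only the totals.
func IssueBill(priv ed25519.PrivateKey, records []string) SignedBill {
	body := strings.Join(records, "\n")
	sig := ed25519.Sign(priv, []byte(body))
	return SignedBill{Records: body, Signature: base64.StdEncoding.EncodeToString(sig)}
}

// VerifyBill is run when a customer produces a bill in a dispute. It needs
// only the ISP's public key, so a court could run it too. True only if the
// records are byte-for-byte what the ISP signed.
func VerifyBill(pub ed25519.PublicKey, bill SignedBill) bool {
	sig, err := base64.StdEncoding.DecodeString(bill.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(bill.Records), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample records, not real call data.
	bill := IssueBill(priv, []string{
		"2015-11-12T09:14:02Z,01632960123,00:03:41,0.12",
		"2015-11-12T13:50:10Z,01632960456,00:00:58,0.09",
	})
	fmt.Println("genuine bill verifies:", VerifyBill(pub, bill))

	// Editing a cost after the fact breaks the signature.
	tampered := bill
	tampered.Records = strings.Replace(bill.Records, "0.12", "0.02", 1)
	fmt.Println("tampered bill verifies:", VerifyBill(pub, tampered))
}
```

The ISP still has to keep (and ideally publish) the public key for as long as a dispute could arise, otherwise old bills can no longer be checked.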

We do have logs for things like email, but they are for diagnostics and support, and not kept for long. We don't log DNS. We'd like to not have any logs for any significant time other than necessary to help support technical issues.

What if we get a retention order? That is tricky. Assuming for a moment it does not mean deep packet inspection and creating new logs for Internet Connection Records, what of DNS logs, email logs, and the like? Well, we could move the key services we offer off-shore. Most things, like an email server or even a voice server, do not have to be in the UK to work. If done right, we could move all things that need logging to a jurisdiction that does not require logging. It would be tricky - we'd have to set things up as hands-off as possible, but these are services we could be paying a foreign company to run for us. We did wonder what the rules are for Isle of Man, for example, or maybe we keep it in the EU. We could even have the third party send digitally signed call records to our customer directly so we never have them, just sending us the totals for billing purposes.

The irony here is that at present, within a short time, a RIPA request could get some data out of us, especially itemised phone bills. But force us to record all data for a year and it may be that we have zero data to report. Whilst this will stop any fishing expeditions, or automated collection and collation of records on the public, it will impede some legitimate investigations - so maybe it is better to keep us on-side here and helpful rather than forcing our hand?

That said, you don't know what the law will end up doing, and it could be that we are expected to record data from deep packet inspection, or worse, that BT wholesale and TT wholesale are forced to. If that happens, then there is little we can do except repeat the tips on encryption, end to end, and in your own control.

We hope we don't ever get a retention order, and one aspect of the bill is that we can challenge it. The gagging order part is going to be tricky as it could try to force us to commit fraud, and that may be a stumbling block. I doubt the government want warrant canaries tested in UK law, so I would hope that alone means they avoid giving us an order ever. If they were tested and deemed valid, that could undermine gagging orders in many laws.

So, good luck to all in preserving your basic human right to privacy. We'll try and do our part on that.


  1. "We did wonder what the rules are for Isle of Man, for example, or maybe we keep it in the EU"

    I'm thinking Ireland might be quite good. They speak the same language (which makes explaining things to remote hands easier), there are plenty of datacentres in/around Dublin, connectivity both across the pond and back to the UK is good, and it's (relatively) inexpensive to get to quickly in person if needed.

  2. If your back-haul carriers were forced to record data from deep packet inspection would you be aware of the fact, given that they would presumably be legally prevented from revealing what they're doing? If not, then how can you be sure that they are not already collecting data?

    The possibility of a retention order on wholesale providers hadn't occurred to me until you mentioned it. Hopefully it won't occur to the technically illiterate politicians either.

  3. "We do provide itemised phone bills, and those hang around - we are not sure of a tidy way to not keep them as they are needed if any billing dispute. One thought was to send digitally signed call records on the bill, and then delete them - that way, if there is a dispute, you have to provide the call records, but we can validate that they are genuinely from us and unchanged."

    Judge: "So, Mr Bloggs, you're suing Andrews and Arnold because you claim they overcharged you for your phone calls. What evidence do you have of this?"
    Bloggs: "Actually, none. I never received a call itemisation and lots of money was just taken from my account."
    Judge: "OK. This should be easy to sort out. Mr Kennard, please could you provide the call itemisations?"
    RevK: "No. We delete them after e-mailing them to the customer and producing the invoice."
    Judge: "So you have no evidence of what calls were made and how much Mr Bloggs was charged for them?"
    RevK: "No. But we e-mailed them to Mr Bloggs, so he has copies."
    Judge: "But Mr Bloggs claims not to have received the e-mail. What evidence do you have that Mr Bloggs received it?"
    RevK: "None."
    Judge: "Then I find for Mr Bloggs and order the full amount to be refunded with costs."
    Bloggs: [wanders off singing "I'm in the money"]

  4. If you do get given a retention + gag order, I assume that you have no equipment capable of performing the required functions. If you were to put an order in for this kit with another company (say A&A Equipment Ltd.) is there anything stopping them from putting out a press release saying they have had a large order of surveillance equipment from AAISP? I assume the gag order wouldn't cover them, and they wouldn't even have knowledge of it. All they know is that you have purchased equipment from them...

  5. Hmm, I was hoping A&A would offer end to end encryption to a foreign country. Ie. I buy a Firebrick to do the encryption at my end, and my A&A internet then goes via an encrypted VPN to somewhere else who decrypt it and pass it on to the internet. If we're all expected to set that sort of thing up entirely by ourselves, then the uptake will be minimal and costs for doing it individually probably high.

    1. Well, basically, that is Tor, which is simple to set up and use. If we ran the encryption we could be subject to retention and intercept orders.

    2. But you could open an independent offshore company, whose only business is to offer persistent IPSec tunnels (along with perhaps a DNS server). That surely _would_ do the trick.

    3. Yes, but large scale IPSec is not simple - something to look into, though.

    4. I want this for all my traffic, not just web browsing. So Tor doesn't do the job, unless I've misunderstood it. Also I don't want something as complex and slow as Tor, it doesn't need to bounce around a lot of sites. A simple encrypted tunnel for all my traffic that exits outside the UK is all I want.

      The ability to add exceptions for certain devices in my house would be useful too, or some other way to exempt iPlayer and other TV catchup services. Otherwise they'll be geo blocked.

    5. Can't you do that with nothing but ssh -w (the tunnel device version) and a single remote host out there on the net to act as an ssh endpoint? (Assuming the user has something capable of running ssh -w, which, come on, a suitably capable device costs about £30 these days.)

  6. Another point, of course, is whether you consider looking at the source and destination addresses in the IP header to be "Deep Packet Inspection". They may well ask you to log all "unique" samples of IP headers, for example. (Whatever their definition of "unique" may be. Of course they wouldn't tell you how that would be feasible either. Just that you _must_ do it.)

  7. Why does this legislation annoy you so much? Just because the bad guys could potentially keep their conversations completely private, this doesn't mean that all communications by the bad guys they are after would definitely use encryption, or that the encryption couldn't be broken when required, so perhaps the proposed surveillance isn't as completely pointless as you believe.

    If the encryption used was standard TLS, then if the government was determined enough, it could easily break that today using a man-in-the-middle style attack, just like an SSL proxy like Bluecoat does for companies wanting to "secure" their corporate networks to scan the traffic going in and out - See They would only need to create fake certificates using a certificate authority recognised by the world's normal web browsers to make this work without being detected by most people.

    You are a technical expert and you understand clearly what can and cannot be intercepted and exactly what you need to do to maintain privacy and avoid man-in-the-middle attacks. I doubt that very many (if any) of the bad guys that the authorities are after will be as technically clued up as you are and often they will be as lazy as anyone else in the general public and will value the convenience and ease of use of modern (potentially insecure) communication technology over and above maintaining their own privacy of communications. It is the modern and easy technology that has enabled the bad guys to organise themselves more easily and efficiently than was possible previously, so is it any wonder that the authorities want to at least try and listen in?

    Furthermore, I suspect that most of the general public consider assisting the authorities to catch the bad guys as being more important than maintaining absolute privacy over their own communications data, which for most people probably contains nothing that much worth hiding anyway, especially if it is metadata they are after as opposed to data payload. And this metadata is often still valuable in an encrypted world, as you can still at least see who is communicating with whom, even if you can't work out what they are saying.

    In any case, as you have often pointed out, anyone, including you, can maintain the privacy of their communications through their own encryption mechanism using their own keys if they really want to and if it is important enough to them. It's just a whole lot less convenient to do so!

    1. There is a huge difference between assisting catching of a criminal and spying on everyone just in case they are a criminal. We have a principle of innocent until proven guilty - so spying on the innocent needs careful controls and oversight to be done on those genuinely suspected of a crime. We have a human right to privacy.

    2. Just because the government wants to use technology to help keep us all safe by helping them find evidence of serious crimes does not automatically mean we are all guilty until proven innocent! Far from it, the fact that it is mass surveillance means that they know that almost everyone they are observing is innocent. The government is just using technology to efficiently sift a big stack of data, to help them find the proverbial needle in a haystack and produce the genuine evidence needed to either protect the public and prevent atrocities or to use in a court of law to help secure a sound conviction.

      In any case, effective individual privacy for the good guys is still almost entirely maintained despite mass government surveillance, in that the data they collect is not simply "published" for anyone to see / use and should only be used to help our governmental authorities find genuine evidence of serious wrongdoing. I agree with you that use of this data does need to be very carefully controlled, but the fact that this is such a sensitive issue should hopefully mean that it is. I would be much more sympathetic to privacy campaigners if and when they can highlight actual inappropriate use of mass surveillance data.

      What sort of breaches of privacy are people really worried about? Well, if someone steals your personal data and publishes it to the world (think Prince William and press photographers publishing photos of him and his family in private moments with long telephoto lenses) or uses your personal data to harm you in some way (e.g. if someone stole your customer list / contact details with the intent of trying to poach all your customers later), then you clearly have a breach of privacy which most members of the public would consider to be completely unacceptable.

      Whilst in a theoretical ideal world we could have absolute privacy, in the real world, there is a practical trade-off to be made between a very modest loss of privacy (which does not result in any normal law abiding citizens suffering any real world harm at all) and the much larger and more important role of government in keeping society safe and secure and facilitating the collection of genuine evidence to achieve sound convictions.

    3. Yes, it is a trade off, but eventually you have to be pushing one step too far, and I feel that mass surveillance like this is one step too far.

  8. So how are those "black boxes" - it seems a while since you denied having any?

    1. We have never been subject to an intercept order or maintenance of capabilities order or data retention order, and as such have now "black boxes".

  9. I hope 'now "black boxes"' is a typo for "no black boxes"

    1. FFS yes, "no 'black boxes'" - my bad!