Wednesday, 4 November 2015

Working with ISPs

MPs, talk to me about the Draft Investigatory Powers Bill.

In all seriousness, I run an ISP and will talk frankly on these issues, but I also have a much deeper understanding of the technical aspects than most CEOs you will talk to. I actually wrote the routing code in AAISP's core router and can pull an IP packet apart by hand. That said, I run a multi-million pound company and have to take a pragmatic view on things as well.

So, cards on the table, where do I stand?

1. I think the mass surveillance (logging internet connection records) is crazy and it would take a hell of a lot to convince me otherwise, but you are welcome to try. The issues include (a) invasion of privacy (b) scope for abuse and thin end of wedge (c) cost and work for ISPs (d) risk of data theft (e) pointlessness as serious criminals will use TOR, etc. Even emotive arguments over lost children do not work as all you find is that they were on Facebook or using WhatsApp, same as every day. Remember, you only got itemised phone bills because telcos wanted to collect that data for themselves - this is very different.

2. I think targeted surveillance of serious criminal suspects is, in principle, not so bad. It does need safeguards, transparency and accountability. There are also a lot of technical aspects that need addressing still.

3. I am not really sure about bulk surveillance that GCHQ does. I'd need to understand more, and how relevant it is in the increasingly "encrypt everything" age to which we are moving.

But I can help with some useful views on all of this, and technical insights, and I know they do some nice food in the House of Commons :-)

This is an open offer - call the A&A press office if interested. Happy to talk to groups or committee, but also happy to talk to individual MPs that just need to understand more about how Internet stuff works - I even do courses on this stuff.


  1. Having just read it, as I mentioned on Twitter more briefly, I have a nasty feeling they have failed to grasp the difference between circuit switched and packet switched networks - or perhaps, more cynically, want to exploit MPs' ignorance of this.

    A telco inherently "knows" that I established a call to 1571 now, then disconnected that 37 seconds later, because establishing and tearing down calls is a signalling function within their network. Hanging on to that record for later use is just a case of storing some piece of information that got created anyway. That, I'm sure, is what MPs - and journalists, and others - will have in mind as they contemplate these "Internet Connection Records". (OK, for regular numbers the switches might ignore the last few digits for routing lookups - but porting removes much of that these days doesn't it?)

    Perhaps it would help to document and explain in layman's terms that when we route an Internet packet, there is no such thing as a "session" and that the routers never see a name: they see an incoming packet which must go to 8. - and probably stop there, because that's enough of the address to identify the destination as Level 3's network: it doesn't matter to you whether or not that happens to be the famous server of Google's, that's Level 3's problem.

    Perhaps we should also make a point of asking how they're getting on with having Royal Mail record the destination and origin of all our incoming and outgoing mail? After all, there's far less of that, processed much more slowly, so that should be a much easier job to track surely? (Not to mention having a more analogous routing system: Royal Mail see my letter to my Korean pen-pal and don't care where in Pyongyang 4321 Dear Leader St is, or even where Pyongyang itself is, they just stick it in a bag of stuff going to North Korea and forget about it - so trying to record all that would be more of an extra effort.)
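
The forwarding decision the comment above describes, as an added example that is not part of the original post or its comments: a router pulls the IP header apart, picks the longest matching prefix and keeps no state, so no name or "session" ever exists to be logged. The routing table, next-hop names and addresses are constructed for illustration.

```python
import ipaddress
import struct

# Constructed forwarding table: prefix -> next hop (hypothetical names).
ROUTES = {
    "0.0.0.0/0": "default-transit",
    "10.0.0.0/8": "peer-A",
    "10.9.0.0/16": "peer-B",
}
TABLE = [(ipaddress.ip_network(p), hop) for p, hop in ROUTES.items()]


def build_ipv4_header(src, dst, proto=6, payload_len=0):
    """Constructed sample input: a minimal 20-byte IPv4 header (checksum left 0)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


def parse_ipv4_header(raw):
    """Pull the fixed header apart; these fields are all a router is given."""
    (ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return {
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
        "proto": proto, "ttl": ttl, "total_len": total_len,
    }


def next_hop(dst):
    """Longest-prefix match: the most specific covering route wins."""
    matches = [(net, hop) for net, hop in TABLE if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def forward(raw):
    """Per-packet and stateless: no name, no session, nothing remembered."""
    return next_hop(parse_ipv4_header(raw)["dst"])


if __name__ == "__main__":
    for dst in ("10.20.30.40", "10.9.1.1", "192.0.2.7"):
        pkt = build_ipv4_header("192.0.2.1", dst)
        print(dst, "->", forward(pkt), sorted(parse_ipv4_header(pkt)))
```

The packet to 10.20.30.40 is forwarded on its first octet alone, and nothing in the parsed header identifies a site, a user or the start and end of a "connection".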

  2. "I also have a much deeper understanding of the technical aspects than most CEOs you will talk to"

    That just says you're not One Of Them and are *technical* thus are beneath contempt, one of the "little people" who should just do what the proper arty types running the country tell them to do.

  3. Oh Adrian, please make this offer to the news broadcasters. The coverage I've seen completely missed the "only very very stupid criminals who can't use Google to find a simple way around the monitoring" will get their collars felt.

  4. I would say that it goes beyond "pointless" (e) and well into "counterproductive". In days gone by, not a huge amount was encrypted and there wasn't much talk about spying, so:
    1. Many criminals wouldn't encrypt stuff, so targeted surveillance would provide useful information.
    2. Encrypting stuff might have actually served to draw the attention of the authorities since it potentially indicated you were up to no good.

    Mass surveillance has, and will continue to, push *everyone* towards encrypting everything. This is good for an individual's personal security, but bad for the authorities. If everything is encrypted, even targeted surveillance is going to be useless. And if everyone's encrypting everything, encryption is no longer a sign that you might be "up to no good".

    I can't help but think that bulk surveillance has bought the security services an extremely short term advantage right before making life extremely difficult for themselves. I can make a comparison to MAD - you've just shot your nukes at the enemy and are celebrating victory, having wiped your enemy out. But the celebration is short because your enemy's retaliatory nukes are in flight and will soon make things very difficult for you.