Friday, 15 April 2016

Is this why we need to spy on every citizen on everything they do in their home all the time? #IPBill

This is one of the examples from the National Crime Agency as to why we need the IPBill and automated filters to search a huge distributed database of everything everyone does on-line in the UK.

This really does show how invasive this will be if allowed to continue into law. It is quite shocking. This is police state gone mad.

There are so many things one could say about this terrible example, I don't know where to begin. But here are just a few of the issues.

  1. Firstly I am surprised it is reported to the police as it would very quickly become apparent that the emails in question are not from who they claim to be, and the recipients just put them in their spam folders and never see them again. Even so, this is some kid being naughty. It is not on, I agree, but does it really justify an expensive police investigation?
  2. If it was reported to the police, would they actually do anything to investigate? I would suggest not - we simply do not have the resources in the police to handle such trivial cases. It is a sad state of affairs I know, but the police are under enough pressure as it is. I seriously doubt the case would get any attention. Problems like this go away if ignored (it looks like they stopped after two weeks anyway), so even more likely to get no urgent attention.
  3. But seriously, if the sender is smart enough to use a Russian anonymising service, they probably are not going to get traced by this - for a start the service would probably be using https on a generic cloud based platform, or several of them, where the IP is shared with loads of other generic services and is changing all the time.
  4. Also, the service would almost certainly suggest ways to be less traceable, using wifi in a coffee shop, using Tor, and maybe even offering delayed sending of emails so you can be in the room when the email arrives, removing any suspicion from you and screwing with the above detection method.
  5. The whole thing relies on today's method of communication using a simple TCP connection, but that is changing, there are many other protocols and an increasing need (because of NAT) to communicate by a long standing persistent connection. As technology moves to that, any time stamp correlation goes out of the window.
  6. In practice, all of this will only identify a household. It is possible the household has more than one suspect (sisters perhaps), and the suspect does not confess. Even with one child in the house, what if they do not confess? So what then? A raid on the house, seize all computers, phones, and tablets for investigation, demand PIN and passwords to unlock them? Breadwinner of house has work laptop taken, ends up losing job over stigma? The kid in question used privacy mode on the browser so police find no trace, and even if they did, they cannot tell which of the sisters used the machine, so no conviction or further action happens.
  7. Worse, actual sender is a different kid, that uses the house wifi from outside, knowing that in this police state the house will get raided, which was their intention all along.
  8. Or finally, what if the kid sends these abusive communications by post? Does the NCA call for a national database of everyone's handwriting and DNA to be collected and stored? Or do we just go for cameras in every room in every house to keep us safe?

I am just shocked that they do not see this as an example of how invasive and police state this example shows the IP Bill to be... Shocked!

P.S. Look how easy such a system is for tracking the confidential source for a journalist, or such like. All without a warrant even!

P.P.S. Technical point...

The police would have the name of the service used. The CSPs would have the IP addresses of the TCP connections made - they would not have the name. (Yes, https can expose the certificate name using DPI at present, but that will change soon).

So, the query needs to state IP addresses to be checked, not a service name or domain name.

I see nothing in the IP Bill providing for a system to track the IP addresses used by every domain name in the world in real time as they change. Indeed, I am not sure such a system is technically possible. It would also have to track the "view" from each ISP at the very least as DNS servers can (and do) give different answers depending on who is asking. Such a system would be a really huge project, but without it, the police would have no way to know what IPs to ask the CSPs for in their search as they would have no way to know what IP was in DNS two weeks ago!
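
The point above as an added sketch (not from the original post or the NCA material): constructed connection records and a constructed per-ISP DNS history, searched once with the IP list built from today's DNS and once with DNS as it was at the time. The service name, ISPs, households and addresses are all made up for illustration.

```python
from datetime import datetime

# Constructed DNS history: (name, ISP view) -> [(valid_from, IP), ...] in time order.
# The service name is hypothetical; addresses are from documentation ranges.
DNS_HISTORY = {
    ("anonmail.example", "isp-a"): [(datetime(2016, 3, 1), "198.51.100.7"),
                                    (datetime(2016, 4, 10), "203.0.113.40")],
    ("anonmail.example", "isp-b"): [(datetime(2016, 3, 1), "198.51.100.9"),
                                    (datetime(2016, 4, 10), "203.0.113.40")],
}

# Constructed connection records as a CSP would hold them: IPs only, no names.
# (ISP, household, destination IP, connection time)
ICRS = [
    ("isp-a", "house-1", "198.51.100.7", datetime(2016, 4, 1, 10, 16)),  # the sender
    ("isp-a", "house-2", "198.51.100.7", datetime(2016, 4, 1, 10, 20)),  # other site on the same shared IP
    ("isp-b", "house-3", "203.0.113.40", datetime(2016, 4, 1, 10, 18)),  # IP belonged to something else then
]

def resolve_at(name, view, when):
    """IP that `name` resolved to, as seen from ISP `view`, at time `when`."""
    answer = None
    for valid_from, ip in DNS_HISTORY.get((name, view), []):
        if valid_from <= when:
            answer = ip
    return answer

def query(icrs, ips_by_isp, start, end):
    """Households whose records match the per-ISP destination IPs in the window."""
    return sorted(house for isp, house, dst, ts in icrs
                  if dst in ips_by_isp.get(isp, set()) and start <= ts <= end)

def search(name, dns_as_of, start, end):
    """Build the IP list from DNS as it stood at `dns_as_of`, then run the query."""
    views = {view for (n, view) in DNS_HISTORY if n == name}
    ips = {view: {resolve_at(name, view, dns_as_of)} for view in views}
    return query(ICRS, ips, start, end)

WINDOW = (datetime(2016, 4, 1, 10, 15), datetime(2016, 4, 1, 10, 30))
# IP list taken from DNS two weeks later, when the request is made.
today = search("anonmail.example", datetime(2016, 4, 15), *WINDOW)
# IP list taken from a per-ISP history for the time of the incident.
historic = search("anonmail.example", WINDOW[0], *WINDOW)
print(today, historic)
```

With today's DNS the search misses the sender and returns only an unrelated household; with the per-ISP history it finds the sender's household, together with a second household that connected to a different site on the same shared address.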

23 comments:

  1. Of course, it also needs to be corrected to: "The emails, referring to a recent date and suggesting the recipient suffered erectile dysfunction, were actually sent via a botnet without the knowledge or consent of the computer's owner, so all the expensive police operation catches is the school secretary having an expired anti-virus utility on her old Windows PC at home." Not to mention the risk of witch-hunts against teachers or parents named in the spam as having dated the 16 year old student...

    The idea that law enforcement would actually devote time and money to persecuting the sending of nuisance email is somehow both comical and alarming at once: comically absurd, in a world where they have yet to crack down effectively on illegal bulk commercial nuisance calls or eradicate the stupid "number withheld" mechanism usefully, and alarming: genuine police states DO indulge in this sort of witch hunt while disregarding serious crimes they can't be bothered investigating...

    1. Indeed, I was also thinking that an anonymising service might use bot nets to do low level connections in background from all over the country to create fake ICRs.

    2. Yes, there's already a free Chrome plugin called Hola which does almost precisely that - a sort of cut-down Tor clone, where every user also acts as an exit node for all the others. (I installed it briefly, spotted what it was up to and disposed of it pronto, of course, but it seems quite popular: over 100k reviews and 8m users, according to the Chrome store!)

      Obviously a scenario they haven't put the slightest bit of thought into - just assuming there will be a nice easily queryable database of "who connected to gmail.com between 10:15 and 10:30 on Sunday?", without contemplating the absurdity of having to execute that search on every single UK ISP (what, 200+?), collate the results, get the address for all of those users (not necessarily the *right* address, of course: Openreach still have the wrong address for my office!) - then geolocate every one of those addresses (whoops, chargeable service there remember) to find some suspects ...

      Will they go and track down the whereabouts of all red Fords if the driver of one whistles at the delicate Head Girl's revealing outfit one evening, too?

    3. Also worth considering; what is the energy and time cost of such a query, given the sheer amount of data they're talking about sifting through?

      After all, it might be wonderful to have a personal helicopter for every police officer, but it's worthless if you can't then afford to keep the helicopters in the air.

  2. In this scenario, what happens if the mail provider is a popular one such as Gmail or Hotmail? How are the police meant to be able to tell which of the potentially thousands of households in a 15 mile radius with devices which automatically 'check for new mail' every minute or so was responsible?

    Who is going to reimburse every single ISP for the time taken to do these searches (all ISPs and UK VPN providers will need to be checked for each request in this scenario)?

  3. Timezone would stump them!

    1. I have seen that - took police like two days to come back and ask "What does UTC mean?"

  4. I think they have been watching NCIS and think it's true!
    They should recruit McGee...

  5. Thanks for bringing this example up, I will immediately be submitting a further piece of evidence on the matter.

    The ignorance of these people is shocking. If someone is intelligent enough to use an anonymous email service in Russia, they're intelligent enough to use VPNs/TOR.

    1. Well, also, please do mention the huge, expensive, and basically impossible, project to track the IPs of domains over time so searches can specify the right IP addresses retrospectively.

  6. Further proof (as if any was needed) that the IP bill has absolutely nothing to do with terrorism or even serious crime, but is about giving law enforcement more tools to control online speech, which is apparently the absolute top priority for the censorship-obsessed government and the bourgeois Guardian luvvies who set the political agenda.

    1. And IP licencing violation ("piracy"), which is the top priority of the media owners who contribute so much to party funds.

    2. Indeed; I suspect the government are keeping rather quiet about just how trivial it will be to run fishing expeditions for everybody who has accessed The Pirate Bay or a known BitTorrent tracker URL in the last year.

      On the other hand, the authoritarians may at least achieve their goal of eliminating abusive trolling. Why bother sending people death threats when you can send them disguised links to TPB or child-porn sites, and book them in for a nice public dawn raid and seizure of all of their computer equipment?

    3. But ISPs and CSPs certainly have pointed out to government the fear that, if they are compelled to record (generating it, if needs be) this information for law enforcement, the copyright industry will want to be able to access it too.

      It will be interesting to see how this interplays with obligations not to disclose the existence of retention orders when faced with a Norwich Pharmacal order for data on a subscriber.

  7. I get to step 1) in that picture you posted and then solve the problem by "school puts a block on jessicalord@yourmail.com in their mailserver config".
    Problems solved. No law enforcement intervention required, minimal cost.

  8. Except that in the micro-controlled country we now live in the school is probably compelled to report such incidents as a crime to plod immediately. The police won't then be content until they have 'solved' the crime. Prevention doesn't get their boxes ticked.

  9. Point 2 is actually the main issue here. @gradwell we have lost thousands in fraud over the years through well known direct debit and telecom scams and on many occasions have engaged the police - sometimes giving them the address of the bloke they need to arrest! But they never do anything so what makes them think they will have time for all of this!

    1. Indeed, in today's newspapers there are stories about a fraud in Glasgow where someone emailed a solicitor instructions to pay £30,000 to a particular bank account. They have not only the email, but also the bank account details the recipient used, which should make it trivial to trace both the money and the culprits ... level of police activity so far? I think we all know that, don't we...

    2. The plumpergeddon site was fun.. A guy had his laptop stolen, but had tracking software on it. He knew the address of the thief, had his picture, videos of him using stolen credit cards, and loads of stuff.

      Police closed the case with 'no evidence'.

      It went on for ages, until the press got interested and the police finally realized if they didn't do something they'd look like incompetent idiots, and used the exact same 'no evidence' to send the perp to jail.

  10. I'm surprised no one has mentioned what happens if you run services from home. Are you required to keep logs of everyone who uses your services? For example an email service for family use or a WordPress family website that you might also let your friend host his website from the same box. What happens then?

    1. It has come up in the debate more broadly, although perhaps not in the comments to this particular blogpost.

      The framework sets out the ability for the home secretary to issue retention notices. If you do not have a retention notice, there is no requirement to retain logs. Because the definition of "telecommunications operator" is "offers or provides a telecommunications service to persons in the United Kingdom", someone who provides a service to others in their home is potentially in scope of such a notice.

      In practice, I suspect it is *highly* unlikely.

  11. What has happened here is redefinition of all these crimes to be some kind of derivative of one of the four horsemen of the internet.

    So, cyber bullying gets covered under the rubric of 'child protection' (which people assume will be protecting children from abuse), and so on.

    The example on page 20 is also apposite, as it directly relates to the evidence you gave in your submission to committee. It's possible to get an app that will place a bid in the last few seconds of an auction - the fact that a bid is placed is not necessarily evidence that the driver was using their phone at the time.
