A number of people thought that the BBC article Email and web use 'to be monitored' under new laws had to be an April fools joke.
After all, even the government are not crazy enough to think they can legitimately spy on everyone's email and text and tweet, speculatively...
But no. Apparently it is real. There was a talk on this at ORGCon2012 but few details had been released by the government of what they planned.
It is still not entirely clear and I am sure that there will be a lot more detail in time. Obviously civil liberties groups are up in arms over this, with good reason.
The main issue here is the issue of "communications data". For a long time the authorities have been able to get details of who called what numbers from telcos. The problem is that this is not so clear now. Are your facebook friends list just communications data? Where is the line drawn exactly.
This also goes way beyond what was done before - which was simply expecting the incumbent telco to search its logs which it had collected for billing purposes. Now we have a situation where there may be no logs (not under UK jurisdiction anyway). People use hotmail and gmail and so on - and not their ISPs mail servers, so there is no record of who emailed who for an ISP to search. Even where a telco is all UK based and their servers are used, they may not actually collect communications data. After all, if they have "unlimited" package they don't need to. Up until now there has been no requirement to collect extra data for law enforcement, and indeed, under Data Protection laws, there is reason not to collect any data you don't need. Collecting extra data, and, importantly, keeping that data safe and secure, is extra cost for ISPs and telcos.
The proposals seem to suggest that they want monitoring at the packet level to track who emails who even if using some gmail web page to do it, or messaging on facebook or twitter.
This is crazy, from a technical point of view. Anyone that has ever tried to screen scrape a popular web site will know it needs constant tweaking. You can't just put a black box in and expect it to work - it has to handle every new application that comes along that allows messaging and every change that is made by the web designers and application designers, none of which have to publish any spec or notify the UK authorities of changes. So to do this you need not only hugely powerful monitoring boxes, but boxes that allow remote administration and update - so could easily start monitoring lots of other "stuff" with no visibility of the ISP or their customers. Thin edge of the wedge?
Of course it is also totally impossible to win this - anyone that has any reason to hide their communications data can do so - it is very simple.
What makes things even worse is that it is not just the "bad people" that can easily hide their data - it is happening as a matter of course. Web mail applications are using https - encrypted from the users device to the server that may not be in the UK. The servers and user computers have more than enough computing power now so that strong encryption is the norm.
Of course, I was struck by how silly this is today when I downloaded wordfeud on my iPad because my son's girlfriend's parents play it (long story). Suddenly that is new communications data - it has in-game chat.
AAISP have no intention of installing any montioring
equipment. Sadly, if the government have any sense, they won't expect us
to - they will install it in large carriers or at the borders to the
country - like China.
As an ISP, we already explain to customers about running your own mail server and using encrypted mail transport and end to end encrypted emails. I can see us explaining things like Tor in more detail soon as well. After all, if criminals can hide who they are communicating with, surely law abiding citizens should have the same right?
Anyway, there will be a lot more on this over the coming months I am sure. Lets hope that groups like ORG can fight this effectively.
P.S. Nice diagram, thanks to Alec from ORG:-