2015-09-19

Internet and law

Times are changing, and the governments of the world are trying very hard to keep up. There are consultations on this at an EU level, and the UK is considering the "snooper's charter". Legislation is being considered that would impact everyone.

This blog post is my thoughts on the matter, and I hope a good start to some debate. As an ISP, I am, of course, somewhat biased - but I am also an Internet user, and a parent, and someone that has had computers nicked and needed police to trace an IP address.

Summary

  • Physical infrastructure (ducts, mast owners) should be provided and managed independently to competing CPs (Communications Providers)
    • CPs paying a fair price for access (e.g. non-profit running it) and no "fibre tax"
  • CPs should have no responsibility for the content of communications ("mere conduit")
    • This ensures CPs can continue to innovate and develop services
  • CPs should not be expected to block traffic
    • This avoids unnecessary technical and commercial impact on CPs
    • Encryption and Tor and VPNs and proxies make such measures pointless
  • CPs should not be expected to look in to the content of communications
    • This avoids unnecessary technical and commercial impact on CPs
    • Encryption means that CPs cannot do so anyway
  • CPs are expected to assist authorities with criminal investigations
    • This must be specific and targeted investigation with formal process and oversight
    • CPs should not be expected to collect data or monitor users generally
    • CPs should be paid for costs involved in assisting authorities
    • Basic processes such as finding billing address from IP should be more streamlined!
    • There should be transparency - advising subjects of requests once no longer suspect
  • Encryption should be encouraged not restricted or banned
    • Criminals are attaching the virtual world of the Internet and encryption is the protection for privacy and security that is now essential to combat such crime

Layers

One of the first issues which needs considering carefully in any legislation is the way that the government think of "the Internet". Having had an interesting dinner with several MPs (thanks to ISPA) it is clear that MPs see "the Internet industry" as very much one "thing", lumping in everyone from a company putting fibre in the ground to FaceBook as the same "industry".

In actual fact, just like the protocols used in the Internet, there are layers. It is important for legislators to understand this, as the rules have to be different for different layers. If you think about this, it does make sense, and I have included "a company putting fibre in the ground" in the above list deliberately as an example because that is pretty obvious. Putting glass in the ground, and even renting that glass out to companies, is clearly at much the same level as an electrician wiring up a house. They are clearly not responsible for what flashing lights are sent down that glass, and would not have any way to take any responsibility for that. I think even MPs can understand that.

At the other extreme, companies like FaceBook provide a service which "just happens to make use of the Internet as a means of communication". In theory one could operate such a service over the post (did any of you have a pen pal)? The fact that the Internet is use is, of course, important, but the service itself is very much more than simply flashing lights down a bit of glass. FaceBook have contracts with customers (albeit ones where there is no payment in most cases); they manage personal information; they operate in multiple countries and across borders; they have policies on content and police those policies. There are already a whole raft of rules and regulations in many countries that cover a lot of what they do.

Glass

I picked fibre as an example of the lowest level, but there is an even lower level that could be worthy of legislation. It is not legislation concerning snooping, or security, but more one of providing access to the Internet. Governments recognise (thankfully) that the Internet is an invaluable resource within a community, and ensuring good access for all citizens has benefits to the community and the economy as a whole, so should be encouraged.

It seems to me fairly obvious that there needs to be a lowest level of access by way of "ducts" and radio mast sites that take physical space and can be included in designs for new housing developments. These are things that probably do not benefit from competition in their provision at that level - having multiple providers running cables and ducts in the same street is how it was done in the past but it may make sense if ducts and basic roadwork type stuff is handled by someone like the council, or a non-profit responsible for providing access to physical infrastructure to competing telcos.

Internet Protocol

The level above copper and glass is the actual data being sent over those. There are actually two layers here really - the means to send data over the raw infrastructure, and the operation of a network of such infrastructure to provide something like a packet routing system such as Internet Protocol. At present we see companies like BT and TalkTalk operating national infrastructure networks, using Openreach copper pairs, and providing access to end users and connecting that to internet providers.

At the lowest level, the internet provider (ISP) routes packets - simple as that. There are extra services that are essential, like DNS, and then more optional services like email, web sites, and so on.

When it comes to the low level communications itself, such as routing IP packets or telephone calls, I think it is very important to separate the communications system itself from what is being communicated.

We already have this concept in EU, and also in US. In EU it is called "mere conduit", and it means that CPs don't have liability for what is being communicated.

This is not a very new principle - even the postal service has some long standing legal protections in place. The most obvious being that the post office are not responsible for the content of letters, and are not considered to be assisting or aiding and abetting any criminal activity carried out by post, nor even profiting from crime; and, the security and integrity of the post is important and "interfering with the mail" is considered a serious matter. Communications itself needs to be reliable and independent of what is communicated. These protections allow CPs to provide the services cost effectively.

I feel quite strongly that Internet service needs to have these protections, and that even "mere conduit" is not quite far enough. We have to consider slightly more, and this is something the EU is considering now - "Net neutrality" is the term being used. It is important that CPs are not locking horns with "content providers" over access and priority of traffic. This has happened in the US and could lead to some complicated issues which would impact customers. Essentially, it is important that  CPs route traffic fairly, and when there is congestion packets are dropped purely on technical and practical basis and not for political or commercial reasons.

I also consider it important that CPs are not expected to look in to packets for any reason. This is much like "interfering with the post" but it is also down to a simple practical fact of life now - that encryption exists. Whatever the reason a government may want for CPs to look in to the packets is basically going to be thwarted by normal, day to day use, of encryption. It is common now for encryption to be used for web site access, messaging systems, and pretty much anything using the Internet. Even if encryption was somehow banned or crippled, the fact that it exists means that criminals or suspects could use it and be breaking just one more law. There are also many ways to use encryption which would either not be illegal, or not be detectable or provable.

Blocking web sites

Even though there is "mere conduit" there is one catch in the copyright legislation that allows a court to grant an injunction against a communications provide where they are aware of copyright infringement. This has been used to block access to some specific web sites like The Pirate Bay.

Unfortunately this is pretty much totally ineffective. The Pirate Bay have loads of mirrors and proxies and they move all the time. This means ISPs are spending time and effort messing about playing whack-a-mole. Of course VPNs, proxies, Tor and the like means that even if the ISP was actually blocking the site in question reliably, their customers can still easily access it.

After a spate of blocks, The Pirate Bay reported that they had massive increases in traffic - it was publicity! This means that he blocks are not just ineffective, they are counter productive. One court in the EU even reversed an injunction because it was ineffective.

Given that this has been tried and failed, it seems sensible to remove this anomaly from the copyright legislation - to stop ISPs having to waste time on this crap.

Of course, in principle, ISPs could provide blocking services to customers. It is rather concerning that the UK government seem to have pressured many ISPs in to providing some blocking by default for porn sites. We already see over blocking, which could create liability for ISPs and may even be a breach of the Computer Misuse Act. We also see that people now sell USB sticks with pre-installed Tor browsers so that kids can bypass blocks!

Back on the whole net neutrality front, it makes sense that ISPs simply do the job or routing packets, not blocking or prioritising things, just providing the raw communications means. ISPs have enough work doing that without getting bogged down with politics.

Of course, there are things people do using a communications system that are illegal, and they should be held to account for that.

Helping the authorities

Obviously I am keen on legislators not interfering with CPs and I think it is critical to ensuring CPs can provide the innovation, development and investment in providing access to everyone in the best way.

However, CPs are a key factor in helping the authorities investigate crimes. One of the most obvious things that anyone investigating a crime will need is the ability to track where an IP address is being used.

Unfortunately the very nature of Internet Protocol makes that impossible to do reliably. I recall an old cop show on TV and they were thwarted tracking a call to a payphone which had the handset taped to the handset of the adjacent payphone. Whilst that is a tad silly for phones it is actually incredible simple for IP networks, and even normal. IP can be, and is, tunnelled over IP or relayed at higher levels as a proxy. There are systems like Tor that specifically relay connections randomly around the Internet with no record of the real endpoints.

Even so, there is a starting point for authorities if they can quickly locate the installation address (if there is one) for an IP address for a connection. CPs can be an assistance to authorities in this in many cases. However, even with something so seeming simple as this, there is a catch. Carrier Grade NAT and transparent or explicit proxies mean that the IP address seen at the other end on the Internet is of the CGNAT or proxy system and not the end user. It is not necessarily practical for an ISP to have logs of every single connection made via such a system, and even where there are logs you may need millisecond accurate timestamps to track to one installation address. Even when you have an installation address you do not know what user at that address (if the user is there even) applies.

So, yes, CPs need to help the authorities, but there is only so much they can do. We have RIPA with covers this already. What we do not need is forcing CPs to start logging everything that they don't log anyway. This has a technical and commercial cost that CPs do not want, but also a security issue. You potentially start having logs of everyone's "activity" using the Internet - including all of the people that are not criminals and suspects. This is not just an invasion of privacy (which should be protected) but also a target for crime and hacking. Information has value.

One of the other concerns I have is the transparency of these processes. RIPA allows all sorts of "authorities" to request all sorts of information. What seems obvious to me is that this needs oversight, and controls. One simple step is that the subject of any such requests should be notified of the request. This is a problem if they are a suspect in a crime, so some requests have to be kept secret., but even then, once no longer a suspect the subject could then be notified.

Encryption

This is perhaps the elephant in the room. Encryption is not a new concept, but the changes in computer technology over the years have moved the goal posts somewhat. What has changed is that computing power in our hands (quite literally in most cases - mobile phones) is now at a level where encrypted communications can be used completely routinely. It used to be used only in specific cases like on-line banking, but is now used for simple web site access (even the conservative party web site). Once again, this is seen as a threat by the spooks that want to be able to covertly monitor suspects communications.

It is important to realise that there is always "plain text" at each end of the communications, and various ways one can access that if you can compromise one end (either social engineering, infiltrating a criminal organisation, or technical means like key loggers on computers). It is also the case that encryption normally means some degree of verifiable trust and use of keys - and people can be sloppy over encryption keys no matter how good their computers are. So encryption does make some things harder but it does not stop the authorities investigating crimes and suspects.

It is also important to understand that encryption exists. It is not a secret. Most encryption software is free, and so there is no "software company" to go after with legislation. This means that making it illegal (or illegal to use "strong" encryption) does not make it go away. Criminals can use encryption and will just be breaking one more law. It is also possible to use encryption in ways that cannot be proved (designed to provide "deniability") and the software to do that is also free and freely available and not secret.

It is also important to understand that encryption is not "hard". Yes, computers are good at this, and use a lot of processing to do the encryption we use every day, but there are systems you can use to unbreakably encrypt messages that nobody can decode without the right key and yet use pen and paper and dice and nothing more (see my video here). So unless you also ban something as basic as "adding up" you still allow "strong encryption".

Encryption is however important. It is seen by anyone with any technical clue as complete irony for governments to make statements like "In our country, do we want to allow a means of communication between people which […] we cannot read?" yet at the same time as saying encryption is "important to the economy". There is simply no way to make a system which allows only the authorities to read a message, and ensures only criminal's and suspect's messages can be read by the authorities.

Criminals are moving on, even "terrorists". I don't like the use of terrorists and pedophiles in the media and by MPs to justify any legislation like this as they represent a tiny fraction of crime and harm done to the public. I find it ironic that the whole idea of terrorism is to create "terror" and then we make that "terror" ourselves in the way to portray and report terrorists. If we reported every car accident with the same publicity as any terrorist attack then nobody would dare drive again. But yes, if someone is hell bent on causing big scary havoc, they do need a bomb, they can hack in to critical infrastructure or even domestic infrastructure. Things like taking down the power grid are big and scary, but even things like hacking the logistics systems for all of the major super markets could suddenly mean nobody has any food for a few days - now that is a terrorist attack. There are also issues on smaller scales, like hacking in to cars (already been done) - imagine just disabling a small percentage of all of the cars on the M25 all at once so they stop and cannot be moved. All of this is without hacking banks and simply stealing money. These systems are protected by strong encryption, and any steps to weaken that or add back doors for the authorities will make the crimes easier.

So, in short, encryption needs to be encouraged, not banned or crippled.

Debate

Please do comment and discuss. I may have missed something.

3 comments:

  1. Accessing 'banned' websites is even easier than stated. Don't use your ISP's DNS, instead I use Google DNS at 8.8.8.8 with 4.2.2.2 which I believe is a Verizon one as secondary.

    Then, browse to the HTTPS version of your desired evil piracy site. As you are not using your isps DNS, they can't filter the request there, and as you are using HTTPS, they can't see the URL you are visiting only the IP (which could host many sites), so you can view it.

    I know this works with talktalk, plusnet, and BT. It just shows how pointless the system is.

    ReplyDelete
  2. I think this is an excellent manifesto for sanity. Now all that is needed is a small amount of deep education for MPs and the moral panic merchants in power.

    ReplyDelete
  3. It appears that that method also works on Virgin Media rtho782

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Hot tubbing...

I have a hot tub, it came with the house over 3 years ago. Managing a hot tub is complicated, and expensive. The expensive part is the power...