2015-12-10

#IPBill Oral evidence to Joint Committee on Draft Investigatory Powers Bill

I was honoured to have the chance to give evidence to the Joint Committee on the IP Bill yesterday.

It was interesting, and I was not at all nervous. I think the number of live TV interviews I have done, where I have random questions fired at me, have helped a lot. Being politics I actually had a list of likely questions in advance, which helped me rehearse some answers.

http://parliamentlive.tv/event/index/54f42d6d-2377-4e98-9f6b-f21149c2b21f?in=17:12:14

In fact, most of the answers were much more on-the-spot than my prepared notes.

I was lucky to be on with only one person, James Blessing, who is very clued up. I am not sure which of us is more guilty of talking for too long when answering a question. I think we both did very well and I hope we helped the committee understand the issues.

[Somewhat edited from this point]

"Internet Connection Record" is not a defined thing - in the bill or in industry!

One thing that was a concern, and predicted by one of the ISPs at our Home Office meeting, was that one of the members (David Hanson MP) was adamant that an "Internet Connection Record" was "defined in the bill". He referred to page 25 and asked us to work out costs based on that definition. Page 25 is in the "explanatory notes" and not the bill, and itself is massively unclear. It basically says "It is a record of the services that they have connected to".

To try and explain this a little more, as I plan to tweet to David Hanson MP and ask him to take a look here if he can. I fully understand that to someone not technical, saying "It is a record of the services that they have connected to" seems reasonably clear. Sadly it really is not, and if you look at the actual wording of the bill, and not just the explanatory notes, it is less clear still.

Unlike a telephone call, or even just sending an email, even the definition of the term "connected" is complicated, as is defining the term "service". Actually what happens is packets of data are sent between devices, and as an ISP we send those packets on towards their destination. We don't "see" any sort of "connection" or "service", all was see is "packets".

One possible meaning could be that we log the destination IP address of each packet. Sadly this is not either easy or cheap as there are literally billions of such packets whizzing through our network every minute, and we are a small ISP.

There is a protocol for a type of "connection" used in the Internet, called TCP. This is only one of many types of connection that can be made but is the most common. So the meaning could be to log each such logical connection. This would mean making something of a jigsaw puzzle of the meta data (the destination and source addresses) in each of those billions of packets as they pass and tracking millions of simultaneous logical "connections" that are happening at any one time, then logging these. Again, this is neither easy nor cheap, and even more work than above. There are also many types of "connection" - an "Internet phone call" using a protocol calls SIP does not normally even use TCP but a "connectionless" protocol called UDP, so somehow that would need to be tracked and logged too.

Of course, it could be that what is meant is we must log is more a matter of logging each "web page" accessed with the name of the web site, and similarly for other "services". Indeed, some comments made by the Secretary of State suggested this may be what was meant. This means not only the jigsaw puzzle to construct those TCP connections, but actually looking in to the data that passes on those connections, connecting the data from many packets together, and looking for a part of the information sent called a Host: header. This is yet more complexity and work and cost. Again, web pages are just one type of communication that uses a "connection". There are many other types of "connection" that could be made, and new types will come along every day or even every few hours as new applications are developed and new innovations made. Each of these is not published - we know how "web pages" work because they follow a published standard, but mobile phone apps do not have to follow any such standard, they do not even have to use TCP to communicate. So we'd have to constantly research each and every new application and protocol that people invent anywhere in the world, work out what part of that data counts as "Relevant Communications Data" and record it in some format that the police know to ask for and understand. We would not have the help of the developers in this. Indeed, we'd have to buy and test every app ever published and reverse engineer it to work out what to log. That would be a huge on-going undertaking at huge cost, made massively worse by the fact that each ISP is on their own not allowed to tell anyone else what they are doing with data retention.

So the meaning of recording "what services you connect to" is really very very unclear, and the cost involved in making such logs is not something one can sensibly estimate without actual details.

I am considering another written submission to basically explain how this all works and the issues.

20 comments:

  1. Netflow is a superb tool for investigating incidents but it only provides an IP address. It is almost never possible to know what A record(s) may be pointing to that IP and some web server farms have just 1 IP for many, many servers. Equally a DNS record could have multiple IP addresses and a devious abuser could present different Ip addresses simply based on views (e.g. BIND configs). So even net flows are limited. Mix in deep packet inspection for URLs, As, etc and that will need a very clever Filter. Analysis really does need an analyst with clue and experience.

    ReplyDelete
  2. You actually came across very well, and I think you and James did do a great job of conveying points - I think there was a genuine appreciation of your input (it was significantly more specific and real world than some of the answers from the larger ISPs that went before you.

    I did have a chuckle when James went into a geek moment and had to unwind to help the audience understand.

    ReplyDelete
  3. Have you seen the latest proposals in France after the Paris attacks? They want to ban Tor completely, and shutdown all public wifi (because you can't tell who is connected, apparently) for the duration of the state of emergency (which currently has another 3 months to run). All because one of the attackers used "encryption". But there is no evidence he used Tor, and as we all know there are many different forms of encryption.

    Public wifi is possible to shut down, just a lot of work to enforce when you get down to the last few cafes and people running them in their houses or wherever. But how exactly do they plan on preventing Tor? If the Tor exit node is outside France, surely there is absolutely nothing they can do. And even inside France that's very difficult to police.

    ReplyDelete
    Replies
    1. To be fair, as I understand the French proposals, they are limited to a "state of emergency".

      Legally, the UK government could insist on exactly the same during a "state of emergency" right now, without any new legislation. (Whether it could be done technically / enforced is another matter, but the powers are there.)

      Delete
  4. It's a shame that you never got the chance to disparage the secrecy aspect of the Retention Orders, which I consider as the most sinister area of this utterly malevolent bill.

    Sadly I don't think they'll give any regard to anything you and James said when the bill is finalised. They want these powers for nefarious reasons and are on a mission. A handful of terrorist outrages has provided the perfect selling mechanism to a largely moronic public with no understanding of the issues involved.

    ReplyDelete
    Replies
    1. Wd did mention that several times, honest. James made it clear how the secrecy would hinder implementation as well. Sadly you may be right though on the impact we have - we'll see.

      Delete
    2. Thing is, I really don't see the purposes behind this as being nefarious. All of the conversations I've had with the people "on the other side" as it were about this have been well-meaning people who are doing their best in a difficult world to track down people who, they honestly believe, are engaging in criminal acts.

      What I'm really concerned about though is how well the law is written to ensure that "feature creep" is limited to legitimate expansion due to "future proofing" (urgh, I hate that phrase) and anything more than that requires public oversight.

      I do however feel that secrecy is a necessary part of this - not for the type of data you're gathering nor for the interfaces with the LEAs and security services, I agree, those should be public for the reasons you and James so eloquently put yesterday - but rather the existence of the order to intercept should be kept confidential. Secrecy and confidentiality is a necessary part of an investigation and sometimes, the result of that is that the agency decides that the initial report was wrong and closes the case - I'm sure you'd want the presence of that sort of investigation against you personally to be kept confidential. In such cases, oversight is necessary and we have to delegate that trust to a third party who we have to believe is acting in our best interests.

      Delete
    3. Indeed, James made clear that it is not that we don't want to help the police, and that if the definitions of what is wanted were clear we could thrash out what is, in fact, possible, or proportionate or cost effective. There is a lot of debate on privacy, which makes sense, but debating some of this (like cost) with no basis for what is wanted is nonsense.

      Delete
    4. > All of the conversations I've had with the people "on the other side" as it were about this have been well-meaning people who are doing their best in a difficult world to track down people who, they honestly believe, are engaging in criminal acts

      I don't disagree although, as Adrian and James said yesterday, in a way this is far from the point. The current Home Secretary, and those with power in the agencies, may be utterly trustworthy and entirely respectful of privacy. But the legislation does not apply solely to them: it applies irrespective who is in the seat, holding the power. And tomorrow's staff or officials, for whatever reason, may not be so well meaning.

      Delete
    5. Aled, I don't think anybody here has suggested that intercept orders for targeted surveillance should not be secret, have they?

      Delete
    6. Clearly reasons for such orders to be secret at least until case is sorted - ideally transparency in long run.

      Delete
  5. I liked the bit about keeping our data safe.

    Big ISPs said "regular auditing" "cultural process" http://parliamentlive.tv/event/index/54f42d6d-2377-4e98-9f6b-f21149c2b21f?in=16:56:23

    And asked the same question, I think I detected a snigger from you. :) http://parliamentlive.tv/event/index/54f42d6d-2377-4e98-9f6b-f21149c2b21f?in=17:43:13


    ReplyDelete
  6. I think that David Hanson MP was perhaps, when he said people with nefarious intentions would simply use small ISPs, was trying to highlight that the whole process is pointless if you don't bother with small ISPs, and given that it's not economical or practical to serve notices on small ISPs, the whole bill is pretty pointless.

    ReplyDelete
  7. Re: applications like Skype, iPhone etc. is there not a case for you saying it's impossible for you to determine the parties involved and that you will just say it was in use between certain times. The police or whoever must enquire of the persons proving that service for the details (you are the mere conduit).

    ReplyDelete
    Replies
    1. Yes, definitely a case, and I think nearly every network operator has, or will, be making this point, in written evidence if not in the oral sessions. "Third party data" is a major concern.

      Delete
  8. Regarding the point about "a record of the services that they have connected to" seeming simple to a non-technical person.

    I wonder if it would help to give an analogy here.

    People are familiar with phone records - they contain the number called and the duration of the call. The phone company could not carry out their business without gathering this information.

    So how about this: asking an ISP to report what services were connected to, is like asking a phone company to record who spoke on the phone, and what the subject of the call was.

    The phone company doesn't gather that data, because they don't need to for the system to work. To get it they would have to listen in to every call and also do a lot of external research. All of which would cost a great deal.

    Even if the requirement excludes the *content* of the conversation, they would still have to do most of the same work, at immense cost.

    And there would have to be a very clear specification of the requirements to even estimate that cost. E.g. how sure do they have to be of the identities of the people on the call, and what methods are considered acceptable to find this out?

    Perhaps some expanded version of this idea would help to get the point across.

    ReplyDelete
  9. One thing none of the ISPs seem to mention is that the bill seems to talk about "per device" records.

    Given that IPv4 and NAT is still here, how is the ISP supposed to track "per device"? The ISP does not know if it's my laptop, my partner's phone, my kid's desktop, or my youview box, that is connecting to a service.

    And if they ask Vodafone for all of little missing Alice's connection records, and come up blank, do they go round asking every ISP for records from Alice's phone just in case she has connected to a Wifi? Could AAISP *ever* find out if Alice's iphone had connected to a Wifi owned by one of their customers?!

    ReplyDelete
  10. yeah the whole thing is a mess, also what abou the 1000s of tiny web providers who sell email services? e.g. I could buy my own domain (which I have anyway) and host it at a web/email provider or even host it in my home. In that scenario the broadband isp can do absolutely nothing, even dns lookups can be encrypted as well.

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.

Missing unix/linux/posix file open option

What I would like is a file open option for "create replacement file". The idea is that this makes a new inode in the same mount p...