LINX have confirmed that the governance discussions are totally unrelated to IPA and intercept on the basis that such laws apply regardless, and gagging orders apply. The good news is LINX have been taking legal advice to understand how they would handle such orders, and if they can provide warrant canaries (which they feel they cannot).
As reported in The Register, and in LINX's reply, there is concern over some of the changes to the way LINX is governed - a matter to be voted on this week at the LINX96 meeting.
For those of you that do not know, LINX is a major UK peering point - it is a network infrastructure mostly in London (the "L" in LINX) that connects lots of Internet providers together and is used a lot by everyone that accesses the Internet in the UK.
This is a serious matter - what do all of the secret / gagged orders in the Investigatory Powers Act mean for a membership organisation like LINX? Could it mean secret orders that a handful of people know of, implemented in order to spy on members' traffic? Every member is a part of LINX!
Well, what I am told is that that is not the idea, but I am concerned that the changes could inadvertently allow such orders. We need to be sure of some transparency, at least, before approving them.
However, what it has highlighted is that we need some frank and open debate within LINX on the whole issue of the IP Act and the possibility of secret orders to snoop on LINX traffic. The same needs to happen at LONAP too.
So, personally, I am not yet up to speed on the changes proposed, and if they allow "secret" orders or not, but this is my overall view, so far. I expect to blog again once we have had some discussions during the week and the vote is over. It is serious stuff - my own staff are already asking if we should stay LINX members or leave, just based on The Register article, and we are not alone in asking this.
So what needs to be addressed:
- We need to consider what LINX may be asked to do. This means lawyers and maybe even talking to The Home Office (maybe someone has?!). And we need to debate and agree in advance the way this needs to be handled with members.
- We need to consider the level of transparency of any such orders, with members, and outside LINX. What if LINX M&A mean the directors have to discuss any orders with members? Is that good or bad? Does it make The Home Office re-think orders? What do they have to consider in asking for intercepts and data retention (collection)?
- To what extent will LINX management challenge orders? Clause 87(4) tries to stop any retention order forcing a provider to monitor "third party data". But for LINX, anything over and above Ethernet MAC addresses is "third party data", so needs to be challenged via the appeal process and even the courts if necessary. I am sure LINX would get support from ORG and/or EFF on taking any such matter to CJEU or the ECHR (whilst we still can).
- What exposure do LINX management and even LINX membership have? Can management share "gagged" orders with membership? They have to be able to share to some extent with the techies making it happen, so there is scope, but how much transparency is allowed, and what are the consequences? Some of it is NOT CRIMINAL in any way in that no "offence" is defined in law - it is simply a "duty" not to disclose, enforced by civil proceedings (telling LINX "stop sharing this information" after it has already been shared). But even if shared with members, are members exposed if they share with customers or the press, and is that exposure for LINX as a whole or just that member?
- In all of this I am making the huge assumption that LINX members do not want snooping by anyone - very much against the spirit of the Internet. If I am wrong and actually LINX members do want government snooping, we will be leaving LINX and so will many others. But we need the debate to understand if we do all agree on this position in the first place.
But ultimately, do any of us (LINX members) want to be part of an organisation that would secretly snoop on its members? I would not. Let's hope that is not what this is about, and we can move on with M&A changes in one form or another, and then start some serious debate and discussion with members on what will and must happen if the IP Act ever does come to bite us...
If this is all a storm in a teacup, then fine. We will soon see.