Comments on RevK®'s ramblings: #IPBill Oral evidence to Joint Committee on Draft Investigatory Powers Bill

chrcoluk, 2015-12-30 14:18:
yeah the whole thing is a mess, also what about the 1000s of tiny web providers who sell email services? e.g. I could buy my own domain (which I have anyway) and host it at a web/email provider or even host it in my home. In that scenario the broadband ISP can do absolutely nothing, even DNS lookups can be encrypted as well.

rtho782, 2015-12-11 12:56:
One thing none of the ISPs seem to mention is that the bill seems to talk about "per device" records.

Given that IPv4 and NAT are still here, how is the ISP supposed to track "per device"? The ISP does not know if it's my laptop, my partner's phone, my kid's desktop, or my YouView box that is connecting to a service.

And if they ask Vodafone for all of little missing Alice's connection records, and come up blank, do they go round asking every ISP for records from Alice's phone just in case she has connected to a Wifi? Could AAISP *ever* find out if Alice's iPhone had connected to a Wifi owned by one of their customers?!

Anonymous, 2015-12-11 10:22:
Regarding the point about "a record of the services that they have connected to" seeming simple to a non-technical person.

I wonder if it would help to give an analogy here.

People are familiar with phone records - they contain the number called and the duration of the call. The phone company could not carry out their business without gathering this information.

So how about this: asking an ISP to report what services were connected to is like asking a phone company to record who spoke on the phone, and what the subject of the call was.

The phone company doesn't gather that data, because they don't need to for the system to work. To get it they would have to listen in to every call and also do a lot of external research. All of which would cost a great deal.

Even if the requirement excludes the *content* of the conversation, they would still have to do most of the same work, at immense cost.

And there would have to be a very clear specification of the requirements to even estimate that cost. E.g. how sure do they have to be of the identities of the people on the call, and what methods are considered acceptable to find this out?

Perhaps some expanded version of this idea would help to get the point across.

Anonymous, 2015-12-11 07:55:
Yes, definitely a case, and I think nearly every network operator has, or will, be making this point, in written evidence if not in the oral sessions. "Third party data" is a major concern.

jelv, 2015-12-11 00:04:
Re: applications like Skype, iPhone etc. is there not a case for you saying it's impossible for you to determine the parties involved and that you will just say it was in use between certain times? The police or whoever must enquire of the persons providing that service for the details (you are the mere conduit).

RevK, 2015-12-10 20:02:
Clearly reasons for such orders to be secret at least until the case is sorted - ideally transparency in the long run.

Anonymous, 2015-12-10 20:00:
Aled, I don't think anybody here has suggested that intercept orders for targeted surveillance should not be secret, have they?

RevK, 2015-12-10 19:58:
If that was what he meant, the good man!

rtho782, 2015-12-10 19:34:
I think that David Hanson MP, when he said people with nefarious intentions would simply use small ISPs, was perhaps trying to highlight that the whole process is pointless if you don't bother with small ISPs, and given that it's not economical or practical to serve notices on small ISPs, the whole bill is pretty pointless.

RevK, 2015-12-10 16:52:
Ha, just a bit :-0

Stuart, 2015-12-10 16:43:
I liked the bit about keeping our data safe.

Big ISPs said "regular auditing" "cultural process" http://parliamentlive.tv/event/index/54f42d6d-2377-4e98-9f6b-f21149c2b21f?in=16:56:23

And asked the same question, I think I detected a snigger from you. :) http://parliamentlive.tv/event/index/54f42d6d-2377-4e98-9f6b-f21149c2b21f?in=17:43:13

Anonymous, 2015-12-10 15:30:
> All of the conversations I've had with the people "on the other side" as it were about this have been well-meaning people who are doing their best in a difficult world to track down people who, they honestly believe, are engaging in criminal acts

I don't disagree although, as Adrian and James said yesterday, in a way this is far from the point. The current Home Secretary, and those with power in the agencies, may be utterly trustworthy and entirely respectful of privacy. But the legislation does not apply solely to them: it applies irrespective of who is in the seat, holding the power. And tomorrow's staff or officials, for whatever reason, may not be so well meaning.

RevK, 2015-12-10 15:25:
Indeed, James made clear that it is not that we don't want to help the police, and that if the definitions of what is wanted were clear we could thrash out what is, in fact, possible, or proportionate or cost effective. There is a lot of debate on privacy, which makes sense, but debating some of this (like cost) with no basis for what is wanted is nonsense.

Aled, 2015-12-10 15:23:
Thing is, I really don't see the purposes behind this as being nefarious. All of the conversations I've had with the people "on the other side" as it were about this have been well-meaning people who are doing their best in a difficult world to track down people who, they honestly believe, are engaging in criminal acts.

What I'm really concerned about though is how well the law is written to ensure that "feature creep" is limited to legitimate expansion due to "future proofing" (urgh, I hate that phrase) and anything more than that requires public oversight.

I do however feel that secrecy is a necessary part of this - not for the type of data you're gathering nor for the interfaces with the LEAs and security services, I agree, those should be public for the reasons you and James so eloquently put yesterday - but rather the existence of the order to intercept should be kept confidential. Secrecy and confidentiality are a necessary part of an investigation and sometimes the result of that is that the agency decides that the initial report was wrong and closes the case - I'm sure you'd want the presence of that sort of investigation against you personally to be kept confidential. In such cases, oversight is necessary and we have to delegate that trust to a third party who we have to believe is acting in our best interests.

Anonymous, 2015-12-10 15:06:
To be fair, as I understand the French proposals, they are limited to a "state of emergency".

Legally, the UK government could insist on exactly the same during a "state of emergency" right now, without any new legislation. (Whether it could be done technically / enforced is another matter, but the powers are there.)

RevK, 2015-12-10 14:41:
We did mention that several times, honest. James made it clear how the secrecy would hinder implementation as well. Sadly you may be right though on the impact we have - we'll see.

Anonymous, 2015-12-10 14:39:
It's a shame that you never got the chance to disparage the secrecy aspect of the Retention Orders, which I consider the most sinister area of this utterly malevolent bill.

Sadly I don't think they'll give any regard to anything you and James said when the bill is finalised. They want these powers for nefarious reasons and are on a mission. A handful of terrorist outrages has provided the perfect selling mechanism to a largely moronic public with no understanding of the issues involved.

Owen Smith, 2015-12-10 14:05:
Have you seen the latest proposals in France after the Paris attacks? They want to ban Tor completely, and shut down all public wifi (because you can't tell who is connected, apparently) for the duration of the state of emergency (which currently has another 3 months to run). All because one of the attackers used "encryption". But there is no evidence he used Tor, and as we all know there are many different forms of encryption.

Public wifi is possible to shut down, just a lot of work to enforce when you get down to the last few cafes and people running them in their houses or wherever. But how exactly do they plan on preventing Tor? If the Tor exit node is outside France, surely there is absolutely nothing they can do. And even inside France that's very difficult to police.

The Backup Exec Goat, 2015-12-10 10:22:
You actually came across very well, and I think you and James did do a great job of conveying points - I think there was a genuine appreciation of your input (it was significantly more specific and real world than some of the answers from the larger ISPs that went before you).

I did have a chuckle when James went into a geek moment and had to unwind to help the audience understand.

Anonymous, 2015-12-10 09:25:
Netflow is a superb tool for investigating incidents but it only provides an IP address. It is almost never possible to know what A record(s) may be pointing to that IP and some web server farms have just 1 IP for many, many servers. Equally a DNS record could have multiple IP addresses and a devious abuser could present different IP addresses simply based on views (e.g. BIND configs). So even net flows are limited. Mix in deep packet inspection for URLs, As, etc and that will need a very clever filter. Analysis really does need an analyst with clue and experience.