Good news for privacy - Investigatory Powers Act vs CJEU

As reported by the BBC, the European Court of Justice has made a ruling that could seriously impact the powers in the Investigatory Powers Act to collect data on everyone in the UK.

The IP Act has provisions, much like the Data Retention and Investigatory Powers Act (DRIPA) it replaces, and the Data Retention Directive (DRD) before it, to retain data about use of communications systems.

The IP Act actually pushes this much further - previously telcos/ISPs could have been asked to retain certain data they processed (e.g. telephone itemised billing records) but could not be required to actually generate data they were not processing. The IP Act allows much more and it has been made clear that the government wish to log usage of the Internet in some detail - down to the level of recording every web site everyone has accessed. This is far more than just retention of data, and would apply to everyone, even those not suspected of any crime.

The good news is that the ruling from the CJEU is that this sort of mass retention of data is not consistent with our basic human rights and EU law. These apply regardless of whether we leave the EU or not.

The BBC article is not ideal in its analysis, and Open Rights Group have a much better analysis (here).

Retention is an invasion of privacy

The key point of argument here is that the UK Government considered that indiscriminate retaining of data should be allowed as long as access to that data was restricted and controlled in a suitable way. However, that is not the case. The court ruled that indiscriminate retaining of data was simply not acceptable. You have to be much more specific about whose data is to be collected to target suspects in a crime.

Only to be used for serious crime

The court also looked at the issue of controls over access to the retained data. Again, this did not go well as the access has to be restricted to only serious crime. The IP Act tries to even redefine serious crime to include things that are not serious, so that will have to change too.

Proper independent authorisation of requests for data

On top of that - the access to the retained data should be approved by an independent body, such as a court, and not simply by the current system of a Designated Senior Officer. This could finally mean we see proper court warrants for access to retained data.

No more secrecy

As I have long said, the secrecy around data retention and collection of data is not really acceptable. The ruling says subjects of access should be told about it once there is no longer a risk of prejudice to the investigation.

We can still catch criminals

None of this stops wire taps (or the Internet equivalent) on suspects in serious crime, set up and accessed with the proper controls. All it stops is the indiscriminate logging of everything we all do on the Internet - and that is a good thing - we are all meant to be innocent until proven guilty, after all.

Read more

Read the ORG article for a lot more useful insight in to this ruling.

Investigatory Powers Act - devil in the detail

It is published (here). It is an interesting read, so here are some initial observations...

I have been trying to focus on the bits that could impact us (A&A and FireBrick) mainly, and I am very happy to have had help from a friendly lawyer on this matter. I am the first to accept that I am not an expert on reading legislation, but getting better as the years go on.

So, some observations, in no particular order...

Can a retention order be placed on BT Wholesale to monitor A&A traffic?

We think no - surprisingly. This is because of 87(4): "A retention notice must not require an operator who controls or provides a telecommunication system (“the system operator”) to retain data which relates to the use of a telecommunications service provided by another telecommunications operator in relation to that system".

So that should mean, we think, that BT Wholesale or Openreach or BT plc as "the system operator" cannot be ordered to retain data which relates to the use of the telecommunications service provided by A&A in relation to that system. We see that as meaning BT provide PPP and we provide IP, and so BT cannot be ordered to log IP (or above), only PPP which is basically their RADIUS logs, because IP is related to what we provide via that system.

Good and bad - good is it means, in theory, if we say we have no monitoring (we don't) and we can assume BT do not, then there is no monitoring (same logic to LINX and transit providers). Bad news is that they may be more inclined to ask us to do retention as a niche ISP.

But it gets more fun - given that this now covers private as well as public telecommunications services, it is easy to say that every single one of our customers is a telecommunications operator even if only running one router to provide service to one person. So we can argue that we cannot be expected to retain data relating to our customer's use of the IP - you have to ask each and every one of them to retain data and not us.

We'll see how that plays out if ever we are asked to do retention (which we, A&A, have not been).

Can FireBrick be forced to add a back door?

We think no, thankfully. The definition of a telecommunications operator, which we thought could cover FireBrick would require that FireBrick is providing a "service", which we are not, we are providing a product, and that the FireBrick itself is a "system", which it is not, it is apparatus.

Even so, we still have standing order that if asked to back-door FireBricks then the UK company FireBrick Ltd would be dissolved.

In short, you can trust FireBrick!

Is FaceBook a telecommunications operator?

Well, this is tricky. Home office think so, apparently. An operator offers "services", and services means a service consisting of access to or facilitating making use of, a "system". A system is something allowing transmission of communications by electrical or electromagnetic energy.

So a system is wires and fibres and radio; A services provides access to that or making use of that; An operator offers a service to do that.

I think the wires, and fibres, and radio, facilitate the use of FaceBook, not the other way around. The "make use of" may be the sticking point.

I think it is badly drafted! FaceBook may want to argue on that definition.

What are Internet Connection Records?

Something much hyped in the process of this becoming law, but relegated to a small part of the Act.

It is a narrow and specific definition, "In this Act “internet connection record” means communications data which may be used to identify, or assist in identifying, a telecommunications service to which a communication is transmitted by means of a telecommunication system for the purpose of obtaining access to, or running, a computer file or computer program, and comprises data generated or processed by a telecommunications operator in the process of supplying the telecommunications service to the sender of the communication (whether or not a person)."

So it is just stuff to identify the service used by the sender, nothing more. But why does this narrow definition matter?

Well, retention can cover all sorts of data, anything that is not "content", which is "meaning of the communication". And that can be way more than ICRs. It is clear that ICRs are a subset of that data.

However, requests for this data to be acquired (e.g. from retained data) can cover anything.

There are restrictions on "local authorities" getting ICRs, but as that is a subset of the data ISPs may be forced to collect. So that is a less than useful constraint. Local authorities could ask for all sorts of non ICR data an ISP was required to "retain"!

How serious is "serious crime"?

Some aspects of the acquisition of data have restrictions for "serious crime", and that covers stuff with long prison sentences. Good. But, oddly the section also covers "relevant crime" which is rather fun as it covers offences that are "by a person who is not an individual, or which involves, as an integral part of it, the sending of a communication or a breach of a person’s privacy." This means things like failing to put your company number on your letterhead (a crime by a company) is lumped in with "serious crime"!

And the irony that you can get all this data which is a huge invasion of privacy to investigate a breach of a person's privacy is not lost on me.

Can the food standards agency get browsing history?

Well there are caveats, but yes, they are in the list and not even covered by the "local authority" exception to getting ICRs.

Does this mean back-doors can be mandated?

Well, yes, to any "service" which can be ordered to maintain a capability to decrypt stuff and even notify if new services are planned to ensure they have the back-door.

But not if you do the encryption yourself, using PGP or your own apps or pen and paper! Criminals can do this and do so legally with no interference by this Act. Well done!

Snooper's Charter and A&A

First off - I appreciate that my blog is not an official statement for A&A, but I have linked the status page here to give you an idea of my thoughts on the matter and how that may play out for A&A in due course.

Summary: Watch this space - more to come over coming weeks.

I have commented many times on the Investigatory Powers Bill, and submitted written evidence to parliament as well as oral evidence to the committee. I have attended meetings with privacy groups and legislators. I have spent a lot of time on this. I have tried very hard to try and get some degree of sanity in to this legislation, and I am sorry to say that on the whole I have failed to make any real changes, sorry.

Once we see it, I am planning to go through the final wording of the Act, with a lawyer friend of mine, and we are going to try and make sure we understand the nuances that finally made it in to law. Once we have done that I do plan to write up something much more comprehensive.

But how does this impact A&A and the services offered.

As I say, this is not an official statement yet - we'll be posting more details of what we are doing and when as time goes on. At this stage there is nothing that needs doing urgently - it will take time for anything to happen in relation to the new Act and a lot of time (and money) for the monitoring and logging to get in to place.

It is also worth pointing out that I don't really have a real problem helping the police investigate crimes as long as there is a proper oversight and control.

In practice a lot of the Act relates to the intelligence agencies, and whilst there a lot of problems with this, it is unlikely we can do much now, or that we would be impacted by this aspect of the Act. However, some of the steps we can take for privacy thwart those parts of the Act too!

The real issue we see is the huge invasion of privacy in collecting and storing data on innocent people - and the bulk powers for "data retention" do just that. They are designed to allow lots of personal information to be gathered on everyone - so mostly people completely innocent and almost entirely people not even suspected of a crime in any way. This is compounded by systems to search through that data over many ISPs and provide it to a wide range of people including the police, without a warrant of any sort.

We expect that it is very unlikely A&A will be asked to do anything - this is because companies like BT and Talk Talk will be asked (ordered) to and that will allow deep packet inspection in the back-haul networks that are used by A&A (and most ISPs).

So what can we do about that?

One of the biggest things we can do is provide information and advice about exercising your basic human right to a private life. This will take some time to put together in detail once we fully understand the legislation. We will start a specific section of the wiki pages as well to cover ideas people have. We are interested in suggestions people have too.

There is also a good possibility that we can engineer some services that operate in a way that bypasses the logging. A simple example would be an outgoing email server that is esmtp only (encrypted) to a service that is outside the jurisdiction of the UK and new law. This would be servers outside the UK and also set up in a way that A&A, or any people in the UK, technically have no control of them. This means that nobody under UK law could be required to comply with an order to include logging on those servers. As an ISP we, or BT/TT, would only see encrypted esmtp traffic to that server and hardly any useful meta data on the emails and nothing on the addresses involved.

Of course, even something simple like this suffers the big problem that the person at the other end of such communications (e.g. emails) will not have the same degrees of security and hence allow logging of meta data at that end. This is always a problem with any communications.

There is also a lot of advice on the use of tools and apps that help - like signal and tor. Sadly even tor has limitations and performance issues.

One answer is VPN services with endpoints outside UK jurisdiction but still reasonable latency. This is hard to scale up - but we are already talking about this in the FireBrick dev team about this.

In the short term we are seriously considering a trip to Iceland to investigate data centres and transit there - perhaps installing some tin that can run VMs as needed - but we also have to investigate the exact way such servers can be outside our control and hence not subject to orders on us to add data retention or intercepts under UK law.

Irony?

It is, of course, right for everyone to expect to be able to exercise their human rights, including the right to privacy. There are a lot of people, in light of this incredibly intrusive new legislation, that wish to do so, and so there will therefore be a lot of companies working on ways to provide (sell) services to help people do that. These services will have to be designed to be outside UK law, obviously. But this means they are also outside the law where there is a specific suspect of a crime, and a more reasonable justification to provide intercept or collect data to help law enforcement (with suitable warrants). So by encouraging people to need privacy and encouraging companies to offer privacy you actually make fighting crime harder. It is worth bearing in mind that serious criminals have always been able to avoid this type of monitoring, but more and more normal people and, occasionally, those committing minor crimes will find it easier and easier to use services offering privacy now.

#IPBill madness

As reported, under the IP Bill/law "[Companies] subject to a technical capability notice must notify the Government of new products and services in advance of their launch, in order to allow consideration of whether it is necessary and proportionate to require the [company] to provide a technical capability on the new service,", and "The tech companies will have little say and the Government say explicitly they have the power to bring legal action against them if they do not comply,"

Seriously why would any company comply?

OK law will be law, so one simply makes a separate company which does not actually come under the IP Bill/law, and which is not subject to a technical capability notice which develops all new products. It has no obligation to notify. Then when launch arrives, it having prepared all the technical and marketing in advance, it tells the main company which is subject to a notice, and launches. Main company complies with law and tells government in advance of new product/service launch, 30 seconds in advance, but in advance, job done.

Many companies already develop new products and services with a degree of secrecy internally and externally, especially people like Apple, so this will simply add a legal layer of separation between R&D and product development and the main company. Simple step, easy, and makes the law on this totally fucking pointless.

Getting really really cross with UK Government wanting to spy one everyone now.

P.S. A&A are not subject to data retention or technical capability notices. Even so, we are agile enough that we will often launch a new service within days of coming up with the idea, so even complying with such laws will leave the government dragging their heels.

P.P.S Why would any foreign company comply with this bullshit anyway? They will have a UK subsidiary company which can be kept in the dark until actual launch.

Is this why we need to spy on every citizen on everything they do in their home all the time? #IPBill

This is one of the examples from the National Crime Agency as to why we need the IPBill and automated filters to search a huge distributed database of everything everyone does on-line in the UK.

This really does show how invasive this will be if allowed to continue in to law. It is quite shocking. This is police state gone mad.

There are so many things one could say about this terrible example, I don't know where to begin. But here are just a few of the issues.

1. Firstly I am surprised it is reported to the police as it would very quickly become apparent the the emails in questions are not from who they claim to be, and the recipients just put them in their spam folders and never see them again. Even so, this is some kid being naughty. It is not on, I agree, but does it really justify an expensive police investigation?
2. If it was reported to the police, would they actually do anything to investigate? I would suggest not - we simple do not have the resources in the police to handle such trivial cases. It is a sad state of affairs I know, but the police are under enough pressure as it is. I seriously doubt the case would get any attention. Problems like this go away if ignored (look like they stopped after two weeks anyway), so even more likely to get no urgent attention.
3. But seriously, if the sender is smart enough to use a Russian anonymising service, they probably are not going to get traced by this - for a start the service would probably be using https on a generic cloud based platform, or several of them, where the IP is shared with loads of other generic services and is changing all the time.
4. Also, the service would almost certainly suggest ways to be less traceable, using wifi in a coffee shop, using tor, and maybe even offering delayed sending of emails so you can be in the room when the email arrives removing any suspicion from you and screwing with the above detection method.
5. The whole thing relies on today's method of communication using a simple TCP connection, but that is changing, there are many other protocols and an increasing need (because of NAT) to communicate by a long standing persistent connection. As technology moves to that, any time stamp correlation goes out of the window.
6. In practice, all of this will only identify a household. It is possible the household has more than one suspect (sisters perhaps), and the suspect does not confess. Even with one child in the house, what if they do not confess? So what then? A raid on the house, seize all computers, phones, and tablets for investigation, demand PIN and passwords to unlock them? Breadwinner of house has work laptop taken, ends up losing job over stigma? The kid in question used privacy mode on the browser so police find no trace, and even if they did, they cannot tell which of the sisters used the machine, so no conviction or further action happens.
7. Worse, actual sender is a different kid, that uses the house wifi from outside, knowing that in this police state the house will get raided, which was their intention all along.
8. Or finally, what if the the kid sends these abusing communications by post,. Does the NCA call for a national database of everyone's handwriting and DNA to be collected and stored. Or do we just go for cameras in every room in every house to keep us safe?

I am just shocked that they do not see this as an example of how invasive and police state this example shows the IP Bill to be... Shocked!

P.S. Look how easy such a system is for tracking the confidential source for a journalist, or such like. All without a warrant even!

P.P.S. Technical point...

The police would have the name of the service used. The CSPs would have the IP addresses of the TCP connections made - they would not have the name. (Yes, https can expose the certificate name using DPI at present, but that will change soon).

So, the query needs to state IP addresses to be checked, not a service name or domain name.

I see nothing in the IP Bill providing for a system to track the IP addresses used by every domain name in the world in real time as they change. Indeed, I am not sure such a system is technically possible. It would also have to track the "view" from each ISP at the very least as DNS servers can (and do) give different answers depending on who is asking. Such a system would be a really huge project, but without it, the police would have no way to know what IPs to ask the CSPs for in their search as they would have no way to know what IP was in DNS two weeks ago!

Internet Connection Records, a small taste of the problems with #IPBill

We (A&A) upgraded some core switches on Thursday morning. There we more snags than expected but the work was completed in the planned work window, in the middle of the night, and once again I'd like to thank the staff involved.

However, there have been a small number of consequences which we have been working on. Obviously not show stoppers otherwise the planned work would have been reversed, but oddities.

One of them was that we were having difficulty getting SNMP from some of our LNSs, which meant some of our monitoring was unavailable. This had left us scratching our heads somewhat as the LNSs were not rebooted or reloaded or anything.

Then, another snag was that today one of our servers that does syslog started to run out of disk. Again, a puzzle. But this was easier to understand just by looking at the logs.

It turns out these are related. We have some debug logs from the LNSs related to setting up PPP sessions and allocation of IP addresses. These are kept for a couple of days to help resolve any connection problems.

One of the things logged is the IPv6 allocation, and this is logged by logging the DHCPv6 request/reply exchange from the customer router. Usually these either happen once after connection or maybe once an hour.

The problem, it seems, is rather odd. Some customers still use the Technicolor ADSL broadband routers that we used to sell from years ago. It seems many of these got upset in a rather odd way after the work on Thursday. We can see no logical reason for this, but they are now in a state where they are on-line and working, but generating approximately 1GB of uplink traffic a day, each, sending DHPCv6 requests! We were logging all of these. It seems the logging may actually have been so much load that it was impacting the SNMP responses.

The fix is rebooting the Technicolor routers, which, thankfully, we can do remotely.

But this gives me a slight insight in to the difficulty of collecting Internet Connection Records. Each of these DHCPv6 exchanges would be something that might well be logged as an ICR.

In practice, just trying to log this one type of packet we could not keep up - the log file was only 16GB (158 million entries) since 4am today. Looking at the traffic levels, that is a tiny fraction of the number of requests being sent by these routers. Our LNS logging system has built in limiting to try and avoid overloading things, and it was being pushed to the limits.

If we had to log every session (TCP/UDP/SCTP/IPSEC/ICMP, etc) there is just no way any of our existing kit could keep up. Of course it wasn't designed to! It was designed to shift packets quickly and provide Internet access to our customers, not snoop on anybody.

This also highlights the issue with any deliberate generation of ICRs by s/w on customer networks. It is easy with relatively low levels of traffic to cause a lot of ICRs to be created, if the #IPBill passes.

#IPBill - Next Step the public bill committee

Well, I had my say on RT yesterday.



The next stage is for written (and maybe oral) submissions to the public bill committee. I think I need to do some work on this over the weekend and next week and get it in early.

And if you are writing to them or your MP, feel free to quote me when I say that we used to be proud of saying Made in UK on our products and now that could become a badge of concern.

GCHQ boss: Tech firms should co-operate over encryption

This BBC article says GCHQ want to work with tech firms over the encryption issue.

Unfortunately there is a conflict of interest here - what the tech firms wish to do is keep user's data safe - they should do this - it is even in the Data Protection Act that personal data is important and should be kept safe.

So the objective of the tech firm is at odds with the objective of GCHQ which is to access user's data when they want to.

The gold standard for the tech firm is to make the data so safe that even they cannot access it. Even someone that knows exactly how it all works, that wrote the code that is used, cannot, by any means, access the data. Apple are pretty close and I am sure are working on ensuring this is the case.

If a tech firm is successful in this goal then there is not really a lot to discuss with GCHQ, is there? They cannot have the data, end of story. If there was something to discuss, some way that the data could be accessed by any means, then that is a loophole the tech company should be working on plugging!

One statement "The solution is not, of course, that encryption should be weakened, let alone banned. But neither is it true that nothing can be done without weakening encryption," shows the problem.

Let's be clear - this is not about the mathematics - this is a very simple high level thing. Anything that allows a third party (such as GCHQ) access to data is weakening the encryption. It does not matter if that is some procedural change, some storage of keys in a "safe place", some trick in the mathematics to allow a third key - none of that matters - the very possibility of access is a "weakening of encryption" by definition.

I am shocked that they seem not to understand this. Well, I am sure they do, but want to gloss over it.

Of course, the real "back door" to any system is the software update. It is essential to have this, not just for new features in a product, but also to fix vulnerabilities. Software is never 100% perfect, and even if it was the world changes and what is necessary to defend against attacks changes. So s/w updates are needed and should be encouraged. They should be digitally signed to ensure the s/w is genuine, of course. The issue is that new software can help access data - whether by allowing lots of attempts very quickly (what the FBI want) or by capturing keys next time the user legitimately unlocks the data.

There are steps a tech firm can take, and I expect Apple are working on this, such as ensuring there is no way to update the software on a locked phone. Even make the security hardware not allow an update without correct use of the PIN or password (and not allow many attempts). This addresses the issue of access to a device after it has been seized, but not the possibility of a systemic vulnerability being introduced on devices in advance - that needs trust in the suppler.

Of course if you do not trust your supplier or the government, you can do encryption yourself, and none of this will then apply. I should not have to keep saying this but criminals can always use encryption, and even do so covertly. Such laws or discussions only impact the non criminals!

Sadly the UK wants to remove all trust in any UK firm by allowing secret orders that could do exactly that - compromise security on all devices in advance. It will be a sad state of affairs very soon when we have to trust a foreign supplier as we cannot trust anyone in our own country.

"Made in UK" will become the hallmark of distrust by the end of the year!

P.S. The original talk was actually more balanced, but still misses the key points in many ways and thinks there can be a way for law and encryption not to clash, and somehow that criminals would obey any such laws anyway.

His comment "On encryption, it simply repeats the position of earlier legislation: where access to data is legally warranted, companies should provide data in clear where it is practicable or technically feasible to do so. No-one in the UK Government is advocating the banning or weakening of encryption." clearly lacks an understanding of the power of the bill going through parliament, that can secretly demand much much more.

Maricopa County Attorney bans iPhones

An odd article: http://www.scmagazine.com/maricopa-county-attorney-bans-iphones-questions-apples-motives/article/479287/

They say that "Apple's refusal to bend to federal prosecutors a “corporate PR stunt.”"

I have to say that the move by that body seems to me to be an ill conceived PR stunt of some sort and misses the point massively.

However, I got a rather odd (what I can only describe as) "troll" on my comments on Facebook over this, saying: :"since it's only the newer versions that Apple cannot/will not provide access to at this time, the County Attorney does not want government phones that have this feature - thus sticking with older models and refusing upgrades that might incorporate that feature since they own the units and have every right to access them at will."

This struck me as rather odd.

1. If there are work related files on a staff iPhone, and only on a staff iPhone such that recovery of such files would be needed later then there is a serious problem. Storing data sole on an iPhone is not a safe place - they can easily break. Use apps that securely ensure data that needs to be stored is stored centrally (in a "cloud" even) and not solely on a phone, and then there is no problem with no being able to get data on the phone.
2. If there is any personal information stored on the phone, it needs to be secure. Phones can get lost, so making sure a phone does not have encryption means that any personal information could be lost and leaked just by leaving a phone on a bus. You actually need high security if storing any customer/public personal data on a phone or you are perhaps negligent.
3. If you have worries about staff storing data you cannot access on the phone, you are stuffed, as encryption exists and data can be encrypted and stored on the phone in a way neither you, nor apple, nor the FBI can access.

This is a boycott, pure and simple, and it is stupid and ill thought out.

What is especially ill conceived is the idea that upgrades are a bad thing. This could be one of the biggest fall outs to the whole fiasco that people feel unsure of deploying s/w updates on products for fear of secret back-doors being added, and hence leaving themselves more vulnerable to attack from criminals.

Apple

As I am sure you all know, Apple have taken a stand on a recent court order requiring them to make a back-door version of iOS so the FBI can try and unlock a phone of a known terrorist. Their customer letter makes their position very clear.

I know some people do not like Apple, and there are a lot of issues around the way they do business, but in this case I am very pleased with the stand they are taking. I, and anyone else with any clue as to the technology, have been saying the same all along. This is in part why I have started yet another petition (please sign).

There is, however, a big problem with explaining this to the public - because TERRORIST! I mean TERRORIST FFS!!!

I asked my wife if she had seen this in the news and her reaction was along the lines of "well, if he is a terrorist then they should unlock the phone". I do think I have convinced her that this is a really bad idea and a hugely bad precedent to be set.

The fact they have used an ancient law to force this order is just a clue to how underhand this is, and if allowed could open up all sorts of orders.

It is also crucial to realise that this is theatre. Criminals can encrypt things - the "secret" of encryption is out of the bag. I can encrypt things and store them on my phone, and the FBI would not be able to decrypt them even with Apple's help. This order may help one investigation with one phone now, but it is not a help in general, but it is a serious risk to the normal day to day security that we all expect and deserve. It is just about control of the largely innocent population. It is putting the government on the same side as the criminals in the security "battle", which is just silly.

Of course, one of the issues would be, if allowed, that every other country's law enforcement would ask Apple the same under each of their own laws, whether that is the UK, or France, or Russia, or China, or North Korea, and how would Apple have any argument? Indeed, once the magic version of iOS is made, Apple cannot even argue that they would have a cost in making it for other countries.

But what could Apple do if they fail to defeat this order? Well, one possible move would be to put keys in a separate tamper proof module in the hardware design in future. Much as SIM cards and bank cards work. This would allow a separate bit of hardware to impose retry timeouts and fail counts and erasure of keys on repeat fails. If that was in the hardware design then they would be unable to bypass in the firmware of the phone. Would they be ordered to change the hardware design? It clearly would not make sense to make an order for decoding one phone in future if it had such hardware...

Another simple idea, which they may be able to do now with the new s/w release even, is to make the firmware not allow loading new (signed) firmware on a locked phone. That would mean that the magic firmware the FBI get would work until the next iOS release and never again after that!

Really, we need governments to understand that encryption exists and if you make any part of it illegal or weakened you only do so for those that obey such laws - actual criminals will be unaffected by such rules, and you make their life so much easier when they are hacking us.

Indeed, part of the reasoning to explain this to my wife was another news article of an LA hospital being held to ransom by computer hacks. That is quite serious, and it is vulnerabilities and back doors in s/w that allow such things - the very sort of thing the FBI are asking for.

P.S. Seems later models already have a separate hardware security model! See here for good explanation.

P.P.S. Reading more details, the order is very specific to one phone and can even be done in Apple's premises, but the bigger concern for apply is the use of this old law to make such an order - if allowed, then it could mean any number of more intrusive orders. This is a "foot in the door" situation that needs to be stopped.

Properly clarify status of encryption in The Investigatory Powers Bill

I have tried to make the wording clearer and once again try a petition on this.

Sign here: Petition 121521

This is the wording now:-

Properly clarify status of encryption in The Investigatory Powers Bill

The draft bill suggests that communications providers may have to remove "protection". The joint committee says the bill should make clear that this be only where technically practicable. This does not quite go far enough. We need a clear statement allowing CPs to offer secure communications.

The bill MUST make clear that CPs can offer secure communications which cannot be read or intercepted even with a warrant or with an intercept order or order to maintain an intercept capability.

Without this people (in UK and overseas) cannot trust CPs offering secure communications, and trust is essential in this industry. 

Even as worded now, the bill allows criminals to communicate using own encryption, so that battle is lost. We need to allow non-criminals the same benefit using CP services

Contrary to last time the petition was published in a day, on a Sunday! Do sign...

Sign here: https://petition.parliament.uk/petitions/121521/

#IPBill Joint Committee report

It comes out tomorrow at 09:30. I have a copy.

I note the embargo does not say a time zone, so I wondered about finding an Aus site to publish it on tonight, but maybe not.

The whole issue of what would happen if I published it sooner it a grey area - with penalties for contempt of the House of Commons and House of Lords being a bit tricky under Human Rights law if they do not have a clear legislative framework, but suffice to say that I am not planning to be a test case for that right now. Maybe next time.

I am actually quite surprised how easy it is to be part of the democratic process. I, like many people, vote. However, like most people I have to feel my vote makes almost no contribution to the result. I could stay at home (again, like many people) and make no difference.

But the process here has allowed anybody - and not even just any UK citizen - to contribute to the process and submit evidence, yet only 148 people and organisations did, and only 59 people gave evidence in person. I submitted two bits of written evidence and one oral evidence session.

I am mentioned on 15 pages of the 194 page report!

I feel like I have made a contribution to the democratic process somehow. It is really a strange feeling - 64 million people and I am quoted on a report about a new law that impacts them all, 15 times!!!

I mean, that is not just my "15 minutes of fame" which I have done many times on TV, that is actually in the parliamentary process. It is a tad scary. They even mentioned my pornhub comment! I think someone owes me a free subscription :-)

I'll comment on the actual report tomorrow once the embargo is over, but I am sure many others will comment in more detail. The bill has many issues. The committee has picked up many, but not all, of the serious concerns. We'll see how it goes.

Will Govnt allow companies to offer communications services which can't be read?

In spite of saying that I had not made clear what I was asking the government to actually do, they have now published my revised petition which is the same but says I am asking them to answer a question.

Please sign https://petition.parliament.uk/petitions/120148



So let's try and get a straight answer shall we?

GCHQ and snooping

I need to make this clear to the non-techies, and this needs to be explained.

The Draft Investigatory Powers Bill covers a lot of stuff, but there are two main things...

1. What the hell the spooks do in GCHQ and making that legal now!

2. Snooping on us all for police investigations

A lot of what I have posted is on the second point. The stuff GCHQ do is harder to tackle. There is a shitload that is clearly morally wrong, and way too "big brother", but let's put that to one side for a second.

The bill covers "Data Retention" and "Intercept capabilities" that can impact us all.

Data Retention means your ISP, hopefully only the large ISPs and not A&A, keeping track of your life - everything you do on-line, every web site, the lot, and hence making it available to your local plod if they want. It is a lot of data about you, and simultaneously is both "sensitive personal data" that says a lot about you and also very "not useful to actually investigating crime".

"Intercept capabilities" mean designing systems that are not actually secure so that, just in case, the authorities can snoop on you if they want. It means any attempt for any UK provider to sell "secure communications" becomes a lie as they may have to include a way for them to "remove protection" from communications. Whilst you may not be a suspect, if your provider has that means then what they are selling is not secure, and not only can police access what you are doing, but so can determined criminals.

So the objections I have been raising here are not anything about "protecting us from terrorists" at all, they are about your life on display- for any hacker to extract from your ISP, and for any police officer that does not understand these things to assume you are up to no good.

It is about "big brother" in so many ways. Ultimately you have to accept that if the police had cameras in every room of everyone's house it would help with investigations. This is that sort of thing by the back door. It is not acceptable. It is SNOOPING!

Let's be clear here - it is SNOOPING. One person giving evidence did not recognise "snooping" as a warrant was needed. Well, even if a warrant is needed it is still snooping, but more importantly data retention and maintenance of intercept capability do not need warrant. Data retention is SNOOPING on all that we do on the Internet, simple as that.

So please, tell people to talk to their MP, to read my numerous blog posts, to take a stand.

This is not about headline grabbing and statistically insignificant issues like terrorists or pedophiles, this is about your life on record and held by your ISP for police to look at.

[Quite separately GCHQ need reining in, and even in the US the NSA has had many powers restricted]

All about trust

At the moment, at A&A, we provide Firebricks to customers in various circumstances, including as part of our high availability multiple line Office::1 product.

Usually, and with the customer's knowledge and consent, we will include a login (suitably locked down and secure) for us to access the FireBrick. This means that we can address tech support issues, and make config changes if requested and so on.

This works because our customers can, and do, trust us.

 Of course, even where such access is via IPSec tunnels, it still involves trusting us!

The problem is not that we are untrustworthy, but the law, if the Draft Investigatory Powers Bill passes as it is now, would legally compel us to be untrustworthy as it forces us to co-operate with "equipment interference" and "removal of protection on communication" in some circumstances.

If it passes it is simply the case that our customers cannot trust us any more, as that trust will have been officially removed by the law of the land.

So, we are considering what we should do, before any such law comes in to force.

One obvious measure is to not have a login in to the FireBrick. However, the FireBrick does have a trick up its sleeve here - in that we can put our login on a profile and have that controlled by another login that the customer knows. That way they can decide to turn on or off our access as and when they need.

But we may have to go further and ensure that the signing of FireBrick code for automatic updates is managed outside A&A. The issue is that whilst A&A do most of the FireBrick R&D, A&A is also a communications provider. FireBrick is not, and hopefully is outside the scope of this legislation. So A&A might be compelled to add a back door to FireBrick code. If we make the signing authority for code updates exist outside A&A, in FireBrick Ltd only, then we cannot be compelled to issue code with holes in it just to allow equipment interference or removal of protection. What I don't know yet is whether that can be done simply by use of separate hats - i.e. can I be director of A&A and director of FireBrick, but only have authority to sign code in that second role and not the first. May have to take legal advice on that. If not, we will have to have a FireBrick member of staff and one that is not part of any telco that signs the code after reviewing changes - which is a nuisance.

Why do we care - surely this is all about targeted surveillance? Well maybe it is, but the wording of the bill allows bulk equipment interference, and a general intercept capability, neither of which is targeted.

But there is also the principle here - can our customers trust us? I would like them to be able to trust us. Should trusting your ISP be like trusting your lawyer or your MP? I really hate the idea that any law can officially undermine trust customers have in us - so yes, of course - we'll take steps to ensure that trust is valid and continues.

This is massively about perception. Even if we have no such orders - which we really doubt we would ever have - if people believe we may have, and lose trust, they may disable code updates. That would be bad for the product and ultimately their security as we would not be able to fix any weaknesses in their FireBrick that we discover. Ultimately, this really is all about trust!

Threat from terrorists

Whilst the threat to all of us in the UK from terrorist attacks may have massively increased from today, please remember that it still remains a fraction of risk we all face from every day things like driving.

Maybe I do need protection from some terrorists as defined by the law - I can see one person who seems to be threatening serious violence and serious damage to property by means of airstrikes to advance political cause and influence a government. Have I misread the definition?

---

Section 1 of Terrorism Act 2000

1 Terrorism: interpretation.

(1) In this Act “terrorism” means the use or threat of action where—

(a) the action falls within subsection (2),

(b) the use or threat is designed to influence the government or an international governmental organisation or to intimidate the public or a section of the public, and

(c) the use or threat is made for the purpose of advancing a political, religious, racial or ideological cause.

(2) Action falls within this subsection if it—

(a) involves serious violence against a person,

(b) involves serious damage to property,

(c) endangers a person’s life, other than that of the person committing the action,

(d) creates a serious risk to the health or safety of the public or a section of the public, or

(e) is designed seriously to interfere with or seriously to disrupt an electronic system.

Data Retention, Spooks, and National Security

Some of the comments I have seen about my various rants over the Draft Investigatory Powers Bill have been slightly negative - basically suggesting that we as a society should accept almost any invasion of privacy to protect us from terrorists.

I think that there is perhaps some slight misunderstanding here, and worth clearing up.

The bill has several parts - one part covers bulk intercept of communications and is basically the spying done by the likes of GCHQ. They allegedly have taps on to transatlantic cables and loads of computing power to allow them to look for threats and chase leads and to address "National Security" issues. They already do this (allegedly) and the bill is primarily to put what they do on a more clear legal footing.

I have not really said a lot about that - partly because, like everyone else, I do not know a lot about what they actually do, and partly because the technical issues are sort of their problem. There are, of course, privacy issues, and I have concerns over what they do - but there are bodies like Privacy International and Open Rights Group working on these (and I am helping with that where I can).

The main issues I have been raising are not over the bulk intercept but over data retention. This is where ISPs keep data for up to 12 months to help the authorities. This is almost always normal requests from police forces investigating some normal crimes. Apparently, as I understand it, RIPA requests relating to national security are really rare compared to more normal crimes (which is not a huge surprise).

We have seen how the police handle such requests first hand, both as an ISP and as a victim of a crime, and we have seen how badly they handle the requests and the data.

The snooping that the government want ISPs to do, as opposed to GCHQ doing, is for these types of requests - so that normal police enquiries can get details. This is also the area where knowing every web site you have visited is likely to be very unhelpful (as seen in Denmark).

So accusing my comments as trying to hamper "National Security" is somewhat misguided.

Of course, as I have pointed out many times, the threat from terrorists is absolutely tiny compared to so many other threats and disproportionately treated in legislation like this.

• Security technology is changing, largely to tackle the very real threats of so called "cyber attacks", and this will render both bulk intercept and data retention more and more useless over time.
• Terrorists and criminals are already able to evade both bulk intercept and data retention anyway.
• ISP data retention is not generally related to terrorist investigations and national security anyway - that is more related to GCHQ and bulk intercepts.
• Having ISPs collect and retain this data has cost, privacy, and risks of data being disclosed or misused which far outweigh any benefits.

In my opinion we should scrap forcing ISPs to retain data at all - ISPs will have some data anyway for operational reasons, and once the police understand this technology better they will be better able to use RIPA requests to access the data that is available now. Forcing retention for a long time, and forcing logging and retaining more data is not a good idea.

Home Office meeting re IPBill

Thanks to the Internet Service Provider's Association (ISPA) I got the chance to visit the Home Office yesterday and hear their briefing on the Draft Investigatory Powers Bill and ask lots of questions. There were a number of small ISPs at the meeting. Obviously these are my views as I don't speak for ISPA.

Firstly, as you can imagine, security is pretty tight. There was an X-ray screening, and a two door air-lock entrance thing to get in, and constant escorts, and locking up phones, laptops, and any recording devices on a separate floor before going to the meeting. Obviously I was told to bring photo ID, and as I got to the desk I went to get my driving licence when the receptionist said "Ah, I can see your photo ID" and handed me my visitor's pass and sent me on my way. They even let me keep my pen knife. Yes, I got in on my work's photo ID around my neck, which I printed myself on the work Matica card printer - I could have been anyone!

However, apart from that amusement, things were quite interesting. We asked a lot of questions around data retention - this is one of the main areas of concern for small ISPs as the bill seems to allow an order to retain data that could only be obtained by somewhat expensive deep packet inspection (DPI) equipment. It also does not say we'd get paid for this kit, just that the "contribution" would not be "nil".

What we heard was somewhat "civil servant" waffle, but overall was quite reassuring. They basically said they already have retention orders with the large ISPs under the existing regime, and would expect to serve new orders only on them. They have already discussed with them what they could retain. They even said that an ISP would not be expected to log things for which they don't have the capability, or to log any "third party data", or "over the top services". From what we can tell, the logging of "Internet Connection Records" would come from operators that have web proxies and/or CGNAT equipment. They also said they currently do 100% cost recovery and intend to keep that the same.

Of course, they could not rule anything out. We basically said we need some of that re-assurance on the face of the bill some how (see my written evidence at the end of this post for more details of what I would like). The key points in the bill now are that they do have to consider cost and impact on the ISPs business when making an order, and they do have to consult us first. That should probably rule out doing any DPI stuff on cost grounds. Mind you, after yesterday, I would be surprised if A&A do not have a red flag and "don't go near with a retention order"...

At the start of the briefing the the bill was explained, and we heard a story very similar to Theresa May’s comments along the lines of:-

“Consider the case of a teenage girl going missing. At present we can ask her mobile provider for call records before she went missing which could be invaluable to finding her. But for Internet access, all we get is that the Internet was accessed 300 times. What would be useful would be to know she accessed twitter just before she went missing in the same way as we could see she make a phone call”

Now, I am sure this is a well practised speech, used many times before. I am sure the response has been nodding of heads and agreement with how important “Internet connection records” are, obviously.

However, I, and other ISPA members immediately pointed out the huge flaw in this argument. If the mobile provider was even able to tell that she had used twitter at all (which is not as easy as it sounds), it would show that the phone had been connected to twitter 24 hours a day, and probably Facebook as well. This is because the very nature of messaging and social media applications is that they stay connected so that they can quickly alert you to messages, calls, or amusing cat videos, without any delay.

This seemed to fool them somewhat and they had no real answer - we were not just nodding and agreeing, and that was unexpected :-)

I asked about Data Protection Act Subject Access Requests for retention data, and they don't know.

We asked if DNS logs might be wanted, and they don't know.

I asked about my canary and if the law could compel me to lie - they could not answer that either.

We asked what an "Internet Connection Record" is meant to be, and they confirmed that it is basically down to what they agree with the ISP when they do the consultation before the make a retention order, and will depend on what the ISP can log. We all expressed concern that the bill makes out that an "Internet Connection Record" is a real "thing" and not just some vague term.

I asked about the gagging clause - not allowed to disclose retention orders, and they said the large ISPs asked for that clause, which makes no sense as they could simply choose not to disclose anything.

I asked if the audio content telephone calls to directory enquires counted as "content" and not "communications data" and if so, the content of DNS packets should be treated the same. They were very non committal on that and I wonder if they will be wanting DNS logging. One ISP there outsources DNS to an American company so would have no logs!

I pointed out that if asked to log email I can simply move email to a foreign email service to avoid the hassle. That caught them out - almost like they have never considered that anyone would do that.

Overall - it looks like small ISPs probably have nothing to worry about, but...

• We'd like that a lot clearer on the face of the bill
• None of this addresses the privacy issues, but I have been invited to working group on that in a few weeks.

There is a call for written evidence - here is what I have submitted (pdf).

P.S. No, I did not see Theresa; No, they did not hypnotise me; No, I have not yet wiped my phone after being in their hands for two hours... yet; Yes, they had coffee and biscuits; No, I don't think Theresa is a goa'uld; No we have never been and are not subject to a retention order; No we have no "black boxes" of any colour.

How can terrorists and pedophiles bypass the IPBill?

One of the issues with the Draft Investigatory Powers Bill is how pointless it is, given that its measures can by circumvented easily.

Of course, what I mean is "How can NORMAL PEOPLE THAT WANT TO MAINTAIN SOME PRIVACY IN THEIR OWN HOME bypass the IP Bill"?

So, I'll explain a few ways you can use the Internet and communicate reasonably privately. These are not new. These are explained in guides for journalists and freedom fights in oppressive countries. As an oppressive regime is something the UK is clearly aiming for, it is no surprise that these methods are the same. They can also be found in terrorist manuals, again, unsurprisingly.

Firstly, if you really are a terrorist or a criminal, please stop it now.

Simple instructions - time/place, etc.

If you want to send a simple instruction to your friends, perhaps because you are starting a video game or something, maybe “On est parti on commence.” then there are simple ways to do this and you can easily encrypt that message in totally uncrackable ways without even using a computer (see my simple encryption video). Of course, you can even just pre-arrange that when you say "elephant" in any message, that is the message to get started - you don't need encryption in any way at all. So none of the following really matters if you are sending something really simply like this - you could even use plain old SMS.

Equipment Interference

This is just hacking your computer, but legally! If you are a suspect they may have hacked your machine, or your web cam or whatever, so you are probably stuffed. Using good practice for security and firewalls and sensible use of the Internet may help avoid that happening. You may want good locks on your doors too. The best thing is not to be a suspect in a crime, if you can.

Accessing web pages

The simplest way to access web sites privately is to us Tor. This is a development funded by the US navy originally. You can download a Tor browser and use it. The browsing is bounced around multiple nodes on the Internet, many of which may not be in the UK, and all of that communications is encrypted. Each node only knows the next node, and they do not log anything. Eventually the data leaves an exit node - which could be anywhere in the world, and goes to the web site. The web site does not see your IP address, it sees the exit node's. The browser may leave some fingerprints of who you are, but a Tor browser would try not to. Obviously if you give a web site any details yourself then they will know who you are or claim to be. But the IPBill will only log that you are connecting to random nodes on the Internet, and that maybe you are using Tor. The ISP retention stuff will not show where you went on the Internet.

Using secure sites

Using an https (secure) web site outside the UK should be safe from the content being logged, but the fact you visited the site can be snooped. At present the name of the site may be too, but protocols are improving. Depends if you want to protect the content or meta data.

Sending and receiving email

For the content of email this is easy, get one of the PGP email plug-ins for your mail client. May be listed a GPG or GNUmail or similar. They talk an encrypted email protocol. Read up on handling keys properly and check the keys of your friends are really theirs. This protects the content of the email. Importantly it does not protect the subject line or the from/to email addresses. That could all be logged.

However, there are simple ways to protect the to/from and subject and so on - using encrypted links from your phone/PC to your email servers. This is normal, using imaps and smtps, and many mail services allow this. Or use https to a web mail system. But beware - the mail server may have logs, and if in the UK they could be collected under the IP Bill. To avoid this you need to run your own mail server - which is really not that hard (google it). You also need your friend to run their own mail server too. The snag then is that they can see this encrypted connection between your email server and your friends so assume you are communicating. Using Tor will help hide some of that too.

An alternative is use a common mail server in a sane country and use smtps and imaps to talk to it, and hope that country is not handing over logs to the UK. I don't know if there are email services in North Korea, but if there are you can bet they don't send logs to the UK.

Messaging

There are a number of end to end encrypted messaging apps for phones, but even iMessage should be mostly safe unless Apple get coerced in to unlocking it. All the snooping will show is you are talking to Apple - it may not even be obvious you are using iMessage. There are also Tor messenger that makes use of message systems like irc but encrypts message and hides the parties to the chat channel.

Phone calls

Tricky - some things like Apple FaceTime are as safe as iMessage, to probably quite good. Some apps exist like Signal which help ensure content of calls is secret, but the fact you are using Signal will probably not be. The biggest issue is that any calls to or from the normal phone network are already logged. Same with SMS to or from the normal phone network. Using foreign SIP gateways and a VPNs to get to them could make it hard to link the calls to you though. It depends a little if you just want to protect the content of the calls, or the meta data (the fact you made a call, when, and who to).

VPNs

One on the all encompassing methods it simply to make use of a VPN. This is an encrypted link to some point on the Internet. From there it is normal Internet traffic and all of the above may be useful, but if the VPN endpoint is in another country then that bypasses the IP Bill. The snooping shows only that you connect to that foreign endpoint using a VPN, not what you are doing.

Two main ways to make a VPN. One is to buy a VPN service. There are quite a few now, and some will allow connections via various countries. For a few quid a month you can make all of your Internet go via this.

The other way is to buy a cheap VPS (a virtual server) which is a computer on the Internet, and then install a VPN application on that server. Again, only a few pounds a month. This is then in your total control, but works in the same way. Of course if you and your friends all connect to a dedicated VPN endpoint like this, then the snooping shows you are connected somehow. Using a commercial VPN endpoint will hide that.

Either way you can make your phone or PC talk directly to the VPN endpoint, or you can even get some home routers now that handle IPSec (a VPN protocol) to put your whole house and wifi on the VPN.

The other end

Remember, if you are communicating with anyone, even a web site, the other end sees the communications. If they are compromised, hacked, or simply untrustworthy, they can reveal your communications. In some cases, such as Tor to a web site, they don't know who you are or where you are, but for email and messaging and so on, that is not so easy. Anonymity is a who other area of privacy which I am not going to try and cover here.

Conclusion

Yes, there a load of ways to make the logging in the IP Bill totally pointless. A lot of people would not bother with even these simple steps, but any criminal with any sense whatsoever will be able to hide what they are doing with ease. The real victims of the invasion of privacy will be the innocent citizens of the UK.

However, please, politicians, take this in the way I mean it - as an example that shows the futility of this endeavour. Concentrate the effort and money where it matters - police on the ground - following the leads you already competently get - stopping crime without invading privacy.

Quote of the day from the A&A irc channel:

I actually already do tunnel almost all my internet stuff 

through a VPS, to deal with general local ISP rubbishness (e.g. 

dynamic IP address, lack of IPv6) and very localised 

surveillance/tampering (e.g. a dodgy wifi hotspot) rather than 

to try to hide from the UK government.

Cost of Data Retention

The Draft Investigatory Powers Bill has a requirement for ISPs to retain data, but the wording is so wooly it could literally be any data.

One of the important points to be debated about the bill is the cost impact. Obviously people are asking what the cost of retention will be. Unfortunately I don't know, because unless, and until, we get a secret retention order, we don't know what is expected of us. Even if other ISPs get orders, we will not know as they are secret.

So we need to get a handle on what they intend. Unfortunately it is more important than that though - it is not just what they intend, but that intention has to be then put in the bill. If not, then the second the bill passes the secret orders could be very different and have totally different costs to those debated in parliament before the bill passes. If even the politicians are honest (choke!) a change of government puts someone else in charge and they can use the act based on what it says, not what the intentions were. What is worse, as they are secret, nobody will know that the orders are not as per the intentions explained to parliament.

To try and put this in to some sort of logical order, I have listed below some of the things that could possible be requested and an idea of complexity. What would be useful it to know which of these they are after, and have that writing in to the bill now.

Keeping existing logs for a year

Some things an ISP already logs. Examples are email server logs, or call server logs. If the ISP already logs something to a durable medium such as a hard disk, and keep logs logs for a period (a few days for email logs, for example), then simply asking that they keep the logs for a year, and provide a means to access via RIPA requests, is not too hard. It has some costs (bigger hard disks), but is technically relatively simple. I am not too worried if such orders are made, especially because we could move such services outside the UK if we did not wish to make logs at all.

Making some new logs

In some cases an ISP will have equipment which has some means of creating some logs, but they don't log at present. Assuming the equipment is capable of making logs that can be stored in some durable medium, then it could be possible to turn on that logging and keep those logs and have them for a year. This is slightly more work. If the logs are particularly sensitive data, the ISP may have to have extra security measures that would not be present if simply "not logging" as now. It is a step further than just keeping existing logs, but may be possible.

New equipment to make more logs

There are ways in which some equipment can create additional logging, such as sampled IP headers. This is usually used for network diagnostics, things like working out where a denial of service attack is coming from and going to or planning network upgrades or configuration changes. It may not be enough to be that useful for intelligence services as it is more statistical than a proper connection log, but it may be. Installing new equipment or upgrading existing equipment may be possible to provide this sort of additional logging. This will have some costs for the new equipment, and again for the logging itself, so is a step further. The cost will somewhat depend on the extent of logging required. In the case of A&A, one of the big costs in any new equipment is the fact that the rack in question is full and the data centre in question has no spare racks - that could make installing one cheap piece of kit very very expensive.

Logging TCP sessions, UDP exchanges, etc.

It could be that they would like a log of all "sessions". Note that a "session", or "Internet Connection" is not a hard concept - it exists for TCP, but not for UDP or ICMP. It sort of exists for IPSec with key negotiation. For some protocols like SCTP or MOSH it is somewhat more complex as the single "connection" can change endpoints like Trigger's broom and stay up for years. Even with TCP, a "connection" could last days or months or years - it could be that when the session ends and is logged it is already older than the 12 month period of logging. Just trying to define what a "connection" is will be hard, but some sort of Deep Packet Inspection (DPI) kit could track sessions. This is very expensive on any scale at all - ISPs routers use specialised hardware (ASICs) to keep up with just forwarding packets - to track "connections" is a lot more work and cost.

Logging stuff from TCP sessions, like web or email addresses

Ultimately, what was said in parliament, is that they want web logs - logging the web site names. This is much harder still - you don't just have to track a TCP session over multiple packets but have to track the clean data stream within it, understand higher level protocols like http, and extract information from those protocols like web site host name or email headers. This is another level of expensive and complex over and above session tracking. Note that this level will be increasingly thwarted by the use of encryption.

Logging all content

We don't think they yet want to log all content, but basically that would be impossible. The storage requirements would be vast and impossibly expensive - the data flowing over the Internet is just too vast to log.


In addition to these various levels of logging, there are some other key issues :-

Denial of Service attacks

One small point is that there are denial of service attacks - these will look like millions of separate connections a second. Any system that tries to log "internet connection" records will need to be able to keep up and log these. The issue is, of course, that these are enough to break the network normally - having a logging system that does not break in the face of trying to log this traffic will be even more expensive. Now, you could take the view that we don't need to log a denial of service attack, but (a) surely you do as it is illegal activity and that is the whole reason for making these logs, and (b) the DOS could be targeted at the logging - not enough to damage the ISPs network but enough to look like a shit load of connections and be too much for the logging systems to keep up with - thus losing real connection logs. Being able to cope with such new DoS targets will mean even more complexity and cost for the ISP.

Maintenance

One of the big issues, and costs, with any of the more complex solutions for tracking "connections" and especially tracking data from within those connections, is the changing nature of the Internet.

Already we see more and more systems using encryption - so even something a simple as sending or checking email will now be impossible for the ISP to "see" in to and identify the sender and recipient of the email by email address unless they are themselves providing the email service. https which is used for many web sites now currently allows DPI to "see" the website hostname, but that too is changing and it will soon be encrypted too.

But even without encryption, the protocols change. This is not just because standards change, and they do, but because of the very nature of the Internet. It allows packets to go from one place to another and does not care what protocols are used. As long as both ends understand, it does not have to be any sort of "standard" at all. An application on a phone could talk some completely new IP protocol to its server over the Internet, or even talk something that looks like an existing protocol like TCP but actually in a totally non standard way. That is all valid in the Internet. Web sites generally have to follow some standards but games and apps can do what they like, and often make up their own unique protocols for communication with game servers. One of the key things that may want to be tracked is things like in-game chat - but there is no way an ISP can sensibly do that looking at the packets as they pass, even if not encrypted.

Interestingly Network Address Translation (NAT) is responsible for limiting the protocols commonly in use (typically to ICMP, UDP and TCP) because that is what NAT boxes understand. Even with this limitation, the protocol then used over TCP and UDP can be whatever you like. However, IPv6 is finally taking back the Internet as simply a means to get IP packets end to end (as it was designed) - it now allows new protocols and misuse of existing protocols without the limitations of a NAT box having to understand what you are doing.

So, the equipment that does any sort of session/connection tracking or DPI will have to be constantly updated and maintained to handle the new protocols coming along, and even guess at some protocols it has never seen. If looking in to higher level protocols, that will be a constant battle with innovation on the Internet, and with rebellion at the monitoring that is being done.

However, in summary - we need to know what level of logging is intended by the bill, and we need the bill updated to be clear on that, else the cost estimates are a joke.