Scrambling for Safety 2012

April 12th, 2012 at 09:21 UTC by Ross Anderson

On the first of April, the Sunday Times carried a story that the Home Secretary planned to expand the scope of the Regulation of Investigatory Powers Act. Some thought this was an April Fool, but no: security minister James Brokenshire confirmed the next day that it was for real. This led to much media coverage; here is a more detailed historical timeline.

There have been eight previous Scrambling for Safety conferences organised while the UK government was considering the RIP Act and the regulations that followed it. The goal is to bring together different stakeholders interested in surveillance policy for an open exchange of views. The conference is open to the public, but you have to register here.

Here is the programme and the event website.

Entry filed under: Legal issues, News coverage, Politics, Seminars

5 comments Add your own

  • 1. Ross Anderson  |  April 19th, 2012 at 14:27 UTC

    I’m at SfS and as Julian Huppert asked me for my notes I thought I might as well put them here as a liveblog. So here’s what happened in the first panel session.

    Gus Hosein kicked off with a summary of the history of comms data surveillance at the IMP: for more, see the CCDP wiki and the Privacy International blog.

    On the panel, Shami Chakrabarti asked whether the Home Office goal is that there should be no unwatched spaces online or off. On their arguments, you can justify putting a mike and a camera in every home, as every home will be a crime scene eventually. The big question is what sort of society do we want; where will be the private space, without which we can’t have intimacy or even dignity?

    I spoke of the FIPR big browser amendment to RIP in 2000: traffic data is only up to the first slash. It says you went to Google, not what you searched for when there. Now the Home Office wants to rewrite this, and get all the dozens of ways you communicate on Facebook. Yet as everyone uses such tools, traffic data becomes ever more “specially sensitive” in DP terms.

    Tech issues include (1) the senior civil service is clueless; this seems to be driven by tech mafia 1-2 layers down plus vendor salesmen (2) once black boxes are in place, GCHQ can get content as well as traffic (3) at present BT has capacity to DPI 100,000 circuits; x100 would mean a £2bn project, of which Huawei might get £200m (4) this would enable BT to rebuild its network at taxpayer expense but would screw the smaller ISPs: Thatcher’s achievement in telecomms reform will be undone (5) given the falling cost of storage, it is now possible to store all UK comms on about 10,000 servers; India is already doing this (6) but everything is going behind TLS because of phorm etc. My prediction was that mass DPI will be abandoned but it will eventually come down to a conversation between the government and the service providers. If Google says “come back with a warrant”; while Facebook says “please put your kit in that cupboard over there”, how do we regulate that?

    Julian Huppert: Ministers and policymakers don’t get it. Having the head of OSCT as a serving MI6 spook protects their interest not ours: he spends avast budget but when he talks to Home Affairs Committee the room is cleared and everything he says is redacted. The coalition agreement says end retention of email and phone records without good reason – and Julian hasn’t heard the good reason. Nick Clegg asked him to arrange tech briefing meeting: will have Google, FB, TalkTalk and some of the people here. Teresa giving evidence to HA committee, live from 1230 next Tuesday. He is relieved that the proposed legislation will now be a draft and will have a special committee to go through it. He supports a magistrate’s warrant for data requests and promises that Lib Dems will stop the ever-encroaching drive to an authoritarian state.

    Trefor Davies: as an ISP CEO he has not been party to the spec of the black box, or data preprocessing requirement. Can we do it? Can we do what? We can do anything – see China. Voice easy; email headers are straightforward; web too. All the big ISPs traffic manage but the small guys mostly don’t. Also, you need to do quite a bit of development to get something useful (e.g. correlate traffic logs with your CRM system). Could we wiretap the Internet for £2bn? sceptical. £100-200k for entry-level traffic management, for every ISP, then much bigger implementation costs. But then, traditionally only big ISPs were asked to enforce stuff like Digtial Economy Act; small ISPs don’t have such systems! He had eight different email servers, from acquisitions, and struggled to unify them. He can’t see what’s in traffic to Google; would the GCHQ black box decrypt it? If so, people would notice. And then there’s dropbox, google docs, anonymisers – do you drive people underground? Digital Economy Act may drive people to use proxy servers … At which point do we stop resembling a free society and start resembling China?

    David Davis: just came from a serial crime scene, namely the House of Commons! If you appeal to MPs with purely intellectual arguments on this, we’ll lose the vote 600 to 10. Milliband’s reaction on a radio chat was: “oh you’re going to take away powers we already have?” Ministers don’t know one end of a machine from another; they also deal with terrorism but have never seen an actual terrorist. Officials can tell them anything. The Home Office had a good first six months, then a pause, now back into full Blairite mode. The Damian Green incident involved a whistleblower who was fired; there were 16 others. With pervasive comms data surveillance there won’t be another whistleblower. And how many ministers would like to have their entire comms records – including to Mr Murdoch – put in the public domain. The real costs are not financial but liberty. He would not support CCDP even if it cost tuppence. There are ignorant experts too, claiming data mining effective, despite the risk of many more false positives: 900,000 went to Pakistan last year; thousands of people know terrorists; and there will be more Forest Gate shootings when the police go aggressively after the wrong people. We need to take back powers given in RIPA. The “three blind mice” (the commissioners) are useless; get rid of them. This needs to be dealt with full-on, not as a technical matter. Tech no longer a problem for the spooks – that’s just bonkers. They get access to vastly more than they used to. The proposals will turn us all into a nation of suspects – except for those who’re actually guilty.

    Questions: [1] does Julian feel opportunity for Lib Dems to say enough is enough? [2] what positive options are there? [3] how to get clueful people into positions of influence? Julian: see party positions. Me: invest in competence on forensics, and we need a huge shift of resources from GCHQ to police, who should take on burden of domestic surveillance from councils. Shami: yes, conceptually and legally we must go away from mass surveillance to targeting suspects. Trefor: a specialised judiciary to take educated view on RIPA would help. David: the problem is not just MPs – what proportion of voters understand? 1%? Disproportionate power to cognoscenti in modern politics – look at 38 degrees which stopped forestry policy and massively amended NHS policy. State surveillance best dealt with by warrantry; judges used to be woken up in the middle of the night (and he wouldn’t mind if some warrants retrospective by an hour or two). The ID card argument wasn’t won by us but by the government throwing away 26m records – that changed the polls. Will you air-gap the whole system? Trefor: career swaps between BT and civil service have dropped off, and maybe we should fix that so some civil servants are more clueful. [4] The onus must be on proposers to explain why they can’t get content; on MPs, get each adopted, and teach them guilt by association [5] don’t underestimate the public’s ability to understand and desire not to live in a Stalinist state [6] data global, and the civil liberties fight, so how can we protect UK citizens from CISPA [7] judges issue injunctions as well as warrants, so how to protect journalists [8] non-UK states have employees here, so will diplomats complain, or circumvent? Shami: US activists concerned and angry at UK policy laundering. Me: wholesale international trade in surveillance kit, and BIS seems unwilling do export control because it’s in GCHQ’s interest to have black boxes on Syria’s network. It’s in China’s interest to have 10,000 black boxes on ours, so why are we going down this path? We need joined-up policy, as the traditional boundaries between civil/military and home/foreign are not sustainable. Julian: like idea of adopting an MP as few people come to him to talk details of policy – so go talk to MPs in a calm way. We should not be a standard bearer for greater authoritarianism. Goal: bill should just tighten access controls on data already kept, or else kill it. Trefor: just google for “how to bypass my school filters”. David: the public don’t want snoopers’ society. And we must engage on foreign issues: public takes ten years to get it, and often it’s the Gary McKinnon type cases. And while you can reverse domestic policy, treaties are much harder. (And it’s rumoured that foreign states bypass controls.) Information nowadays is what money was in Gladstone’s day; we need a Gladstone to reform information law.

  • 2. Ross Anderson  |  April 19th, 2012 at 15:58 UTC

    The second session started off with a tutorial from Peter Sommer on the growing technical difficulty of separating comms data from content. He worked through examples of conventional email headers, which are fairly easy to parse, and how this becomes so much more difficult as everyone moves to webmail. You can get his slides here.

    The first panel speaker was Douwe Korff, who examined the human-rights law aspects of surveillance. The interference with a fundamental right (privacy) must be according to law; it must also be necessary and proportionate. Most EU law does not distinguish between content and metadata (the one exception being the data retention directive, but that’s badly drafted: it says no content can be retained pursuant to the directive, which isn’t technically feasible). Case law includes Scarlet and Netlog, in both of which the Court found pervasive indiscriminate suspicionless mass monitoring os ISP subscriber activity for IP enforcement was a disproportionate interference. Would it be allowed to detect crime? In Douwe’s view, no. The proposals also conflict with data protection principles and cannot be done via voluntary codes as they violate rights. The key legal test may be intrusiveness. Mass surveillance is a mass violation; targeted surveillance according to law is OK.

    Sir Chris Fox is a former chief constable, yet agrees with almost everything Shami Chakrabarti and David Davies said earlier. He won’t talk about the engineering or the economics but the practicality. What’s the business case for hoovering everything up? These surveillance tools may help some people sometimes, but he suspects very rarely; the people proposing them don’t much understand the investigation process. He accepts the proposers are well meaning, just ignorant. We should accept that there will be terrorist incidents, but the balance is that we live in a free society. Foreseeable problems include false positives causing problems for all sorts of people; the top level of terrorists and crooks will stop using the surveilled media. The Royal Mail will become the communications channel of choice! (We’d never accept them steaming open every letter and keeping a copy on file.) The key is about safeguards and controls, not hoovering everything up just in case. The difficult area is the process by which people become suspects, not getting warrants for known suspects. But mass surveillance will not be cost effective. We should aim at judicial safeguards and punitive control of the process.

    Tom Brake is the Lib Dem spokesman for Home Affairs. There’s an open argument about this stuff in government, and if any changes were made in respect of Facebook, Skype etc, then the quid pro quo would have to be a tightening up of RIPA. The issue of content versus headers will be tackled in Julian’s meeting next week: is it possible to unpack them? This is a hot debate in government, as is security (which is currently about a central database versus requiring ISPs to hold data themselves, and about what happens if ISP staff sell stuff). He hopes the outcome will be a lot more palatable than what appeared in press articles. Has there been progress since that leak? Well, pre-legislative scrutiny will give NGOs a better chance, and we ideally want the National Crime Agency proposals disconnected as the NCA os positive and this is negative. Questions: the protection of freedoms bill was always intended to be just a starter; as for warrants for comms data there’s the practicality of dealing with the 250,000 requests last year. Questioner: but almost all of those were reverse lookups! Talked about legal aid, then left.

    David Smith is the Deputy Information Commissioner. He is not taking sides in the debate as they haven’t seen the proposals yet. The ICO will give a view in due course when asked. In the past all we had law enforcement access to what the providers had, namely billing data; we moved to requiring them to keep it longer; and we’re now talking about getting them to retain stuff they wouldn’t or even create data they wouldn’t. The claim that they’re maintaining a capability has to be seen in context of how we live our lives differently; we do lots of stuff online that we used to do face to face. For example, smart meters will transmit data about our electricity usage that never existed in the past. In general, the ICO is concerned with setting up systems that intrude into privacy, often on the grounds of counterterrorism, that then get used for other things that would not in themselves have justified the creation of such systems. An example is border agency data that’s actually used nowadays to counter drug trafficking. As Tim Berners-Lee said in the Guardian yesterday, all data are vulnerable to insiders, so we need proper regulation and the prospect of prison sentences. Finally, the law must be clear, or they as the regulator will not be able to deliver what people expect.

    The final panel speaker was crypto pioneer White Diffie. He thinks human autonomy has very little chance against improving communications. 25 years ago a truck driver would just be told to haul a load from Boston to San Diego in a week; they didn’t know whether he did a side job on the way or even stopped off at a whorehouse. Also, a general would be sent off to fight a war and left to get on with it. But by 1967, the commander of the sixth fleet was told by McNamara to recall his planes when he tried to protect the Liberty. From low to high in society, comms undermine autonomy. Businesses used to protect customer data from competitors; this is declining as data are traded, and no-one has figured out how to make a killing from respecting customer privacy. The new style is online services which make everything you do fundamentally knowable to others. The analogy with the crypto wars is weak; then governments worried that crypto would be more successful than it had been. The shoe is now on the other foot; we the “good people” are trying to prevent the government from doing something it wants to do and thinks it ought to (and incidentally may help stay in power). Back then, the interests of ACLU, EFF, EPIC and Liberty were aligned with big corporations like Microsoft; that’s much less clear now. Then, we focussed on protecting content; protecting traffic data is much harder. Even in the 19th century it took a warrant to open a letter but “mail cover” (reading envelopes) was much easier. In the 1980s, he would phone Harvard and ask the operator for an extension; no record was available to his organisation. Then it got automated and post-cut-through digits started being available (and fight over wiretap versus pen register status). In the present, clickstream data gives you more and more data about your target in less and less time. To sum up, the welfare of society depends on three things: law, technology and business. We have to consider all three when working on these problems.

    Questions: [1] might a constitutional monarch talk of surveillance? [2] can you operate on principles rather judicial review? [3] what happens once most of our comms are encrypted? Whit: there are circumstances where SSL will help but many others, such as when looking for a divorce lawyer. Even if google is encrypted, the pages I look at mostly aren’t. You can get better results using onion routing but you pay a great deal for that. Douwe: it’s hard to de-identify data but you can talk about different levels of intrusion. Search data and geographical data are very intrusive. Ultimately the ICO should apply the law except where it conflicts with ECHR. David: the ICO won’t take a view on whether a law is contrary to ECHR but he does take a broad view of the definition of personal data; he is sceptical of the content/traffic distinction. [4] (Duncan Campbell:) RIPA section 3.2 allows for the interception of all traffic across the UK’s borders, so it allows GCHQ to do content analysis of everything, including your hotmail, while section 5.6 lets them take domestic stuff too. The impact is minimal because of the tight boundaries around the intelligence community. So who are the customers for this new stuff? [5] (Retired special branch man in the audience:) government trying to get ahead of the curve. The French government had 500 email addresses of people who’d contacted the motorbike killer, but didn’t get him in time. What they propose isn’t near the top of the list of what I wanted! Home sec said she wanted to look at people who’ve not come under suspicion yet. She doesn’t have a clue [6] SSL attacks are easy to MITM if you’re a government; is that the future? Chris: the crux of the matter is that the government’s not sure. In the case of 7/7 the perps were known but were among many; officials ask whether with more comms data they might have been prioritised. But then we’d have so much information that all the resources would be looking at it and no-one would be doing anything else. Whit: NSA has not been terribly outgoing to the police! It sees law enforcement assistance as an imposition and a security threat. Douwe: every policeman who argues for this stuff should learn about the base-rate fallacy. Read Schneier and don’t do policy that’s not consistent with mathematics. Judith Rauhofer: maybe we can connect this to the falling standards of mathematics in British schools! [7] This stuff is clearly not HR-compliant; how can we challenge it in the courts? Whit: can’t use too broad a brush; a lot of progress in government over the past 200 years is their better understanding of population needs. Douwe: there has been hardly any evidence produced in support of mass surveillance, just a few anecdotes about particular cases. And remember to win in Luxembourg or Strasbourg you need to explain stuff to judges and technically clued as I am. [8] (Ian Brown:) you can’t expect the European Court to save us! This is politics; join the Open Rights Group. Telling politicians they’re stupid won’t get us anywhere. [9] As for royal pronouncements, the Queen’s speech might end up a joke. [10] Is privacy the right platform for arguing these proposals? We get into social media, apps and everything else. [11] how will the arms race play out? [12] do people want to move away from a data definition of privacy to a situational one? Whit: the technical side will be beaten by the business side. Chris: they haven’t made a business case. David: it’s right to move away from data privacy to situational ideas but have to keep the law and apply it situationally depending on risk and harm. Douwe: it’s not really “privacy” or “data Protection” but power: people have information about you and use it to take decisions about you. But you’re right it depends a lot on the situation. Douwe would prefer a hard court of law to the soft stuff from the ICO. David: there are other priorities than analytics on websites.

    The wrap-up was given by Nick Pickles. This campaign is now beginning, not finishing; we have to ensure that this doesn’t get on the statute book, and that the fall-back version doesn’t either. We now know that RIPA is the target. We must ensure there’s a debate on the wisdom of creating, or leaving in place, machinery that could be abused by a bad government in future. Just because we haven’t had a revolution in Britain, we may trust government too much. Recall “We must confront the surveillance state!” (David Cameron 2009). This is not just technical, or business; it’s about trust.

  • 3. Ross Anderson  |  April 19th, 2012 at 22:00 UTC

    Coverage by the BBC and in Paul Bernal’s blog.

  • 4. sigma  |  April 19th, 2012 at 22:04 UTC

    We are already under surveillance from the ISPs.
    TalkTalk intercept and replay their users browsing requests both by bots controlled by themselves and export the same to Huawei who additionally replay the browsing requests from Chinese IP’s. There is masses of evidence in server logs of this, even server logs that show the TalkTalk bot attempting to transact the same commerce as the user it was tracking.
    Vodafone have a similar arrangement with BlueCoat in the USA. In both these cases, personal data in the url is harvested. In spite of this being in breach if the current RIPA and DPA both the ICO and the police have refused to act on behalf of UK citizens. Arguably, these interceptions can be seen as prototypes for the CCDP.

  • 5. Ross Anderson  |  April 20th, 2012 at 13:34 UTC

    More coverage in Techworld and The Register.

Leave a Comment

Required

Required, hidden

Some HTML allowed:
<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Subscribe to the comments via RSS Feed


Calendar

April 2012
M T W T F S S
« Mar   May »
 1
2345678
9101112131415
16171819202122
23242526272829
30