back to article Top spook: ISP black boxes NOT key to UK's web-snoop plan

Government-funded black boxes that monitor the UK's internet traffic are not "the cornerstone" of the Home Office's web super-snoop plan, a top spook has told MPs and peers. Ex-MI6 man Charles Farr, who heads up the Office for Security and Counter-Terrorism, dismissed claims that Deep Packet Inspection (DPI) probes are the " …

COMMENTS

This topic is closed for new posts.

Page:

  1. Anonymous Coward
    Anonymous Coward

    VPNs to be banned in the UK.

    That's how I read this statement.

    Farr admitted "there will still be workarounds" but claimed by 2018 that that gap could be tightened with a new law.

    1. g e
      FAIL

      "by 2018 that that gap could be tightened"

      Exactly what I was about to say.

      SSH tunnels it is then. Unless they want to ban SSH too and grind all internet work to a halt in the UK.

    2. Anonymous Coward
      Anonymous Coward

      Re: VPNs to be banned in the UK.

      If they have access to unencrypted data from the CSPs, VPNs are fairly pointless...

      1. DJ Smiley

        Re: VPNs to be banned in the UK.

        Sigh....

        1. TakeTheSkyRoad

          Re: VPNs to be banned in the UK.

          If you and me setup a VPN with encrypted with a key we share then the ISP and the CSP don't have access to the unecypyted data. Only you and me.

          There are apps free apps to setup private VPN's between friends already, often with gaming in mind.

          I'm going to be generous then assume then that you mean a VPN provided by a CSP/ISP

          1. Anonymous Coward
            Anonymous Coward

            Re: VPNs to be banned in the UK.

            Fair enough, but no my point was that using VPN to access a CSP would be pointless...

            The VPN would shield you from a DPI on the ISP side(s), but if the CSP was willing/ forced by law to divulge their unencrypted data then the VPN doesn't really help...

            For P2P/ non-CSP uses as you have suggested, VPNs would work well.

    3. PyLETS
      Big Brother

      Re: VPNs to be banned in the UK.

      Very unlikely, a. given long established business needs for these, and b. given VPNs tunnelled using widely used ports and encryption methods and using appropriate padding and chaff will be indistinguishable from SSH remote admin and HTTPS traffic. Your security using these also depends partly upon where and with whom you trust your VPN endpoint, and partly on the extend to which plod is willing covertly to burgle your premises, install taps on your LAN and rootkits on your devices.

      I'm all in favour of envelopes as well in preference to postcards most of the time, not because I have much to hide and not because steaming them open isn't possible, but because privacy is as much a convention as wearing clothes and steaming envelopes open and strip searches are sufficiently expensive for plod that these don't happen very often.

      Same goes with the workarounds mentioned - sure they exist, but how much do they cost ? Make his enquiries a little more expensive and plod doesn't go on fishing expeditions, he has to restrict his more expensive espionage techniques to serious terrorism and organised criminality.

      1. Anonymous Coward
        Anonymous Coward

        Steaming envelopes open

        You make a very good analogy, sir.

        Isn't this the 21st century equivalent of those activities carried out (under the pretext of "security", of course) in East Germany? Who do you say are going to run those boxes, the Ministry for State Security, perhaps?

        I look forward to a UK remake of Das Leben der Anderen, although I'm not too sure this one will have a happy ending.

    4. despairing citizen
      Big Brother

      Re: VPNs to be banned in the UK.

      closely followed by as many companies that can, decamping their IT and core business admin out to countries where your price sensitive information can't be snooped on by every bent copper in the Met, without any form of monitoring.

      Yet another "tackling unemployment" initative curtsey of the House of Clowns.

    5. Anonymous Coward
      Anonymous Coward

      Re: VPNs to be banned in the UK.

      Get real!

      With all the businesses that require VPNs and encrypted comms to meet their compliance requirements to allow external users to connect to base, especially finance companies? No way!

    6. LarsG
      Headmaster

      As with

      As with all information, the more information you store, the more you want and then the more you want becomes an obsession for control. Look at the local councils as an example.

      The downside for them will be that there will be so much, so so so much information that it will be impossible to sift through. Eventually the amount of information is so great, there is overload and it becomes useless.

      1. Anonymous Coward
        Anonymous Coward

        Re: As with

        "The downside for them will be that there will be so much, so so so much information that it will be impossible to sift through"

        Downside?

  2. leon clarke
    Black Helicopters

    If that's all true...

    It would be quite easy to write a proportional bill.

    Key clauses:

    The spooks can only ask you to use the black boxes you already have and are using anyway, not install ones.

    If something isn't traffic data from your point of view, it doesn't matter if it's traffic data to someone else.

    We could go on to suggest that the spooks can see any relevant data you have, but can't demand any data you don't see a need for.

  3. LinkOfHyrule
    Joke

    black box would be placed on a network where such information could be hoovered up

    I'm not sure how effective a 90s Italio House band would be at doing that to be honest - I used to love that tune of their though with the bird who mimed - "'cus you're right on time... woah-oah-wo-oa-oh-woah-oah-oh-ah-oh-woah-hoa!"

  4. Anonymous Coward
    Big Brother

    Bugger...

    Well if they have this access to the unencrypted data from the CSPs then rather pointless using VPNs...

    Unless you're setting up your own personal mail server...

    A few things

    - The author seems to surprised that "Twitbook would be expected to retain unencrypted data on thier systems". How can they not? The only data items that will regularly be encrypted would be key things like passwords and card details, no CSP is going to encrypt and store anything else. And even if they do, it will be in a form that they themselves can easily decrypt and provide

    - "It's very easy to separate content from commns data", really???

    - "many CSPs were only too happy to cooperate", was this based on a court order, or as seemed to be the proposal here "signed-off by a senior member of the police force"

    - "If you have the right kind of data, issues of anonymisation cease to be a problem" sounds... interesting

    - "If people take greater efforts at anonymisation, it could become a problem", well you are driving them to it with laws like this

    - "there will still be workarounds" but claimed by 2018 that that gap could be tightened with a new law", that says what exactly, a monitoring software on each PC a la China?

    1. itzman

      It's very easy to separate content from communications data???

      you say really? I say bollocks.(not to you obviously)

      Its ALL communication and its all content and its all both.

      I post a picture of a nude with a photo shopped tattoo saying 'plan B'..is that content or communication.

      Who knows?

      1. Ben Tasker

        Re: It's very easy to separate content from communications data???

        Post yer picture of her and I'm sure someone will tell you ;)

        I agree though, it's all content and communication and any attempt to seperate them is going to have a high failure rate. You can be damn sure that they'll be willing to risk more false positives than missed intel though

  5. JetSetJim
    Black Helicopters

    Replies from MP

    The replies I got from my MP & James Brokenshire MP (Parliamentary undersecretary for crime and security) basically state (http://forums.theregister.co.uk/forum/1/2012/05/21/JetSetJim_CCDP_response_from_MP/) that the new legislation is identical to the old legislation, but with the "outsourcing" component being to make ISPs capture this data. Where they can't capture it, they'll stick in DPI.

    Ironically they still hold up the RIPA safeguards as examples of how the information isn't going to be abused/leaked.

  6. Colin Miller

    HTTP

    In HTTP without persistent connections it is reasonably easy to separate the headers from the data in a PUT request (or all other requests).

    With persistent connections, how can you pick up the headers from any requests following the PUT without parsing the entire conversation?

    1. Tom Chiverton 1

      Re: HTTP

      It's worse.

      With Twitter, for instance, the 'who' is embeded in a packet of JSON you send to the server. So the black box needs to parse that. And Twitter can change their format any time, never mind when a new service comes along...

      But it's not about the technical details of why it wont work; it's about it being wrong to intercept everyones comms.

      Innocent people have a right to privacy.

      1. Amorous Cowherder
        Unhappy

        Re: HTTP

        "Innocent people have a right to privacy."

        Yeah but the Gov and their corporate scumbag mates know your "movements" worth a freaking mint, so stuff privacy when you're such a valuable little blighter!

        The first step is to strip us of our rights and freedoms, next step is to bottle us up and plug us in to the grid as just another battery, ala The Matrix!

    2. Mr Spoon

      Re: HTTP

      I very much doubt they're claiming they won't parse the data, the question is about what the algorithm parsing it spits out to investigators at the end, which means it's pretty easy to separate content out provided you have a parser per protocol, including higher level "protocols" like Twitter's AJAX interactions etc.

  7. Andrew Baines Silver badge
    Coat

    Cunning terrorist ideas

    Semaphore in a private room in Second Life?

    1. Bakunin
      Coat

      Re: Cunning terrorist ideas

      "Semaphore in a private room in Second Life?

      That would be a dead give away as you'd be the only two people still on Second Life.

    2. Tom Chiverton 1

      Re: Cunning terrorist ideas

      Or stego. in youtube posts.

      No ISP is going to be able to do that. And YouTube are unable, physically or electronically, to send how ever many years worth of video is uploaded each day to the spooks for checking. Assuming the spooks could check them all.

      1. Vic

        Re: Cunning terrorist ideas

        > Or stego. in youtube posts.

        Terrorspam. Stego in pictures of asian "doctors" trying to sell you little blue pills.

        You could send it to the bloke that's supposed to be investigating the bad guys - if it gets through his spam filter, he'll undoubtedly bin it without looking at it.

        Vic.

      2. Anonymous Coward
        Anonymous Coward

        Re: Cunning terrorist ideas

        They don't send or redirect traffic via the black box. That would be stupid IT people like you that think this, right? Only persons of interest and with a court order.

    3. Tim #3

      Re: Cunning terrorist ideas

      or just post letters to each other

  8. Andy The Hat Silver badge
    Thumb Down

    "... needs to be signed off by a senior member of the police force."

    Hmm ... would that be an elected (from a limited, pre-chosen few), party-political puppet of a Police Commisioner who will not have the knowledge of the law behind him (unlike a Judge should) and could easily be pressurised by the 'more knowledgable' requesting officers? This probably means the decision ocould be made in a completely biased way depending on the day of the week ...

    This is not good.

  9. Crisp
    Go

    All my future posts on all sites will now look like this:

    -----BEGIN PGP MESSAGE-----

    hIwDAgRLABzXpVEBA/93TN+SJhlB46hg53+MvMNmqM6LyPHrh0JKANlnI9wb

    nv5jpFTOnn1uZ0KflUlKkJqrdXKDb7TmLOwmtiAIxAmeA7bF/fXGMcqhrH5U

    eStOnZbzXMTeSW8r0VF4p9+9kXwNyZteWDjAePVmrUqT8KZFbs9V9rYmYBC4

    5+VNjsepp6Q6BmSsG/nC6I77YYQE5CJ+XSLbMzqO/GfHJaPH7IK5RXnNby7t

    AN2gxsyyWxV42ALupa2TMQVr8bLgyg==

    =6J2b

    -----END PGP MESSAGE-----

    1. Anonymous Coward
      Joke

      Re: All my future posts on all sites will now look like this:

      Sounds like an excellent idea!

      But I'll go one up on you by not posting at all!!

    2. Ben Tasker

      Re: All my future posts on all sites will now look like this:

      They'll crack it in minutes:

      "Sir, this message has been encrypted. Any idea what that means?"

      "Well Agent Smith, it means he's a terrorist"

      "Helicopters and waterboard despatched sir"

      1. oldredlion
        Happy

        Re: All my future posts on all sites will now look like this:

        xkcd covered this form of security

        http://xkcd.com/538/

  10. Chris Miller

    Can anyone explain

    why "between 500 and 1,000 communication data requests could be submitted for an average murder investigation"? It's been a few years since I worked on ETSI Lawful Interception, but IIRC a request normally relates to some or all voice/data/position info for a particular number for a given period. Do you really have hundreds of suspects in a single case?

    1. Tom Chiverton 1
      Meh

      Re: Can anyone explain

      Dear $telco,

      Please send me the details of everyone connected to the nearest cell tower to $murderLocation between $murderTimeStart and $murderTimeEnd.

      Thanks,

      Plod

      1. Chris Miller

        @Tom

        Quite - but I think that would only constitute a single request.

        1. Julz

          Re: @Tom

          But after you get the list of connected people, you then ask for all their data and voice records...

    2. Anonymous Coward
      Anonymous Coward

      Re: Can anyone explain

      I think they call this a "drag net"... from what I can tell the idea is catching on... once up-on-a-time there was something called "evidence based investigation" which is hard for plod to do (right), so:

      * build a national ID database

      * build a DNA database

      * build a communications intercept database

      ... you get the idea... or put another way "we're sleep walking in to a surveillance state" - perhaps what we need is a constitution to give us some protection from HMG?

  11. Tom Chiverton 1
    Stop

    So, the black boxes are required, and a key plank, unless you are using Talk Talk who already do DPI for something different ?

    Or black boxes are only required if you wont give the spooks direct SSH access to the ISP mail cluster ?

    Sadly no one of the committee new enough to ask him what will happen when the CA for the spoofed SSL certificates is removed from every ones browser...

    1. Anonymous Coward
      Anonymous Coward

      I think its worse than that!!

      I think you'll find that "they" have several intermediate certificates "legitimately" issued by major CAs so that they can insert a new cert signed by an intermediate (that they "own") from the same originating CA... at least that's what a man from Detica said ;-)

      Ergo... there is no "spoof CA" that you can delete to fix this problem... we're all doomed I tell you!

  12. JimmyPage Silver badge
    Big Brother

    The bottom line

    there's an obvious dichotomy inherent in the governments plans.

    If they can intercept and read everything then clearly e-commerce will die. If banks can't rely on the technology used to be secure, then they can't offload the liability onto the customer. The second that happens it's end of game.

    If they have to leave some parts secure, in order to assuage the worries of the banks, then there is always the option to use *that* channel for your secret surfing.

    The *real* purpose of this law though, like the extreme porn law, or various swathes of anti "terror" legislation, is to give the state a tool they can use to deal with people they don't like. Since Magna Carta, inventing reasons to lock people up (and in most cases execute them) has been frowned upon. So successive governments have carefully (what, you though they were incompetent when they were drafting those laws ? A parliament full of lawyers ?) drafted laws that can catch most people out, if they step out of line.

    1. Tom Wood

      Re: The bottom line

      By "comms data" they mean "Joe Bloggs sent a message to John Smith at (date/time)". The sort of thing equivalent to checking telephone records to see that number x called number y.

      This is different from intercepting the content of the communication (the equivalent of tapping the phone call).

      Banks only care that the content of the messages are private, not that the details of the communications are private.

  13. Tom Chiverton 1
    FAIL

    Ummm

    "If CSPs refuse to provide those authorities with access to such data, a black box would be placed on a network where such information could be hoovered up."

    CSP was defined as Facebook/Google rather than ISPs earlier.

    So if Facebook/Google wont give in to a UK court order, and we know Google does refuse them, then every one in the country has to be wire tapped ? What 'logic' ...

    1. Anonymous Coward
      Anonymous Coward

      Re: Ummm

      This is possible without any "black box" that they want. The ISP can see connections from IP X to IP Y at Z date/time. This is no matter how encrypted the content is.

      This is the same as the phone records.

      So why do they need to snoop?

  14. SJRulez

    The missing %

    "we are not proposing this law on the grounds that it will provide 100 per cent coverage of the communications data in this country"

    Yep and you can guarantee the missing per cent will be the important terrorist communications...... or at least that will be the defending argument when there is an incident they failed to detect and they have to justify the ridiculous amounts of money that will be spent.

    1. PyLETS
      Big Brother

      Re: The missing %

      It's likely also to include my £15/month Virtual Machine server, capable of running a variety of encrypted services. I'm not expecting plod to ask for access to my email logs any time soon, but if he does, I'll want to be sure the request is legal and required under the law before I comply, otherwise I might be breaking the Data Protection Act by acceding to a bogus request. If plod wants to put a DPI black box on the network of the ISP hosting the VM or use other techniques e.g. to obtain access to the VM filesystem on the VM host, that's up to them. If I were bothered enough about this, I'd find a virtual server host in a country with different laws.

      Securing direct real time access for plod seems more likely for larger CSPs than small ones like yours truly. Going after the minnows is going to be much more expensive and generally slower. So if you want plod to have to ask politely and have his credentials checked carefully when he asks, choose a smaller CSP in preference to Gmail or Hotmail or Facebook.

      1. Arrrggghh-otron

        Re: The missing %

        If i'm reading the draft bill correctly then you are considered a 'telecommunications operator' and hence come under the scope of the bill. On the upside, again if I am reading it right, there will be some funds available to help you monitor your VM and retain all that lovely traffic and user data...

        (I was checking because I don't like the idea of blanket monitoring and wanted to reply to the consultation, but I also run an email service both at home over dsl and on a VM which is deliberately overseas but not in the US.)

        21. Subsection (1) provides for the Secretary of State by order (subject to the affirmative

        resolution procedure – see clause 29(2)) to ensure or otherwise facilitate the availability of

        communications data from telecommunications operators so that it can be obtained by relevant

        public authorities in accordance with Part 2. The term ‘telecommunications operator’ is

        defined in clause 28 as a person who controls or provides a telecommunication system, or

        provides a telecommunications service. The term ‘communications data’ is also defined in

        clause 28. In summary it is information such as telephone numbers dialled, times of calls,

        details of callers and receivers, and website addresses. It is not the content of the

        communication. The Annex provides an illustration of what communications data means for

        particular forms of communication.

        1. JetSetJim

          Re: The missing %

          Someone should nail them to a figure per annum that the govmt will provide to do this. Then every single forum operator in the country should ask for it.

  15. Anonymous Coward
    Anonymous Coward

    More Power... to Them

    The security services will always want more powers. I'm not sure whether this law will pass in its present form, whether it will be struck down or a compromise reached. However, if it is defeated a new law would likely be introduced in a few years time under a more amenable Labour government. It is a bad law. For a start they are proposing they have the option to record the information on the outside of letters & postcards, though they won't use it!

  16. Vladimir Plouzhnikov

    Spooks

    I have come to a firm conclusion that any "security" services anywhere in the world are just self-serving mafia parasites. Their value to society is precisely zero. None of the "terrorists" they from time to time "catch" turn out to be terrorists, while real terrorists blow themselves up at will (when they are bright enough to be able to press the correct button).

    Looking back to the Cold War years, when these charlatans declared themselves the saviours of the world order (on both sides of the Curtain) all they ever did was occasionally murdering their counterparts, torturing each other on suspicion of being turncoats and claiming great insights into what the other side was doing, while in reality knowing absolutely bugger all about it. There was absolutely nothing they ever did or could do that could have changed the course of history or had anything to do with "security" with the exception of their interference in the political power play inside their own countries.

    Parasitic vermin - that's what they all are.

Page:

This topic is closed for new posts.

Other stories you might like