Privacy watchdog bashes UK.gov net snoop plan
'Case yet to be made'
Whitehall plans to order ISPs and mobile operators to gather massive quantities of data on every customer's internet use are vague, misleading, risky and possibly unnecessary, according to the Information Commissioner.
In forthright comments on the Interception Modernisation Programme (IMP), Christopher Graham said the Home Office's proposals represented "a step change in the relationship between the citizen and the state".
"Prior to this, police and intelligence services would have access to information which was already collected and held... for the first time this proposal is asking [communication service providers] to collect and create information they would not have previously held."
The independent data protection watchdog said he was not convinced that IMP - which aims to insert deep packet inspection probes in access networks to harvest details of who contacts whom, when, where and how online - is even needed.
"The Information Commissioner believes that the case has yet to be made for the collection and processing of additional communications data for the population as a whole being relevant and not excessive," his submission to a Home Office consultation said.
Since news of IMP broke, the Home Office, law enforcement and intelligence agencies have repeatedly stated it will merely "maintain capability" to access communications histories when investigating serious crime and terrorism.
Apparently reflecting comments made by academics and other observers, Graham, who took over from Richard Thomas at the end of June, disputed that line. "It is important to note that while the consultation presents this as maintaining a capability, this will in effect involve the collection and processing of a significant amount of additional information not previously available to [communications service providers] and police and intelligence services," he said.
Graham also agreed with observers such as the London School of Economics' Professor Peter Sommer, who has argued the current distinction in law between communications data (who contacts whom, etc) and content (what they say) is meaningless when applied to the internet via deep packet inspection. The government has sought to maintain the distinction, with former Home Secretary Jacqui Smith emphasising that no content would be intercepted without a warrant under RIPA.
Graham however said: "All communications over the internet involve packets of data, with the traffic data at the beginning and end of the data packet. But if an individual is using a third party communications provider [eg Facebook]... then the traffic data will only show the recipient as being the third party provider."
The Information Commissioner was responding to the Home Office consultation "Protecting the Public in a Changing Communications Environment", which closed as Parliament rose for summer recess last week.
IMP will monitor website visits, instant messenger and social networking contacts, along with email and VoIP use. Once probes are deployed, sources say they will be remotely configured by technicians at GCHQ in Cheltenham, to keep up with new applications and changes in how communications data is transmitted by existing internet services.
In its consultation document, the Home Office said it then wants ISPs and mobile operators to store and process the resulting terabytes of data, linking usage to individual customers.
The government's plan to have private companies do much of the work of IMP - at a cost of £2bn over ten years - also raised worries at the Information Commissioner's Office.
Graham said the system must have "strict and specific" legislation to prevent providers spying on their customers for commercial purposes, and to guard against "well-meaning but misguided function creep".
Referencing the Information Commissioner's Office's role in the controversy over BT and Phorm's secret tests of interception technology in 2006 and 2007, he echoed the European Commission's concerns over the UK's implementation of privacy laws in relation to interception.
"Effectively... where the private sector, either through their own provision of services or through being placed under a legal obligation, are intercepting communications of services' users, there are gaps in the regulatory regime.
"Arguably there is a need for an empowered regulator, who can provide advice and guidance and ultimately impose civil sanctions against private sector players."
Graham concluded that gaps in the current interception regulatory regime would mean IMP would carry "an inbuilt risk of non-compliance" and not only privacy risks but also commercial risks. Documents seen by The Register show ISPs have serious doubts about the proposed system.
The Home Office's preferred option - presented in its consultation as the only option between the two extremes of doing nothing and building a massive state-run central warehouse of internet communications data - would see ISPs and mobile operators store data on all customers. The Information Commissioner's Office doubted whether this was the only option.
It suggested collection of extra communications data on a targeted basis, acting on suspicion or intelligence gathered through other means.
"Has the Government considered bringing forward legislation that would allow specified public authorities to request that this further communications data be collected only in relation to specified individuals, and possibly their associates, who have come to the attention of those authorities by other means?" it asked.
"Or have they considered only collecting communications data from the media where there is greatest risk?
"Another option could be that specific phone numbers or circumstances could be targeted. These and other alternatives would be less intrusive than obliging all [communications service providers] to collect this further communications data on all subscribers and more justifiable as it would be targeted and collect a narrower range of information about fewer individuals."
The Home Office made no mention of such a targeted approach in its consultation.
Civil servants are now digesting the Information Commissioner's document and other responses to their plans for IMP. The next announcement is expected when Parliament returns in Autumn.
The end of Britain being a free and democratic society, that's what this measure is.
The State will monitor your contacts, and draw inferences from them and they will be logged. The state will monitor and record data which will reveal your political affiliations, your religious beliefs, your sexual interests, what literature you read, what subjects you research; a constant, watching eye, peering over your shoulder and writing it all down (to be used against you, never for you, of course).
The expansion of the power that this gives the state over all British citizens is immense. We, the people, will not have access to the activities of politicians, civil servants, but they will have a complete record of our online lives, what books/newspapers/magazines we read and what causes we might support.
Today, police are preventing both lawful protest and social gatherings. This is not the behaviour of a state that respects freedom or democracy. The big chill is upon us. This spying system is the end of free inquiry and association and the birth of the neo-stasi state.
The threat to our freedom, our values and way of life didn't come from the terrorists, it came from those who would rule us.
***"Do they not realise that anybody who is really up to no good will do their browsing and emailing using SSL through off shore anonymous proxies."***
Any criminal or terrorist with half a brain will *already* be using those precautions. The problem with IMP is that it will prompt a great many *other* people to do the same.
When we are all using encryption because we don't want Stasi-New-Labour snooping on our legitimate use of the Internet, how will they tell the difference between an encrypted holiday photo and encrypted terrorist plans?
If terrorists are really interested in obfuscating their correspondence, it's so easy as to become ridiculous and the method existed long before the inter-webs.
You simply use a key-text - usually a very long book. The correspondence between the bad people is done plainly in the open, only referencing a series of three numbers now and again (page, line, word). It's not difficult to write a long letter or e-mail with enough numbers in it to create the message.
Without prior knowledge of the key-text, it's gibberish and anyone with half a brain can write a banal e-mail with the relevant information in it.
Remembering that that's at the low end of how to do this, not difficult to add in photographs to an e-mail and utilise RGB colour numbers to get the same page, sentence, word sequence. Hell, you could actually just have a couple of numbers mentioned in the accompanying text to give you the X, Y co-ords of where the message sequence starts.
And that's off the top of my head and without utilising anything (barring the image), that hasn't been around for hundreds of years. Simple cryptography is still used because it works. Until someone with a basic understanding of that is involved, we're going to keep seeing the same idiotic arguments trotted out time and again from this imbecilic bunch of fuck-tards.
Do we really have to wait until next year for an election ??